Cybersecurity Part 4: Surviving Ransomware


By Tony DePrato | Follow Me on LinkedIn

The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.

Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites. ~ https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.

I have thought about how to advise K12 schools around the world on how to prepare for ransomware. I have concluded that there are only two approaches everyone can follow: Reduce or Completely Remove Windows and Create Very Inconvenient Backups of Data.

Reduce or Completely Remove Windows

I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, and a link to the sources, that demonstrate which operating systems are vulnerable:


Data Link

If you want to do the math:

  • 106 Ransomware programs
  • 100 Target Windows Operating Systems
  • 93%-94% of Targets are Windows Operating Systems
  • Using Windows is Riskier than Using other Systems

“Riskier” is a little weak in this case. It is very likely that Windows users will be a target; it is very unlikely that Apple and Chromebook users will be.

If the goal is to live in a relatively peaceful, ransomware-free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users).

There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.

Create Very Inconvenient Backups of Data

Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data.

Data. Not operating systems and settings. Data. Not the software that was installed. Just all the data consisting of but not limited to documents, databases, movies, music, pictures, special configuration files, scripts and code, and the inclusive content of all websites.

There is only one question a person needs to ask to confirm whether backups are safe from ransomware: “Can the backup be accessed right now if we need it?”

If the answer is ‘Yes’, then backups are going to be vulnerable.

There should be at least two layers of backups. Layer one can be data that is backed up and accessible on the network, in the cloud, and/or from normal workstations. Meaning, someone can sit down and create or restore a laptop, database, etc. by following a workflow at their desk.

Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.


Layer two backups also need to be tested at least monthly (this cadence is only recommended for K12 schools; most businesses need to test more frequently, and school districts would need to test very often and on a predetermined schedule).

Tests need to include:

  1. Data restoration
  2. Data access and use
  3. A scan for malware, ransomware, etc
  4. An iterative process to consistently reduce the size of backups
  5. An archival process to store data that will most likely never be needed, but is legally required to store
  6. Imagination. Because you never know where you will be and what the situation will be when you need to access these backups

A very low-tech approach to a layer two backup could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this; just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.

If ransomware happens, and the data cannot be decrypted, this layer two data would be safe as it would be offline. Layer one backups may stay secure, but layer two backups will be secure unless you are a victim of very bad timing.

The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.

The data above could change. An uptick in ransomware for Chrome or Apple of even 1% is enough to review internal processes and procedures. Until then though, get the number of Windows OS users down and make better backups.


Start Your Research Here

Ransomware: Best Practices for Prevention and Response

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go:

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test and definition:

  • Subscription and Services Discovery: Can your subscriptions and services be easily discovered?
  • Files Exposed to the Public: Are there files publicly available that are supposed to be private?
  • Calendars Exposed to the Public: Is calendar data that should be private, private?
  • Staff and/or Student Email Harvesting: Can your staff and/or student PII be used to create a database for phishing and spamming?
  • Portals and SIS: Are your portals and SIS properly secured and difficult to brute force?
  • Websites and Social Media: Are websites and social media properly secured; is the media being used legally and correctly?
  • Cloud Services: Have cloud services been properly secured?
  • Third-Party Sharing: Is anyone sharing your content, and do they have permission?
  • FTP, SSH, and Telnet: Are any of these protocols a threat to your school via publicly accessible information?
  • Email Blacklist: Is your email domain blacklisted?
  • Email Header Check: Is there any data in your headers that could be anonymous or lead to blacklisting?
  • Email Catch-All for Non-Existent Emails: Is your email set up to catch any email sent to an address that does not exist and alert someone?
  • SMTP Relay: Is your email system running services that would allow an attacker to use your email for a criminal act, i.e. send an email on someone’s behalf?
  • 4xx and 5xx Error Check: Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
  • HTML Forms: Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.
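An added example (not the author's scripts and not part of the original post) that automates one item of the checklist above, the 4xx and 5xx error check, and scores each page on the 1-5 scale used here. It runs offline on constructed responses; the hostname is a placeholder, and treating 5 as “nothing to fix” is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample responses standing in for captured 4xx/5xx pages from a
# school's public-facing services (hostname is a placeholder, not a real site).
SAMPLE_RESPONSES = [
    ("/no-such-page", 404,
     {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"},
     "<html><body><h1>Not Found</h1><address>Apache/2.4.29 (Ubuntu) Server "
     "at portal.school.invalid Port 80</address></body></html>"),
    ("/report", 500,
     {"Server": "nginx"},
     "Traceback (most recent call last):\n  File \"app.py\", line 12, in view\n"
     "KeyError: 'student_id'\n"),
    ("/old-link", 404,
     {"Server": "nginx"},
     "<html><body><h1>Page not found</h1><p>Return to the <a href=\"/\">home "
     "page</a> or email the IT help desk.</p></body></html>"),
]

VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)*")
TRACE_MARKERS = ("Traceback (most recent call last)", "Stack trace:",
                 "Fatal error:", "Exception in thread", "at java.")
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")


@dataclass
class Finding:
    path: str
    status: int
    issues: list = field(default_factory=list)

    @property
    def score(self):
        # Assumed mapping onto the post's 1-5 scale: 5 = nothing to fix,
        # one point lost per issue, floor of 1.
        return max(1, 5 - len(self.issues))


def check_error_page(path, status, headers, body):
    """Evaluate one captured error response for leakage and usability."""
    f = Finding(path, status)
    if not 400 <= status <= 599:
        f.issues.append("expected a 4xx/5xx status for this test")
        return f
    # Software/version disclosure in headers (a bare product name is tolerated).
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        if value and (name != "Server" or VERSION_RE.search(value)):
            f.issues.append(f"{name} header discloses '{value}'")
    lowered = body.lower()
    # Stack traces and interpreter errors leak internals to the public.
    if any(marker.lower() in lowered for marker in TRACE_MARKERS):
        f.issues.append("body contains a stack trace or interpreter error")
    # Default server error pages print product and version in the body.
    if VERSION_RE.search(body) and re.search(r"(apache|nginx|php|iis|tomcat)", lowered):
        f.issues.append("body discloses server software and version")
    # "Supportive of trusted users": a way back or a way to ask for help.
    if "href" not in lowered and "help" not in lowered and "contact" not in lowered:
        f.issues.append("page gives a trusted user no way back (no link or contact)")
    return f


def run_checklist(responses=SAMPLE_RESPONSES):
    return [check_error_page(*r) for r in responses]


if __name__ == "__main__":
    for finding in run_checklist():
        print(f"{finding.path} ({finding.status}) score {finding.score}/5")
        for issue in finding.issues:
            print("  -", issue)
```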

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com. I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.


CyberSecurity Part 2: OPSEC and Post-it Note Passwords


By Tony DePrato | Follow Me on LinkedIn

How many times have you seen it? You walk into an office or classroom, and a Post-it is proudly announcing a user’s password. Why? Because schools are trusting environments. Maybe the password is not for the computer; maybe it is for the teacher/staff WiFi. A WiFi network that has no other security aside from the password: TeacherWifi1.

Before spending thousands of budgetary funds on security consultation, all schools (and organizations) should focus on their Operational Security or OPSEC. OPSEC is officially defined as:
Operational security (OPSEC), also known as procedural security, is a risk management process that encourages managers to view operations from the perspective of an adversary in order to protect sensitive information from falling into the wrong hands.

Developing a solid OPSEC plan is not that difficult. A bit of common sense and creative thinking goes a long way. Let’s walk through some simple practices that will help improve a school’s operational security, and the school’s ability to react to problems.

Follow Normal Child Safety Practices All the Time and in all Departments

The basic child safety concepts are: keep students away from unverified adults, and make sure adults are not alone with children (and if they are alone, they are visible).

These standards seem to be prevalent in all child safety courses and certifications. Following these two standards, and applying them to a technology plan, would yield the following rules:

  • Students are never allowed on the same network as teachers/staff/guests
  • Students share information through the cloud or monitored middle process (such as a Synology share that requires user login)
  • Students should not be allowed to peer share with teachers (e.g. no more AirDrop)
  • The guest network is limited and separated from everyone else
  • No access to the network etc. unless all users provide an ID or their devices are identified as approved devices

You can find more detailed standards here for securing your network and developing a better level of OPSEC.

Office and Classroom Access Should Be Managed by Policy

The worst hacking scenarios I have personally experienced, and that resulted in child and family trauma, began with data being printed and left in unattended offices/classrooms.

Simple and reasonable practices can deter most people from crossing the privacy line. Here are some suggestions:

  • Laptops should be secured in a bag or other area when unattended; on the desk, lid open is bad practice
  • Documenting passwords should be discouraged
  • Desktops and other devices should be logged out when unattended; or secured with a password screensaver
  • Teams should split their lunches and breaks to ensure that the office/classroom always has someone present
  • Office/classroom hours should be posted so that everyone knows when the space is open for meetings or visitors
  • Desktop phones should have a security code to make calls off-campus
  • Students, parents, and others should have a demarcated area for meeting and working with staff and teachers; certain areas should remain off-limits
  • Printing from offices needs to terminate in a secure space; it should be difficult for an unauthorized person to make physical contact with an office printer

Walk Around and See What You Can Do

School administrators often conduct classroom walkthroughs and observations. This process is similar.

The leadership team needs to be scheduled to break in to areas on campus. They should test closets, offices, doors, etc. Printers should be checked for abandoned documents, and those documents should be sampled. Did someone print and leave any confidential information? Any tests or assessments? When guests are in the building, how freely can they move beyond common areas before they are politely challenged?

The team should document what they find, and question why the access was possible. A formal review of all vulnerabilities is going to inform the necessary actions that need to be taken.

If there is a plan to work with an external contractor, having all this research is essential. Focusing on unrealistic threats and problems will not strengthen security or cybersecurity. A misaligned plan will waste resources, provide a false sense of security, and overall weaken any future response to a real threat.


Offense Wins Games, Defense Wins Championships

Richard Dent, Chicago Bears Superbowl MVP

Catchy title, but statistically not accurate. I trust the people at Freakonomics a bit more than I trust my family screaming at the TV on Thanksgiving.

So is this post about statistically irrelevant phrases? No. It is, however, about offense vs defense.

I spent a few days last week working on a “Loss and Recovery” policy for one of the schools I am working with, and if you would like a copy of it, please email me directly: tony.deprato@gmail.com.

The school seems to have been struggling for the last two or three years with students and teachers losing school-owned and personal equipment. Everyone I spoke to originally said that it was not a real problem, but when I spoke to the person who manages the inventory, I found out that it was a problem.

As I wrote this policy I had to make a choice and set my priorities. I firmly believe anyone with more than one priority has no priorities, so I forced myself to choose: offense or defense.

This is the same decision I had to make a few months ago when redesigning the network. Did I want an offensive active monitoring solution or a defensive passive monitoring solution? In both cases I chose defense over offense.

In a defensive system, the goal is to protect the school’s assets, protect the assets actively connected to the school’s assets, and to record enough information to execute a focused offensive plan in the future. In an offensive system, the goal is to try and find potential threats coming from all clients, at all times, and to intervene as quickly as possible.

For example, in an offensive network, if a student goes to a website and downloads inappropriate material, the school would have someone assigned to immediately block their network access and intervene. The student would be reprimanded, probably taken to see an administrator, and various punishments would be carried out. Systems that allow this level of control are expensive. They often require a school to employ a few people to manage them, or they require teachers to stop teaching and play police officer. Long term, though, they are ineffective. When students feel they are being monitored, they stop using systems. They stop engaging. They start circumventing school resources by linking to 3G and 4G networks that no one can block.

Before you say, “Yes you can block 3G and 4G services, I have seen hardware that does this!”, you need to know this is illegal in most parts of the world. The risk of blocking people from making contact during an emergency is always considered too high for blocking 3G and 4G networks to be legal.

Also remember, if you can offensively control students, you can do the same to teachers. Maybe teachers were told, “Hey don’t worry we are not watching what you are doing.” It would be more fair to tell them, “Hey we can watch what you are doing when we want to, we just are choosing not to, at least today, tomorrow it depends.” Ask yourself, are teachers who are being monitored doing the same quality of work as teachers who are not?

Offensive systems make administration seem easy, because all the bad things start happening in the shadows. The statistics flatten out and everyone feels safe. They make teaching and learning worse, because these systems are usually set up to block first and ask questions later; or they run over the network and take up huge amounts of bandwidth. They use the bandwidth to watch screens and control devices. The worst part is, most people running these systems have no special training. They have no guidelines for understanding privacy, or even for how to detect a real threat. They may not even be aware of how much impact they are having on the network, since their priority is to be invasive.

Untrained people will also react quickly to false flags. When a school responds to a false flag, its response resources are tied up and focused. This means that if an event is happening that is significantly worse, the school will not be able to respond in time. Having a great response time is not significant if a pattern of events is occurring and the pattern is unseen.

I recently attended a meeting with 15 other schools. About 50% of them currently had offensive systems in place or had had them in place. One school had spent $60,000 USD on hardware in less than a year, and since then had abandoned their offensive strategy. The 50% that were attempting to be offensive had poor results, and were looking to either spend more money or hire more people.

The largest school in attendance had completely abandoned monitoring and simply moved resources to teaching and learning and servers. They said that it was impossible to maintain security and teaching and learning if the budget was not infinite. They chose teaching and learning and increased their server/network defense. This school went further, and stated that 3G and 4G devices made it possible for 3-4 kids to hotspot outside the network. Again, they found no point in fighting a losing battle when more than 80% of the students had the ability to be online without being on the school’s network.

In 2011-2012 I was in Hong Kong. At that time I met with 5 different schools, all with a variety of IT configurations and budgets. All of these schools, however, were delivering good education. That statement is based on test scores and university placement, but I can also state the learning environments I saw were engaging and well supported. None of these schools had made an investment in offensive systems. All of them but one had the budget to execute any type of security plan, and yet none chose this course of action. Why? Maybe because their schools were doing a good job at being a school and they didn’t want to impact teaching and learning? Just a question and a thought.

Ranting and raving aside, here is how I see a defensive policy working at a school:

  1. The first step is to create VLANs for everything. Make sure the network is organized so that people can clearly see where people are when they are online.
  2. The next step is to pay close attention to user groups, or organizational units. These can be easily audited by a normal non-IT person. Each group of students and teachers should be in a group. For example, year 6 students should all be in a year 6 group, and middle-school teachers should all be in a middle-school group. This allows rules to be applied to people who have commonalities. Often groups are neglected because no one makes sure that each year IT updates and audits the users.
  3. Servers and network equipment need to be defended like NORAD. If no one at the school has completed a Certified Ethical Hacking course, then someone should. The network and servers need to be attacked, exploited, and re-adjusted until the most common exploits are removed. This includes all printers, switches, and peripherals.
  4. All WiFi and LAN connections should require a username and password to sign in. Every day, people should have to sign in when they connect. This creates a very transparent view of who is online, and where they are accessing the network from.
  5. WiFi networks should have a common community password on the SSID. This adds a layer of defense between the school and the outside.
  6. Users should be restricted to a fixed number of devices. This is a simple way to keep people from accessing accounts after stealing someone’s password.
  7. Password policies need to be real and enforced at least twice a year, if not more. This means forcing people to change their passwords, and preventing them from using the same passwords all the time. People who write down their passwords and leave them out in the open should be spoken to in a firm and alarming manner :).
  8. An accurate map of the campus should display all access points using each access point’s IP address. An image file of a map can be overlaid with XML to allow for real-time updating of this data. Having a map of WiFi activity gives IT the ability to narrow down patterns and to hunt for lost devices still connected to the WiFi.
  9. Usage reports should be run weekly to look for trends among groups of users. This level of data collection requires some type of firewall or other access control system. These reports should be shared with the administration, and any anomalies or potential risks should be highlighted.
  10. All AUPs need to include the phrase, “No Expectation of Privacy.” Make it clear that data is being collected and studied, and this data will be checked if anything is irregular. The data connects to the user or group, and only data that is alarming will be followed. In other words, we are not watching your screens or reading your emails; we are just watching your online activity.
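As an added example, not part of the original post, here is how steps 6 and 9 could be turned into a weekly report over an access-control export: it flags users seen on more devices than policy allows, and users whose weekly traffic is far above their own group’s median. The log format, usernames, group names, device limit and anomaly threshold are all constructed assumptions, not any product’s real output.

```python
import re
import statistics
from collections import defaultdict

# Constructed weekly export from a firewall/access-control system. The format
# is an assumption; real products export differently. One line per session.
SAMPLE_LOG = """\
2024-03-04 08:12:05 user=a.lee group=year6 device=aa:bb:cc:00:00:01 ap=10.1.3.7 bytes=120000
2024-03-04 08:13:10 user=b.khan group=year6 device=aa:bb:cc:00:00:02 ap=10.1.3.7 bytes=95000
2024-03-04 09:02:44 user=c.diaz group=year6 device=aa:bb:cc:00:00:03 ap=10.1.3.8 bytes=110000
2024-03-04 09:40:00 user=d.ng group=year6 device=aa:bb:cc:00:00:04 ap=10.1.3.8 bytes=4800000
2024-03-04 12:15:30 user=d.ng group=year6 device=aa:bb:cc:00:00:05 ap=10.1.2.1 bytes=3900000
2024-03-05 07:55:12 user=d.ng group=year6 device=aa:bb:cc:00:00:06 ap=10.1.2.1 bytes=2200000
2024-03-05 08:01:09 user=a.lee group=year6 device=aa:bb:cc:00:00:01 ap=10.1.3.7 bytes=130000
2024-03-05 08:10:00 user=m.rossi group=ms-teachers device=aa:bb:cc:00:01:01 ap=10.1.5.2 bytes=900000
2024-03-05 08:11:00 user=j.park group=ms-teachers device=aa:bb:cc:00:01:02 ap=10.1.5.2 bytes=850000
2024-03-05 08:12:00 user=s.omar group=ms-teachers device=aa:bb:cc:00:01:03 ap=10.1.5.3 bytes=910000
2024-03-06 22:30:00 user=j.park group=ms-teachers device=aa:bb:cc:00:01:04 ap=10.1.9.9 bytes=870000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) group=(?P<group>\S+) "
    r"device=(?P<device>\S+) ap=(?P<ap>\S+) bytes=(?P<bytes>\d+)$")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines rather than fail the whole report
            rows.append(m.groupdict())
    return rows


def device_limit_violations(rows, max_devices=2):
    """Step 6: users seen on more distinct devices than policy allows."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["device"])
    return {u: sorted(d) for u, d in seen.items() if len(d) > max_devices}


def group_usage_anomalies(rows, factor=3.0):
    """Step 9: users whose weekly bytes exceed factor x their group's median.

    Comparing against the user's own group (year 6, middle-school teachers)
    rather than the whole school keeps a heavy but normal group from hiding
    an outlier inside a light one.
    """
    per_user = defaultdict(int)
    group_of = {}
    for r in rows:
        per_user[r["user"]] += int(r["bytes"])
        group_of[r["user"]] = r["group"]
    by_group = defaultdict(list)
    for u, total in per_user.items():
        by_group[group_of[u]].append(total)
    flagged = []
    for u, total in per_user.items():
        median = statistics.median(by_group[group_of[u]])
        if median and total > factor * median:
            flagged.append((u, group_of[u], total, round(total / median, 1)))
    return sorted(flagged)


def weekly_report(text=SAMPLE_LOG):
    rows = parse_log(text)
    return {"devices": device_limit_violations(rows),
            "anomalies": group_usage_anomalies(rows)}


if __name__ == "__main__":
    report = weekly_report()
    for user, devices in report["devices"].items():
        print(f"device limit: {user} seen on {len(devices)} devices {devices}")
    for user, group, total, ratio in report["anomalies"]:
        print(f"anomaly: {user} ({group}) {total} bytes, {ratio}x group median")
```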

In this environment technology can be used to protect resources, help people find things they have lost, and help identify trends in what people are using and needing for their teaching and learning. All of these things are positive, and most people in the community will appreciate the functionality. However, users will also be very aware that this type of network allows for a history of activity to be flagged as a threat or a violation. The system provides the tools needed to track locations as well as online interactions. This allows the school to narrow down the time, place, and population in any given scenario.

Most people do things in groups. Monitoring the group and trying to understand the group’s goals is more important than apprehending a single student or teacher for breaking the rules.

My “Loss and Recovery” policy includes the defensive use of security cameras, and defensive methods for searching lockers and dorm rooms. It was hard not to be aggressive and threatening when writing it, because I wanted to be aggressive. I wanted to be blunt and exercise the school’s right to protect property. Then I realized that being aggressive and blunt against a bunch of middle school kids looking to pull pranks all day really was not the best way to teach them about balancing private and public spaces and understanding the difficulties in managing personal and private property in an organization.

Students are not the enemy, unless you give them something to hate.

Tony DePrato

www.tonydeprato.com


Podcast Episode 55 – I want a Portal gun – February 7, 2013


While we are missing Omar and Cara, it was still a great episode. I mean, check out that agenda below. As always, you can find us on iTunes and Podomatic.

  1. iTunes University Workshop
    1. Course Manager
    2. Can only be viewed on an iPad
    3. Modular by design
  2. Portal 2 to teach Physics
    1. Portal 2 website
    2. The official learning with Portals website
    3. A teacher’s blog site
  3. Learning how to play the guitar – online
    1. Year of Rock website & the Instinct website
    2. Better or worse than a real teacher?
    3. Better or worse than GarageBand or online classes?
  4. Passwords and online security
    1. Google 2 step verification
    2. What can students do to protect themselves
    3. Lifehackers 5 best Password managers
    4. Kill the Password: Why a String of Characters Can’t Protect Us Anymore by Mat Honan at Wired
    5. Hackers Outlaw and Angels – Hacker documentary
  5. iOS app of the week – Ticket to Ride
    1. $1.99
