By Philip Reitinger, President and CEO of the Global Cyber Alliance
The pandemic hasn’t only affected businesses. Millions of students are now engaged in remote learning, and that number will soar when schools “reopen” in the coming months. Our own local school system, for example, will see most students going to school in person two days a week.
Cash-strapped school systems can get free help from the GCA Cybersecurity Toolkit for Small Business. Yes, the toolkit is targeted at small and medium-sized businesses, but the recommendations are just as applicable to schools and students, and most of the tools included can be used by them as well. Also, our nonprofit Work From Home coalition site lists a few easy things to do immediately that will significantly improve your security.
As schools struggle to deliver remote learning securely, here are twenty questions for school IT staffs, superintendents, and school boards to consider:
Questions to ask today:
- Do we have a full inventory of devices, hardware, software/applications, and cloud services we use? How do we keep that up to date?
- Is all of our software currently “in support” by the publisher? For example, are all of our Windows end user computers on Windows 10?
- What is our patch management policy? How quickly do we patch critical and severe vulnerabilities? Are we fully patched right now?
- How do we authenticate users? How broadly do we use authentication stronger than just a username and password? Is multi-factor authentication required for computer administrators and anyone with access to sensitive student data?
- How do we address malicious software on our systems? Do we depend just on antivirus software? Do we use a “Protective DNS Service” like Quad9 to detect and prevent installation and operation of malicious software?
- How do all of our security protections work in a “remote learning” environment? How well do our security tools work when devices are not on the schools’ network and may not be on site for months at a time?
- Is our data backed up? Really? Are the backups offline or online? Could our backups be erased or encrypted by an intruder? How often do we back up? If we were hit by ransomware, could we restore our systems, or is it possible that our backups would be encrypted, untrustworthy, or unavailable?
- How do we defend against phishing attacks? If a principal’s username and password were phished, how would we know it?
Questions to ask as soon as possible:
- Are our devices and software/applications securely configured? What standards do we use to configure endpoints and servers? How do we lock down those configurations so users can’t change them? If you are a US-based public academic institution, you can join the MS-ISAC and the CIS Secure Suite at no cost, which includes access to tools to scan configurations across the network, along with other cybersecurity tools and services: https://learn.cisecurity.org/ms-isac-registration
- Do we scan our network for vulnerabilities? Do we scan both externally-facing systems like websites and our internal network (servers, endpoints, applications)?
- How do we monitor and log activity to detect attacks and system abuse? How long do we retain logs? How would we detect inappropriate use of our systems by insiders, such as students or staff?
- What is our incident response plan? How would we respond if we were attacked, such as through ransomware? Do we have any arrangements with third parties, such as the state or private companies, to help? If student data were exposed, how would we handle it?
- Have we locked down video-conference capabilities? Are we making sure that uninvited guests can’t join and that, if someone disrupts the learning environment, we can immediately stop the misbehavior and identify who is responsible?
- Do we protect our community against attacks that use our reputation and domain? Have we deployed DMARC to prevent spoofed emails being sent to students and parents? This point is easily forgotten – students or their families could be attacked with spoofed email that appears to come from the school system, such as “please install this software” (where the software is actually malicious). This can harm students, families, and the school system.
- Are we worried about denial-of-service attacks? Do we have defenses in place, and if an attack occurred, how would we respond?
- How do we select third-party and cloud services to use? Do we look at their security practices?
- Have we examined the privacy and other policies for our software and service providers (including cloud services and applications) so that we are confident our sensitive data – particularly student data – is not being used inappropriately?
- What is our strategy for protecting smart devices (IoT) on our network? If we installed a smart device on our system, and it had a vulnerability, would we know and what would we do?
Things you may not have thought about but are just as important as technical stuff:
- Is the superintendent aware of the risks and what we are doing? Does the superintendent know their role in an incident? Have we briefed the school board and asked for any additional resources we need to help provide cybersecurity and privacy during the pandemic?
- Have we talked to students and the community about the risks, to obtain their help to spot problems, and to emphasize that securing remote learning is a responsibility we all share?