Online Safety: Another challenge

Keeping students safe in a world of technology, where students are spending increasing time engaging with technology, and even learning via technology, is very important. As I have written in the past, this is also becoming increasingly difficult. Back in March 2021 I wrote about how internet filtering, something that was easy when I started out on my teaching career, is now far from easy and verging on no longer possible (Internet Filtering, March 2021). As such, I suggested that internet filtering can no longer be considered a distinct action schools should take in terms of safeguarding; instead it needs to be treated as one part of a larger process encompassing a number of stakeholders and actions, all taking place within a risk management, rather than compliance, framework.

In June I re-emphasised the above in my post, Keeping students safe in a digital world. This time my focus was on Virtual Private Networks (VPNs) and the implication of students being exposed to TV marketing on the use of VPNs to maintain privacy. My concern was that this would drive some students to use free VPNs, where the safety and security of data may not be as certain as the apps suggest. It would also make it more difficult for schools to monitor student online activity in the interests of safeguarding.

Since the above June post Apple have held their Developer Conference. Apple, like a number of other device and software vendors, is being very “privacy” focussed following recent highly publicised incidents around the privacy of user data on some very well known services. With this, Apple announced iCloud+ and its Private Relay functionality, built into iOS and providing VPN-like functionality when browsing within Safari. This means “baked in” VPN functionality provided at the operating system level, on Apple devices such as the iPad which are widely used in schools. Yet another challenge for online safety. Private Relay is a great facility for privacy but yet another blow for school IT and safeguarding teams seeking to keep students safe online. My hope is that there will be some ability to control this functionality using a Mobile Device Management (MDM) solution; however, for now this isn’t possible, and I suspect it may only be possible on “supervised” devices rather than on Bring Your Own Device (BYOD) Apple devices. Only time will tell.

I often refer, when speaking to sixth form students, to a continuum with individual privacy on one side and public good and safeguarding on the other. For schools this is the privacy of the individual student versus the school’s responsibility to keep students safe, and therefore to monitor and filter online activity. Currently the pendulum continues to move further towards the individual privacy side. I wonder if this will continue or if we will eventually see some balance restored. I also wonder whether, given the increasing ineffectiveness of the technical measures schools can put in place, the guidelines in relation to safeguarding students online need to be re-examined.

Reframing cyber costs in education

Schools and colleges need to focus their available funds on teaching and learning, and on the students within their care. As such it can be difficult to justify significant spending on cyber security. Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring. The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.

Cyber security is all about risk management. Every risk has a probability of occurring. This might be 1 in 100, or 1 in 1000, or 1 in 1 million. This is where the difficulties in justifying spending on cyber security arise. For the last 10 years an institution may not have suffered any significant incidents. As such, how can the head of IT justify spending an additional £4000 or £5000 per annum on cyber security? We are working from the point that it is more likely an incident won’t happen than that it will. Viewed from the point of view of past experience, the institution has been fine for 10 years, and with the probability of an incident assumed to remain roughly the same, it is likely to be fine in the next 10 years, excepting for this small probability. So, stay as is, or spend £40,000 – £50,000 over 10 years to provide additional protection just in case? Viewed from this point it may be difficult to justify the spend, especially if the overall budget for the school is low.

Let’s take a more mathematical approach to the problem. Take approximately 25,000 schools in the UK, of which I am aware of around 20-25 which have experienced a cyber incident this year. Let’s assume I am aware of only a small proportion of the schools which actually experience incidents, say 10%. So, let’s take a probability of 250 incidents per 25,000 schools, or 1 in 100. At this point, rather than looking at the chance of an incident occurring, we are assuming that an incident is guaranteed to occur within a given period. Taking this probability, in 100 years every school in the UK would likely have been hit. If hit, let’s make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would depend very much on the size of the school, its type, complexity, infrastructure, etc.). Taking the probability of 1 hit every 100 years, with each hit costing £250,000, the approximate annual equivalent cost would be £2500 per annum. The cost for the additional protection is looking a little better at this point. All it would take is for the recovery costs to grow to £400,000, or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools, for the two to be equal.
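The calculation above (estimated incident rate, annual equivalent cost, and the break-even points at £400,000 recovery cost or a 1 in 62.5 probability) written out as a small model. This is an added example, not from the original post; every figure is either the post's own assumption or a constructed placeholder, and the function names are my own. It also generalises slightly: the last function gives the chance of at least one incident over a horizon of N years, which the single annual figure does not show.

```python
# Added example: annualised cost model for the "not if but when" framing.
# Figures are the post's assumptions (25,000 schools, 20-25 known incidents,
# 10% visibility, £250,000 recovery, £4000/yr spend), not measured data.

def annual_incident_probability(known_incidents, visibility, population):
    """Scale the incidents you know about by the share you think you see,
    then express the estimate as a per-school annual probability."""
    estimated_incidents = known_incidents / visibility
    return estimated_incidents / population

def annualised_loss(probability, recovery_cost):
    """Expected cost per year: chance of an incident in a year x cost of recovering."""
    return probability * recovery_cost

def breakeven_recovery_cost(annual_spend, probability):
    """Recovery cost at which the protection spend equals the expected annual loss."""
    return annual_spend / probability

def breakeven_probability(annual_spend, recovery_cost):
    """Annual probability at which the protection spend equals the expected annual loss."""
    return annual_spend / recovery_cost

def chance_of_at_least_one(probability, years):
    """Probability of at least one incident over the horizon, treating years as independent."""
    return 1 - (1 - probability) ** years

def compare(annual_spend, probability, recovery_cost):
    """Return (expected annual loss, verdict) for a proposed annual spend."""
    loss = annualised_loss(probability, recovery_cost)
    if annual_spend <= loss:
        verdict = "spend is at or below the expected annual loss"
    else:
        verdict = "spend exceeds the expected annual loss"
    return loss, verdict

if __name__ == "__main__":
    p = annual_incident_probability(known_incidents=25, visibility=0.10, population=25000)
    print(f"estimated annual probability per school: 1 in {1 / p:.0f}")
    print(f"annual equivalent cost at £250,000 recovery: £{annualised_loss(p, 250000):.0f}")
    print(f"break-even recovery cost for £4000/yr: £{breakeven_recovery_cost(4000, p):.0f}")
    print(f"break-even probability for £4000/yr: 1 in {1 / breakeven_probability(4000, 250000):.1f}")
    print(f"chance of at least one incident in 10 years: {chance_of_at_least_one(p, 10):.1%}")
```

The verdict from `compare` is only as good as the two inputs, which is the point of the post: the argument is about making the probability and the recovery cost explicit rather than leaving them as a feeling that "it hasn't happened yet".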

For me the key thing is to move from looking at the chance of an incident happening, where we assume it is more likely an incident won’t occur, to a position of “not if but when.” At this point we accept that an incident is guaranteed to occur within a given time period; we just don’t know when. With this viewpoint we can start to make a more reasoned judgement on costs. We can also factor in the school’s risk appetite, with a school with a high risk appetite likely to underestimate the probability of an incident while one with a low appetite for risk is likely to overestimate it.

We very much need to reframe how cyber risk and cyber security investment is looked at.   Hopefully the above presents at least one possible way to do this in an easy but yet meaningful way.

TAGs and Data Integrity

Following on from my previous post regarding Teacher Assessed Grades (TAG) and cyber security, in my first post I focused on mitigation measures around avoiding possible data loss.   In this post I would like to focus on the integrity of data rather than possible loss.

There are a couple of issues which could impact on the integrity of TAG data:

  • Accidental changes made by users with access
  • Deliberate changes made by users not authorised to make changes, such as students.

Dealing with these issues relies on a number of basic principles which ideally should already be in place.

Least Privilege Access

This refers simply to minimising the users who have access, including minimising those with write access as opposed to read-only access. By limiting the permission level provided you limit the users who may accidentally or deliberately make unauthorised changes, and so reduce the risk.

Linked to the above it is important to fully understand which users have access to which data/systems, with this being routinely reviewed and adjusted to accommodate for staffing changes, role changes, etc. 

A checking process

It is likely you will have a process for gathering the data, with this data then reviewed by Heads of Department before eventually going to Senior Leaders and then the exam boards themselves. It is also important to have a review process to check that unauthorised changes haven’t occurred along the way and that the integrity of the data is retained across the whole process, from collection to eventual supply to the exam boards.

Audit Trails

If we assume that there is a reasonable likelihood of an accidental or deliberate unauthorised change, the next thing we need to be able to do is identify such changes, including the user who performed them and the changes they made. It is therefore important to consider whether the solution we use to store our TAG data has the relevant audit capabilities, whether that is the audit logs in your Management Information System (MIS) or version history in either Google Workspace or Office 365.
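An added example (mine, not from the original post) that puts the three principles above together for a file-based workflow: a fingerprint of each stage's export so the checking process can confirm nothing changed in transit, a diff between consecutive stages so an audit trail shows which grade moved and who saved that version, and a least-privilege check flagging any change saved by a user not authorised to edit at that stage. The student IDs, grades, user names and stage names are all constructed sample data.

```python
# Added example: integrity checks over a staged TAG export (constructed data).
import csv
import hashlib
import io

# Three constructed snapshots of the same export as it moves through the workflow.
COLLECTION_CSV = "student_id,subject,grade\nS001,Maths,B\nS002,Maths,A\nS003,Maths,C\n"
HOD_CSV        = "student_id,subject,grade\nS001,Maths,B\nS002,Maths,A\nS003,Maths,B\n"
SLT_CSV        = "student_id,subject,grade\nS001,Maths,A\nS002,Maths,A\nS003,Maths,B\n"

# Least privilege: who may change grades at each stage; everyone else is read-only.
AUTHORISED_EDITORS = {
    "collection": {"teacher.jones"},
    "hod_review": {"hod.smith"},
    "slt_review": {"slt.brown"},
}

def load(csv_text):
    """Parse an export into {(student_id, subject): grade}."""
    return {(r["student_id"], r["subject"]): r["grade"]
            for r in csv.DictReader(io.StringIO(csv_text))}

def fingerprint(records):
    """Stable SHA-256 over the sorted records; equal data gives an equal digest
    regardless of row order, so it can be recorded at hand-over and re-checked later."""
    canonical = "\n".join(f"{sid},{subject},{grade}"
                          for (sid, subject), grade in sorted(records.items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def diff(before, after):
    """Return {key: (old_grade, new_grade)} for every record that differs."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}

def audit(stages):
    """stages: [(stage_name, saved_by, csv_text), ...] in workflow order.
    Returns one finding per changed record:
    (stage, saved_by, (student_id, subject), old, new, authorised)."""
    findings = []
    previous = None
    for stage, saved_by, text in stages:
        current = load(text)
        if previous is not None:
            allowed = saved_by in AUTHORISED_EDITORS.get(stage, set())
            for key, (old, new) in diff(previous, current).items():
                findings.append((stage, saved_by, key, old, new, allowed))
        previous = current
    return findings

def unauthorised(findings):
    """The subset of findings a safeguarding or exams lead needs to look at first."""
    return [f for f in findings if not f[5]]

def run_example():
    # The third version was saved by an account that is not an authorised SLT editor.
    stages = [
        ("collection", "teacher.jones", COLLECTION_CSV),
        ("hod_review", "hod.smith", HOD_CSV),
        ("slt_review", "student.x", SLT_CSV),
    ]
    return audit(stages)

if __name__ == "__main__":
    print("collection fingerprint:", fingerprint(load(COLLECTION_CSV)))
    for f in run_example():
        print(f)
```

In practice the fingerprint would be recorded when a department hands its sheet over and compared again before submission, while the per-stage diff is what you would expect an MIS audit log or a document's version history to give you; the script just makes the same checks explicit for a spreadsheet-based process.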

Conclusion

Generally, when considering cyber security, the important thing is to identify the risks and then identify and employ appropriate mitigation measures. There is seldom a “solution” in terms of a product or configuration or setup which is perfect; however, there is a solution appropriate to your context, your organisation’s view as to risk, and its risk appetite.

It is also important to note that the best approach is a layered approach. In this and my last post I haven’t mentioned the use of storage arrays, mirroring of servers and other approaches aimed at either ensuring business continuity or making recovery quick and hopefully easy. Although these options add to the complexity of the possible approaches, the key is once again to assess the risks in your school’s situation and context, and deploy the solutions which you believe best address these risks within the framework of a risk management strategy.

TAGs and Backup

As schools gather their Teacher Assessed Grades (TAGs;  We do like a good acronym in education) it got me thinking about cyber security.

The two potential key issues I see in relation to TAGs are:

  1. Loss of access: So, this could be deletion, ransomware or some other issue which means the school doesn’t have access to these important grades and therefore is unable to provide them to the relevant exam boards.
  2. Manipulation of grades: This would be an individual, internal or external, gaining access to the grade information and manipulating it either for someone’s benefit or simply to cause mischief.

For this post, let’s focus on loss of access. So, what measures can a school take?

The key mitigation measure for loss of access is backup. We need to ensure a backup is kept separate from the main systems on which the data is stored. So, if the data is being stored in the school’s Management Information System (MIS) then ideally there should be an exported copy stored in Office 365. By keeping it in a separate system, we hopefully avoid any potential issues which might result from a significant problem with the MIS followed by issues recovering the MIS from its own backup. As our data backup is in a separate system, we would be able to deal with this scenario.

Ideally, we also want to keep copies geographically separate, so maybe stored on a separate site or using a cloud-based solution.   We may also choose to use a removable media solution to “airgap” our backup.

The key thing for me is that there is no one single solution. You need to consider the risk, the available mitigation options, and their cost, in terms of financial costs, time, staffing, difficulty/complexity, etc., and then decide what works for your school. For example, removable media may help in terms of air-gapping our backups, but it would also incur costs in terms of time to remove, replace and store the tapes/drives in use. If staff are limited this may therefore be a less appealing option. It is also about avoiding reliance on a single process/solution. So, having tape backup as a single solution is unlikely to be sufficient. You should be layering the various backup options to arrive at a solution which is appropriate to your resources, your data, your finances, etc. while reducing the risk of any single point of failure.

The other point I think is important to make regarding backups is the need to test them. All too often the only time backups are tested is at the point when recovery is required due to an incident. It is at this point that we can least afford backups to fail. As such it is important to test backups to make sure they work as they should, that you are aware of the processes and aware of any potential pitfalls. By doing so, you can be reasonably assured that when you truly and urgently need them you will know what to do and can be confident in the likely success of the recovery process.
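An added example (mine, not from the original post) of the "separate copy plus restore test" idea for an exported TAG file: the export is written to a second location together with a manifest recording its checksum and size, and a restore test reads it back, verifies the checksum, parses it and checks the row count, so a damaged or tampered copy is discovered during a routine test rather than during an incident. The export content, file names and directory names are constructed; the "offsite" directory stands in for whatever separate system or site the school chooses.

```python
# Added example: backup with manifest, plus a restore test that exercises the
# failure mode (corrupted copy). All data and paths are constructed.
import csv
import hashlib
import io
import json
import os
import tempfile

SAMPLE_EXPORT = "student_id,subject,grade\nS001,Maths,B\nS002,Maths,A\n"  # constructed

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def take_backup(export_bytes, backup_dir, name="tags_export.csv"):
    """Write the export and a manifest (hash + size) into backup_dir, which should
    live on a separate system or site from the MIS. Returns the manifest path."""
    os.makedirs(backup_dir, exist_ok=True)
    path = os.path.join(backup_dir, name)
    with open(path, "wb") as f:
        f.write(export_bytes)
    manifest = {"file": name, "sha256": sha256(export_bytes), "bytes": len(export_bytes)}
    manifest_path = path + ".manifest.json"
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    return manifest_path

def restore_test(backup_dir, name="tags_export.csv", expected_rows=None):
    """Do now what you would do in an incident: read the copy back and prove it is usable.
    Returns (ok, reason, rows_recovered)."""
    path = os.path.join(backup_dir, name)
    manifest_path = path + ".manifest.json"
    if not (os.path.exists(path) and os.path.exists(manifest_path)):
        return False, "backup or manifest missing", 0
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != manifest["bytes"] or sha256(data) != manifest["sha256"]:
        return False, "checksum mismatch: backup is corrupted or has been altered", 0
    try:
        rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
    except (UnicodeDecodeError, csv.Error) as exc:
        return False, f"backup is not parseable: {exc}", 0
    if expected_rows is not None and len(rows) != expected_rows:
        return False, f"recovered {len(rows)} rows, expected {expected_rows}", len(rows)
    return True, "restore test passed", len(rows)

def demo():
    """Back up a healthy copy and a copy that is then silently damaged; test both."""
    with tempfile.TemporaryDirectory() as scratch:
        offsite = os.path.join(scratch, "offsite")
        take_backup(SAMPLE_EXPORT.encode("utf-8"), offsite)
        healthy = restore_test(offsite, expected_rows=2)

        damaged_dir = os.path.join(scratch, "damaged")
        take_backup(SAMPLE_EXPORT.encode("utf-8"), damaged_dir)
        with open(os.path.join(damaged_dir, "tags_export.csv"), "ab") as f:
            f.write(b"\x00garbage")  # simulate bit rot or tampering after the backup was taken
        damaged = restore_test(damaged_dir, expected_rows=2)
        return healthy, damaged

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The manifest is what turns "the file is there" into "the file is what we backed up"; the parse and row-count steps are the cheap version of a full restore rehearsal, and the expected row count is something the exams officer already knows.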

Coming up with your school’s solution to backup doesn’t need to be complex.   It is about considering different scenarios and the mitigation options and then identifying what is right for your school based on its needs and its appetite to risk.    As I have often commented, it is all about risk management.

Data Protection and Cyber Security in a Pandemic

In a pandemic, when trying to keep students learning and businesses operating, while schools, offices and shops are no longer able to operate as they normally would, cyber security and data protection aren’t exactly top of the list of things to consider.   They may even have fallen off the list altogether.   As such, over a year after the first lockdown I thought it appropriate to share some thoughts in relation to data protection and cyber security in schools.

During a pandemic it is critical to prioritise. The important things come first. So, health, safety and wellbeing are likely at the top of the list. For businesses, during a lockdown, the ability to work remotely is critical, while for educational institutions enabling online teaching and online learning is critical, all requiring action to be taken quickly. Back in mid-March 2020, although the writing was on the wall, we didn’t see the first UK lockdown coming, and so when it did there was a rapid move to put the relevant technologies in place to enable online working, teaching and learning.

The issue with this rapid deployment of technology was that it was done based on an immediate need rather than being fully thought through and reasoned out. Considerations such as potential cyber security or data protection risks were, due to immediate necessity, either pushed to the side or given less consideration than they would normally receive or deserve. So now we find ourselves a year further on, here are some of the things I think we should be looking at:

  • The big players

Schools coalesced largely around the two big players in relation to cloud based productivity solutions, Google and Microsoft. For me this was done for very good reasons given the functionality provided by each; however, I wonder if the implications of this, such as the reliance on a single platform, had been considered. I also wonder if schools have considered what they would do in the event of a significant issue/outage within their chosen platform or if specific tools within the platform were discontinued. I do believe that it is almost essential to select one of the two platforms, however I think it is important to consider the implications of this decision.

  • Where is my data?

During the pandemic, and in order to deliver the best learning experiences possible, teachers introduced new apps, often for specific lesson activities rather than for long term use.    I suspect that as a result of this the overall visibility in relation to the apps in use, and therefore the location of school data, may have reduced.    This is something that will need to be addressed and will likely require schools to audit the apps in use as we move forward.

  • PIA and risk assessments

Linked to the above, apps may have been introduced without an appropriate review of cyber security and data protection, including reviewing terms and conditions, privacy policies and other documentation relating to third-party apps. This would have been done due to the need to quickly adapt to the remote learning and teaching situation we found ourselves in; however, as we move forward appropriate reviews and impact assessments will need to be carried out. Additionally, changes to existing platform settings or their usage are likely to have been made to facilitate learning during a lockdown, and as such any previously conducted risk assessments or impact assessments may no longer be valid. These will therefore need to be reviewed and updated.

  • Use of personal devices

During lockdown both students and staff have often either been forced or have chosen to make use of personal devices in remote working and remote learning.    With this comes cyber risk and also data protection implications, such as the potential for school data to end up on a personal device which is shared by different members of a family.    This needs to be considered and risk assessed, and appropriate mitigation measures put in place, whether these be technical measures and/or policy measures.

  • Remote Access

Remote access to systems was key during lockdown. How else would students and staff access the relevant systems, including both teaching and learning, and administrative, systems? We now need to review this situation with a view to cyber security, to limit the risk of the malicious use of remote access by external threat actors, and also to ensure that remote access settings are appropriate to a secure IT environment.

The above 5 issues are the 5 which come most easily to my mind; however, I suspect I could easily continue this blog to cover 10, 15 or even more items which we now need to consider. The pandemic and resulting lockdown required us to work quickly and flexibly to identify solutions. We now need to spend some time to reflect on the decisions made, and to check that in the longer term they continue to be the right decisions.

As I have commented on a number of previous occasions, the issue with data protection and cyber security is that everything is ok until it isn’t. We may have put new systems in place or changed settings to support us through the pandemic. There may be no current issue with what has been done; however, unless we now spend time to analyse the decisions and their potential implications, we run the risk of sleepwalking into a data protection or cyber issue. As some sense of normality hopefully returns to the world, we need to look back at the rapid change the last year has brought and assure ourselves that we are happy with what is now in place.

Less email filtering?

Cyber security is often thought of as a defensive exercise.   It is often thought in terms of preventing threats gaining access however in considering malicious emails I wonder whether there might be a slightly different way to think about it.

My concern is this: if in our cyber defence we do a really good job and prevent malicious emails, such as the all too common phishing email, getting through, then we could potentially create a workforce who are unfamiliar with phishing emails. Our defences may create a situation such that when a phishing email eventually does get through, and this is pretty much guaranteed, the recipients are ill prepared to identify it as malicious and respond to it accordingly. Our defences create a more vulnerable user base. I would also suggest that an expectation of 100% successful filtering is naïve; our filtering solutions are simply not that good, combined with the fact that cyber criminals are constantly adjusting their approach to bypass common filtering solutions and approaches.

Now to be clear, I am not proposing no defence against malicious emails.   What I am suggesting is that having filtering which is at least slightly porous, allowing some malicious emails through may be preferable in developing users who are more aware.

I suspect some may argue that awareness is developed by training and awareness campaigns, etc.; however, I would suggest that these are all proxies for exposure to the real thing, and for learning to deal with the real thing. Again, I am not saying that we shouldn’t have any awareness training, in fact I am a firm believer in the critical importance of awareness training; I am simply suggesting that training is not as effective as real life events.

The challenge with the above is the level of porosity. As I suggest, not porous enough and the user base may be ill prepared; equally, defences which are overly porous will simply expose users to a greater volume of risk through a greater volume of malicious emails. Once again the challenge relates to achieving balance and to managing risk.

Cyber Security ROI

Investment in organisational cyber security is very much a preventative measure to hopefully prevent or reduce the likelihood of a cyber security incident. This investment in reducing a probability is problematic.

The ideal is always that no cyber incidents, where a threat succeeds in having an impact on an organisation, occur; however, as we project off into the future the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.

In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend, more that what has been spent has not delivered the outcomes we wished for and helped in preventing an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.

The issue with all of this is that our current setup is fine until it isn’t. We can be happy with our current investment until it is revealed to be ineffective by an incident, but we don’t want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove what we have is ineffective? And at the same time how can we avoid spending excessive amounts on cyber security, which would draw funds away from the organisation’s core business, assuming the core business isn’t cyber security itself?

I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigation measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting a low business value system.

The above isn’t a science, sadly; there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements, hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn’t easy. Whatever amount you invest there will always be a probability that in the future it will be proven to have been ineffective by a single breach. Those overseeing cyber security must get it right all the time while the cyber criminals only need to get it right once. This is why I continue to believe in a “healthy paranoia”.

We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that’s always easy to do in hindsight, but at the moment of decision making, and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won’t always get it right!

Return on investment on cyber security spend, in my view, will always be difficult. If all goes well then everything runs smoothly and no cyber incident occurs, but this doesn’t prove your investment. The future incident may have been brilliantly prevented or, more likely, it just hasn’t happened yet. Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective. This is the kind of proof you just don’t want to see.

So, for now I will continue with the difficult decision process in relation to cyber security investment: that fine balance between cyber security and business operations/cost.

Lateral attacks

More than ever there is a need for healthy paranoia in how we deal with all communications we receive.

The other day I was looking at Facebook and saw a post appearing to come from one of my relatives outlining how they had made easy money based on a guide on a website they had found. The post seemed out of character and therefore I treated it with a healthy amount of paranoia. Having contacted my brother-in-law via text it became apparent he hadn’t posted the comment on social media. He had in fact been hacked; however, prior to my text he was unaware.

This highlights the dangers of lateral attacks. Rather than come straight at us, the cyber criminal attempts to get to us via a trusted person or organisation. Due to the increasing cyber risk we are all becoming more sensitive to approaches by strangers and how these may in fact be malicious. The cyber criminals have therefore pivoted to trying to use one person’s or one organisation’s accounts to gain access to others. As such they will look at the contacts of a compromised email account and then approach these contacts using the compromised account to send the emails, hoping that because the sender is someone we are familiar with and therefore trust, we will be less suspicious and more likely to click the links or open the attachments.

Given that the number of breached accounts now outnumbers the number of people on the planet, it is no surprise that the lateral attack is becoming more common.

The fact an email comes from someone we don’t know is no longer the key indicator of a malicious email, as increasingly the emails may come from those we know. More than ever there is a need for healthy paranoia in how we deal with all communications we receive.

We also need to be more vigilant of unusual activity on our own accounts which might signal an account compromise and a malicious outsider trying to quietly use our accounts for lateral attacks on our friends, colleagues and other associates.

Huawei: National needs vs. World Internet

The recent issue of Huawei equipment in the UK’s 5G infrastructure highlights the challenges of the internet and technology, which often cross international borders, but where the services and hardware are produced by companies which exist clearly within the borders of countries and therefore potentially within the influence of their governments. There is a clear tension here between the services provided to the internet and the companies providing them.

The Huawei case is very much about internet security. The implication is that Huawei could be influenced by the Chinese government, who could then leverage the Huawei equipment installed in foreign countries’ telco infrastructure to gather intelligence, modify or filter communications, or otherwise impact on the operation of a country through control of its communications systems. This all seems quite logical. Who would want a foreign government to be able to exercise power over their infrastructure?

The issue for me here is that the technologies, either hardware or software, have to be created and then developed and deployed from somewhere in the world. Apple devices, Microsoft Windows, Facebook, Google, all have to come from somewhere and in doing so could be influenced by governments or political powers within that given location. So, the Huawei argument from the perspective of a UK citizen may equally be matched by Chinese concerns over Apple from the perspective of a Chinese citizen. Looking to the US, there is even some precedent for being suspicious, with Kaspersky, which I note is a Russian firm, highlighting in 2015 that the NSA, a US intelligence agency, could “implant spyware on hard drives to conduct surveillance on computers around the world”.

Technology and technology services are used internationally, whether that is a Dell laptop, Dropbox cloud file storage or a newspaper website. Often, these products or services may use components from other organisations, such as Seagate hard drives in a laptop, or Google Analytics or Facebook’s share and like buttons on a company’s website. This further complicates things. The devices, services and components are all used without consideration for international borders. Yet we live in a world where international borders exist, where governments may have a stake in technology companies or may have influence. The risk of influence exists.

One solution to this is to block and to ban. China blocks Google and YouTube, for example, and now it looks like the US and UK are banning Huawei. Meanwhile in Russia they are testing their own national internet system separate from the “real” internet. This may be the direction governments increasingly pursue, to block, ban or create in-country copies, but for me I don’t see how this will work. In China VPNs provide a means to circumvent blocks, while I am sure Chinese semiconductors/microchips are already in so many of our devices in the office and at home. If the service or device works for users, it will find its way into use no matter what governments choose to do.

The answer for me is an acceptance of the complexity of this predicament and that countries will have their own motives or ends that they wish to pursue. It is, in my view, a lose-lose situation. Leave Huawei in place and allow for the risk of Chinese influence, or remove Huawei, which will likely result in counter moves by the Chinese plus, assuming they are seeking to exert influence via technology, them targeting other parts of the worldwide internet infrastructure and services.

All we are left with is a risk-based judgement, which is what I believe must have been taken here. The risk of counter action, Chinese influence over other parts of the internet and the additional cost of changing supplier, including removing existing Huawei technology, must have been judged to be less than the risk created by Huawei technology within the UK’s core or edge network. My worry here is the potential for bias in the decision making. As Pinker (2018) points out, “people are poor at assessing probabilities” so “if two scenarios are equally imaginable, they may be considered equally probable”. Potentially the probability of destructive Chinese action against the UK may have been overestimated. As such the preventative action taken in blocking Huawei may be excessive. Or maybe it isn’t!

And if you want to take this whole discussion a stage further, let’s consider how companies might now influence the world. Take for example Facebook which, if it were a country, would be the biggest in the world based on users. What if we accept that it too may have motives and ends to its actions, beyond simply providing the Facebook platform? Google, Microsoft, Apple, Twitter, etc., may all be the same. But that is possibly for another post.

References:

BBC News. 2020. Huawei 5G kit must be removed from UK by 2027. [ONLINE] Available at: https://www.bbc.co.uk/news/technology-53403793. [Accessed 16 July 2020].

CNet. 2015. NSA planted surveillance software on hard drives, report says. [ONLINE] Available at: https://www.cnet.com/news/nsa-planted-surveillance-software-on-hard-drives-report/. [Accessed 16 July 2020].

Pinker, S., 2018. Enlightenment Now. 1st ed. UK: Penguin House.

TechCrunch. 2019. Russia starts testing its own internal internet. [ONLINE] Available at: https://techcrunch.com/2019/12/26/russia-starts-testing-its-own-internal-internet/?guccounter=1. [Accessed 16 July 2020].

World Economic Forum. 2016. If social networks were countries, which would they be?. [ONLINE] Available at: https://www.weforum.org/agenda/2016/04/facebook-is-bigger-than-the-worlds-largest-country/#:~:text=If%20Facebook%20were%20a%20country%2C%20it%20would%20be,it%20each%20month%20-%20around%201.9%20billion%20people.. [Accessed 16 July 2020].

Digital Citizenship

For a while now I have been sharing, via Twitter and sometimes via LinkedIn, various online articles which I believe relate to Digital Citizenship; however, it recently came to me that it might be useful to curate these tweets so that teachers looking for discussion material in relation to specific aspects of Digital Citizenship might be able to use them.

To that end I created three Wakelets based on three themes which I thought were reasonably common in relation to Digital Citizenship.

  • AI, drones, driverless cars and the other societal changes which tech may bring

https://wke.lt/w/s/kJ3z2B

  • Cyber Security, Data Protection and Big Data

https://wke.lt/w/s/XFOeIs

  • To ban or not to ban?

https://wke.lt/w/s/09MVpQ

It may be that in future I expand the number of themes. I suspect this is highly likely, but for now the above are hopefully a good starting point.

In addition, for ease, I have created a separate section on my site for this curated Digital Citizenship content in case anyone wants to bookmark it. This section is also available via the site’s menu structure.