Privacy and OSINT

The more time I spend looking at cyber security the more concerned and paranoid I become, and the more I realise how, in general, we don't pay enough consideration to the data we share online. Take for example a recent post I saw online where an individual was celebrating the purchase of a new house.

They posted a lovely photo of the front of the house, with the for sale sign showing as sold. The photo didn't include the door number; however, it wouldn't take much effort to find the address of the individual concerned. Their photo showed the name and telephone number of the estate agent, giving a rough area based on the UK area code. A quick search on the estate agent's site would give details of houses they had for sale along with photos from that period in time. A quick comparison and you have an address, plus the name of the individual is included in their social media profile. So we now have a name and an address, plus from the social media profile we know what they do for a living and various other bits of info.

The above is an example of OSINT, or Open Source Intelligence: using freely available information to track someone down or build a profile of an individual. It is all too easy given the information we make available online plus the various search tools now available. A logo, an identifiable vehicle, a company name or any manner of other things can help in tracking a person down.

In another post I saw, an individual posted regarding repairs being done by the water board and how the works blocked their driveway. The house number is visible in the photo, as is a house name plate. Again, there is enough information to track the individual down and identify their address, with their name and job identified through their social media profile.

We all too often post photos online, such as photos from our evening run or photos with family, almost always giving away more information than we intended. We may equally share information from health or fitness apps, possibly including run routes, again giving away more than we intended.

This is yet another area of digital citizenship which we need to be discussing in our schools, with staff and with students. If we don't, it is likely that our continual sharing online will continue to compromise our privacy and could result in some individuals putting themselves at risk.

Connected isolation?

How is it that social media allows us to be hyper connected yet we can still feel so much individual isolation?

I found myself wondering this ahead of the Schools and Academies Show, sitting having something to eat on my own while tweeting and otherwise engaging with individuals from all over the world via social media. Isn't connection a key feature of social media, allowing us to have large "friends" groups which we can access even when geographically apart? Shouldn't I therefore have felt connected rather than isolated as I sat there?

A broadcast medium

One possible reason for my feeling of isolation may be the fact that today's social media is very much a broadcast medium. We post outwards on Twitter, on Facebook, on TikTok and on other social media platforms. They are no longer a simple extension of our "in real life" connections, our friends and our families. We hope that someone will reply and engage with what we have posted, or at least provide a like, however this is a hope rather than an expectation. So maybe the isolation relates to the fact that my social media engagement amounts to throwing out posts and updates in much the same way a message in a bottle is cast into the sea in the hope that someone may read it. It isn't the two-way conversation and engagement, the "social" experience, which it pretends to be.

The human animal

This brings us nicely to another possible explanation: how we as humans have been conditioned through centuries of evolution to behave and respond. We are used to smallish social groups rather than the thousands of followers we may achieve on social media. Could it be that we don't have the same connection online with the thousands we send our posts out towards, at least not to the same extent we might have a connection with the stranger we bump into and have a drink with in the pub? I will admit to having a conversation earlier in the day with a stranger in a busy pub, and that this was engaging and enjoyable, and made me feel connected.

We are used to the social experience of face-to-face interactions, of getting verbal, facial and other non-verbal cues in our interactions with people. We have a physiological response to the presence of, and interaction with, those we know and like, and a different physiological response to those we don't get on with. I am not sure, however I suspect there may equally be a physiological response when interacting with people online, though in some ways it may be a lesser response. I will also acknowledge that in some cases the response may be greater or even extreme, spurred on by the safety of being a keyboard warrior distanced from any physical risk which could arise through face-to-face arguments. I would suggest though, if we take the extreme cases out of the equation, that the average physiological response to online interactions is less than that for face-to-face interactions. And so it may be that online interactions feel a little numb when compared with face-to-face interactions.

Conclusion: An illusion of connection but not a very good one

The above is simply a little musing. I have made some great connections with some great people via social media, so as a vehicle towards face-to-face connections it is invaluable. But does the supposed "social" nature of social media, the thousands of online connections, make us think we are more connected than we end up feeling? And if so, does the difference between how connected we think we are and how connected we feel lead to a greater feeling of isolation? Is the feeling of isolation a response to, or a result of, this disparity?

If I were to draw any sort of conclusion I think it would be this: for me, I am happiest when engaged in conversation in person, even with strangers. Social media presents an illusion of connection, and not a very good one, but this illusion can impact on us. I think that is why I felt isolated as I sat there. The solution: to stop engaging in social media in the hope of a connection and to spark up a conversation with someone, to do what we as humans have been doing for centuries and engage with a fellow human being in a face-to-face conversation where I can actually feel properly connected.

Online Safety – Meta/SWGfL Event

This week included a little visit to the Meta offices in London for an SWGfL event focussed on online safety. I decided to attend this event as I believe in the importance of online safety and in the wider issue of digital literacy or digital citizenship. I am also highly conscious of the challenges from a technology point of view given the ongoing focus by technology vendors on individual privacy, including the use of encryption, over public good and online safety. It was also a great opportunity to bump into Abid Patel, although he had to remind me of the need for the obligatory selfie.

Digital Literacy

During the course of the event the term digital literacy was used, which I take to mean something similar to "normal" literacy but in terms of digital media. I don't think this term goes far enough, although I am happy for others to disagree with me on this. For me, digital literacy may cover a user's use of technology and their understanding of how and when to use it, but it doesn't stretch to the issues of behaviour online and the online identities we develop as we post increasing amounts of content online. As such, my preference over the term "digital literacy" has always been a focus on "digital citizenship", of which digital literacy may form a part. It may seem a minor point, but for me it is an important one.

Being online

One message which was quite clear from the event was the extent to which our students are now online. The opening session quoted a figure of 3 hours and 36 minutes as the average time spent online per day by 9-16 year olds. If we assume 8 hours of sleep, that's over 20% of a child's waking day spent online. For weekends the figure was higher still, plus it was noted that children are increasingly "multi-screening", using multiple devices such as a laptop and a phone at once, thereby allowing them to consume more content in less time. From a risk point of view, the more content consumed the greater the risk of inappropriate or even harmful content being consumed.

Another statistic shared identified that below 5% of internet users in 2003 were under 18, yet now the figure stands at almost 40%. A big jump, suggesting a clear trend, and again highlighting how our children and students are now highly active online.

Guidance and help

In relation to help dealing with living online, it was noted that parents were viewed as the main source of help and support for issues experienced online, with teachers taking second place. Unsurprisingly, though, a survey of teachers noted training and the ability to keep pace with technology as two barriers to being able to properly support students online. In relation to keeping pace with technology, I think we need to acknowledge that we can never really keep pace. On reflection, I found myself more able to keep pace when I was a younger teacher than I am now; this may be age related, however it could equally be technology related in that the pace of tech change is now quicker than it was when I was younger. I think the important thing here isn't necessarily knowing the answers but being open about not knowing the answers and accepting that the discussion with students may itself have value.

In terms of training, this makes me think of a poster in my office stating that students never ask for professional development, or training, on using technology. I will note this statement is overly simplistic, but it aims to get across a point regarding the massive number of resources and help available online plus the increasingly intuitive nature of [simple] apps. Maybe we need to be more willing to "just Google it" in relation to technology? That aside, the issue with training is where it is going to fit into the already busy curriculum and crowded workload of today's teachers. Surely it cannot be yet another thing added, and who ever subtracts, from workload? I don't have an answer to this one, however I think the topic needs to become something regularly discussed in staff rooms, insets, assemblies, etc. It needs to become part of the culture, and with this I recognise it may take time for this change to occur, at a time when technology changes occur so much faster. So, for now, for me, I am regularly trying to prompt discussions and thinking in relation to digital citizenship just by doing simple things such as highlighting news stories in our school weekly bulletin. The individual effect is low, however my hope is that over time it will build awareness and discussion.

Conclusion

The event had a fair few points of interest and things I could take away, far more than I have outlined above. I had hoped that it might help answer the challenge of balancing the need to protect students against the prevailing narrative regarding the importance of individual privacy. Sadly, I don't think the event provided any real answers in this area beyond some evidence that Meta are partnering with organisations to help address the problem, and that efforts are being made. Are these efforts enough? I am not sure there will ever be enough effort, as any single loss of life or significant impact on the life of a young person will always be considered sufficient evidence that more could have been done. The fact Meta are supportive of a programme allowing individuals, including children, to log a fingerprint (a hash) of non-consensual intimate imagery, such that matching uploads can be automatically quarantined and even removed, is good news. I find this interesting given Apple seem to have allowed their proposal of scanning for Child Sexual Abuse Material (CSAM) to quietly disappear from discussion. So maybe there is progress being made after all?

It was a useful event. The more we can discuss the challenges, the more evident they become and the greater the chance we can seek to manage and mitigate them together. And this is another takeaway: that the event marked a number of individuals and organisations coming together to discuss the issue. This needs to continue and grow in frequency.

JISC Security Conference Day 2

It's been a few days since the JISC Security Conference, however I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event. As such, I thought I would share some thoughts following Day 2 of the conference.

Defend as one

During the course of the 2nd day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents. I will admit it was good to hear their experiences, as generally all we get to hear of in relation to cyber incidents in schools, colleges and universities is the news posts, which lack any of the detail as to the cause and impact of the incident or of the resulting recovery operations. It would be good to hear more of the details around cyber incidents in schools, etc., as there is a great opportunity for us to learn from the experiences and collectively seek to be more secure, this being summed up by the JISC conference tag line, "Defend as one". I will however note the challenges in relation to this due to the sometimes sensitive nature of such information.

Cyber:  An IT issue?

Now the event itself was very useful for me as a Director of IT, being surrounded by others in similar roles; however, as identified by one of the speakers, this also represents a challenge. Technology security is not solely the responsibility of IT. It is the responsibility of all those who use technology, who manage or own data, who lead departments and who lead or govern within educational institutions. Equally, all these people need to be on board and considering what they might be doing in the event of a critical technology incident, where they will need to try to keep operations going while the IT team focusses on the technical issue. Yet the JISC security conference was mainly attended by IT people. Clearly there is a need for others to be more engaged, and I will certainly be looking to encourage other non-IT senior staff to attend events like this in the future.

Third Parties and supply chain risk

As the second day proceeded, I started to see some key themes and messages coming out, some of which aligned with my own thinking, one of these being the risk associated with third parties and the supply chain. Increasingly we are using more external solutions, either online-based solutions or solutions where we have technology from a third party running on our networks. Examples might include a third-party hosted website, a CCTV solution hosted on site, or a visitor management solution hosted on site. These solutions have access to school data or may sit on the school network, and as such may either represent a risk to the data should the supplier suffer a cyber incident, or could represent a risk to the school network itself. If on the school network, they might introduce vulnerabilities which we are unable to address ourselves and where instead we must wait for the supplier to identify and resolve them by developing and deploying an update or patch.

So this risk highlights the need for due diligence before introducing new solutions. This didn't really happen during the pandemic, as we sought to act quickly to address the challenges, so there is work to do in carrying out the due diligence for systems now in use. Also, due diligence at the point of purchase represents a snapshot. Most technology solutions evolve over time, with new functionality being added or existing functionality adjusted and changed, meaning the due diligence which was originally conducted becomes out of date and inaccurate. This highlights the need for periodic review, but this is then yet another task or piece of work which needs doing, and who does this due diligence where departments across a school, college or university are sourcing their own solutions? For me the key here is that we need to do more in relation to examining the cyber resiliency and disaster recovery plans of the third parties we use.

Prioritisation

Another theme which came across was the extent of the cyber incidents described. Basically, in some cases it meant going back to scratch, turning everything off and rebuilding. But this takes significant time, running into weeks and months. This means it is key to identify the priorities for recovery. What systems and processes need to be recovered first? If we don't stop and consider this now, while things are running, we will likely find ourselves in the middle of an incident with every department and user screaming that their system or process is the most important, and we will then waste significant time trying to debate and decide. Clearly there is a need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems, such that when an incident occurs there is a clear order to work to.
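A documented priority order is only usable in an incident if it also respects dependencies: a top-priority system such as the student records database cannot come back before the identity, network and backup services it relies on, so those prerequisites inherit its urgency whatever tier they were given on paper. The Python below is an added example, not from the original post or from JISC; the inventory, tiers and dependencies are a constructed, hypothetical school estate. It pushes each system's urgency down to its prerequisites (so a tier-2 backup platform that a tier-1 system depends on becomes tier 1), then produces a recovery sequence by topological sort that always restores the most critical ready system first, and refuses to produce a plan if the documented dependencies contain a cycle or name an unknown system.

```python
"""Dependency-aware recovery ordering for a system inventory.

Added example. The inventory below is constructed and hypothetical:
tier 1 = restore first (hours), tier 2 = days, tier 3 = can wait (weeks).
Each entry is name -> (documented tier, list of prerequisite systems).
"""
from collections import defaultdict

INVENTORY = {
    "identity (AD/SSO)":     (1, []),
    "core network/DNS":      (1, []),
    "backup platform":       (2, []),   # documented as tier 2 ...
    "MIS (student records)": (1, ["identity (AD/SSO)", "core network/DNS",
                                  "backup platform"]),  # ... but tier 1 needs it
    "email":                 (2, ["identity (AD/SSO)", "core network/DNS"]),
    "finance":               (2, ["identity (AD/SSO)", "MIS (student records)"]),
    "VLE":                   (2, ["identity (AD/SSO)", "core network/DNS"]),
    "CCTV":                  (3, ["core network/DNS"]),
    "visitor management":    (3, ["core network/DNS", "identity (AD/SSO)"]),
    "website (hosted)":      (3, []),
}


class RecoveryPlanError(ValueError):
    """The documented inventory cannot be turned into a recovery order."""


def _check_references(inventory):
    # A plan that names a prerequisite nobody documented is worthless mid-incident
    for name, (_, deps) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise RecoveryPlanError(f"{name!r} depends on unknown system {dep!r}")


def _dependents(inventory):
    # Reverse edges: prerequisite -> systems that need it restored first
    rev = defaultdict(list)
    for name, (_, deps) in inventory.items():
        for dep in deps:
            rev[dep].append(name)
    return rev


def _kahn(inventory, key):
    """Topological order (Kahn's algorithm); `key` ranks the ready systems."""
    indegree = {name: len(deps) for name, (_, deps) in inventory.items()}
    dependents = _dependents(inventory)
    ready = [n for n, k in indegree.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=key)          # most urgent ready system goes next
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(inventory):
        stuck = sorted(n for n, k in indegree.items() if k > 0)
        raise RecoveryPlanError(f"circular dependency among {stuck}")
    return order


def effective_tiers(inventory):
    """Each system's tier, promoted to the most urgent tier of anything that needs it."""
    _check_references(inventory)
    dependents = _dependents(inventory)
    eff = {}
    # Walk leaves-to-roots so every dependent's effective tier is known first
    for name in reversed(_kahn(inventory, key=str.lower)):
        own = inventory[name][0]
        eff[name] = min([own] + [eff[d] for d in dependents[name]])
    return eff


def recovery_order(inventory):
    """Restore sequence: prerequisites first, most critical effective tier first."""
    eff = effective_tiers(inventory)
    return _kahn(inventory, key=lambda n: (eff[n], n.lower()))


if __name__ == "__main__":
    tiers = effective_tiers(INVENTORY)
    for i, system in enumerate(recovery_order(INVENTORY), 1):
        documented = INVENTORY[system][0]
        note = f" (promoted from tier {documented})" if tiers[system] != documented else ""
        print(f"{i:2d}. tier {tiers[system]} {system}{note}")
```

Running it lists the backup platform first, promoted from its documented tier 2 because the tier-1 student records system cannot be rebuilt without it; a plan that had simply sorted by the documented tier would have left it until after the MIS. Keeping the inventory in a file that department data owners maintain, and running this check before each review, turns the priority order from a one-off document into something that fails loudly when a new system is added without its dependencies.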

Data Governance

The issue of data governance was particularly notable in discussions related to HE, to universities, and this is likely due to their size and scope when compared with schools and colleges. That is not to say, however, that the same challenges don't also exist in schools and colleges. The key question here is about the basics of data management: knowing what data we have, why we have it, where it is and, likely most importantly, who is responsible for it. And in terms of responsibility, I am not referring to IT teams being responsible because they run the systems the data is stored on, but to who the owner of the data is. For example, admissions data doesn't belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team. IT can never know the processes and uses of all the data stored by different departments on IT solutions, and therefore cannot be responsible for the data management side of such data. It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc. It was clear from some of the discussions that greater effort needs to be made to ensure everyone understands who is responsible for what data.

Conclusion

There was a lot to think about on Day 2 and, to be honest, I haven't as yet had sufficient time to properly stop and reflect on the day or on the wider conference as a whole. I suspect it will be a few weeks, and maybe the end of term, before this properly happens.

That said, the above represents some of my initial thoughts based on some of the copious notes I took during the course of Day 2.

I will end on an important message as I see it: this can all seem like doom and gloom. The "when" rather than "if" of a cyber incident, the size and impact of such an incident, and the multiple things we need to be doing to prevent and prepare, all against the backdrop that no matter what we do it may still happen. We cannot allow it to be all doom and gloom. My view is therefore that we need to simply seek to continually improve, not to try and do everything, but to seek to be more secure today than we were yesterday.

JISC Security Conference Day 1

I thought it would be useful for this week's blog to focus on the JISC Security Conference in Wales, which I am attending today (Mon 7th Nov) and tomorrow, and which also includes a third day held online.

So, let's start with my usual travel difficulties. This shouldn't have been a difficult one as I drove to the event; however my car decided to develop some engine issues, including the engine warning light deciding to stay on, plus occasionally flashing alarmingly at me. I noted a reduction in engine power, which meant my cheeks were firmly clenched as I crossed the Prince of Wales Bridge in the wind and rain; not somewhere I would want to break down. Thankfully the car got me to my destination and can now have a rest before the return leg.

So to the event itself. As I write this opening part of the blog I am sat waiting for the event to begin. I have high hopes for the conference as there are so many different talks all focussed on the very important topic of technology security in education, principally in Further Education and Higher Education. As a topic, technology or cyber security is increasingly important in schools, colleges and universities, as cyber criminals seem set on targeting education. One presenter at the JISC conference suggested education was the number 1 target for ransomware attacks. Sadly it makes sense, due to the data schools, colleges and universities hold, plus the fact that the focus is on education, with cyber security relegated to a secondary or even tertiary concern, often reserved for those working in IT roles. Given the focus of the whole conference is on security, I was very hopeful that I would take away quite a bit from the two days.

One of the big takeaways from Day 1 for me was a document which presented 16 questions for university Vice Chancellors to answer in relation to cyber security. The purpose of the 16 questions is to prompt discussion of cyber security at the highest levels of management in universities. It was clear from conversations with a few people that although this document had been sent to all universities, it hadn't necessarily been disseminated and discussed. Looking at the 16 questions I could see how they were applicable not just to universities but also to colleges and even schools. This did make me wonder about the need to share ideas and how, at the moment, there are various organisations sharing advice on cyber security, yet no-one really collating this and providing it across sectors. For example, the DfE shared guidelines for schools while JISC developed and shared guidance for universities, yet both publications contained some common themes. Wouldn't it be good if this was shared centrally with all educational institutions regardless of stage/sector?

Another discussion that I found interesting related to how we know, or can assess, how we are doing in relation to cyber security in our own organisations. Each school/college should be doing some form of risk assessment, but it would be useful to be able to take this and assess your security against other similar institutions. In HE this could be done using the 16 questions, but it would rely on universities self-assessing and then sharing their findings with a body such as JISC, who could then calculate the "average" preparedness for universities. This average could then be used as a benchmark against which to compare. For schools, rather than the JISC 16 questions, the DfE guidelines could be used in a similar fashion.

If there was one big takeaway from Day 1 of the JISC event, it was that universities, colleges and schools are all subject to similar risks in relation to cyber crime and cyber resilience, albeit with different resources available to address the challenges. As such there is a need to collaborate more across sectors, sharing experiences and knowledge where possible. Currently the sharing is very siloed: schools and MATs share, independent schools share and universities share, but each shares separately. There is a need, in my view, to bring this all together.