Cyber: What is a sophisticated attack?

News reports and alerts about cyber incidents in schools often refer to “sophisticated” attacks.   This got me wondering what a sophisticated attack, as opposed to a simple attack, might actually look like.   Are the attacks really as sophisticated as is suggested?

I decided to ask ChatGPT for its view on what might represent a sophisticated attack, and it suggested the following:

Advanced Persistent Threat (APT) attacks – These are long-term targeted attacks that involve a high degree of planning and coordination, often carried out by state-sponsored actors or well-funded criminal organizations.

Zero-day exploits – These are attacks that target previously unknown vulnerabilities in software or hardware, which can allow attackers to bypass security measures and gain unauthorized access to systems.

Social engineering attacks – These attacks involve the use of psychological manipulation to trick users into divulging sensitive information or performing actions that could compromise security.

Ransomware attacks – These are attacks that involve the use of malware to encrypt data and demand payment in exchange for the decryption key, often targeting critical systems such as hospitals or government agencies.

Distributed Denial of Service (DDoS) attacks – These attacks involve overwhelming a target system with a flood of traffic from multiple sources, effectively rendering it unusable.

Considering the above, I would suggest that APT attacks are likely to be very sophisticated, being largely nation-state in nature; however, these attacks are more likely to be targeted at national infrastructure, key research, government offices, etc rather than at schools.   Creating a zero-day exploit is also sophisticated work, in experimenting with and identifying the vulnerability in the first place, but once an exploit has been shared the picture is less clear.   Some exploits remain sophisticated to use and require significant work and expertise; others are much simpler in nature and require little more than the shared instructions for exploiting the identified vulnerability.

Social engineering attacks are likely the most common attacks impacting schools and, as with the discussion of zero-day exploits above, some may simply involve a phishing email whereas others may involve more sophisticated reconnaissance and intelligence gathering, followed by the creation of cloned websites and spoofed emails.   As such the level of sophistication can vary.   

In terms of ransomware, again the level of sophistication varies: some ransomware simply encrypts whatever data it can reach, while other ransomware exfiltrates data first or seeks out and encrypts backups.  There is also the question of how the ransomware is delivered, whether via a social engineering attack or a zero-day exploit, with the delivery method also having variable sophistication.    The same can be said for DDoS, in terms of the number of hosts leveraged in the attack, how those hosts were compromised and controlled, etc, meaning sophistication can again be varied.

From the above it seems clear that each attack method has a range of possible sophistication, and also that a single attack might use multiple attack types, for example social engineering leading to the ability to leverage a zero-day exploit and then deliver ransomware.    So maybe the reports and warnings of “sophisticated” attacks are justified.

But what if we look at the situation through a different lens.    Let’s consider cyber attacks as less targeted and more of a general attack across a mass of organisations or schools.   An attacker might start with a phishing email campaign, as I mentioned above, sent to a large number of organisations using email addresses gathered from the dark web.    The 2020 Phishing Benchmark Global Report suggested that on average 13% of users would click on a phishing email, so this could lead to attempted credential compromise or delivery of malware.     Defensive measures such as MFA, EDR, etc will protect some of those users, so the actual successful compromise rate is lower than the 13% who received and fell for the email.    Let’s assume 75% of the attempted compromises are blocked; 25% of 13% leaves roughly 3% of all recipients where credentials are compromised or malware delivered.    At this point the cyber criminal is focussed only on this 3%.    They might now check the permission level of all the compromised accounts to see whether any are admin accounts, or look for the particular organisations which represent juicier targets, which I would suggest includes schools and colleges.    They might also try a Business Email Compromise (BEC) attack from the compromised accounts, seeking access to an admin account.    The process can be iterative, with each step relatively simple:   a phishing email sent to many;   an automated BEC attack from the accounts compromised in the first step;   a further BEC attack from the new accounts gained in the second step; and on and on until admin credentials are compromised and, for example, ransomware is delivered, or until an interesting or high value target is identified among the compromised credentials.

Looking at the above, the attack is a simple iteration, but viewed from the point of view of the organisation which eventually suffers a ransomware infection it seems complex and “sophisticated”.   The ransomware was installed and encrypted data; this was the result of admin credentials compromised in a BEC attack, which in turn can be traced back to another BEC attack and an originating phishing email.   As a four or more step process it seems fair to consider it “sophisticated”.   But consider that the attacker began with 100,000 targets, whittling this down with each successive step to the one or small number of eventual victims.   At each step, organisations where users were suspicious, where defensive measures were successful, or which were simply lucky, dropped out of the attack; but probability suggests at least a few organisations would remain and become victims.    With this view it may be possible to consider such attacks as less surgical and “sophisticated” and more brute-force and a matter of probability.
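To make the probability argument concrete, here is a small funnel model of the campaign described above. It is an added example and not part of the original post: the step rates (13% click, 25% surviving defences, and the BEC and ransomware success rates) are assumptions for illustration, with only the first two taken from the discussion above. It shows the two views of the same campaign side by side: the per-organisation chance of ending up as the victim is tiny, while the chance that the campaign produces at least one victim is effectively certain.

```python
"""Funnel model of a mass, multi-step phishing -> BEC -> ransomware campaign.

Each step keeps only a fraction of the organisations that survived the
previous step. Targets are treated as independent, which is a simplifying
assumption (real campaigns hit correlated populations, e.g. one sector).
"""
from math import prod


def expected_survivors(targets: int, step_rates: list[float]) -> list[float]:
    """Expected number of organisations still 'in play' after each step."""
    remaining = float(targets)
    out = []
    for rate in step_rates:
        remaining *= rate
        out.append(remaining)
    return out


def per_target_probability(step_rates: list[float]) -> float:
    """Chance that one given organisation fails every step (the victim's view)."""
    return prod(step_rates)


def prob_at_least_one_victim(targets: int, step_rates: list[float]) -> float:
    """Chance the campaign yields at least one victim (the attacker's view)."""
    p = per_target_probability(step_rates)
    return 1.0 - (1.0 - p) ** targets


# Assumed step rates (constructed for illustration):
#   0.13  user clicks the phishing email      (from the 2020 benchmark report)
#   0.25  compromise not blocked by MFA/EDR   (75% blocked, as in the post)
#   0.10  automated BEC from a compromised account yields a further account
#   0.10  second BEC round yields an admin account
#   0.50  ransomware successfully deployed with those admin credentials
CAMPAIGN = [0.13, 0.25, 0.10, 0.10, 0.50]
STEP_NAMES = ["phishing click", "not blocked", "BEC round 1", "BEC round 2", "ransomware"]


def funnel_report(targets: int = 100_000, step_rates: list[float] = CAMPAIGN) -> dict:
    """Summarise both viewpoints for a campaign against `targets` organisations."""
    survivors = expected_survivors(targets, step_rates)
    return {
        "expected_after_each_step": dict(zip(STEP_NAMES, survivors)),
        "expected_victims": survivors[-1],
        "per_target_probability": per_target_probability(step_rates),
        "prob_at_least_one_victim": prob_at_least_one_victim(targets, step_rates),
    }


if __name__ == "__main__":
    report = funnel_report()
    for name, n in report["expected_after_each_step"].items():
        print(f"{name:>15}: {n:10.1f} organisations remaining")
    print(f"per-organisation chance of being the victim: {report['per_target_probability']:.6f}")
    print(f"chance the campaign produces >=1 victim:     {report['prob_at_least_one_victim']:.6f}")
```

Swap in your own organisation's measured click rate (from a phishing exercise) and block rate to see how far each control moves the funnel; note that the campaign-level probability barely changes until the per-target probability becomes smaller than about 1 divided by the number of targets.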

Conclusion

I suspect the description “sophisticated” can be considered appropriate given the multiple steps which may have been involved; however, I think it wrongly gives an impression of the level of cyber skill and expertise that was involved.   I acknowledge that in some cases the attacks will have been complex and involved a high level of skill, but I would suggest that in most cases this isn’t true:  the attacks involved multiple simple attacks made against a large number of organisations at once, iterating down to a small number of eventual victims through a process of elimination.   

Another way to look at this is to consider how “sophisticated” may suit the narrative of leaders and marketing staff, so that it is more about shaping the perception of the attack than an actual assessment of the attack itself.   Thinking about it, maybe this is the truth of the matter: who is going to own up to being subject to a “simple” attack?   So it is no wonder that most, if not all, reported incidents are described as “sophisticated”. If this is true, then describing attacks as “sophisticated” in general press releases or alerts, although possibly appropriate, doesn’t actually tell anyone anything about the nature of the attack.

References:

2020 Phishing Benchmark Global Report (2020), Terranova Security & Microsoft.

End to end encryption: Ensuring privacy or increasing the risk of harm?

There have been some recent calls, in relation to safeguarding, for Meta to refrain from adding end to end encryption to the messaging functionality in some of their apps.    It makes initial sense to consider the potential risk of harm to children and others through harmful online content or contact.   How can agencies, schools and individuals protect people, including the young, from harmful content or contact when they are unable to identify the content due to encryption?   How can criminals be prosecuted when key evidence is inaccessible because it is encrypted?   The challenge, however, is establishing the implications of weakening or removing encryption, as like most things there is a balance: improvements in monitoring and detection gained by removing or weakening encryption will bring other, less positive, counter implications.   I would also note that simply sticking with the current level of encryption, while technology moves on and criminal skills and approaches continue to develop, equates to a weakening over time; we can either continue to strengthen our approach or, by doing anything else, whether reducing encryption or doing nothing, effectively choose to weaken it. So, what are the general implications should we choose to reduce or remove encryption, rather than seeking to strengthen it?

Increased vulnerability to cyber attacks

Encryption is a key tool used to protect data and information from unauthorized access. Weakening or removing encryption makes it easier for cybercriminals to break into systems and gain access to sensitive information which in turn puts individuals, including children, more at risk.  At a time when individual privacy is such a hot topic anything which may reduce or put at risk this privacy is of concern.

Increased surveillance

Weakening encryption can also make it easier for governments and other organisations to monitor online activities and communications.  It may be that this monitoring is done in our interests, in the interests of safeguarding for example, but there is the potential for the data or the monitoring solutions to be misused.   They could be used for invasive monitoring and surveillance, to identify individuals based on their beliefs or political views for example.   They may be used to challenge or silence views counter to those of the government or intelligence agencies.   The data gathered may allow other data to be inferred in ways which violate individual privacy and freedom of speech.  Or systems used correctly and ethically may suffer data breaches, resulting in the data or the systems being misused for criminal or unethical purposes.   Increased surveillance capability through weakened encryption is a significant potential risk to individual privacy.

Loss of trust

Weakening encryption can erode public trust in online communication and commerce. This in turn makes users less likely to trust the digital systems which we increasingly rely on in our day to day lives.    The potential impact, should we no longer be able to trust our online communication and collaboration platforms, our online banking, online shopping, etc, would be very significant indeed.    It may also lead individuals to seek out systems in the darker recesses of the internet, where those systems are perceived as more secure and outside government monitoring or surveillance, but where other implications or risks may exist.

Negative impact on businesses

Related to the above, weakening encryption could also have a negative impact on businesses that rely on secure online communication and transactions, including e-commerce sites, financial institutions and healthcare providers.    If encryption is weakened or removed then the users of online services are more at risk, and so are the services themselves.   Individual users may lose data and become subject to fraud or other cyber crimes, while the breached organisation suffers reputational damage, legal claims for compensation and the overall cost of recovery following a cyber incident.    Basically, no-one wins, other than the cyber criminals.

Conclusion

The issue here is one of balance: the balance between individual privacy and protecting individuals from harm online.   Providing privacy also protects the individuals who may cause harm, which makes that harm more likely; but providing protection against online harm weakens the privacy of every individual, even those whose motivations and actions are honest and good.    Sadly, we cannot provide privacy online for some but not for others.   Either privacy and security is built into systems, or it is not, as we have no way of identifying in advance those who may or may not cause harm.   

There is also an issue of pragmatism.   If we reduce the privacy level of some services, by not enabling end to end encryption for example, then users, and particularly those seeking to do harm, will simply move to the services which provide more security and do offer end to end encryption.    I have seen this myself: an unknown user DMs an individual on a major social media platform and then, after a short series of messages, suggests moving to an alternative “better” platform, knowing that it is better suited to protecting their privacy as they go about their likely malicious aims.    

Overall, there is no perfect answer here.    I think technical security and privacy are key to the digital world we live in, but we also need to keep individuals safe online.   Sadly, these two requirements sit largely at opposite ends of a continuum.   I suspect a reduction in technical security would have wider implications for the world than increased security would, although I note it isn’t a zero-sum game.  Personally, I think we need to err towards greater encryption while seeking to mitigate the safeguarding risk as far as reasonably possible through increased discussion, training and education regarding safety and risk online.    Not a perfect answer, I know, but as I said, there is no perfect answer and anyway, we don’t live in a perfect world.  

Cyber culture

Enterprise budgets spent on cyber security have, for a number of years, seen a steep increase; however, at the same time the volume and size of attacks have also continued to increase steeply.  From a return on investment point of view this doesn’t look good.   In how many other areas of a business or school would we be willing to accept increasing spend but worsening results?

Now this isn’t such a big issue for schools and colleges, as the budget available for cyber security is very small indeed; however, viewed from a different perspective, this makes it all the more important to spend what we do have carefully and correctly.  

Or maybe we need to start looking at the problem differently?   If we accept that additional money and associated spends on technology tools and more staff won’t necessarily solve the problem then what can we or should we be doing?

Culture

I suspect this is key to how we need to approach cyber security.  It needs to be “how we do things around here” rather than something which is seen as an IT issue or, where things have progressed a little further, an IT and SLT issue.   Cyber security and appropriate cyber behaviours need to permeate a school, being the responsibility of everyone in the school community.    Everyone needs to understand why it matters and what part they play in keeping users, data and systems safe.     Building such a culture isn’t a quick process, but I suspect it is something we need to start developing now, as part of a longer term journey towards more cyber resilient schools.

Measurement

Another important area is the need for some form of measurement.  In order to make sure our cyber efforts are effective we need to be able to measure that effectiveness.   This might relate to awareness of phishing or to a multitude of other measures we might create in trying to assess our cyber security.    The key is that some sort of measurement exists, so that we actually have data as to how we are doing, can identify the areas we need to focus on, and can assess whether our efforts bring about the positive change we are hoping for.    This measurement could be the data from a phishing awareness exercise, from help desk calls, or even from a RAG (Red/Amber/Green) rating exercise.    It needn’t be overly complex, but it needs to provide meaningful data about where we are at the point the measurement is taken.

Accountability

The third area which I think is key, and which was shared at a TEISS InfoSec event I attended, is the need for accountability.   We might have data as to where we are, or where a given department is, or a school within a school group, but who is responsible and accountable for moving things forward?    We need to ensure this is clearly identified and, again, it isn’t simply an IT issue; it should belong to the business, the school.   It may therefore be that the HR manager is responsible for the HR department, while the academic Head is responsible for academic data, processes and staff.    Whatever the accountability lines are, they need to be clear and understood.

Conclusion

On reflection, the above isn’t a quick fix; culture takes a long time to develop, and even establishing accountability and measures for assessing cyber readiness will take time.  We need to ensure we are measuring the right things and that accountability is set at the correct hierarchical level, and getting this right will take some time.   That said, the current approach, and the complaint regarding lack of money and resources, doesn’t work, as additional money and resources haven’t solved the issues for those which currently have more of both.    As such I think we need to focus on cyber culture in the same way we have previously focussed on safeguarding culture in schools.   Maybe we all need to be focusing on cyber culture?

TEISS European Information Security Summit

I try to step outside education at least once each year, looking at the bigger technology world by attending an industry event.  The most recent of these was the TEISS European Information Security Summit on 23rd Feb in London.    I feel it is important to keep up to date with the wider technology world, to sense check my thoughts and ideas and to benchmark technology in education against technology in other sectors.    During the event it was interesting to have discussions with people from a diverse range of industries, including highly regulated industries like banking.   Hearing that they suffer similar issues to education, such as shadow IT or difficulty identifying responsibility for data, but at a much larger scale, was reassuring.

Given below are some of my takeaways and thoughts from the various sessions and discussions I had throughout the course of the conference.

Budgets and Cyber

One of the first takeaways from the event related to cyber security and budgets.    It was presented that cyber budgets and cyber spending have been increasing for a number of years.   It was also indicated, however, that the volume and size of attacks continue to increase.    For me this suggests that more budget, including the additional staffing that comes with it, does not necessarily solve or improve the situation in relation to cyber.   From the point of view of schools and colleges this is important given the limited budgets available.    I think it highlights the need to approach cyber and cyber risk a little differently, including being more accepting of the fact that we will never reach 100% secure, and therefore treating cyber as a journey: focusing on our key “business” assets and on continual improvement in cyber security in whatever form this may take, including simple and small improvements.

Gamification

User awareness and cyber security culture was one of the three main streams offered at the conference, with one session looking specifically at the potential use of gamification in cyber security awareness training.   It is true that cyber security and other online training is often a boring process of reading a screen of text and clicking next repeatedly before completing a test at the end.   This is clearly not an engaging experience and therefore probably one where little long term or deep learning takes place;  we may remember enough to answer the test at the end, but ask the same questions a week later and I suspect retention of the content will have dropped to very low indeed.   So this is where gamification comes in.    The presenters identified two types of gamification, content-based and structure-based.   In content-based gamification the content itself is presented as a game.  In structure-based gamification the content is the same but is wrapped in some sort of leader board, prize or other enticement to engage users.   As the session was presented I was thinking of the potential of doing a Kahoot quiz with heads of department where they need to identify whether emails are trustworthy or not, for example.     I also thought about some sort of competition between departments, so maybe a quiz or phishing test which results in a cyber score which can be reported and compared with other departments.   This is one area I will certainly be looking into in the short term, to see how I can gamify user awareness materials and processes and what impact that has.

Civic duty rather than organisational cyber security awareness

Another point made during the conference was to engage people on security awareness beyond simply keeping the organisation’s data secure, and to accept that we can also deliver a civic benefit in making users more secure, both personally and professionally.   Where we do this we are more likely to engage users and have them learn from awareness programmes, and we also address the risk of a personal cyber incident impacting on the school or other organisation anyway.  Take for example a compromised personal mobile phone:  it may have organisational email on it, or information about the individual which could be used to craft an attack against them in their professional context, among other data which could pose a risk to the organisation.

Regulation as a change agent

One of the panel sessions I attended involved discussion of change and of compliance with security standards, change processes, etc.     From a school and college point of view this can be difficult, as although policies are in place they are sometimes overlooked, and busy staff, both teachers and support staff, as well as students, may fail to engage with requirements or training around cyber security.    One of the panellists highlighted that this wasn’t an issue in financial technology (FinTech) because the business is heavily regulated, meaning the penalties for non-compliance, for both the individual and the organisation, can be quite extreme.   Taking this insight and applying it to education got me thinking of the potential for the DfE to set requirements and for ISI and Ofsted to then include these within their inspection requirements.   The release of the DfE standards is a small step towards this; however, I suspect that is about as far as things will progress, which, without any monitoring or penalties for non-compliance, is very limited in terms of impact.

Cyber insurance

There was a good session discussing cyber insurance with a very clear takeaway.  The session talked about how the cyber insurance market has seen policy costs increase along with greater requirements to get insured.   The questionnaires which you need to complete were a particular focus of discussion, in that some of the questions are not easy to answer or are not appropriate in a given context.   I had never really thought about this, but the panel highlighted that the purpose of these questionnaires is for the underwriters to get a view of the risk in order to provide their proposal.   As such, if the questions don’t make sense it is the underwriters we need to discuss this with, to find out what they were hoping to learn from a given question.   Apparently the underwriters often don’t have direct access to client information, as this is handled by the broker, so it is for the client, the school or college, to request a discussion with the underwriter and initiate the dialogue.

Conclusion

Cyber security seems to me to be very much a business risk, including where that business is the education of students.    As such it impacts all organisations, although the scope of impact and of risk varies.    This means there is a lot to gain from sharing experiences and ideas across sectors rather than just within them.    Having attended this industry focused information security event, where I think I may have been one of very few from the education sector, I came away with a fairly long list of ideas and things to try.    

But if I am to leave this post with one thought it is that maybe we need to get past the doom and gloom of cyber and become more accepting of doing what we reasonably can and of seeking to constantly improve, even where these improvements might only be small and minor;   it is about risk management. Any progress in the right direction is progress after all.

Ransomware – A criminal enterprise

A recent story of a ransomware incident impacting a hospital for sick children highlighted for me how ransomware, and by extension other cyber-crime, is often a criminal enterprise.   It is run by individuals and groups in much the same way that a conventional business would be run, but to criminal ends.

The story in question related to a ransomware incident which impacted SickKids just prior to Christmas this year.    The incident was reported as resulting in longer patient waiting times; however, where this story diverges from the normal ransomware story is that the ransomware gang publicly apologised for the attack and provided a free decryptor tool to help the hospital.   It is unclear whether the decryptor worked on all or some of the affected systems, or even whether it was used at all, as running a file provided by a criminal operation doesn’t come without its risks.   The ransomware gang also stated that the attack came from a “partner” who had been expelled from the gang’s “affiliate program” for violating the gang’s rules.

If we change the context to a simple and legal business operation a lot of the above would still make sense.   Affiliate programs, business or partnership rules, a public apology for an error plus the offer of support: this is what you might expect from a conventional business operation, not a criminal gang.

This I believe is the big challenge for education and the wider world: we need to accept that some see a business opportunity, an opportunity to make money from the illegal activity of cyber-crime.   While this continues to be the case, criminal gangs and cyber crime will continue to exist.   And if we consider the increasing technology usage and increasing volumes of data being gathered in society as a whole, this opportunity can only be viewed as continually increasing.    Additionally, if we extend the business analogy, these illegal gangs will constantly seek to improve, to expand existing revenue streams and to create new ones, in much the same way as a conventional, legal business would.

So cyber crime is likely to continue to grow as a threat, and this is pretty much inevitable.   What do we therefore do to protect ourselves?    For me it comes down to a number of things, for organisations but also for individual staff: regularly reviewing, testing and improving defensive measures, while also preparing to deal with an incident when it eventually arises.  It is about building awareness of the risks and preventative measures, and building a wider cyber culture in organisations.  

All of this makes me think of business competition, where two businesses fight it out in a given sector or product market to see who wins.   Coke vs. Pepsi for example.  Here, however, one business is legal, fighting against another which is an illegal, criminal enterprise.    I can’t help but think that this is an inherently unfair fight, but one that will continue to become more and more common!

JISC Security Conference Day 2

It’s been a few days since the JISC Security Conference however I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event.   As such I thought I would share some thoughts following Day 2 of the conference.

Defend as one

During the second day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents.   I will admit it was good to hear their experiences, as generally all we get to hear about cyber incidents in schools, colleges and universities is the news posts, which lack any detail as to the cause and impact of the incident or the resulting recovery operations.   It would be good to hear more of the details around cyber incidents in schools, etc, as there is a great opportunity for us to learn from each other’s experiences and collectively seek to be more secure, as summed up by the JISC conference tag line, “Defend as one”.    I will, however, note the challenge here given the sometimes sensitive nature of such information.

Cyber:  An IT issue?

The event itself was very useful for me as a Director of IT, being surrounded by others in similar roles; however, as identified by one of the speakers, this also represents a challenge.    Technology security is not solely the responsibility of IT.    It is the responsibility of all those who use technology, who manage or own data, who lead departments, and who lead or govern within educational institutions.      Equally, all of these people need to be on board and considering what they would do in the event of a critical technology incident, where they will need to keep operations going while the IT team focusses on the technical issue.     Yet the JISC security conference was mainly attended by IT people.   Clearly there is a need for others to be more engaged, and I will certainly be looking to encourage non-IT senior staff to attend events like this in the future.

Third Parties and supply chain risk

As the second day proceeded, I started to see some key themes and messages emerging, some of which aligned with my own thinking, one being the risk associated with third parties and the supply chain.   Increasingly we use external solutions, either hosted online or supplied by a third party and running on our own networks.   Examples might include a third party hosted website, a CCTV solution hosted on site, or a visitor management solution hosted on site.    These solutions have access to school data or sit on the school network, and as such may represent a risk to the data should the supplier suffer a cyber incident, or a risk to the school network itself.   If on the school network, they might introduce vulnerabilities which we are unable to address ourselves, and where instead we must wait for the supplier to identify and resolve them by developing and deploying an update or patch.   This risk highlights the need for due diligence before introducing new solutions.  This didn’t really happen during the pandemic, as we sought to act quickly to address the challenges, so there is work to do in carrying out due diligence for the systems now in use.   Also, due diligence at the point of purchase is a snapshot:  most technology solutions evolve over time, with new functionality added and existing functionality adjusted and changed, meaning the due diligence originally conducted becomes out of date and inaccurate.  This highlights the need for periodic review, but that is yet another task which needs doing, and who does the due diligence where departments across a school, college or university are sourcing their own solutions?  For me the key is that we need to do more to examine the cyber resilience and disaster recovery plans of the third parties we use.

Prioritisation

Another theme which came across was the extent of the cyber incidents described. Basically, in some cases it meant going back to scratch, turning everything off and rebuilding. But this takes significant time, running into weeks and months. This means it is key to identify the priorities for recovery. What systems and processes need to be recovered first? If we don’t stop and consider this now, while things are running, we will likely find ourselves in the middle of an incident with every department and user screaming that their system or process is the most important, and we will then waste significant time trying to debate and decide. Clearly there is a need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems, such that when an incident occurs there is a clear priority order to work to.
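One way to turn that documented priority order into something you can actually work to during an incident, as an added example that is not from the post: record each system's priority tier together with what it depends on, since a "low priority" service that a critical one needs (DNS under the identity service, say) has to come back first regardless of its own tier. The inventory, its tiers and its dependencies below are constructed assumptions, not any real school's setup.

```python
"""Added example (not from the blog post): derive a documented recovery
order from a system inventory that records each system's priority tier and
the systems it depends on. Names, tiers and dependencies are assumptions."""
from collections import defaultdict

# Constructed inventory: name -> (priority tier, systems it depends on).
# Tier 1 is most critical. Note that "dns" is documented as tier 3 even
# though the tier 1 identity service cannot come back without it.
INVENTORY = {
    "network-core": (1, []),
    "dns": (3, ["network-core"]),
    "identity": (1, ["network-core", "dns"]),
    "backups": (1, ["network-core"]),
    "mis": (1, ["identity"]),  # management information system
    "safeguarding": (1, ["identity"]),
    "email": (2, ["identity"]),
    "finance": (2, ["identity"]),
    "learning-platform": (2, ["identity", "email"]),
    "cctv": (3, ["network-core"]),
    "website": (3, []),
}


def effective_tiers(inventory):
    """Each system's effective tier is the most critical (lowest) tier among
    itself and everything that depends on it, directly or indirectly, so a
    low-priority dependency of a critical system is restored early."""
    dependents = defaultdict(list)
    for name, (_, deps) in inventory.items():
        for dep in deps:
            dependents[dep].append(name)
    eff = {name: tier for name, (tier, _) in inventory.items()}
    changed = True
    while changed:  # tiers only ever decrease, so this terminates
        changed = False
        for name in inventory:
            for user in dependents[name]:
                if eff[user] < eff[name]:
                    eff[name] = eff[user]
                    changed = True
    return eff


def recovery_order(inventory):
    """Dependencies first, then effective tier, then documented tier, then
    name (Kahn's algorithm). Raises ValueError on an undocumented dependency
    or a cycle, since a plan with either is unusable mid-incident."""
    for name, (_, deps) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise ValueError(f"{name} depends on undocumented system {dep}")
    eff = effective_tiers(inventory)
    remaining = {name: set(deps) for name, (_, deps) in inventory.items()}
    order = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (eff[n], inventory[n][0], n))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order
```

Running `recovery_order(INVENTORY)` places "dns" third, ahead of every tier 2 and tier 3 system, because the tier 1 identity service depends on it; the same inventory kept as a plain ranked list would have left it near the bottom.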

Data Governance

The issue of data governance was particularly notable in discussions related to HE, to universities, and this is likely due to their size and scope when compared with schools and colleges. That however is not to say that the same challenges don’t also exist in schools and colleges. The key question here is about the basics of data management: knowing what data we have, why we have it, where it is and, likely most importantly, who is responsible for it. And in terms of responsibility, I am not referring to IT teams being responsible because they run the systems the data is stored on, but to who the owner of the data is. For example, admissions data doesn’t belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team. IT can never know the processes and uses of all the data stored by different departments on IT solutions, and therefore cannot be responsible for the data management side of such data. It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc. It was clear from some of the discussions that greater effort needs to be made to ensure everyone understands who is responsible for what data.

Conclusion

There was a lot to think about on Day 2 and, to be honest, I haven’t as yet had sufficient time to properly stop and reflect on the day or on the wider conference as a whole. And I suspect it will be a few weeks, and maybe the end of term, before this properly happens.

That said, the above represents some of my initial thoughts based on the copious notes I took during the course of day 2.

I will end on an important message as I see it: this can all seem like doom and gloom. The “when” rather than “if” of a cyber incident, the size and impact of such an incident and the multiple things we need to be doing to prevent and prepare, all against the backdrop that no matter what we do it may still happen. We cannot allow it to be all doom and gloom. My view is therefore that we need simply to seek to continually improve, not to try and do everything, but to seek to be more secure today than we were yesterday.

JISC Security Conference Day 1

I thought it would be useful for this week’s blog to focus on the JISC Security conference in Wales, which I am attending today (Mon 7th Nov) and tomorrow, and which also includes a third day held online.

So, let’s start with my usual travel difficulties. This shouldn’t have been a difficult one as I have driven to the event; however, my car decided to develop some engine issues, including the engine warning light deciding to stay on, plus occasionally flashing alarmingly at me. I noted a reduction in engine power, which meant my cheeks were firmly clenched as I crossed the Prince of Wales bridge in the wind and rain; not somewhere I would want to break down. Thankfully the car got me to my destination and can now have a rest before the return leg.

So, the event itself: as I write this opening part of the blog I am sat waiting for the event to begin. I have high hopes for the conference as there are so many different talks all focussed on the very important topic of technology security in education, principally in Further Education and Higher Education. As a topic, technology or cyber security is increasingly important in schools, colleges and universities as cyber criminals seem set on targeting education. One presenter at the JISC conference suggested education was the number 1 target for ransomware attacks. Sadly it makes sense, due to the data schools, colleges and universities hold, plus the fact that the focus is on education, with cyber security relegated to a secondary or even tertiary concern, often reserved for those working in IT roles. Given the focus of the whole conference is on security, I was very hopeful that I would take away quite a bit from the two days.

One of the big takeaways from Day 1 for me was a document which presented 16 questions for University Vice Chancellors to answer in relation to cyber security. The purpose of the 16 questions is to prompt discussion of cyber security at the highest levels of management in universities. It was clear from conversations with a few people that although this document had been sent to all universities, it hadn’t necessarily been disseminated and discussed. Looking at the 16 questions I could see how they were applicable not just to universities but also to colleges and even schools. This did make me wonder about the need to share ideas and how, at the moment, there are various organisations sharing advice on cyber security, but no-one really collating this and providing it across sectors. For example, the DFE shared guidelines for schools while JISC developed and shared guidance for universities, yet both publications contained some common themes. Wouldn’t it be good if this was shared centrally with all educational institutions regardless of stage or sector?

Another discussion that I found interesting related to how we know, or can assess, how we are doing in relation to cyber in our own organisations. Each school or college should be doing some form of risk assessment, but it would be useful to be able to take this and assess your security against other similar institutions. In HE this could be done using the 16 questions, but it would rely on universities self-assessing and then sharing their findings with a body such as JISC, who could then calculate the “average” preparedness for universities. This average could then be used as a benchmark for comparison. For schools, rather than the JISC 16 questions, the DFE guidelines could be used in a similar fashion.

If there was one big takeaway from day 1 of the JISC event it was that universities, colleges and schools are all subject to similar risks in relation to cyber crime and cyber resilience, albeit with different resources available to address the challenges. As such there is a need to collaborate more across sectors, sharing experiences and knowledge where possible. Currently the sharing is very siloed: schools and MATs share, independent schools share and universities share, but each shares separately. There is a need, in my view, to bring this all together.

Disaster Recovery Planning

Part of cyber resilience is considering what to do when the worst happens. And that worst-case scenario is sadly likely to be inevitable at some point. This worst-case scenario will take the form of a significant incident, a disaster from which the school or college needs to recover, and in planning for this a Disaster Recovery (DR) plan should have been created. But what should such a plan look like?

I have given this quite a bit of thought. Is this disaster recovery plan a long and detailed document, or something much simpler and more digestible?

On one hand we might want the long document and all the details, as in the event of a disaster we will want as much information as possible to help us first with isolating and managing the incident and later with recovery. The issue with this is that when the fire has been lit under the IT Services team due to an IT incident, the last thing anyone wants to do is wade through a long and complex document. I have seen a disaster plan which included lots of Gantt charts with estimated timelines for different parts of the recovery, but how can we predict this with any accuracy against the multitude of different potential scenarios? Additionally, the information you will actually need is likely to depend very much on the nature of the incident.

The flip side is the much more manageable document, which is easier to digest and to look to in a crisis situation when things are high stress, but whose brevity means it will lack some of the detail you may want. That said, a shorter document will be easier to rehearse and prepare with when running simulated and desktop incidents, such that staff remember the structure and are largely able to act without needing to refer too often to the supporting DR plan. It is also more likely to be applicable across a wider range of scenarios.

The above however suggests only two options, detail or brevity and ease of use, but my thinking on DR has led me to conclude we need both. We need a brief incident plan which should be general and fit almost all possible incidents. It should cover how an incident might be called and then which roles will need to be filled, including contact details for the various people who might fill each of the roles. It should cover the initial steps only: getting the incident team together so they can then respond to the specific nature of the incident in hand. It is the outline process for calling an incident and its initial management.

Then we need the reference information which will aid in the identification, management and eventual recovery from an incident. Now most of this should already exist in proper documentation of systems, setup and processes, however this is often missed out. When things are busy it’s often about setting things up, deploying technology or fixing issues, and documenting activities, configurations, etc. is often put off for another day, a day which often never comes. I think the creation of this documentation may actually be key.

Conclusion

The specifics of a DR plan will vary with your context, so I don’t think there is a single solution. For me there are three key factors.

  1. Having a basic plan which is well understood in relation to calling an “incident” and the initial phases of management of such an incident.   This needs to be clear and accessible so as to be useful in a potentially high stress situation.
  2. Having documentation for your systems and setup to aid recovery.  This is often forgotten during setup or when changes are made, however in responding to an incident detailed documentation can be key.
  3. Testing your processes to build familiarisation, to ensure processes work as intended, and to adjust them as needed.

DR planning is critical as we need to increasingly consider an incident as inevitable, so the better prepared we are the greater potential we have for minimising the impact of the incident on our school or college.

EdExec Live

Yesterday I presented at the EdExec Live event in London, where I discussed cyber security in a session purposely mis-titled “Preventing cyber attacks: is your cyber security up to scratch”. The reason the session’s title didn’t really reflect its content is my belief that cyber attacks are now inevitable and that the thinking behind trying to be “secure” or “up to scratch” involves a mental model which doesn’t fit our current reality, especially the reality in busy schools with limited IT resources, and even fewer resources to focus on cyber security or cyber resiliency. As such the session was aimed at highlighting this belief.

Now at this point you might be thinking I am showing some nihilist tendencies in the face of the growing cyber security threats and risks; however, I am certainly not advocating that we consider incidents inevitable and therefore simply down tools and don’t bother with any cyber mitigation, prevention or preparation activities.

What I am advocating is that we accept that we can never do enough, never be up to scratch, so all we can do is what we can. The approach to cyber in schools needs to be to take little steps rather than seeking to reach an imagined point of being cyber secure, a point that is both likely to be unreachable and also likely to constantly shift in response to new technologies, new vulnerabilities, new threat actors and new methods of attack.

I concluded the session with 6 recommendations which are outlined below:

There is no “enough”, so do what you can

As mentioned above, there is no “enough”, so this kind of thinking is no longer appropriate.

Carry out regular risk assessments

We need to treat cyber like health and safety and try to identify the risks and then decide on mitigation measures where possible. If we explore and think about the risks which impact on us, we are likely to be better able to prepare and respond.

Carry out a desktop exercise or “war game”

Our plans and processes often include assumptions. We need to challenge these assumptions, with staff from across the school involved in desktop exercises playing out an example cyber scenario. By playing such incidents through we are likely to be better prepared when incidents happen for real.

Deliver ongoing user awareness

Users continue to be one of the most common factors in cyber incidents, so the more training we can provide the better, but such training needs to be dynamic and ongoing rather than an annual refresher presentation at the start of the year. Cyber needs to come up in meetings and in briefings; it needs to be part of the school’s culture and a constant point for discussion.

Address the cyber security basics

Cyber criminals will take the easy opportunities where they can, and therefore it is important to cover the basics such as patching servers, keeping backups, etc. This is about increasing the friction an attacker might feel, in the hope that they will move on to an easier organisation to attack.

Reach out

Schools and colleges are all in this together, suffering similar challenges and issues in relation to cyber, so collectively we are much stronger. As such, share with other schools, use groups like the ANME, and let’s make a collective effort to protect our schools from attacks and prepare for the inevitable incident.

Conclusion

At the end of the session I concluded with a little question in relation to terminology. Cyber security as a term is now out of fashion, as it suggests that being “secure” is possible when most now acknowledge this is no longer the case. Cyber resiliency is now the term of choice; however I feel that, although better, it still suggests a “resilient” final state is possible, where I believe it is not. My suggestion, which doesn’t have the same ring to it as the above, was continuous cyber improvement, but my request was for someone to come up with a better alternative that wasn’t quite so much of a mouthful.

Is your cyber up to scratch? If you think it is, I suspect you are heading for a fall at some point in the future, or at least that’s what probability would suggest. Are your efforts continuous, regularly reviewed and involving repeated incremental improvements? If so, I think you are most likely going about things the right way, so well done, keep at it, and try not to worry too much!

You can view the slide deck from my session here.

And for those who have followed my usual travel woes, this time I managed to get to London and back with only a 20 min train delay, so unusually uneventful by my standards.

Going phishing?

Phishing emails continue to be one of the most common attack vectors used by cyber criminals, in attacking individuals and organisations, and in attacking schools, colleges and other educational organisations. In schools, where things are increasingly busy, it is important that staff and students have had appropriate training and other resources provided in order to build their awareness and hopefully make them better at identifying such phishing emails. The challenge though is: how do we know if our phishing awareness programme is actually working?

I was originally very reluctant to make use of phishing awareness tests, where a fake phishing email is sent out to assess how many staff would fall for a phishing email and how many staff would report receipt of a phishing email. I felt at the time that it was a little unethical, trying to entrap people who work for my school. I was also worried people would feel it unfair and that it added to workload at a time when everyone is already busy. It wasn’t until an IT conference event where I got discussing the issue with someone working within the police force that my view changed. The catalyst for this change was this point: would I rather identify how susceptible the school is to phishing emails, and how good individuals are at reporting malicious emails, through a real phishing email and the likely compromise of user accounts, or would I prefer to gain this information through a safe test where I would be able to respond and do something about the findings? It didn’t take me long to realise I was better off testing awareness on my own terms rather than waiting for a cyber criminal.

Since this change of view I have set about running regular phishing awareness tests on small groups of users, refining the approach and the follow-up messaging and training materials as a result of the findings. Tests might be targeted on certain areas or departments based on recent events or on trends we are seeing in the types of phishing emails being seen or reported. Follow-up training might focus on the users who were tested, or might take the data from a test and share it with all staff to highlight specific concerns or areas for improvement. In some cases individuals have felt unfairly treated or “entrapped”, however they have generally been more understanding when my reasoning has been explained to them. The main aim is for the testing and the related awareness development programme to be dynamic in nature, constantly changing in response to the external context and the internal awareness levels and habits identified from the test data.

Phishing awareness testing doesn’t in itself improve cyber security or users’ phishing awareness, but it can provide a snapshot of where we are at a particular moment in time and in relation to a specific style or type of phishing email. This, when used in combination with dynamic training materials, can be powerful in building up user awareness of phishing emails, of how to identify them and of what to do when things go wrong and you fall for a phish. Where phishing tests are conducted regularly, with the appropriate follow-up training, communication and awareness development, it can also help develop a culture of cyber security, and this, ultimately, is what we really need to achieve.
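To make that "snapshot" concrete, here is an added example (not the post's own code or tooling) that takes raw results from a phishing awareness test and produces the two numbers worth tracking per department and per round, the click rate and the report rate, then flags the departments whose latest round warrants targeted follow-up training. The result records, departments and the 30% click-rate target are constructed assumptions.

```python
"""Added example (not from the blog post): turn raw phishing awareness test
results into the snapshot the post describes (click rate and report rate per
department per round) and flag departments needing targeted follow-up.
All data below is constructed."""
from collections import defaultdict

# Constructed results: (round, department, user, clicked, reported).
# "reported" is True if the user reported the email, even after clicking;
# reporting after a click is still the behaviour we want to see.
RESULTS = [
    (1, "admin", "u01", True, False), (1, "admin", "u02", False, True),
    (1, "admin", "u03", True, True), (1, "admin", "u04", False, False),
    (1, "teaching", "u05", True, False), (1, "teaching", "u06", True, False),
    (1, "teaching", "u07", False, False), (1, "teaching", "u08", False, True),
    (2, "admin", "u01", False, True), (2, "admin", "u02", False, True),
    (2, "admin", "u03", False, False), (2, "admin", "u04", True, True),
    (2, "teaching", "u05", True, False), (2, "teaching", "u06", True, False),
    (2, "teaching", "u07", True, False), (2, "teaching", "u08", False, True),
]


def rates(results):
    """Per (round, department): sent, clicked, reported and the two rates."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for rnd, dept, _user, clicked, reported in results:
        c = counts[(rnd, dept)]
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    for c in counts.values():
        c["click_rate"] = c["clicked"] / c["sent"]
        c["report_rate"] = c["reported"] / c["sent"]
    return dict(counts)


def follow_up_targets(results, max_click_rate=0.3):
    """Departments needing targeted follow-up after the latest round: latest
    click rate above max_click_rate, click rate up on the previous round, or
    report rate down on the previous round. Returns {department: [reasons]}."""
    by_round = rates(results)
    rounds = sorted({rnd for rnd, _ in by_round})
    if not rounds:
        return {}
    latest = rounds[-1]
    previous = rounds[-2] if len(rounds) > 1 else None
    flagged = {}
    for (rnd, dept), now in by_round.items():
        if rnd != latest:
            continue
        reasons = []
        if now["click_rate"] > max_click_rate:
            reasons.append(f"click rate {now['click_rate']:.0%} above target")
        before = by_round.get((previous, dept))  # None for the first round
        if before:
            if now["click_rate"] > before["click_rate"]:
                reasons.append("click rate rose "
                               f"{before['click_rate']:.0%} -> {now['click_rate']:.0%}")
            if now["report_rate"] < before["report_rate"]:
                reasons.append("report rate fell "
                               f"{before['report_rate']:.0%} -> {now['report_rate']:.0%}")
        if reasons:
            flagged[dept] = reasons
    return flagged
```

On the constructed data the admin department improves between rounds and is not flagged, while teaching is flagged both for being above the click-rate target and for getting worse, which is the kind of finding the post describes feeding back into the next round of targeted training.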