Category: cyber

Cyber: What is a sophisticated attack?

Looking at news reports or alerts in relation to cyber incidents in schools they often refer to “sophisticated” attacks.   This got me wondering about what a sophisticated attack, rather than a simple attack, might look like.   Are the attacks quite as sophisticated as is suggested?

I decided to make use of AI and ChatGPT for its view on what might represent a sophisticated attack and it suggested the below:

Advanced Persistent Threat (APT) attacks – These are long-term targeted attacks that involve a high degree of planning and coordination, often carried out by state-sponsored actors or well-funded criminal organizations.

Zero-day exploits – These are attacks that target previously unknown vulnerabilities in software or hardware, which can allow attackers to bypass security measures and gain unauthorized access to systems.

Social engineering attacks – These attacks involve the use of psychological manipulation to trick users into divulging sensitive information or performing actions that could compromise security.

Ransomware attacks – These are attacks that involve the use of malware to encrypt data and demand payment in exchange for the decryption key, often targeting critical systems such as hospitals or government agencies.

Distributed Denial of Service (DDoS) attacks – These attacks involve overwhelming a target system with a flood of traffic from multiple sources, effectively rendering it unusable.

Considering the above I would suggest the APT attack is likely to be very sophisticated being largely nation state in nature, however these types of attacks are more likely to be targeted against national infrastructure, key research, government offices, etc rather than schools.     I would suggest the creation of zero-day exploits is also very sophisticated in experimenting and identifying the exploit in the first place, however once exploits are shared it is not so clear.  Some exploits are likely to be sophisticated and require significant work and expertise however other exploits may be much simpler in nature and therefore require little more than the shared instructions in relation to exploiting the identified vulnerability.

Social engineering attacks are likely the most common impacting schools and like the discussion above in relation to zero-day exploits, some social engineering attacks may simply involve a phishing email whereas others may involve more sophisticated recon and intelligence gathering, followed by creation of cloned websites and a spoofed email.   As such the level of sophistication can vary.   

In terms of ransomware again the level of sophistication might be varied with some ransomware simply encrypting the data it can get to, while others might exfiltrate data or seek out and encrypt backups.  The is also the issue of how the ransomware gets delivered, whether this might be via social engineering attack or a zero-day exploit, with the delivery method also having variable sophistication.    And the same can be said for DDoS, in terms of the number of hosts leveraged in the attack, how the hosts were compromised and controlled, etc, meaning sophistication can be varied.

From the above is seems clear that the different attack methods each have a variable level of sophistication possible, plus also that a single attack might using multiple attack types such as a combination of social engineering leading to the ability to leverage a zero-day exploit and then deliver ransomware for example.    So maybe the repots and warnings of “sophisticated” attacks may be justified.

But what if we look at the situation through a different lens and perspective.    Let’s consider cyber attacks as less targeted and more of a general attack across a mass of organisations or schools.   An attacker might start with a phishing emailing as I mentioned above, sending this out to a large number of organisations based on email addresses gathered from the dark web.    The 2020 Phishing Benchmark Global Report suggested on average 13% of users would click on any phishing email, so this could lead to attempted credential compromise or delivery of malware.     Defensive measures in place may protect some users here, such as through MFA, EDR, etc, so the actual successful compromise rate is less than the 13% of all users who received and fell for the email.    Let’s assume 75% of the attempted compromises are blocked, so this leaves us roughly 4% of all recipients where credentials are compromised or malware delivered.    At this point the cyber criminal is now focussed on this 4%.    They might now check the permissions level of all the compromised accounts to see if they have got any admin accounts or look for those particular organisations which represent juicier targets, which I would suggest includes schools and colleges.    They might also now try a Business Email Compromise (BEC) attack from the compromised accounts, seeking to try and get access to an admin account.    The process could be iterative with each step relatively simple.   A phishing emailing sent to many.   An automated BEC attack from the accounts compromised in the first attack.  A further BEC attack in the new accounts gained from this second attack, and on and on until admin credentials are compromised, and ransomware delivered for example, or until a interesting or high value target is identified among the compromised credentials.

Looking at the above the attack is a simple iteration but viewed from the point of view of the organisation who eventually suffers a ransomware infection it seems complex and “sophisticated”.   The ransomware was installed and encrypted data, with this being the result of compromised admin credentials from a BEC attack, which in turn can be tracked back to another BEC attack and an originating phishing email.   As a 4 step or more process it seems to be fair to consider it “sophisticated”.    But consider that the attacker began with 100,000 targets, whittling this down with each successive step to the one or small number of eventual victims.   At each step, where users were suspicious, where defensive measures were successful or where the organisation was simply lucky they manage to avoid the attack, but probability would suggest at least a few organisations would remain and become victims.    With this view it may be possible to consider the attacks as less surgical and “sophisticated” and more brute-force and a matter of probability.

Conclusion

I suspect the description of “sophisticated” can be considered appropriate looking at the multiple steps which may have been involved however I think it wrongly gives an impression of the cyber skill and expertise level which was involved.   Now I acknowledge in some cases the attacks will have been complex and involved high levels of skills, however I would suggest in most cases this isnt true;  The attacks involved multiple simple attacks made against large number of organisations at once, iterating down to a small number of eventual victims through a process of elimination.   

Another way to look at this situation is to consider how “sophisticated” may suit the narrative of leaders and marketing staff so it may be more about shaping the perception of the attack than an actual assessment of the attack itself.   And thinking about it, maybe this is the truth of the matter;  who is going to own up to being subject to a “simple” attack so maybe its no wonder that most, if not all, reported incidents are considered “sophisticated”. If this is true, then describing attacks as “sophisticated” in general press releases or alerts, although possibly appropriate to do, doesn’t actually tell anyone about the nature of the attack.

References:

2020 Phishing Benchmark Global Report (2020), Terranova Security & Microsoft.

Cyber culture

The enterprise org budgets being spent in relation to cyber security have, for a number of year, seen a steep increase however at the same time the volume of attacks and size of attacks have also seen a continuing and steep increase.  From a return in investment point of view this doesn’t look good.   In how many areas of a business or school would we be willing to accept increasing spends but worsening results?

Now this isnt such a big issue for schools and colleges as the available budget which might be applied to cyber security are very small indeed however viewed from a different perspective, this might mean it is all the more important to spend that which we have carefully and correctly.  

Or maybe we need to start looking at the problem differently?   If we accept that additional money and associated spends on technology tools and more staff won’t necessarily solve the problem then what can we or should we be doing?

Culture

I suspect this is key to how we need to approach cyber security.  It needs to be “how we do things around here” rather than something which is seen as an IT issue or, where things have progressed a little further, an IT and SLT issue.   Cyber security and appropriate cyber behaviours need to permeate a school, being the responsibility of everyone in the school community.    Everyone needs to understand why it matters and what part they play in keeping users, data and systems safe.     Now building such a culture isnt a quick process however I suspect it is something we need to start developing now, as part of a longer term journey to having more cyber resilient schools.

Measurement

Another area that is important is the need to have some form of measurement.  In order to make sure our cyber efforts are effective we need to be able to measure this effectiveness.   This might relate to awareness of phishing or a multitude of other measures we might create in trying to assess our cyber security.    The key however is the need for some sort of measurement so we actually have some data as how we are doing, to help identify areas we need to focus on and to assess whether our efforts bring about the positive change we are hoping for.    This measurement could be the data from a phishing awareness exercise, from help desk calls or even from a RAG (Red/Amber/Green) rating exercise.    It needn’t be overly complex but it needs to provide some meaningful data in terms of where we are at the point the measurement is taken.

Accountability

The third area which I think is key, and which was shared at a TEISS InfoSec event I attended, is the need for accountability.   We might have data as to where we are, or where a given department is or a school within a school group, but who is responsible and accountable for moving things forward?    We need to ensure this is clearly identified and again it isnt simply an IT issue and instead should belong to the business, the school.   It may therefore be that the HR manager is responsible for the HR dept, while the academic Head is responsible in terms of academic data, processes and staff.    Whatever the accountability lines are, they need to be clear and understood.

Conclusion

On reflection, the above isnt a quick fix;  culture takes a long time to develop and even establishing accountability and measures for assessing cyber readiness will take time.  We need to ensure we are measuring the right things and that accountability is set at the correct hierarchical level, with this taking some time to get right.   That said, the current approach, and complaint regarding lack of money/resources, doesn’t work as additional  money/resources havent solved issues for those which have more of both money and resources currently.    As such I think maybe we need focus on cyber culture in the same way we have previously focussed on safeguarding culture in schools.   Maybe we all need to be focusing on cyber culture?

Ransomware – A criminal enterprise

A recent story of a ransomware incident impacting a hospital for sick children highlighted for me how ransomware, and by extension other cyber-crime, is often a criminal enterprise.   It is run by individuals and groups in much the same way that a conventional business or enterprise would be run, but to a criminal ends.

The story in question related to a ransomware incident which impacted on SickKids just prior to Christmas this year (you can read more here).    The incident was reported as resulting in longer patient waiting times however where this story diverges from the normal ransomware story is that a ransomware gang publicly apologised for the attack and provided resources to help the hospital in the form of a free decryptor tool.   Now it is unclear if the decryptor worked on all or some of the effected systems, or even if it was used at all, as using a file provided by a criminal operation doesn’t come without its risks.   The ransomware gang also acknowledged that the attack came from a “partner” and that they have been expelled from the ransomware gangs “affiliate program” for violating the gangs rules.

If we change the context to a simple and legal business operation a lot of the above would still make sense.   Affiliate programs, business or partnership rules, a public apology for an error plus the offer of support;   This is what you might expect from an conventional business operation, not a criminal gang.

This I believe is the big challenge for education and the wider world, that we need to accept that some see a business opportunity, an opportunity to make money off the illegal activity of cyber-crime.   While this continues to be the case criminal gangs and cyber crime will continue to exist.   And if we consider increasing technology usage and increasing data volumes being gathered in society as a whole, this opportunity can only be viewed as continually increasing.    Additionally, if we extend the business analogy these illegal gangs will likely be constantly seeking to improve, expand existing revenue streams and create new revenue streams in much the same way as a conventional, and legal business would do.

So cyber crime is likely to continue to grow as a threat and this is pretty inevitable.   What do we therefore do to try and protect ourselves?    For me it comes down to a number of things, to organisations but also to individual staff, to seeking to regularly review, test and improve defensive measures, while also preparing to deal with an incident when it should eventually arise.  It is about building awareness as to the risks and preventative measures and building a wider cyber culture in organisations.  

All of this makes me think of business competition, where two business fight it out in a given sector or product market, to see who wins.   Coke vs. Pepsi for example.  Here however one business will be legal, fighting against another illegal, criminal enterprise.    I can’t help but think that this is an inherently unfair fight but one that will continue to become more and more common!

Privacy and OSINT

The more time I spend looking at cyber security the more concerned and paranoid I become and the more I realise how, in general, we don’t pay enough consideration to the data we share online.  Take for example a recent post I saw online where an individual was celebrating the purchase of a new house.  

They posted a lovely photo of the front of the house, with the for sale sign showing as sold.   The photo didn’t include the door number however it wouldn’t take much effort to find the address of the individual concerned.    Their photo showed the name and telephone number of the estate agent giving a rough area based on the UK area code.    A quick search on the estate agents site would give details of houses they had for sale along with photos from that period in time.   A quick comparison and you have an address, plus the name of the individual is included in their social media profile.   So, we now have a name and an address, plus from the social media profile we know about what they do for a living and various other bits of info.

The above is an example of OSINT or Open Source Intelligence, using freely available information to track someone down or create a profile on an individual.   It is all too easy given the information we make available online plus the various search tools which are now available. A logo, identifiable vehicle, company name or any manner of other things can help in tracking a person down.

In another post I saw an individual posted regarding repairs being done by the water board and how the works blocked their driveway.    The house number is in sight in the photo as is a house name plate.   Again, there is enough information to track the individual down and identify their address, with their name and job identified through their social media profile.

We all too often post photos online, such as photos from our evening run or photos with family, almost always giving away more information than we intended.   We equally may share information from health or fitness apps, possibly including run routes, again giving away more information than we intended.

This is yet another area of digital citizenship which we need to be discussing in our schools, with staff and with students.     If we don’t, it is likely that our continual sharing online will continue to compromise our privacy and potentially could result in some individuals putting themselves at risk.

JISC Security Conference Day 2

It’s been a few days since the JISC Security Conference however I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event.   As such I thought I would share some thoughts following Day 2 of the conference.

Defend as one

During the course of the 2nd day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents.   I will admit it was good to hear their experiences as generally all we get to hear of in relation to cyber incidents in schools, colleges, and universities, is the news posts which lack any of the detail as to the cause and impact of the incident, or of the resulting recovery operations.   It would be good to hear more of the details around cyber incidents in schools, etc, as there is a great opportunity for use to learn from the experiences and collectively seek to be more secure, with this being summed up by the JISC conference tag line, “Defend as one”.    I will however note the challenges in relation to this due to the sometimes sensitive nature of such information.

Cyber:  An IT issue?

Now the event itself was very useful for me as a Director of IT, being surrounded by others in similar roles however, as identified by one of the speakers, this also represents a challenge.    Technology security is not solely the responsibility of IT.    It is the responsibility of all those who use technology, who manage or are the owners of data, who lead departments and who lead or govern within educational institutions.      Equally all these people need to be onboard and considering what they might be doing in the event of a critical technology incident where they will need to try to keep operations going while the IT team focusses on the technical issue.     Yet the JISC security conference was mainly attended by IT people.   Clearly there is need for others to be more engaged, and I will certainly be looking to try and encourage other non-IT senior staff to attend events like this in the future.

Third Parties and supply chain risk

As the second day proceeded, I started to see some key themes and messages coming out, some of which aligned with some of my thinking, with one of these being the risk associated with third parties and the supply chain.   Increasingly we are using more external solutions, either online based solutions, or solutions where we have technology solutions from a third party running on our networks.   Examples might include a third party hosted web-site solution, a CCTV solution hosted on site, or a visitor management solution hosted on site.    These solutions have access to school data or may be on the school network, and as such may either represent a risk to the data should they suffer a cyber incident or could represent a risk to the school network.   If on the school network, they might introduce vulnerabilities, which we are unable to address and where instead we must wait for the supplier to identify and resolve by developing and deploying an update or patch.   So this risk highlights the need for due diligence before introducing new solutions.  This didn’t really happen during the pandemic, as we sought to act quickly to address the challenges so there is work to do in carry out the due diligence for systems now in use.   Also, due diligence at the point of purchase represents a snapshot;  Most technology solutions evolve over time, with new functionality being added or existing functionality adjusted and changed, meaning the due diligence which was originally conducted is now out of date and inaccurate.  This highlights the need for periodic review, but this is then yet another task or piece of work which needs doing, and who does this due diligence where departments across a school, college or university as sourcing their own solutions?  For me the key here is we need to look to do more in relation to examining the cyber resiliency and disaster recovery plans of the third parties we use.

Prioritisation

Another theme which came across was the extent of the cyber incidents described.   Basically, in some cases it meant going back to scratch, turning everything off and rebuilding.   But this takes significant time running into weeks and months.    This means it is key to identify the priorities for the recovery.  What systems and processes need to be recovered first?    If we don’t stop and consider this now, when things are running, we will likely find ourselves in the middle of an incident with every department and users screaming that they system or process is most important, and we will then waste significant time trying to debate and decide.    Clearly there is need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems such that when an incident occurs there is a clear priority order with which to work with.

Data Governance

The issue of data governance was particularly notable in discussions related to HE, to universities and this is likely due to their size and scope when compared with schools and colleges.   That however is not to say that the same challenges don’t also exist in schools and colleges.   The key question here is about the basics of data management and knowing what data we have, why we have it, where it is and likely most importantly who is responsible for it.   And in terms of responsibility, I am not referring to IT teams being responsible as they run the systems the data is stored on, but who the owner of the data is.  For example, admissions data doesn’t belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team.    IT can never know the processes and uses of all the data stored by different depts on IT solutions, therefore they cannot therefore be responsible for the data management side of such data.   It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc.    It was key from some of the discussions that greater effort needs to be made to ensure all understand who is responsible for what data. 

Conclusion

There was a lot to think about on Day 2 and to be honest I havent as yet had a sufficient amount of time to properly stop and reflect on the day or on the wider conference as a whole.   And I suspect it will be a few weeks and maybe the end of term before this will properly happen.

That said the above represents some of my initial thoughts based on some of the copious notes I took during the course of day 2.

I will end on an important message as I see it; This can all seem like doom and gloom.  The “when” rather than “if” of a cyber incident, the size and impact of such an incident and the multiple things we need to be doing to prevent and prepare, but against the backdrop that no matter what we do it may still happen.    We cannot allow it to be all doom and gloom.   My view is therefore that we need to simply seek to continually improve, to not try and do everything, but to try and seek to be more secure today than we were yesterday.

JISC Security Conference Day 1

I thought it would be useful for this weeks blog to focus on the JISC Security conference in Wales, which I am attending today (Mon 7th Nov) and tomorrow, plus which includes a third day held online.

So, lets start with my usual travel difficulties.   This shouldn’t have been a difficult one as have driven to the event however my car decided to develop some engine issues, including the engine warning light deciding to stay one plus occasionally flash alarmingly at me.   I noted a reduction in engine power which meant my cheeks were firmly clenched as I crossed the Prince of Wales bridge in the wind and rain;  Not somewhere I would want to break down.   Thankfully the car got me to my destination and can now have a rest before the return leg.

So the event itself, as I write this opening part of the blog I am sat waiting for the event to begin.  I have high hopes for the conference as there are so many different talks all focussed on the very important topic of technology security in education, principally in Further Education and Higher Education.   As a topic technology or cyber security is increasingly important in schools, colleges and universities as cyber criminals seem set on targeting education.   One presenter at the JISC conference suggested education was the number 1 target for ransomware attacks.   It makes sense sadly due to the data schools, colleges and universities hold, plus due to the fact the focus is on education with cyber security relegated to a secondary or even tertiary concern, often reserved for those working in IT roles.   Given the focus of the whole conference is on security I was very hopeful that I will take away quite a bit from the two days.

One of the big take aways from Day 1 for me was a document which presented 16 questions for University Vice Chancellors to answer in relation to cyber security.   The purpose of the 16 questions being to prompt discussion in relation to cyber security at the highest levels of management in universities.  It was clear from conversations with a few people that although this document had been sent to all universities, it hadnt necessarily been disseminated and discussed.   Looking at the 16 questions I could see how they were applicable not just to universities but also to colleges and even schools.    This did make me wonder about the need to share ideas and how, at the moment, there are various organisations sharing advice on cyber security, however no-one really collating this and providing it across sectors.   For example the DFE shared guidelines for schools while JISC developed and shared guidance for universities, yet both publications contained some common themes.   Wouldn’t it be good if this was shared centrally but with all educational institutions regardless of stage/sector?

Another discussion that I found interesting related to how we know or can assess how we are doing in relation to cyber in our own organisations.   Each school/college should be doing some form of risk assessment but it would be useful to be able to take this and assess your security against other similar institutions.   In HE this could be done using the 16 questions, but would rely on universities self assessing and then sharing their findings with a body such as JISC who could then calculate the “average” preparedness for universities.  This average could then be used as a benchmark with which to compare.   For schools, rather than the JISC 16 questions, the DFE guidelines could be used in a similar fashion.

If there was one big take away from day 1 of the JISC event it was that universities, colleges and schools are all subject to similar risks in relation to cyber crime and cyber resilience, albeit with different resources available to address the challenges.    As such there is a need to collaborate more across sectors, sharing experiences and knowledge where possible.    Currently the sharing is very silo’ d, so schools and MATs share, independent schools share and universities share, but each sharing separately.   There is a need, in my view, to bring this all together.

Disaster Recovery Planning

Part of cyber resilience is considering what to do when the worst happens.    And that worst case scenario is sadly likely to inevitable at some point.    This worst-case scenario will take the form of a significant incident, a disaster from which the school or college needs to recover, and in planning for this a Disaster Recovery (DR) plan should have been created.   But what should such a plan look like?

I have given this quite a bit of thought.    Is this disaster recovery plan a long and detailed document or something much more simple and digestible?  

On one hand we might want the long document and all the details as in the event of a disaster we will want as much information as possible to help us with first isolating and managing the incident and then later with recovery.    The issue with this is that when the fire has been lit under the IT Services team due to an IT incident, the last thing anyone wants to do is wade through a long and complex document.   I have seen a disaster plan which included lots of Gantt charts with estimated timelines for different parts of the recovery, but how can we predict this with any accuracy against the multitude of different potential scenarios.   Additionally, the information you will actually need is likely to depend very much on the nature of the incident.

The flip side is the much more managable document which is easier to digest and look to in a crisis situation, when things are high stress but its shortness will lack some of the detail you may want.   That said, a shorter document will be easier to rehearse and prepare with when running simulated and desktop incidents such that staff remember the structure and are largely able to act without needing to refer too often to the supporting DR plan.   It is also more likely to be applicable across a wider range of scenarios.

The above however suggests only two options, being the detail or the brevity and ease of use, but my thinking on DR has led me to think we need to have both.    We need to have a brief incident plan which should be general and fit almost all possible incidents.    It should consider how an incident might be called and then which roles will need to be implemented including contact details for the various people which might fill each of the roles.   It should consider the initial steps only, getting the incident team together so they can then respond to the specific nature of the incident in hand.  It is the outline process for calling and the initial management of an incident.

Then we need to have the reference information to refer to which will aid in the identification, management and eventual recovery from an incident.   Now most of this should already exist in proper documentation of systems and setup and of processes, however this is often missed out.   When things are busy its often about setting things up, deploying technology or fixing issues, and documenting activities, configurations, etc, is often put off for another day, a day which often never happens.    I think the creation of this documentation may actually be key.

Conclusion

The specifics of a DR plan will vary with your context so I don’t think there is a single solution.   For me there are 3 keys factors.

  1. Having a basic plan which is well understood in relation to calling an “incident” and the initial phases of management of such an incident.   This needs to be clear and accessible so as to be useful in a potentially high stress situation.
  2. Having documentation for your systems and setup to aid recovery.  This is often forgotten during setup or when changes are made, however in responding to an incident detailed documentation can be key.
  3. Testing your processes to build familiarisation and to ensure processes work as intended, plus to adjust as needed.

DR planning is critical as we need to increasingly consider an incident as inevitable, so the better prepared we are the greater potential we have for minimising the impact of the incident on our school or college.

EdExec Live

Yesterday I presented at the EdExec Live event in London where I discussed cyber security with a session purposely mis-titled as “Preventing cyber attacks: is your cyber security up to scratch”.    The reason the sessions title didn’t really reflect the content of the session is my belief that cyber attacks are now inevitable and that the thinking behind trying to be “secure” or “up to scratch” involves a mental model which doesn’t fit our current reality and especially the reality in busy schools with limited IT resources, and even lesser resources to focus on cyber security or cyber resiliency.   As such the session was aimed at trying to highlight this belief.

Now at this point you might be thinking I am showing some nihilist tendencies in the face of the growing cyber security threats and risks, however I am certainly now advocating that we consider incidents inevitable and therefore simply down tools and don’t bpther with any cyber mitigation, prevention or preparation activities.

What I am however advocating is that we accept that we can never do enough, never be up to scratch, so all we can do is to do what we can.    The approach to cyber in schools needs to be to seek to take little steps rather than seeking to reach an imagined point of being cyber secure, a point that is both likely to be unreachable and also a point which is likely to constantly shift in response to new technologies, new vulnerabilities, new threat actors and new methods of attack.

I concluded the session with 6 recommendations which are outlined below:

There is no enough so do what you can

As mentioned above there is no “enough” so this kind of thinking is no longer appropriate.

Carry out regular risk assessments

We need to treat cyber like health and safety and try to identify the risks and then decide on mitigation measures where possible.    If we explore and think about the risks which impact on use we are likely to be able to better prepare and respond.

Carry out a desktop exercise or “war game”

Our plans and processes often include assumptions.   We need to challenge these assumptions with staff from across the school involved in desktop exercises playing out an example cyber scenario.   By playing such incidents through we are likely to be better prepared when incidents happen for real.

Deliver ongoing user awareness

Users continue to be one of the most common factors in cyber incidents so the more training we can provide the better, but such training needs to be dynamic and ongoing rather than an annual refresher presentation at the start of the year.    Cyber needs to come up in meetings, in briefings, it needs to be part of the schools culture and a constant point for discussion.

Address the cyber security basics

Cyber criminals will take the easy opportunities where they can and therefore it is important to cover the basics such as patching servers, keeping backups, etc.   This is about increasing the friction an attacker might feel in the hope that they will move on to a easier organisation to attach.

Reach out

Schools and colleges are all in this together, suffering similar challenges and issues in relation to cyber, so collectively we are so much stronger.   As such, share with other schools, use groups like the ANME, and let’s make a collective effort to protect our schools from attacks and prepare for the inevitable incident.

Conclusion

At the end of the session, I concluded with a little question in relation to terminology.   Cyber security as a term is now out of fashion due to suggesting that being “secure” is possible when most now acknowledge this is no longer possible.   Cyber resiliency is now the term of choice however I feel, although better, it still suggests a “resilient” final state is possible where I believe it is now.   My suggestion, which doesn’t have the same ring to it of the above, was continuous cyber improvement, however my request was for someone to come up with a better alternative that wasn’t quite so much of a mouthful.

Is your cyber up to scratch?    If you think it is, I suspect you are up for a fall at some point in the future or at least that’s what probability would suggest.   Are your efforts continuous, regularly reviewed and involve repeated incremental improvements?    If so, I think you are most likely going about things the right way, so well done, keep at it, and try not to worry too much!

You can view the slide deck from my session here.

And for those who have followed my usual travel woes, this time I managed to get to London and back with only a 20min train delay, so unusually uneventful by my standards.

Going phishing?

Phishing emails continue to be one of the most common attack vectors used by cyber criminals, in attacking individual and organisations, and in attacking schools colleges and other educational organisations.   In schools, where things are increasingly busy, it is important that staff and students have had appropriate training and other resources provided in order to build their awareness and hopefully make them better at identifying such phishing emails.   The challenge though is how do we know if our phishing awareness programme is actually working?

I was originally very reluctant to make use of phishing awareness tests, where a fake phishing email is sent out to assess how many staff would fall for a phishing email plus how many staff might report receipt of a phishing email.    I felt at the time that it was a little unethical in trying to entrap people who work for my school.    I was also worried people would feel it unfair and adding to workload at a time when everyone is already busy.      It wasn’t until an IT conference event where I got discussing the issue with someone working within the police force that my view changed.    The catalyst for this change being this point; would I rather identify how susceptible the school is to phishing emails and how good individuals are in relation to reporting malicious emails due to a real phishing email, and the likely compromise of user accounts, or would I prefer to gain this information through a safe test where I would be able to respond and do something about the findings.It didnt take me long to realise I was better off testing awareness on my own terms rather than waiting for a cyber criminal.

Since this change of views I have set about regular phishing awareness tests on small groups of users, refining the approach and the follow up messaging and training materials as a result of the findings.    Tests might be targeted on certain areas or departments based on recent events or based on trends we are seeing in the types of phishing emails being seen or reported.    Follow up training might focus on the users who were tested or might take the data from a test and share it with all staff to highlight specific concerns or areas for improvement.   In some cases individuals have felt unfairly treated or “entrapped” however generally have been more understanding when my changed reasoning has been explained to them.  The main aim is for the testing and the related awareness development programme to be dynamic in nature, constantly changing in response to the external context and the internal awareness levels and habits as identified from the test data.

Phishing awareness testing doesn’t improve cyber security or users phishing awareness however it can provide a snapshot of where we are at a particular moment of time and in relation to a specific style or type of phishing email.   This, when used in combination with dynamic training materials, can be powerful in building up user awareness of phishing emails, of how to identify them and of what to do when things go wrong and you fall for a phish.   Where phishing tests are conducted regularly, with the appropriate follow up training, communication and awareness development, it can also go to help develop a culture of cyber security and this, ultimately, is what we really need to achieve.

Data protection and modelling

While at the School and Academies Show one of the discussions I had focussed on general EdTech and the need for teachers to model appropriate digital, including cyber security, behaviours for students. As the discussion progessed it then moved over to the topic of data protection, and I think this hit a chord with me.

Seeking solutions

The pandemic has required us to be agile in quickly finding solutions for issues, ways to engage learners and bring about the best learning experiences where students are either all online, away from the classroom, or where we have a hybrid situation, with some in the class and some not.   The issue is that the resulting search for solutions has led to tools, which may have pedagogical benefit being adopted which the due diligence as to data protection.

All staff need to appreciate that where signing up to an online service they are giving away some data.   It might seem as simple as an email address and password, but the reality is most services will also look at IP addresses, which gives away some rough geographical information, plus information on the device being used such as the browser, device type and operating system.   Then dependent on the nature of the service itself, they will then gather further data as provided by us, but also in relation to when we access a service and how often, and also which others in similar geographical areas, based on IP address, tend to access the service at the same time.

And this is all before, as a teacher, I then get students to sign up for the same service as it is useful in the teaching of my given subject or a specific topic.   So now, students are also giving away data but at my request.

Data Protection and GDPR

I think part of the issue here is that all staff are not IT experts or data protection experts.   But yet we all sign up to services which in effect gather the data we provide, and some data we don’t quite realise they are gathering.    For me the issue here is that, although we may not be experts, we need to exercise some care in relation to data protection.    Now this might be simply looking at the privacy policy for anything which seems out of place.   It might be seeking support from the IT team in a school, or seeking support of educators the world over via twitter or other forums.   The key thing is we cant simply sign up without given some consideration to the risks and implications of doing so.

Now those in the data protection world may see the above as not going far enough, they may state GDPR UK or other legislation however the reality, in my view, is most things boil down to risk based decision making.    The role of a school is not to be as secure in its data protection as a bank or other highly regulated industry, but to facilitate learning.   So there are some trade offs, where learning takes the priority and some risks are accepted, and hopefully, mitigated as much as is possible.

Conclusion

I think all schools need to spend some time discussing the implications of signing up for online services, and to data sharing with all staff.   We can’t hope to make them experts but we can hope to educate them enough to give some reasonable consideration to the implications of their actions in signing up for a service, or where getting students to sign up for an online service.  Its about doing all we can to reasonably facilitate good data protection based decision making and behaviours, in both staff and through modelling, in students.