TEISS, Infosec summit

Last week saw me attend the TEISS European Information Security summit down in London. This is one of my annual journeys outside of the education bubble to look at cyber security, resilience and health in the broader industry and enterprise context. I feel it is always important to seek diversity and to avoid the issues associated with existing purely within a silo, so stepping outside of my day to day on a fairly regular basis is a must.

More of the same, but greater volumes and speed.

If I were to summarise one of my main takeaways from the event, it would be that a lot of what I heard was similar to what I had heard a year before. Cybercrime continues to grow both in terms of threat and in terms of its potential impact. The specific threats, such as ransomware or social engineering, haven't really changed, but the frequency and speed of attacks have increased. One particular slide looked at nation state actors, showing how some countries were now down to a breakout time, from compromise to exfiltration, of under 6 minutes. Now it isn't likely that schools will need to face nation state actors, albeit we could end up as collateral damage, however this increase in speed for nation state actors is likely mirrored for other threat actors, including those schools may actually face. Related to this, one presenter showed screenshots of AI powered cybercrime tools which are now available, highlighting that AI, and in particular Large Language Models, not only have the potential to increase the productivity and efficiency of users, they also have the potential to increase the productivity and efficiency of criminals. I was aware of FraudGPT and WormGPT so this wasn't new to me, however the subsequent slide showed an automation and orchestration platform which criminals could use. The combination of AI powered creation tools alongside automation tools gives me concern, as it would clearly give criminals the ability to broadly launch convincing attacks where any compromise can be quickly leveraged before defenders have an opportunity to react. Think Power Automate for criminals. Lots more, better phishing emails, where user errors are quickly capitalised on to deliver malware, extract data or propagate further attacks.

Geo-political instability

Discussion of geo-political instability and its impact on information security was very interesting, especially considering the room full of cyber security professionals charged with protecting companies and data, including companies responsible for critical national infrastructure. From a school point of view this might seem to be outside of our wheelhouse, however on reflection I wonder about our need to educate students in relation to this. We have already seen that modern warfare now involves a cyber element, with the cyber element often preceding any physical engagement. Do students need to be aware of the implications of globally connected digital services in a world of increasing conflict along national and geographic borders? How might these issues directly impact us, and what about where we are indirectly impacted, or where the impact is subtle manipulation via social media? I suspect there is a whole post possible on this alone.

User awareness and training

I spent a significant part of the conference watching sessions within the Culture and Education stream. There was some good discussion in relation to culture and the testing of cyber resilience, particularly the use of phishing awareness testing. These tests are very good at giving us a snapshot, or even a longitudinal view, of our general cyber resilience, however they aren't as useful at an individual user level. Presenting a staff member or student with additional training material to undertake after they have fallen for a phishing test doesn't find them at their best in terms of their potential to learn. One presenter offered an alternative view, suggesting that all users mean to do the right thing, so we should be asking what it is that makes them do the wrong thing, rather than focusing on how we change individuals' behaviour. For me this very often comes down to being time poor, and therefore being in a rush or suffering workload issues, so I am not sure quite what we can do about this. In my view the world and our roles only see us adding more tasks and activities, and very seldom do we take things away, so it is no wonder that we are time poor, and no wonder that in our hurry we fall for social engineering and phishing emails. That said, it is definitely worth the conversation as to what the barriers to good cyber behaviours are, and then looking to see if there is any way to address them. I suspect we won't solve the issue, but I bet there will be some possible quick wins.

Recovery over prevention

One presenter made a very interesting observation that we continue to spend too much time focussed on prevention rather than on how we might respond to and recover from an incident. I can immediately see why we might focus on prevention: if a cyber incident doesn't happen, then things are all good. The reality, however, is that cyber incidents are almost guaranteed. And if we accept that an incident is definitely going to happen at some point in the future, then we are better spending a little less time focussed on prevention and a little more on considering what we will do when an incident does happen. This can easily be done through desktop exercises, and doing so is always preferable to having to work it out when the world is on fire in the midst of a real cyber incident. And to that end, I actually delivered a little exercise only the other day.

People, Processes and Technology

One of the biggest takeaways from the event was the mention of People, Processes and Technology (PPT for short, and not the Microsoft app). Sadly, all too often we focus on Technology. How can we technically keep data secure? How can IT deliver training to those clicking a phishing link? What we need to do more of is to consider the people involved and their impact, as well as the processes. If we consider people, processes and technology we will likely have the best opportunity of keeping things secure and safe. And I note that considering people, processes and technology isn't just an infosec thing; it can equally be applied to school technology strategy, to the use of technology in classrooms, and much more.

I suspect as we continue to make use of more technology and as technology further pervades every aspect of our lives, we need to increasingly seek to look to the human contribution and to human behaviour, rather than getting so focussed on the tech.

Apple, governments, privacy and public good

Apple recently announced they are no longer providing Advanced Data Protection (ADP) for UK based customers, in response to a request by the UK government. ADP basically amounts to end-to-end encryption, meaning only the user themselves can decrypt and access their data. The press is largely carrying headlines focused on the negative impact on user privacy of this decision, either deriding Apple for reversing their long established position in relation to the privacy of user data or deriding the UK government for pushing Apple into this position. As always, reporting tends to be very binary, but the reality is that things are a little more nuanced than that, so I thought I would share my thoughts.

Removing ADP

So, what does this removal amount to? Basically, in my reading of it, it amounts to the removal of encryption of your data at rest. What this means is that your data continues to be encrypted in transit, so as it traverses the air, via 4G/5G or Wi-Fi, and as it traverses the internet to its final destination, being Apple's servers. So a criminal, or another unscrupulous threat actor, intercepting data in transit will only get your data in its encrypted form and will therefore be unable to access it in its raw form. The change comes at the point the data is stored on Apple's servers. Here, without ADP, the data will be stored in its unencrypted form, allowing Apple to access the data, or to share the data with law enforcement or other government entities, or for criminals to access the data should they gain access to Apple's servers.

So what does this mean for privacy?

The fact that the data is now unencrypted at rest amounts to a reduction in privacy and an increase in risk for individuals. This is due to several reasons. Firstly, an unscrupulous Apple employee could access your data, or an Apple employee might be blackmailed or socially engineered into giving away data. As Apple hold the relevant encryption keys to decrypt your data, it may be that a criminal gains access to these and is therefore also able to decrypt your data having intercepted it in its encrypted form in transit. And there is also the issue of unscrupulous governments using the same methods as the UK government to force Apple to remove end-to-end encryption and then demanding access to data in order to target dissidents or those who are vocal about the government, all under the guise of national defence or anti-terrorism. Basically, your data without ADP is not as secure and private as it would be with ADP.
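The two sections above come down to key custody: who holds the key that unlocks the stored copy. The model below is an added example, not Apple's design or code; it runs one upload through the three parties discussed (the user's device, the cloud provider, and an on-path interceptor) and reports who can read the stored item with and without end-to-end protection. Secrets, data and the stand-in cipher are all constructed for the illustration.

```python
"""Who can read stored data, with and without end-to-end protection.

Added example, not Apple's design or code. The cipher is a stand-in
(HMAC-SHA256 keystream with an encrypt-then-MAC tag) because the standard
library has no AES; the key-custody logic is the point, not the cipher.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """Stretch a secret into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both derived from one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed stand-ins: the transport key plays the role of the TLS session,
# the provider key is the key the provider holds for accounts without ADP,
# and the user key is derived on the device and never leaves it.
TRANSIT_KEY = derive_key(b"constructed TLS session secret", b"transit")
PROVIDER_KEY = derive_key(b"constructed provider master secret", b"provider")
USER_KEY = derive_key(b"constructed user passphrase", b"device")
SAMPLE_NOTE = b"constructed sample: pastoral note about a student"


def simulate(adp_enabled: bool) -> Dict[str, bool]:
    """Run one upload and report who can recover the note at each stage."""
    # 1. On the device. With ADP the data is sealed under the device-held key first.
    payload = seal(USER_KEY, SAMPLE_NOTE) if adp_enabled else SAMPLE_NOTE
    # 2. In transit. Wrapped under the transport key in both cases, so an
    #    on-path interceptor sees only ciphertext either way.
    wire = seal(TRANSIT_KEY, payload)
    # 3. At rest. The provider terminates the transport layer; without ADP it
    #    stores the item under its own key, with ADP it keeps the device-sealed blob.
    received = unseal(TRANSIT_KEY, wire)
    stored = received if adp_enabled else seal(PROVIDER_KEY, received)

    provider_view = unseal(PROVIDER_KEY, stored)   # the provider, or whoever steals its key
    device_view = unseal(USER_KEY, stored)         # the user's own device (ADP case)
    return {
        "interceptor_in_transit": SAMPLE_NOTE in wire,
        "provider_or_key_thief": provider_view == SAMPLE_NOTE,
        # Without ADP the user still reads their data, via the provider decrypting for them.
        "user": device_view == SAMPLE_NOTE or provider_view == SAMPLE_NOTE,
    }


if __name__ == "__main__":
    for adp in (True, False):
        print("ADP on: " if adp else "ADP off:", simulate(adp))
```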

Why would anyone want to reduce privacy?

This all leads to the question of why the UK government would push Apple towards this decision. The answer is largely one of national security and public good. Privacy is a great thing, however its benefits are felt by all, and that includes terrorists, criminals, users sharing child sexual abuse material (CSAM), etc. With end-to-end encryption there would be no method for police or security services to investigate content, as they simply wouldn't be able to access it. They would need to arrest the criminal end user and get them to unlock their device to be able to access content. This would limit the potential for investigation to be carried out quietly in the background, which might also limit the potential for preventative measures as opposed to reactive measures. And I note that when things do go wrong the press is quick to point out when people have been on watch lists, etc, but what use is a watch list if you have no way to actually see what users are doing? Hindsight is 20/20, but with ADP enabled foresight would be encrypted.

Balance

The challenge here is that we are trying to balance the risks to individual privacy, as experienced by all users in the UK in this instance, with the need to identify those who may seek to cause harm, distress or even death. I don't believe there is a perfect solution, sadly. It is about risk-based decision making.

My belief is that the net impact of the removal of ADP is negative. It increases risk for all users, while those whom the UK government may seek to monitor or discover will simply shift to using non-Apple services and devices, meaning the gain from the removal of end-to-end encryption will be minor, if any gain exists at all. Additionally, the fact that Apple have acceded to the request of the UK government will likely mean other governments request the same, although for some the motivation may be more related to their own aims than to anything related to public good or safety.

Conclusion

There is, in my view, an increasing level of friction between public good and personal privacy, with this particular issue related to Apple's ADP service being the most recent and public example. We sadly cannot have privacy only for some, or only at certain times. It's privacy for all or for no-one, and where we opt for privacy for all we need to accept that this will include those who seek to use privacy to cover illegal, immoral or unethical activities. This news story also highlights the challenges related to national legislation of international companies. In both cases, I think these are issues we should be discussing with our students as part of digital citizenship programmes, as these issues are only likely to grow in frequency.

Sadly, the press pick a good news headline which is good for getting readership rather than conveying the more nuanced nature of the situation. Maybe this also highlights the need for critical thinking skills too, so we can see through the black and white headlines into the various shades of grey which are more representative of the real world.

BETT 2025: Cyber resilience and schools

On the Friday afternoon of BETT 2025 I had the opportunity to deliver a session on cyber security for education, called "cyber resilience and schools: let's get pragmatic". Now I will admit I was a bit worried that, with it being a day three afternoon session, nobody would turn up, however the session was very well attended, which was great. One thing I will note though is that when I asked about the roles of the various people in the audience, around 95% of them were from technical IT roles. I get why this would be the case, however I worry that this is symptomatic of cyber incidents still being seen as an "IT" issue rather than a school wide issue. When an incident happens, although IT will be the people working hard to resolve it, it will be the whole school which is impacted, including in relation to administrative tasks like registration and parental contact, teaching and learning, pastoral and wellbeing support and much more. Cyber resilience, or cyber security if you prefer that term, needs to be seen as a school wide issue, so my thanks and applause go to the small number of school leaders who attended my session, and I hope they found it useful.

My presentation broke down into four main areas, being the current context of schools and cyber security, the need for risk assessment, the need for incident preparation, and the basics which schools need to be doing to limit risk including reducing likelihood and impact of an incident.

In relation to the context, it is pretty easy to see the impact and risk in relation to cyber and schools, with one school being forced to remain shut at the start of the first week of BETT due to a cyber incident. The ICO also acknowledged that reported incidents in 2023 had grown 55% over those in 2022. If putting a cost figure to things, cyber crime worldwide is estimated to reach $10.5 trillion this year. So cyber crime will definitely continue, and will continue to hit schools. One key challenge for schools though is the limited budget available, both financially and in terms of staff resource, to tackle cyber risks and cyber resilience. This highlights the challenge for schools, however I noted a discussion at an industry event where they talked of whether doubling cyber related budgetary spend might halve the risk; the consensus was probably not. So, cries for more money, although money would help, would not solve the challenge.

It is therefore about risk management and balance.   Schools can be more secure but in doing so this might impact on flexibility, and therefore on the educational experience of students.    We need to seek to risk assess, identifying our risks, their likelihood and impact, plus the mitigation we could or have put in place, complete with any implications of such mitigation.   Once we know our risks we can plan accordingly in terms of mitigation or incident planning.

My next main point was the need to accept that cyber incidents are a “when” rather than an “if”, and based on this we need to prepare ourselves.    For me this is where desktop exercises are useful, actually working through an example incident with colleagues to identify what needs to be done, by who and when, plus to identify any assumptions which may have been made in terms of how an incident would be responded to.    Now this was one of the exercises from my session however the key value is in conducting such exercises in your own school, with a cross section of your own staff and therefore where the exercise can be tailored to the specific needs and context of the school.    It is all about thinking about the processes in a safe environment of a desktop exercise rather than in the heat of battle in the event of a real life incident.

The last section of my presentation, which may feel a little backwards in relation to having looked at risk management and incident planning first, was how we might pragmatically delay an incident occurring or limit its impact. As I mentioned earlier, we don't have the resources of enterprise organisations, so we can't simply throw money or resources at the problem. For me this therefore means we need to seek to do the basics in terms of cyber resilience. This refers to enforcing MFA, patching as many servers as we can, providing users only with the access they truly need, etc. It is these basics that will reduce the risk level for our schools and colleges, and hopefully see criminals moving along to the next school or organisation in the hope of an easier target. And generally the basic steps don't cost the earth, other than some time to undertake them.

Conclusion

My summation for the session was very much about the need for cyber resilience to be seen as a school wide issue, and therefore for it to be discussed at the highest levels, including governors/trustees and senior leadership. They need to have a sense of the risks being faced and to guide the efforts to address these risks. They may not know the technical side, however they set the risk appetite and therefore guide the spending of resources, including IT staffing, plus the balance between security and flexibility, which includes flexibility in the classroom. They should also be central to considering the "what if" scenario and how the school might respond to cyber incidents such as data breaches, ransomware, etc. It is better to prepare than to have to work out what you are going to do while in the midst of a cyber crisis. And lastly there are the basics: we simply need to do these, as they are the most cost effective method to delay or limit the impact of a cyber incident.

Cyber crime isn't going away, so we need to plan and prepare, and not just the IT staff.

Now if you wish to review my slides or the resources, which included some cyber incident cards for a risk assessment exercise, then you can access them here via Google Drive.

Who poisoned the AI?

One of the challenges in relation to Artificial Intelligence solutions is the cyber risk such as that presented through AI poisoning.  When I seek to explain poisoning the example I often use is of an artist who sought to keep traffic away from a particular street.   To do this he simply purchased a number of cheap smartphones, put them in a little trolley and then walked this trolley slowly down the chosen street.    To Google Maps the fact a number of smartphones were progressing very slowly down a street was interpreted as a traffic jam or accident and therefore Google maps sought to redirect people away from the street.   Basically, the individual had poisoned the AI data model to bring about a generally unwanted outcome, at least from the point of view of Google Maps.

Poisoning might take a number of forms, such as through the input data received by the AI such as the position information from the phones, or through the prompts made to a generative AI solution or through the training data provided, including where this might include the prompts.    The key is that the AI solution is being manipulated towards an output that wouldn’t normally be anticipated or wanted.  And there are also concerns from a cyber security point of view in relation to poisoning being used to get AI solutions to disclose data.

That said, I previously read an article in relation to AI poisoning where the poisoning was being presented as a solution to a problem rather than as a risk. In this case the problem is ownership and copyright of image content, where an AI vendor might scrape such image content from the internet, often without permission or payment to the creator, and use it to train the AI. The concern from copyright owners and artists is that they are creating works of art, images, etc, but as generative AI solutions are fed this data, the AI solution either copies elements of their works or could even be asked to create new works in their style. And given the creator is receiving no remuneration for the use of their works in training an AI, plus that the AI might lead them to receive less business, they are concerned. Roll in Nightshade, a solution for poisoning an image. Basically, what the solution does is change individual pixels within an image, in a way that isn't perceptible to the human eye but which will influence an AI solution. The poisoned images therefore negatively impact the functionality of AI solutions which ingest them into their training data, while still being totally acceptable from a human's point of view.

The above highlights technology and AI as a tool: poisoning can be used for malicious purposes, but in this case it can be used positively to protect the copyright of image creators. The challenge, however, is that this technology for poisoning images will likely lead to AI solutions either capable of identifying and discarding poisoned images or tolerant of poisoned images. It will end up as a cat and mouse game of AI solution vendors vs. copyright holders. This is much like the cat and mouse game between the tech vendors seeking to create generative AI solutions which produce near human-like content and the detection tools seeking to detect where AI tools have been used. Another challenge might be the malicious use of poisoned images to disrupt AI solutions, such as the feeding of poisoned images into a facial recognition or image recognition solution in order to disrupt the operation of the system.

I also think it is worth stepping back and looking at us as humans, and at how poisoning might work on human intelligence rather than artificial intelligence. One look at social media, one look at propaganda and at the Cambridge Analytica scandal shows us that poisoning of intelligences, such as human intelligence, isn't something new; I would suggest fake news is a type of intelligence poisoning, albeit possibly at a societal level. Poisoning has been around for a while and I am not sure we have a solution. So maybe, rather than looking at how we deal with or positively use the poisoning of artificial intelligence, we need to go broader and consider the poisoning of intelligence in general, including human and artificial intelligence?

References

This new data poisoning tool lets artists fight back against generative AI, Melissa Heikkilä (2023), Technology Review, Downloaded 07/11/2023

Berlin artist uses 99 phones to trick Google into traffic jam alert, Alex Hern (2020), The Guardian, Downloaded 07/11/2023

TEISS 2024, Resilience, Recovery and Response

I try to take myself out of the educational bubble at least once per year. This has been a conscious decision for a number of years, as I realised the importance of diversity and therefore the limitations of only looking at IT, cyber, data protection, etc from the standpoint of people in similar educational contexts. As such, the TEISS event is one of those events I try to attend to broaden my experiences and get the views and thoughts of those who exist beyond the educational context of schools and colleges.

This year's TEISS event, which like the others focuses on cyber security and cyber resilience, had some predictable topics of discussion. These obviously included Artificial Intelligence and also third party or supply chain risks. So what were my big takeaways from the event?

The cyber context

I am reasonably well aware of the cyber context and the risks which impact organisations in general, including schools, however the TEISS event presented a couple of key facts which I think are interesting. That there was a cyber attack every 29 seconds in 2023 says it all, with this only likely to grow once the 2024 figures have been calculated. This highlights the need for all organisations, including all schools and colleges, to consider cyber risks and their defensive and recovery methods. There is no excuse for not having done so.

Behaviourism

A number of presenters, and a number of those I had conversations with during the course of the conference, highlighted the need to consider human behaviour as part of cyber thinking. A cyber awareness programme isn't so much about the programme as about bringing about behavioural change, so although having an annual training or other training programme might meet compliance requirements, does it bring about the behavioural change we seek, and how do we know that this is the case? It is about encouraging people to report issues and reinforcing such reports by making users aware of the impact where they do report concerns such as a phishing email. If we can reinforce this view of reporting having an impact, rather than just being another thing staff are "asked" to do, then we might manage to build the cyber culture we want in organisations. In discussion with one event attendee, they raised a solution which would automatically remove a phishing email from mailboxes once it had been reported, and would then let the reporting user know of their positive impact. This seems like a great tool, but apparently what had been a cheap tool was bought up by a bigger company and now forms part of the free value-added tools bundled with a bigger, more expensive product which needs to be purchased. For schools this brings us back to limited budgets, which means that key tooling for cyber security continues to be outside the budgets of those in education.
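The reporting loop described above (one report pulls the same email from every mailbox, and the reporter is told what that achieved) is small enough to model. The code below is an added example, not any vendor's product or this blog's own code: mailboxes, senders and messages are constructed, and the campaign fingerprint it uses (sender domain, subject with numbers normalised, link hosts) is an assumption chosen so that per-recipient personalisation does not defeat the match.

```python
"""Reported-phish removal with feedback to the reporter.

Added example, not any vendor's product. In-memory model of a mail platform:
one user's report removes every copy of the same campaign from all mailboxes
and returns the feedback that would be sent back to the reporter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    subject: str
    body: str


def fingerprint(msg: Message) -> Tuple[str, str, Tuple[str, ...]]:
    """Campaign fingerprint that survives per-recipient personalisation:
    sender domain, subject with reply prefixes and numbers normalised, link hosts."""
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    subject = re.sub(r"^\s*((re|fw|fwd):\s*)+", "", msg.subject.strip().lower())
    subject = re.sub(r"\d+", "#", subject)  # "invoice 4432" matches "invoice 1207"
    hosts = tuple(sorted(set(re.findall(r"https?://([^/\s>]+)", msg.body.lower()))))
    return (sender_domain, subject, hosts)


class MailStore:
    """Minimal stand-in for the mail platform's admin API (hypothetical)."""

    def __init__(self, mailboxes: Dict[str, List[Message]]):
        self.mailboxes = {user: list(msgs) for user, msgs in mailboxes.items()}
        self.quarantine: List[Tuple[str, Message]] = []

    def report_phish(self, reporter: str, msg_id: str) -> Dict[str, object]:
        """Handle one user report; returns the feedback sent to the reporter."""
        reported = next((m for m in self.mailboxes.get(reporter, []) if m.msg_id == msg_id), None)
        if reported is None:
            return {"reporter": reporter, "removed_from_others": 0,
                    "note": "Report received; that message was not found in your mailbox."}
        campaign = fingerprint(reported)
        affected: List[str] = []
        for user, msgs in self.mailboxes.items():
            hits = [m for m in msgs if fingerprint(m) == campaign]
            if hits:
                affected.append(user)
                self.quarantine.extend((user, m) for m in hits)
                self.mailboxes[user] = [m for m in msgs if fingerprint(m) != campaign]
        others = [u for u in affected if u != reporter]
        return {
            "reporter": reporter,
            "removed_from_others": len(others),
            # This is the reinforcement: the reporter sees the effect of reporting.
            "note": f"Thanks {reporter}: your report removed this phishing email "
                    f"from {len(others)} other mailbox(es).",
        }


def _phish(msg_id: str, ref: int) -> Message:
    # Constructed campaign: same sender and link host, personalised invoice number.
    return Message(msg_id, "accounts@invoice-portal.example", f"Invoice {ref} overdue",
                   f"Pay now at https://invoice-portal.example/pay?ref={ref}")


def build_sample_store() -> MailStore:
    """Constructed sample: one campaign sent to three staff, plus a genuine finance
    email with a near-identical subject that must not be removed."""
    briefing = Message("b1", "head@school.example", "Staff briefing", "Room 12 at 8:30")
    genuine = Message("f1", "finance@school.example", "Invoice 4432 overdue",
                      "Please chase the supplier, see the attached PDF.")
    return MailStore({
        "alice": [_phish("p1", 4432), genuine],
        "bob": [_phish("p2", 1207)],
        "carol": [briefing, _phish("p3", 9981)],
        "dave": [briefing],
    })


if __name__ == "__main__":
    store = build_sample_store()
    print(store.report_phish("alice", "p1")["note"])
    print({user: [m.msg_id for m in msgs] for user, msgs in store.mailboxes.items()})
```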

It's about people

The old Richard Branson quote about looking after your staff, as they will look after your customers, was raised, albeit with a cyber bent: look after your cyber security staff and they will look after your security, rather than focussing on security itself. I have to strongly agree with this, and also with the need to look after those staff involved from an IT point of view in cyber incident response. Stress levels are high following the onset of an incident, and someone needs to make sure that those leading the technical response stop and eat, sleep and take time out. One interesting discussion which was raised, however, was how the CISO might do this for their team, but who might do this for the CISO. If the board and senior leaders push for updates and for things to be "fixed", while the CISO supports the team of people doing this work, who looks after the CISO? Now in my team I feel lucky in that I feel my team would be quick to question me and challenge me to take the necessary time if needed. This then goes to organisational culture and the culture to question at all levels. I feel lucky that this would happen in my team, although I hope I never have cause to test it in a real incident, as we can only truly test these things in a real life situation; desktop exercises are all well and good, but they pale when compared to the stress and challenges of a real incident.

Incomplete information, and it's inevitable

The inevitable nature of cyber risk is something I have talked about for some time. You can do all you want in terms of your defences, but the defenders need to get it right all of the time, while the attackers need only get it right, or get lucky, once, so the probability lies with the attackers. If we take it that defence can never be 100%, and therefore that attackers always have a chance and will keep trying until an organisation ceases to exist, plus that no organisation seeks to not exist, then probability states with relative certainty that an incident will happen, just not when. And when it happens we will see only bits of the picture initially, with more of the picture as to the impact of the incident, the ingress route, etc, appearing as time progresses, yet the expectation will be to communicate quickly about the incident. In relation to comms, the key message seemed to be that the worst thing to do is to state something which is later proved to be untrue, so it is all about saying little. Another point which came across was related to the cadence of information: although we may seek to say little, we should seek to be regular in our communications, even if this means saying that investigations are ongoing and that at this stage we know nothing more.

Cyber and AI... or not

Within a couple of presentations the issue of language was raised. The issue of AI being the current buzzword, used both by vendors singing about their products and in terms of threats and AI based threats, was mentioned. Maybe AI has become a bit of a buzzword which needs to be included in product pitches, in conferences, etc, and maybe this doesn't match the reality. Another presenter raised how we use the term cyber. Cyber bullying, cyber threats, cyber security, etc. But isn't it just bullying, a threat or security, albeit enabled by technology? And does the use of the word cyber push us to think it's an IT issue, an issue for IT companies and vendors, rather than something which is the responsibility of the wider organisation, school or school community? Maybe we need to reduce our use of the word cyber and embrace technology enabled attacks as a subset of existing issues rather than as something unique and distinct.

Conclusion

I enjoy stepping outside of the education bubble and hearing about what cyber security looks like to those in the enterprise world, where they generally have far greater resources. It is heartening to hear that they suffer from the same problems and have the same answers, despite their significantly greater resources. This continues to highlight for me that "not enough money" or "not enough staff" isn't the answer, as we need to be pragmatic about cyber. We could have infinite staff and budget and we would still face challenges. It continues to be about doing what we reasonably can, and preparing for the worst. It also continues to be about getting this message across to trustees and governors: that no matter what we do the risk will continue to exist, and also that most schools or colleges which have suffered an incident have moved past it and survived. In education we talk with students about FAIL as first attempt in learning, and maybe that's what a cyber incident is? That said, it's not a learning exercise I would care to undertake!

Desktop Cyber Exercises

I recently worked through a desktop exercise in school as part of my ongoing efforts to look to progress cyber security.    As such I thought I would share some brief thoughts I had following the exercise.

Communication, communication and more communication

I think one of the key things that sticks out to me in relation to cyber incidents is the importance of establishing how things will be communicated out to students, staff, parents, etc. In the event of a significant IT issue it may be that your normal communication methods, such as desk phones and email, are out of commission, at least for a period of time. As such you then need to look at how you communicate without these tools, whether this is using mobile phones, radios or even going for a walk to speak directly to people. If you have school social media accounts, can you use these, and where are the credentials kept so you can access them even when your main IT systems are down? The key is the need to get information out to staff, students and parents in the immediate or near immediate term, and therefore that you have the right information, such as phone numbers, available even if IT systems are inoperable.

Printing

We are now in a world of digital communication; however, in the event of an IT incident it may be necessary to revert to an earlier time, the time of the printed sheet or document.   As such, establishing some printing and copying capability in the short term is very beneficial and would support the needs of communication.    This would allow the creation of temporary registers, bulletins for noticeboards and other processes which would support the school, staff and students through the initial period of an incident.

Safeguarding

One of the key safeguarding duties of a school is to know which students it has on-site.   On a normal day the school’s MIS will serve this purpose, but if this is not accessible then there needs to be an alternative solution to identify attendance or absence.   This might be pre-prepared emergency registers or handwritten registers which are then collected and compared against a school master list.

The internet is key

More and more of the services we use rely on the internet for access, and more and more the internet is important to teaching and learning, especially where using cloud productivity suites.   As such, if internet access is impacted by an incident, there needs to be a way to quickly restore at least some access or to find access somewhere else, such as in a neighbouring business, etc.    Restoring local access might involve bypassing filtering and monitoring solutions if identity management isn’t functional, with access then limited to staff.   That said, from an impact vs. risk point of view, the impact on learning of a lack of internet access, especially where technology use is embedded and heavily uses productivity suites, might exceed the safeguarding risk, meaning you may wish to restore access for students even where filtering is unavailable for a short period of time.   This would obviously need careful consideration and appropriate documentation of the decision-making process.

Consider the variables

In doing a desktop exercise it is worth giving some consideration to the variables which might have a material impact on an incident.   This might be considering when an incident might happen, such as what the impact would be if it happened during exam season or during a significant event with visitors on-site.   It is also worth considering how things would work if key members of staff, such as the headmaster, were away from school.   We need to know who fulfils the role of the missing staff member while they are away.

Slow down!

One key thing, in my view, is the need to take careful decisions during an incident and to be wary of knee-jerk reactions.   This is particularly important for IT staff, as a mistaken attempt to resolve the issue could make things worse, however it is also the case for the wider SLT involved in incident management.    Yes, an incident means we want to move quickly to get solutions in place so the school can continue to operate, however equally we need to avoid moving so quickly that we make mistakes.  It’s a balance.   It is also important to slow down to allow the appropriate bodies and support organisations to be contacted and involved, including the likes of the NCSC, Action Fraud, cyber insurance and other insurance providers, etc.

Conclusion

The purpose of a desktop exercise is to get people discussing and thinking about what they might do in the event of a critical incident, IT or otherwise.   It is about testing the assumptions and identifying areas for improvement.    The choice is to conduct this in a safe environment or to wait until an incident hits, at which point all bets are off.    My preference has always been to opt for the safer option.   As Benjamin Franklin put it, failing to plan is planning to fail.   If you haven’t therefore done a desktop exercise to explore what you would do in light of a cyber security incident in your school or college, I suggest this is something you do in the near future.

Cyber Awareness Month: Cyber threats

October is cyber awareness month and an important opportunity to discuss and highlight cyber security and cyber threats.   Now cyber security, and particularly the development of a culture of positive cyber security practices, is an ongoing requirement, however cyber awareness month provides a valuable chance to highlight cyber security and ensure it is the subject of discussion.    Due to this I would briefly like to share some of my thoughts in relation to the main cyber threats as they currently exist for schools and colleges.

Phishing, vishing and other “ishing” attacks

For me, phishing and similar attacks based on SMS, messaging services, social media, phone calls and even malicious QR codes continue to be one of the most common attacks, aimed either at compromising a user account or at compromising a target machine through malware.   One of the big issues here is that we are living in an increasingly busy world, dealing with ever increasing numbers of emails, messages, etc.   And in this busyness it is “human to err”: to click a malicious link, to reply to a malicious email or to provide user credentials to a convincing looking, but fake, login page.    Continued user awareness training can help in this area, making users more aware of the signs to look for in malicious messaging, but it can only go so far, especially as people are becoming increasingly busy.   For me, the key is for users just to have a fraction more time to review messages before acting, giving their conscious brain just that bit more time to engage and identify the unusual features of a malicious email, message or call.    I am not talking about huge amounts of time, only fractions of a second.   That said, this time needs to come from somewhere in a time bounded world, so we are going to need to make some compromises to find this time, as otherwise we are only likely to see data breaches resulting from phishing and other “ishing” style attacks becoming both more common and more significant in their impact.

Third parties

We are increasingly using more and more third parties, including online tools, in our lives and in our schools, whether this is a cloud hosted MIS, a learning platform, a quizzing app, a website provider or a multitude of other solution providers.   With each third party there is an additional risk.   And this risk is two-fold.    One part relates to an incident at this third party resulting in school data being breached, where the school, as data controller, remains responsible.    The other part of this issue relates to the use of a third party to gain access to a school’s systems, possibly through a business email compromise attack having gained access to a compromised email account within a third party, or it could involve using integration between the third party’s solution and school systems.   Either way, I see third parties as the second most significant risk which schools are exposed to.   Due diligence is key here in terms of ensuring appropriate checks are done on vendors in terms of their approach to security, etc., although I note these are often only superficial in nature given the information third parties may provide via their policies or via responses to direct queries.   I suspect the other solution is simply least privilege: both limiting the access of third parties to school systems, plus trying to limit the total number of third parties used.   Sadly this is often easier said than done.

Conclusion

Given the two main risks as I see them above, and the acceptance that a cyber incident is a matter of “when” rather than “if”, it therefore makes sense to play out the above scenarios as a desktop exercise to consider how your school might respond.    Phishing can also be easily tested for through the use of a phishing test campaign, sending out a fake phishing email to see how users respond.   I would suggest in both of the above scenarios there isn’t a huge amount schools can do to prevent an incident, although I will once again state the importance of doing the basics in terms of cyber, such as using MFA, patching, least privilege, taking and testing backups and performing regular user awareness training.   So, if there are limited opportunities for preventative measures beyond the basics, then the key thing is to prepare for the most likely threat scenarios.   How would you respond to a compromised user account resulting in MIS data being exfiltrated, for example, or to a third party data solution suffering a data breach resulting in school data being leaked publicly?   Would police be involved?  What would you tell the press, parents and the wider community?   How would your school respond internally, including who would be involved in discussions around actions and who would have the authority needed to approve comms, etc., plus what roles would each person undertake?   And how might you deal with wellbeing and mental health during a high stress incident?

It is better to consider these and other questions now than to wait and have to answer them during an incident.    And maybe this is one aspect of cyber awareness month we neglect: it isn’t just about preventative measures and reducing the likelihood of an incident, it is also about acceptance that incidents will happen and therefore spending some time planning and preparing.

TEISS London 2023: Reflections

During September I managed to find myself at two industry level cyber/info security conferences, one of which I have already blogged about (see here).   This post focusses on the other event, TEISS London 2023, which was a little more focussed on incident management, whereas the previous event was a little more generic.   So, what were my take-aways as relevant to education?

Incident Response

One of the key discussions across this particular event was in relation to the inevitable cyber incident and therefore the need to prepare.    Discussions arose around desktop exercises, the development of incident response playbooks and disaster recovery plans.    The key take-away for me was the need to play through potential cyber incidents, and to do this regularly.   We are not talking about once every few years, but as often as can be managed, so that the relevant staff, both senior and IT technical, know how to respond when the inevitable issue arises.    The need to carry out these desktop exercises with different groups of individuals, in order to ensure that all are prepared, was also discussed.   Desktop exercising is definitely something I want to look towards repeating in the coming months, and building a process so that it doesn’t occur ad hoc but as part of a regular process, allowing for the review and improvement of the related processes with each test.

Concerning external factors

One of the presenters went into the risks associated with geopolitical issues, where issues in the geopolitical space often result in corresponding issues in the cyber arena.  From a school’s point of view it is easy to wonder why this makes a difference; why would a nation state or similar focus on education?    I think the issue here is not so much an attacker focussing on education, but the collateral damage which might impact education.   Now this collateral damage might be accidental, however we also need to acknowledge the increasing use of cloud services.  This often means data and services hosted in various countries across the world, so what is the potential risk where countries have disagreements and where some aggressive activity online results?   It is easy to say your school exists in Europe or the UK so this is unlikely, however the presenter demonstrated some aggressive cyber activity even within the UK and EU, so it therefore isn’t unreasonable to expect that this may happen again in the future.    For schools this means, as far as I am concerned, that we need to continue to do the basics, plus prepare to manage an incident when it occurs.

Artificial Intelligence

AI once again featured in the discussion, however at least one presenter suggested that where we are now is more akin to Machine Learning than AI.   I suspect this depends on your definition of both terms, with my definition having ML as a subset of AI.    The key message here was that the current instance of AI, generative AI, presents rather generic responses, but quickly.   Its benefit, whether used for defence or attack, is its speed and ability to ingest huge amounts of data, however it is only in pairing with a human that it progresses beyond being “generic”.   In the future this may change, as we approach the “singularity”, however for now and the near future AI is an assistant for us and for criminals, but doesn’t represent a significant innovative change in relation to cyber security; good security with AI is little different to good security prior to generative AI.

Human Factors

The human factor and culture were a fair part of the discussion.    The cyber culture and “the way we do things around here” in relation to information security is key.   We need to build safe and secure practices into all we do and at all levels; easier to say than it is to do.    This also links to the fact that humans, and the wider user group which in schools would be students, staff, parents, visitors and contractors among others, continue to be involved in around 74% of breaches.   This means it is key that cyber security awareness training reaches all of these users and is regular rather than once a year.    Additionally, if we assume we will suffer a cyber incident, how do we protect our IT staff and also those senior staff involved in incident response and management?   The stress levels will be very high, and as a result self-care may be lacking, but schools and other organisations have a duty of care for their staff, and during a cyber incident that duty of care may become all the more important.   This is why, in my team anyway, I am introducing a role of “chief wellbeing officer” as part of our incident response plans.

Conclusion

The organisations at this particular event, similar to the previous cyber event, were generally large corporate entities, yet for me the messaging may be all the more important for schools given we hold student data and student futures in our hands, and given the targeting of educational institutions.  How do we get more schools to attend these events?    I suspect events like these fall into the important but not urgent category, where fixing a server issue or a device issue in a classroom is urgent and important, but then how do we ensure that school IT staff are prepared and preparing for cyber incidents?   A chicken or egg issue maybe?

Cyber incidents are inevitable and I have always said that “the smartest person in the room is the room”, so if we can share with industry, where I believe they have much more experience in this arena, then maybe we, as in schools, will be all the better for it.

ISMG Cyber Summit: Reflections

I recently undertook my annual trip outside of the education bubble and into the wider tech and particularly InfoSec world, attending the ISMG cyber summit in London.   Now my trip was largely uneventful in terms of my usual transport disasters, although I note that Google Maps did make its best effort to send me off on a wild goose chase between the tube station and the event venue, but for once my common sense prevailed.

The purpose of my annual trip outside education is to sense check where we are as schools in terms of cyber security, in relation to the wider world.   It is also an opportunity to gather advice and best practice from industry.   I note those in the room with me were largely senior security staff, rather than in my broader role which encompasses security, plus they had budgets far exceeding anything any school will ever have access to for spending on technology, never mind purely on cyber security.

The day was very useful with a number of key topics coming out:

AI

Artificial intelligence was a hot topic during the course of the day, particularly in relation to the increasing use of AI solutions within businesses, much in the same way we see increasing use in education.    The challenge and focus was on how we secure AI solutions against issues such as prompt injection, poisoning of the training model and data exfiltration, among other areas.    For me the key takeaway from this is that AI solutions are yet another area which organisations, including schools, need to consider and secure.  And as schools seek to use more AI solutions, including third party solutions, this risk will only increase.

Wellbeing during an incident

This particular issue resonated with me.   IT teams often work hard behind the scenes, only becoming visible when there is an issue or when someone wants a new solution, new functionality, etc.   And in the event of a cyber incident the stress largely falls on them to get things up and running.  If the school, or other organisation, seldom recognises the hard work which goes into the normal working day, what hope is there during a cyber incident when they are working even harder and under significantly more stress?   As such the wellbeing, mental health and general support for IT staff, and more broadly for all staff, is so key.    How are we supporting wellbeing? This has to go beyond the tick box efforts, the wellbeing working party, etc. How can we evidence that we truly are cognisant of and focussed on wellbeing?   Also, in the event of a high stress incident, how will we manage wellbeing?   One suggestion during the event was to have a “chief care officer” during incident response, which was an idea I liked.

Ransomware and Third parties

Two of my key concerns from an educational IT point of view have been ransomware and third-party incidents.   Both of these appeared as significant discussion points in relation to industry and enterprise organisations.     Ransomware continues to be a common attack method in general, while third party data breaches also continue to be common.  One particular presenter during the course of the conference talked about adding additional external solutions to monitor logs, etc., but thereby adding an additional vendor and vulnerability risk, as this third party becomes yet another vector through which an organisation’s data and systems might be compromised.  Here is one of the key challenges: our attempts to improve our security result in the layering of solutions, where each new solution may represent an additional risk and attack vector.  This to me highlights the importance of governance over security, so that decisions of risk vs. benefit can be appropriately authorised and accountability made clear.  I note accountability was another discussion point from the event in relation to CISO liability, however I didn’t feel this quite impacts on schools.

Conclusion

Once again, this event proved to me that the challenges that impact on education are not limited or unique to education.   They are issues which impact organisations across different sectors, with only the context and resourcing varying across sectors.  In the case of education there continues to be the issue of limited resourcing in relation to cyber security, in terms of the products but also in terms of the staffing and expertise; a bank might have a whole cyber team, however how many schools can claim to actually have even a single cyber security focussed professional?   This, the large and varied user base, and the need for quite so many users to have access to sensitive personally identifiable information, means schools and other educational organisations will continue to be a focus for attacks for some time to come.

If I was to take anything away from the event it was that enterprises and schools all suffer the risk of a cyber incident.    All we can do is limit the impact, and delay the inevitable.    A bank spending seven figures on security might sound like the way forward, but the reality is that all it does is reduce the risk, so spending huge amounts of money might make no difference in the long run; it is just a case of when rather than if.    As such, for schools, the focus needs to continue to be on doing the basics in terms of user awareness, MFA, backups, least privilege access, patching and incident planning.

Cyber, schools and week 1

The first week of the 2023/24 academic year has now been completed, and during this first week I have been made aware of 4 different schools having cyber incidents reported in the press.     I think this highlights the risks that schools face in relation to cyber security/resilience, and possibly the fact that cyber criminals may focus more directly on schools, and education more generally, at key points of the year when they are likely to have a greater chance of their attacks succeeding, such as at the busy start of a new academic year.   So what can schools do to reduce the risk?

I cannot speak to the 4 incidents as I don’t know sufficient details as to the nature of the attacks and incidents, however there are general actions which I believe schools can take to reduce the risk.    Given below are the 5 things I would say are the priority areas:

  • Staff Awareness Training

In the vast majority of cyber incidents a human is involved at some point, and usually towards the start of the incident.   Whether this is giving away user credentials after clicking on a link in a phishing email, using a weak password or misconfiguring a solution, our staff are both our weakest point but also our best defence if properly trained.    And this training needs to go further than simply a session at the start of the year.   It may include this start of the year session, but it must include advice, stories, examples and other awareness content throughout the year; little and often.   Whether it is videos to watch, information given in morning briefings or content in newsletters or other regular documentation, awareness content should be delivered often and in different formats and media.    I also think one way to help get the importance across is to focus more broadly than the benefit to the school and highlight that good cyber hygiene is important for our daily lives and our interactions with the many digital tools which we use.

  • MFA (Multi-Factor Authentication)

Phishing, and credential theft resulting from phishing attacks, continues to be a common attack method.    As such anything that reduces the risk of a user’s credentials being compromised is important.    Multi-factor or two-factor authentication is an easy method of reducing this risk.  Cyber criminals may get your password through guessing or through a data breach of another service where you have re-used your password, but without the second factor, such as the app on your phone, they are unable to get into the account.   Now I have heard many raise issues about using their personal phones for this purpose and about having to install an authenticator app on their own phone.   I get this, but there is no cost as we almost all have smartphones these days, and the cost of not having our school accounts secured (the risk to all staff’s personal data, to student data, to parent data and to all the other data a school may hold, never mind to students’ coursework and other critical learning information) surely outweighs the downside of having a small authenticator app installed on the personal phone you already have?   For me, all schools should have MFA enabled for any user who needs to access data from away from the school’s network.   Note, if only accessing accounts from the school’s network, the fact that the account can only be accessed from the network, and not from home or elsewhere, counts as a second factor.

  • Backups

We need to accept that a cyber incident will happen at some point in the future, and at that point we will need to find a way to quickly and safely recover our IT systems.  Backups are key to this.    As such it is important to have backups in place, and the 3-2-1 rule is a good rule of thumb: you should be keeping 3 copies of your data, on two different media (e.g. HDD and cloud, or HDD and tape), with 1 being offsite or immutable.   It is also important to note that your backups are of no value or use until the point when you need to recover from them, so it is important for you to test that you are able to recover from your backups when you need to following an incident.   It is also important that those who would need to conduct the recovery are familiar and comfortable with the backup process, such that when under high pressure following an incident they are comfortable with what they need to do.

  • Patching

If cyber criminals didn’t gain access via a compromised user account, then the other way they may gain access, or maybe the second stage of their attack following compromising a user account, might be to exploit a vulnerability in software.    This is all the more likely if you haven’t patched systems, as these patches often contain fixes for known vulnerabilities which cyber criminals may already be actively exploiting.    By regularly patching software, including operating system and application software, we reduce the risk of a known vulnerability existing within our network environment.   This includes the need to patch or update endpoint devices such as laptops, tablets and printers.   Now this can sometimes be difficult as it may result in downtime, either waiting for a server to reboot or waiting for a device to restart, however it is important.  Being pragmatic, and given the fact it may often be impossible to patch all devices, servers and systems, the key is to identify which devices or systems are most important in terms of the operation of the school or the sensitivity of the data contained on them, and seek to do these first.    Every newly patched system represents a reduction in risk, so patching 1 server is better than worrying about which of 60 servers to patch, but patching none.   Every small step matters.

  • Least Privilege Possible

It is important to reduce the access rights of users to what they really and essentially need.    This includes things like remote desktop access.   If using Office 365 or Google Workspace, do users really need remote access?    Also consider your administrative credentials: do your IT team need high level access all of the time, or can they use Privileged Identity Management (PIM) such that they only escalate their privileges when needed?   And when technicians are logging into PCs, are they using credentials with Global Admin access or a separate set of credentials?   The more we can reduce the access rights provided to users, the less access a cyber criminal will gain should they compromise an account.
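As an added example (not code from the original post) on the Backups point above, the following Python checks a backup inventory against the 3-2-1 rule and flags copies whose restore test is missing or stale. The BackupCopy fields, the inventories and the dates are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule and restore-test age.

Added example, not code from the original post: the BackupCopy fields,
the inventories and the dates are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                 # e.g. "hdd", "tape", "cloud"
    offsite: bool = False       # physically held away from the school site
    immutable: bool = False     # cannot be altered or deleted during its retention
    last_restore_test: Optional[date] = None   # None means never tested


def check_321(copies: List[BackupCopy], today: date,
              max_test_age_days: int = 90) -> List[str]:
    """Return findings for a backup set; an empty list means it passes.

    3 copies, on 2 different media, with 1 copy offsite or immutable (an
    immutable copy protects against ransomware much as an offsite copy
    protects against fire or theft), and every copy restore-tested within
    max_test_age_days.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies kept; the rule asks for 3")
    # Two copies on the same kind of medium share its failure modes, so
    # media are counted by type, not by number of drives.
    media = {c.medium.lower() for c in copies}
    if len(media) < 2:
        findings.append("all copies are on a single medium "
                        f"({', '.join(sorted(media)) or 'none'}); 2 are needed")
    if not any(c.offsite or c.immutable for c in copies):
        findings.append("no copy is offsite or immutable")
    # A backup that has never been restored is an assumption, not a backup.
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(f"{c.name}: last restore test was {age} days ago "
                                f"(limit {max_test_age_days})")
    return findings


# Constructed sample data (a fictional school, start of the 2023/24 year).
TODAY = date(2023, 9, 8)

GOOD_INVENTORY = [
    BackupCopy("nightly-nas", "hdd", last_restore_test=date(2023, 8, 20)),
    BackupCopy("weekly-tape", "tape", offsite=True,
               last_restore_test=date(2023, 7, 15)),
    BackupCopy("cloud-immutable", "cloud", immutable=True,
               last_restore_test=date(2023, 6, 30)),
]

# Two disks in the same server room: looks like "backups", fails the rule.
WEAK_INVENTORY = [
    BackupCopy("nightly-hdd", "hdd", last_restore_test=date(2023, 8, 9)),
    BackupCopy("weekly-hdd", "hdd"),
]

# Compliant layout, but the cloud copy has not been restore-tested for months.
STALE_INVENTORY = GOOD_INVENTORY[:2] + [
    BackupCopy("cloud-immutable", "cloud", immutable=True,
               last_restore_test=date(2023, 2, 1)),
]


if __name__ == "__main__":
    for label, inv in [("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY),
                       ("stale", STALE_INVENTORY)]:
        print(label, check_321(inv, TODAY) or ["OK"])
```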

Conclusion

We have to accept that all organisations will suffer a cyber incident at some point in time, with this being all the more the case in education, where the diverse nature of users’ technology skills, the number of users, the diverse range of systems and the limited investment in cyber security and resiliency all come into play.   The key thing though is that we need to make it as difficult as possible for the cyber criminals, and focusing on the above 5 areas will help do just that.

I am hoping the 4 schools suffering incidents in the first week just relates to the busy nature of things in the first week, and that things will settle down over the coming weeks, however I suspect these 4 schools are just the start of the list of schools which will suffer incidents in 2023/24.