Archive for category: Podcast

In this episode, we discuss with our guest Kevin Ford CISO of North Dakota how they are taking a state-based approach to K12 cybersecurity, cybersecurity education, and workforce development.

Protect Your School from Cybersecurity Threats

SecurityStudio helps schools ensure they’re protected against cybersecurity threats with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:33] Ryan Cloutier: Hey everyone, welcome back to another episode of the K 12 cybersecurity podcast. I’m your host Ryan Cloutier. Today we have a very special guest that has agreed to join us and our next guest is the former Chief information Security Officer of cyber Grx, one of the top cybersecurity startups in the nation where he was responsible for expanding cybersecurity privacy and risk management capabilities. He was responsible for protecting the information security of over 50,000 organizations including Fortune 100 clients. He has advised the US Congress, the us Indian health service, local governments and multiple private sector customers on cyber risk management initiatives and digital privacy. He has also served as a member of the National Institute of Standards and Technology cybersecurity framework development team and served as a cyber risk manager for Nasa. He received the 2016 Nasa achievement Award and is the recipient of a Deloitte cybersecurity Graduate award. He is currently the Chief information Security officer of North Dakota. Please join me in welcoming our guest kevin ford, Good morning kevin, thanks so much for joining us.

[00:01:46] Kevin Ford: Morning Ryan, thanks for having me,

[00:01:48] Ryan Cloutier: you know um I don’t personally know you but I have had a chance to get to know Sean and that’s how I kind of came to know of you. And so first and foremost congratulations on the new job.

[00:02:01] Kevin Ford: Oh thank you. I appreciate it. It’s been a it’s been a challenge and adventure and it’s been um really interesting and fun. So they’re pretty great here in North Dakota, so I’m really excited to be here.

[00:02:12] Ryan Cloutier: They really are. And that’s actually kind of what led me to want to talk to you is you know, I’ve been keeping an eye on what you guys have been doing in North Dakota and I’m frankly I’m a little smitten and somewhat in love with this idea of a unified cybersecurity strategy. Can you tell me a little bit more about that?

[00:02:30] Kevin Ford: Sure. Yeah. So uh maybe I need to give a little more background before I get to the strategy piece. Um One of the interesting things about North Dakota in comparison to a lot of other states is that we have a unified network in place already um on which all political subdivisions as well as state government um are required to connect. Right? So that means on our network we not just have uh State agencies, um the legislature and judicial branches but we also have K. 12. Um we have cities and counties all sort of co mingling on this this larger unified structure um as part of that uh the the North Dakota I. T. Department and V. I. P. Um has has perceived a mandate from the state to to sort of centralize our I. T. Services for state agencies um as well as a mandate to advise and oversee on cybersecurity, Um strategy for the state. And so that’s sort of where my office comes in um when I’m working with organizations uh further out from us than the state agencies meaning pay 12 or the cities and the counties or higher, education. my role becomes that of of an advisor and someone who’s had strategy rather than someone who um is sort of a C. So so um there you know multi multiple hats there on this is so for um and and have operational authority um in the realm of state government but for the locals, the K. 12, the higher education, I’m a strategist um and uh leader um uh and kind of community organizer as well.

[00:04:24] Ryan Cloutier: That’s awesome. You know it’s that whole government kind of approach that I really like and it’s very cool that you know your K. 12 schools are able to access the wealth of experience and expertise and knowledge um that you’re able to bring to bear for them and that consultant capacity it’s it’s something they desperately needed and So I you know, as one cyber professional to another. I thank you for that K12 is such an underserved market and a lot of times you know they have the same risks, they have the same technology the same complexity but they’re lacking a lot of the necessary kind of enterprise support structure, um Talent Experience systems if you will. So That’s just really great to hear that you’re doing that, you know, in doing that work. What is the biggest challenge that you’re currently seeing to getting appropriate levels of cybersecurity into the K-12 environment?

[00:05:19] Kevin Ford: Yeah, that’s a that’s a great question and a really complex one, because there are so many challenges, particularly right now when we’re in this sort of work from home and educate from home and study from home um paradigm, um you know, and there’s there’s so many different pieces of the architecture right now um that were, you know, nice and unified that are now spread across the state, right? We have the educators on their home networks, you have the students on their home networks, we have the uh my key personnel in between and trying to make sense of it all. And unfortunately, some of the externalities, some of the knock on effects of that are um our educators and our students and the parents of our students are often being called upon to do tech support. Right? And so there’s there’s um there’s a lot of concern about, you know, uh and this is a knock on on our teachers or are the parents of our students are our students, but there is kind of a concern around people who are maybe not completely educated in um the way uh I p works or who aren’t qualified um you know working on systems Um that belonged to K. 12 and maybe miss configuring them or um or you know plugging them into modems directly rather than behind the firewall or rather. Um so those are kind of you know, the gremlins that are in the system right now. Um We never expected to you know, have it could be relying on parents to be tech support. I think we

[00:07:03] Ryan Cloutier: uh and you know, it’s interesting that you bring that up because I’ve kind of heard that as an overarching theme. Um I serve school districts across the nation. I sit on a handful of advisory boards, Khazen being one of them the consortium of school networking and the theme I’ve really heard is Covid is brought to light this digital literacy gap and that some of the fundamental foundation als of updating a system, right? Um Pre Covid will say just even a few months ago updating a system wasn’t even necessarily something the average home user was aware was a thing to be done. And then now where to your point we’re asking them to kind of be our remote hands at home, right, we’re trying to do this. I. T. Support. It’s like, hey mom and dad, I can’t be in your house but I need you to click this and do that. And and so I think you know we’re seeing that as a national trend. Is that that gap in digital literacy, if you will. Um so it’s it’s I guess on the one hand, it’s reassuring to know that even you guys are struggling with that as well. But on the other hand, you know, it’s going to be interesting to see how we collectively as those who who serve K 12 and cyber um how we kind of overcome that challenge. I know, internally we’re looking at developing some free training for parents on things like secured configuration of a home router. Like how do we make that consumer level conversation? So that would be fascinating. Which segues me to my next question. What are your thoughts around how automation um can increase security and reduce risks knowing that that a lot of this work is complex work? Uh and some of that work can be automated. What are kind of your thoughts on the value of automation to to help our K-12 get better at this.

[00:08:59] Kevin Ford: Yeah. But you know, we’ve had a lot of experience with this firsthand, our network is so large. We’re talking about 250,000 and 300 points at any, you know, at any given our um, so, uh, you know, my team is large, but not large enough and I don’t, I’ve never met a security professional who says, hey, you know what my team is the perfect size or or I have maybe a few too many people write that. I’ve never met one. And um if you’ve met one, I’d like to meet them, I’m

[00:09:33] Ryan Cloutier: still looking for him too, right,

[00:09:36] Kevin Ford: they don’t exist. Um And that’s and that’s unfortunate, you know um the reality that’s imposed on us by both the supply side and the demand side here, right? Um uh you know, these problems go hand in hand with both the funding associated with cyber security as well as um you know, and I’m sure you’ve probably covered this a lot um are kind of national um dearth of cybersecurity skills right? There just aren’t enough qualified cybersecurity analysts uh to fill all the demand that’s out there. Um So we’ve really been relying heavily on automation. Um We we brought in a security orchestration and automation tool which we like a whole lot um and that kind of sits uh and harmonizes very well with our current security Operations center tech stack. Um and uh we’ve been able to automate using that a lot of sort of the day to day in and out analyst work. Um That includes, you know, an analysis of um I don’t know, a couple 1000 phishing emails a day, so on and so forth. The things that you would have may be sent to the intern or had your your pier one or you’re very junior analysts doing before. Um Now we’ve automated that, which means that there are more human eyes on the the higher level incidents, the ones that are sort of spit out from that automated analysis of saying hey these are the important ones or the ones that we haven’t quite been able to automate yet just because they’re so dynamic and there’s so many variables associated with those incidents and where where that particular solution, the security orchestration and automation solution um doesn’t cover. We’ve also brought in um uh consultants and uh processes for robotic process automation. Looking at the things are humans are doing day to day and see kind of what we can automate with computers and that aligns to the greater North Dakota I. T. Strategy. We’re looking at a situation where as much as 20-30% of our workforce could retire Um in the tech fields without adequate um without adequate replacement. Um so we’re kind of in a jam here and so we need to be able to figure out how we can automate probably around 30-40% of all the tasks that we’re doing. Uh an information technology organization for the state. Um So those are sort of the big drivers behind that and we achieved um quite a bit of success in that. We have a lot. It seems like every week a new thing in our in our sock is automated which is really neat. Um So you know I’m excited for what the future brings in that regard. Um I think in the cybersecurity field, you know there should be no concern around that from a human aspect or unemployment aspect because it’s really allowing the analysts to do the interesting things um and and not have to be stuck doing all the boring things all the time. Yeah,

[00:12:56] Ryan Cloutier: absolutely and I know um you know some of the automation is really good, some of the ai stuff still in its infancy. Uh you know, one of the organizations I participate in is nice. Um So that’s a subgroup of of Nist, it’s uh it’s the cybersecurity Education initiative and one of the areas that we were talking about in addition to just cybersecurity education is also um expanding kind of machine learning and ai education. Uh Somebody’s going to have to write those routines right, we still have that human component so many times people here automation and they think complete elimination of human and it’s it’s not that it’s elimination of someone like you said those those more basic tasks, things that I would have differed down to, you know, an intern or something like that, where I don’t need necessarily that that experience and that kind of judgment feel if you will that that we have in cyber where it’s like, okay, what is this? Does it feel like it might be suspicious, does it feel like it’s worth digging into? Um It’ll be interesting to see how we, how we kind of automate some of that stuff as we move forward. Uh 11 other question I have for you here is that I get asked a lot about how folks can get more involved and specifically recently I’ve had several people reach out to me and say, hey, we know that you’ve been, you know, kind of talking with Sean and stuff and keeping an eye on North Dakota, how do we get involved? Can we get involved? So my question is, is, you know, what can K 12 leaders outside of North Dakota due to get involved in a similar program to what you guys are doing?

[00:14:42] Kevin Ford: Yeah, that’s a that’s a great question. Um so we’ve spent a lot of effort and a lot of money on building a very sort of dynamic um and and technology forward approach to security here at North Dakota. And one of the things we’re really looking to do is kind of expand the footprint of that outward. Um so so that other organizations, other public organizations can can participate with us um in in security operations. And we’ve looked at a number of different ways we could achieve that um and come up with kind of a multi tiered approach. Uh so what we’re, what we’re calling, this is the multi state or multi sled um security operation centre, um where, you know, state government, state agencies as well as political subdivisions, K 12 higher education can participate with the state of North Dakota to really try to make to make inroads on the security posture for everyone. The technology we use the background we use is able to do a lot of very, very great and quick sharing so that if we see for instance an attack over here on in this area, well, um, the entire organization, the entire partnership would be covered in a matter of seconds against an attack, um, which is very, very important because we do see similar attacks across, you know, across the nation. Um, and we, and we see organizations falling like dominoes, right? Because our current means of sharing information, um, is too slow. So what this would be able to do is is set up at its lowest, most fundamental level, automated data sharing around attacks between all of the organizations associated with the multi state or multi sled sock. Um, and then at higher levels we’re looking at provisions to actually do operations. Right? So for instance, if I’m a, uh, I’m an organization that’s under attack and, and you know, I don’t have enough manpower to respond to the attack. Well now, um, in the current situation, what I have to do is kind of put out an all hands call and ask for other states to come and fly people in so on and so forth. But if we can sort of melt those barriers, maybe just get a, you know, a memorandum of understanding in place, um, and have a common tool set. Um, you know, I’d be happy to lend North Dakota analyst to help out a school system that’s in need. Um, and I’d be happy to welcome analysts from, you know, a school system or some other state to help North Dakota out if it’s indeed, um, and we can do that in a very, very short time with this sort of technology for putting in place. Um, so, so that’s, that’s kind of how you can get involved if, if you’d like to know more. Um, I don’t know, Ryan, maybe you can, um, you know, put my email address out there and, and people can, um, absolutely yeah,

[00:18:00] Ryan Cloutier: for sure. I’ll make sure to put that into the, um, description on the podcast here. Um, so that, that’s fantastic. I, I think, you know, it’s, it’s okay North Dakota sometimes, you know, gets the butt of a lot of jokes because you guys are, you know, in the middle of nowhere and you know, we call it flyover country, right? Um, and, and being a midwestern midwesterner myself, I’m just over here in Minnesota. So I’ve, I’ve, I’ve taken the drive up to bismarck once or twice, right? Um, and, but it’s, it’s awesome to see how you guys are, are really thinking about this in a, in a very future forward way in, in, in, it seems like you’ve already got this understanding that the world is forever different because of digital. We will not get ahead of this until we come at it collaboratively will always be playing whack a mole As long as we’re all trying to do our own thing, our own way with our own tool kits and our own um, descriptions the founder and Ceo of security studio Evan francine as a saying. Uh, and that’s that complexity is the enemy of cybersecurity and he’s not wrong, right? And, and the other thing is that we don’t have common language. So I just, I love, I love to see that you guys are doing that and being leaders in that space because it’s what we need. We we have to handle. It’s the whole country problem. We have to handle it as a country, you know, it’s just like, you know, unfortunately dealing with this covid, right? It’s each state’s kind of doing something a little different and, and some are more or less doing things, but at the end of the day it’s it’s a whole country problem. Right? So I just love that you guys are doing that one of the other. If I

[00:19:54] Kevin Ford: if I may, I just like to pull a thread around north Dakota there, um, because I am, you know, I’m from the east coast, I’m from Washington, D. C. And then spent some time in Denver and startup community there. Um, and the interesting thing about North Dakota, um is, you know, yes, we are, we are a flyover state and we embrace that. But, but with that, you know, there’s some, some, some swagger, some braggadocio to write were small, but that that makes us agile. Um and when you look at, you know, our total security footprint of around 300,000 devices, right? That puts us on par with a lot of Unfortunate 30 organizations out there. Um and you know, our governor is a leads attack, He was a ex Microsoft executive, he had a startup that he sold in the Microsoft um and also what chairman of the board for at Lassie, and so he is, you know, he is as tech forward as it as it comes um in in in the government space and he’s always ready and willing and able to lead with tech. So, you know, this is a top down thing and so we’re really, really um You know, really in a great position, largely because of the leadership we have in the state as well as the forethought of our legislature um to, you know, to build even this, this network, the statewide network back in the 90s. Um and that leads us all the way up through today. So

[00:21:18] Ryan Cloutier: absolutely a

[00:21:20] Kevin Ford: great spot.

[00:21:21] Ryan Cloutier: And speaking of forward thinking on your legislators part, that actually is a perfect segue to my, to my last question for you. Um, so I understand that you guys are taking kind of a holistic PK 2 20 approach to cybersecurity education For, for K- 12 students that don’t have the luxury if you will of of having their state, um take that as seriously or maybe um be as ready to deliver as it sounds like you guys are getting geared up to do or maybe are already doing, How do we get more K 12 students involved in this? We know we have a workforce shortage, but we also know that they’re just digital citizens of the world who um in my opinion at least cybersecurity is a foundational life skill, It’s a basic life skills like washing your hands or bathing or brushing your teeth. Um So how, you know, in your in your opinion, how do we get them engaged? How do we get them involved?

[00:22:22] Kevin Ford: Yeah, that’s a that’s a great um that’s a great question and and North Dakota is lucky to have a K 20 w effort which means for us um every student um is cyber security and cyber skills educated from kindergarten through ph D. As well as the workforce. So we have a comprehensive K 20 W program which is led by just a fantastic group in our in our edgy tech division Um and they just do so much great work particularly around outreach to the schools um both K-12 and higher education as well as workforce training um as and reaching out to trade schools. Um and I think you know, you kind of hit the nail on the head there right with the digital citizen uh Comic, we are in a position where cybersecurity needs to become as fundamental as the things I was taught um way back in the way back in the day when I was in kindergarten, things like stop drop and roll and stranger danger and you know, don’t get in the car with strangers and and all these other things, these basic life skills, how to wash your hands, so on and so forth, cyber security needs to become part of that because while it’s true that you know, maybe not everyone is going to go into a cybersecurity field or even a computer field. Um there is no um area, there is no field right now that it’s not impacted by technology. Um if you want to become a doctor, a surgeon, um you know, you are still going to have to interact with technology and you’re going to need to know how to do that safely in order to for instance, in the doctor surgeon case protect the personal health information of your patients.

[00:24:13] Ryan Cloutier: Yeah. And in addition I think there’s the, you know, surgery robots, right? I mean it’s, I don’t foresee tech going away if anything, I see more of a deep integration and so no, I think that’s just fantastic. Well, I do want to respect your time. I know you’re a very busy man, so thank you so much for taking this time to to talk with us today and to share your thoughts. Um I’ll provide your email to folks in the description. Is there anything else you’d like the audience to know?

[00:24:45] Kevin Ford: Uh No, I just I just want to shout it again or are educated group. Um There is such a good group work, they do both kind of operational work with our K- 12 um uh as well as educational work and really head up like a 20 W so kudos to them and I’m open to any conversations anyone would like to have regarding how they could do something similar within their state or within their K 12 organization as well as um as well as, you know, the Security Operations Center after interested in that.

[00:25:19] Ryan Cloutier: Well, thank you so much for that generosity and definitely will help get the word out to folks. Uh Thanks everyone for joining us. This has been a great episode, will continue to produce these. You can follow us on twitter @StudioSecurity, you can find me on twitter @CloutierSEC. Thanks everyone have a great day

We discuss with our guest Amy McLaughlin, COVID-19 and tips and tricks for homeschooling cybersecurity to stay safe when schooling and working at home.

Protect Your School from Cybersecurity Threats

SecurityStudio helps schools ensure they’re protected against cybersecurity threats with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:07] Ryan Cloutier: Welcome to the K 12 cybersecurity podcast. I’m your host Ryan Cloutier. Today we’re gonna be talking about Covid 19 and its impact on distance learning, remote school and school closures joining me today is Amy Mclaughlin. Did I say that? Right, Amy

[00:00:50] Amy Mclaughlin: yes, he did.

[00:00:51] Ryan Cloutier: Amy is an experienced information technology and information security professionals. She has over 20 years experience including the last 10 years in K 12 and higher education. She holds a master’s degree in Science and information technology management and a masters of arts in marriage and family therapy. Amy currently serves as a project lead for the COz in cybersecurity and smart education networks by design and as the director of information services information student health services at Oregon State University. Did I pronounce that? Right? Amy

[00:01:24] Amy Mclaughlin: Yes, pretty darn good. Thanks so

[00:01:26] Ryan Cloutier: much for joining us. Um it’s really some wild times out there and you and I have been, you know working through this the last week more intensely, but even from the week before and you know, as we were talking, it kind of dawned on us both that what people really need right now. It’s just kind of a short, simple list of actions and things that they can be doing as they prepare for remote work, remote school. You know, we’re looking at, you know, 14, 15 days here in some cases, but I think a lot of people are starting to prepare for longer. Um, and so you know what we were thinking is we would put this list together for you guys and give you some some pro tips if you will and how you can stay safe and stay calm during this crisis. So the number one thing that we came up with was that really you need to stay calm. Um being panicked makes you more susceptible to digital risk. You’re more likely to click on a link if you’re in a state of panic. So really think before you click or share. Um amy can you share with us a little bit of what you’re seeing with some of these phishing scams and and how they’re kind of exploiting this Covid 19

[00:02:38] Amy Mclaughlin: Sure. I think one of the biggest challenges of course is that every, there a lot of there’s a lot of panic around covid 19. So obviously opens the door for a lot of exploitation uh, in the school area. What we’re seeing is a lot of emails coming out that are pretending to be from school district authorities or principles coming with logos say things like, hey, I need you to immediately felt the storm to give me your cell phone, contact information um, or provide us additional information on how to reach you. Uh they’re actually going for a two layer attack which is a little bit more sophisticated than the standard click here and enter your username and password because they’re collecting cell phone numbers for later exploitation, which means that the person won’t necessarily associate the later attack with the original email. So we’re seeing a pretty complex and uh well thought out approach also really exploiting people’s fear and concern about my work my school, are my kids going to be safe? Am I going to have enough hand sanitizer? Those kind of phishing scams coming through um in large volumes right now or an increasing volumes, they’re going to start increasing even more I think over the next few days,

[00:04:00] Ryan Cloutier: you know, and it’s interesting that you bring up the multi factor authentication exploit angle if you will, excuse me not corona um the M. F. A. Side of it where they’re trying to get that cell phone number um that’s really so that they can come back later and send you a phishing email that requires a multi factor authentication. So when you get that text message or that um alert pop up on your on your authenticator app. Um a lot of times if they have already gained access that information it makes it much easier for them to do another type of exploit that allows them to get access to your system. One of the things that were really stressing is you know, verify before you share any data. Financials before you make any purchases with a lot of us moving towards remote school and remote home or sorry remote work from home. Um Those activities where we would normally be able to walk down the hallway and verify with the person you know directly obviously as we’re all kind of self quarantining here that’s not really a reality for us. Do you have some tips on other ways that people could verify um when they’re asked to share this data or sensitive information You know make purchases.

[00:05:15] Amy Mclaughlin: You know I think that the alternative to walking down the hall right is picking up your phone and calling uh And I think as you move to work from home and school from home options um having a phone number of who to call to verify, making sure that that’s a valid number not one that came off the bottom of the false email uh to confirm the purchase or a lot of people are going to video conferencing options so you know hitting uh your video conferencing option with the person who you need to verify with and looking at his face to face and saying hey I just got this request. Did you really want me to purchase this or um am I really like supposed to send you all the W. Two S for the whole quote company um and making sure that that is actually confirmed by somebody at the other end.

[00:06:04] Ryan Cloutier: That’s a great great tip and I think you know, video is definitely becoming more prevalent and I think a little bit later here we’re going to talk about video and some considerations for it. Um, the other big thing right now that we’re seeing a lot of in the information security community is coronavirus scams that are attached to coronavirus maps. Um, you know, all of us want to know what’s going on and and most of us are trying our best as much as our sanity will allow us to keep up with all of this information. And it’s incredibly important to only get your information from reputable sources. We are seeing not just viruses, you know, being attached to coronavirus maps, but we’re also seeing a lot of disinformation and misinformation um kind of floating around rumors and conjecture. Um as one would expect to see in a situation like this. So really do try to stick to those reputable known national sources. You know, World Health Centers for Disease Control, your state health officials, your local health officials. Um really be very cautious and verify those U. R. L. S. If you are going to those coronavirus maps myself. I just go directly to john Hopkins website. Um, that way I can get to the map that everybody’s kind of using anyways. Uh, and I don’t run the risk of falling victim to a scam. So with that. Um, I think we, you know kind of segue here too. Okay, we’re all stuck at home. What are the security considerations that we need to be thinking of at home? Um amy what are your ideas there? Where do we start?

[00:07:46] Amy Mclaughlin: Well, I think you know, we can start with some basic cleaning, right? Uh you’re at home um time to do some digital cleanup. So first thing is check all those devices that you’re using are updated quick and easy. Run through, run updates on your computer, your, your cell phone, um, your router, that’s the one people always forget And for a lot of people that means digging the manual out of a box where you stuffed it when you first step thing up. But just make sure all those home devices are running the most current version of their operating systems and have been updated and patched because that will protect you from quite a lot of basic exploits And it’s step one and it’s relatively simple just to go through and do update.

[00:08:33] Ryan Cloutier: I know when I went to update my devices here this week, um, I couldn’t find that manual, who knows what box it’s buried in. So I hit the Youtube and I was quite surprised and happy when I found there’s there’s an extensive amount of of how to videos out there already. Um as well as those manufacturer instructions. So if you can’t find the paper, manual laying around a lot of times your manufacturer will still have a manual on the website, just type that model number into google and take it from there. Um you know, as we, as we talk about, you know, getting those things up to date. One of the things that a lot of us aren’t thinking about is how things might operate differently at home than they do in the school setting or in our office setting. And one of those things that’s especially important for parents to be aware of is that the content filters so that that piece of software that is keeping the bad and ugly part of the internet if you will away from the kids. Uh some of those content filters don’t work when the devices are are out of the schools network. Um some do, it all comes down to the type of content filter the manufacturer, the in the way it’s configured. Um but that’s just something to be aware of. Is that the the uh internet access at home a lot, a lot of times is a lot more wide open than the internet access at school or at work. Do you have any tips for a Sammy on things we can do at home to kind of help keep an eye on that.

[00:10:01] Amy Mclaughlin: You know, I think one thing is to trek in regularly with your students and know what they’re doing, you know what they’re working on another is to take a look at your home routers, a lot of home routers have some basic firewall set ups where you can send set parental controls um again if you’ve lost the manual just got to youtube look up your device number and look for parental controls. Usually there’s just a switch flip on and it says you know low medium or high level of control. Uh and you just want to make sure that you said it just right your your family and what your needs are but it can put a nice basic safety net in place to help protect your family. Um And there are some actually some reputable um low cost or no cost online content filters, software content filters, the parents can load onto machines for their students. So if it’s home machine that’s personally on device you may be able to load your own content filtering on as well now. So I’d note too that doesn’t do any good to lead the content filter on and then give your student the override password. Yeah, because you might as well not have it on there at all.

[00:11:20] Ryan Cloutier: Yeah, we definitely want to be careful about about passwords and who has them um you know, and that leads me to to a privacy concern that we have at home and that’s IOT devices. Right. So we have a lot of us have these smart devices in our home that will respond to their name right? Maybe we, you know have an Alexa and okay google or or some other type of smart device, Maybe it’s our cell phone um series something along those lines. Generally the rule is if the device responds to its name, uh that means that it’s listening all the time. So we need to take extra care when we’re having those at home school conversations at home work conversations. Um you know, are we around these devices, you know what what potentially might they inadvertently be picking up? Um that we’re saying we want to exercise extra care there and try to mute them if we can or maybe hold those conversations in a room that doesn’t have that device in it. Is that something you’re hearing as well? Amy?

[00:12:17] Amy Mclaughlin: Oh yeah, I think that is true for both for IOT devices and the other device that people don’t necessarily think about until it’s too late is cameras, webcams on laptops and what all they show of somebody’s home. So if you’re working or attending school through an online interface and you have a webcam enabled and you’re having a meeting or you’re in a classroom, what is showing up in your workspace in your school space that maybe isn’t something you wanted to share with the public, you know? Um

[00:12:58] Ryan Cloutier: Well I think you’ve got a great

[00:12:59] Amy Mclaughlin: that’s is inviting people into your private home space. Well, very visible way.

[00:13:03] Ryan Cloutier: And the other thing to be aware of um I have unfortunately seen a growing trend of teachers screen Shotting their classrooms and and posting it as a matter of pride on how they’re successfully navigating this remote schooling and you know that presents a different set of privacy considerations right? We want to be careful and thoughtful about you know sharing that type of online learning environment because we are you know looking into the private homes of these students. We are you know in a lot of cases um potentially doing so without direct consent. I don’t think the directory information policy covered um group chat on zoo. So I think there’s there’s definitely new considerations there. Um pro tip is cover that webcam if you’re not using it. The other thing is is we want to make sure that you’re aware of virtual private networks and that as much as possible and this is to any district technologists that might be listening here. Um as you roll out your remote school plan really take great care and caution to set your VPns up correctly and ensure that the VPNS are enforced on any district owned device. Uh For those that are you know at home remote workers a lot of your companies already have this in place if you work for a larger company. But if you work for a smaller company and you don’t have a VPN you might want to talk to your I. T. Team about what it would take to get one in. There’s a lot of great and inexpensive options out there. Um and it really is that extra layer of protection that helps keep you and the school and and company data that you’re handling safe. We’re going to move on. Yes.

[00:14:46] Amy Mclaughlin: Just for those folks who aren’t aware, um VPN helps encrypt your data so that other people on the same local network can’t see what you’re doing. That’s the simple explanation.

[00:14:58] Ryan Cloutier: Absolutely. Thank you for that. It’s it’s about trying to keep things well, just like coronavirus. Right? So we’re practicing social distancing distancing. So we can think of a VPN as digital distancing. It’s a way to keep uh individuals separated from each other so that it’s harder to spread infection. Uh into that point, let’s let’s move on to keeping clean um, physically and digitally, you know, that’s a really hot topic. Um you know, around the world over the last week, we have seen a hygiene product in extremely high demand. Uh folks definitely want to make sure that a certain part of them is is very clean and and have acquired all the necessary supplies to do. So, some of us are referring to it as the TP crisis of 2020. Um it’s getting a bit silly out there and I think, you know, most of us have had some kind of personal experience now with a completely sold out TP I’ll, but to that point, you know, how do we keep these digital devices digitally clean but also um keeping them physically clean. So we know antivirus and anti malware are are must have I like to think of them as the hand sanitizer of the computer world. Um you know, the important part about that though is to make sure that you’re actually scanning so when you do install this stuff set it to auto scan. Um the other thing that I would encourage you to do is is think about um how often you know you’re doing updates, do you have automatic updates? You know, these types of things will definitely help keep you digitally clean. Amy in a in a education setting. You know, one of the things that we’re hearing a big amount of talk around is is kind of device support and device recapture. Can you kind of share with us your thoughts around you know, safe ways when that tech support needs to actually recapture device safe ways to not just keep it physically clean but digitally clean.

[00:16:58] Amy Mclaughlin: Yeah. You know, the interesting thing about devices is quite frankly um phones and laptops are some of the most dirty devices out there. Uh so this is a really big recommendation for anybody but especially protecting two will be re capturing devices, redeploying them and handling them extensively. Um really working hard to keep keyboards and touch screens clean and well kept um before deployment and when you receive them back and also at home. Right. Uh you know, we were laughing earlier about tp but you know, think about how often you’re touching your cell phone or your laptop um while eating or while doing some other activity that can transfer germs onto viruses onto the device or transfer anything onto the device into you. So um I’ve done quite a lot of research actually on cleaners lately because there’s a long list of things that you don’t want to use. So for a keyboard. I mean easy options uh take a if you can find them uh you know an antibacterial wipe and squeeze out most of the moisture and wipe the keyboard. There are also keyboard cleaner specific wipes. Actually there are a little easier to find right now than just your standard antibacterial wipes because you can get them through computing catalogs. Um And online retailers and they haven’t quite sold out in the same volume as your standard grocery store issue. And then you’ve got you know, soap and water and I don’t mean like a ton of water. I mean like a lightly damp cloth to wipe off the keyboard. Do not scrub your keyboard with like dish soap. Just take a light damp cloth wife over the keyboard and the screen and dry it again with another damp cloth. And when I say a cloth, I mean like micro fiber cloth, something soft, avoid using tissue paper, paper towels, anything scratchy that’s going to damage your monitor surface or your phone surface because that’s going to end up damaging your device and making it not last as long whatever you do do not use abrasive cleaners. I know there’s a real temptation to grab like Windex or um, you know, you

[00:19:29] Ryan Cloutier: want to keep, you want to keep the Ajax away from the keyboard, right? Don’t

[00:19:33] Amy Mclaughlin: know, Ajax, no toilet scrubbers on your keyboard. Well,

[00:19:38] Ryan Cloutier: and one thing I would I would call out to is just use reasonable pressure when touching the monitor. Right? So when you’re cleaning the screen, no need to pretend that you’re the hulk, right? Take it easy, give it a good wipe, give it a thorough white, but really want to be cautious, not depressed too hard. And, and that kind of leads me to the next point, uh school administrators. Um, and you know, I. T. Professionals, uh, if you’re responsible for the support of these devices, you really should consider putting together care sheets. Uh, while we would like to assume that everybody kind of knows how to do this. Um, a lot of folks actually don’t. And you add panic into the mix, you add stress into the mix. You know, kids are at home now, parents are trying to work. I’m looking forward to the cavalcade of, of hilarious videos where the, where the toddler burst into the board meeting. Right? Um, we’ve seen a few of these on youtube, it’s only going to increase with time. Um, you know, while that’s going to be, you know, a good source of entertainment when we’re stuck inside ourselves. Um, I think it’s important to get a care sheet out with those devices, especially for districts that are going to be hold

[00:20:53] Amy Mclaughlin: on and say well and I think you want, as districts are recapturing repurposing and working with large volumes of devices, I think it’s important to work on protecting tech staff from um, the transfer of anything that could be on those devices. So thinking about issuing gloves for tech staff, working with a large volume devices, reminding people to wash their hands routinely, especially when handling devices that have been in other people’s hands have been coming in and going out. So those kind of basic health and safety precautions in order to keep district technology stuff safe are also going to be really important,

[00:21:33] Ryan Cloutier: completely agree. And I think to um lastly on that topic, um, when communicating to parents, you know, how to, you know, safely maintain these devices. It’s also important to communicate to them. Any changes that potentially have occurred with regards to any content filtering or uh, internet access availability that may exist or any additional responsibilities that the parent that now needs to take as the at home tech support if you will for the student. I think some districts are exploring a hybrid model of educating mom and dad on some basic tech and troubleshooting tips through through video through different uh papers if you will. Um, you know, think, think long and hard about how you’re going to engage the parent because you know as we go to a more isolated state, they really are going to be that first line of physical tech support. Um Obviously we want to limit the amount of, of devices that need to be brought back to the school wherever possible. We want to limit the travel of those individuals and those devices um so really give deep consideration too, you know, how you’re going to work with the parents in a in a tech support situation that leads us to our next point which is keeping accounts safe. Um Number one, we really want to limit the sharing of passwords via email. We in the security industry understand that that is a practice that unfortunately is probably going to increase but it should be noted that email that is not encrypted is easily read by just about anybody um if they’re looking to read the email and it’s going across the net and clear text it is, it’s relatively easy to intercept and read. Um so really try not to share passwords via email if you can and as much as it’s practical leverage automated password resets. Um Most of us these days are operating the majority of our district in the cloud from a learning perspective from uh in a lot of cases a student information systems perspective um so we wanna, we wanna, you know leverage those automated resets wherever we can. Um the other big yes,

[00:23:56] Amy Mclaughlin: I’m going to jump in here and just point out a couple key differences between passwords that can be email is like sitting, you’re putting your password on a post garden and sending it in the post because the postcard isn’t protected by even an envelope, it’s just text wide open. Whereas when you’re using a leveraging an automatic password reset option, those are usually encrypted connections back to the host of the application. So that password, the automated reset is done through encrypted format as opposed to a postcard.

[00:24:29] Ryan Cloutier: So more like the security envelope that my check would come in, right? So 11 would be like a postcard and the other would be more like a like a bank security envelope.

[00:24:40] Amy Mclaughlin: Exactly. So when you think about it, that’s why leveraging the automated reset is such a superior option.

[00:24:47] Ryan Cloutier: I like it, you know, and one of the other things we want to think about um as we congregate together uh and this will be an interesting social experiment. There’s a lot of families that are either going to get closer together or less less enjoyable to each other with with close confinement for for all day every day. But we want to try to limit sharing those devices. It can be tempting sometimes um some of us are work devices is much more powerful than our home device. Uh Sometimes uh we’re in a situation where maybe that is the only computer in the home and and so we do end up using it for non school or work purposes but we want to try to limit sharing of devices as much as we possibly can. Um Amy do you have any tips for us on how to kind of implement that practice in our lives if you will. Especially if it’s something that we’ve been previously doing and we’re comfortable with.

[00:25:49] Amy Mclaughlin: You know, I think one of the challenges of course is that as you mentioned, a lot of people may only have the one device. So I think if you can use separate devices for separate functions, it’s a really good idea to do that. If for some reason you can’t then look into the device that you have and think about how you can use the operating system on the device to segment out the functions. So maybe creating separate user profiles based on the function to try to limit the crossover between your work and your personal or your work in school will be one way of handling that. Uh That way when you’re logged in into a work environment you’re working and you’re not acting using personal things where you could contaminate your workspace.

[00:26:39] Ryan Cloutier: That’s really great advice. And on a personal note for those of you that are going to be working at home, um showers and hygiene and dressing for your day is still greatly appreciated. Uh While I have developed a bedhead bingo card for the various meetings I’m going to get on that have gone beyond casual. Uh you know, think, think and treat this digital time as you would your physical in real life, because it is, I mean, the reality is is even though we’re gonna be stuck in our houses and we’re going to be having to make all these, you know, accommodations and changes to what we’ve grown accustomed to his daily life here. Um try to keep in perspective that, you know, a fresh look and, you know, being hygienic, um helps really set morale and tone um for as much as I had enjoyed to get a tour of all the various, you know, forms and formats of people’s, you know, at home loungewear. Uh I don’t know that that that’s going to help us maintain the professionalism and so as you as you think about how to dress for your day for your students, as you think about how to dress for your day for your co workers, um that’s just kind of a personal thing, because I’ve already started to see a bit of a trend towards uh towards the super casual if you will. And to that point actually, I

[00:28:01] Amy Mclaughlin: think there’s a really good psychological reason to do that. And here, let me, you know, my old my old psychological life here um is that, you know, by getting dressed for work and setting the tone that okay, I’m sitting down and I am at work or I am at school, you’re putting yourself in a physical and mental mindset and space that says the behaviors that I’m doing right now need to be work appropriate. So if I’m reading my email, reading it in the context of work and thinking in terms of, is that an email I should be responding to in my work environment, Is this an appropriate, you know, is this sufficient attack? Is this appropriate for how we interact at work as opposed to, you know, feeling like I’m casual, I’m at home and they need relaxing a bit, not actually thinking as critically, right? Because that’s great advice place we go to relax, so

[00:28:59] Ryan Cloutier: yeah, no, I think that’s great advice and you know, to that to that end, I think having a as much as is reasonable and practical in your space, having a dedicated area for work. I myself, I work from home a lot. I’m doing this podcast from home. Uh my workspace is a sacred space. It is for work, it’s not really for entertainment or, or being at home. Um and that helps me stay very focused to what I’m trying to do um as much as you can do that, I know some people are just setting up camp in the kitchen because that’s what they’ve got to work with and you know, I I encourage you to do your best to make whatever space you have available, um be kind of focused and dedicated to work and our school it is going to help you be more successful in this remote setting and to that end? Um We’re going to close out on our last point which is not to take shortcuts. Uh we’re all in a mass scramble right now to do whatever we can do to keep this pandemic if you will. Um at bay right. It’s you know, how do I we’re practicing social distancing. We’re working from home or you know, some states are closing bars and restaurants. The guidance I heard this morning uh coming out of the C. D. C. Now is no more than 10 people should be gathered together at any given time which kind of starts to change what daily life looks like and and so on. Our rush to re adjust to this new reality. We want to be careful, we’re not deploying technology so quickly. We’re not able to take basic security measures. And this is especially true, especially true in the world of schools where we are, you know, moving our classrooms to these, you know distance learning virtual learning environments where giving devices to students that maybe previously didn’t have them. Uh we’re having staff work from home which you know in a school setting is is relatively new. Some districts have had the learning days to kind of dry run this. But as I’ve heard from several uh district leaders that I’ve been speaking with an E learning day is not equal to long term distance learning and so amy can you kind of tell us a little bit more about, you know, that long term distance learning but also what are some of the steps and and things we want to think about is we are deploying this technology to to make sure we’re not missing some of the basics.

[00:31:42] Amy Mclaughlin: So yeah, I think, you know, one of the things we need to think about when we look at long term distance learning is that we have to make sure that we’re studying up environments for the for the long haul. It’s not a hair get this out to you. So you can be at home for a day or two. It’s really a more thoughtful products us. So I think one of the challenges as I see people ordering large volumes of chromebooks and laptops and ipads is um not deploying so quickly that we forget to take really basic security measures because once those devices are out the door, once those systems are set up for home learning, if we haven’t thought through the security requirements beforehand, it’s going to be really hard to bolt security on, on the back side. So thinking through really simple basics, did we change default credentials on the devices or can our students break into these and make these devices, whether there are hotspots or um laptops, ipads, can they get in and add applications or change, you know, web content filtering. So um making sure those default credentials are turned are are reset are changed to a password that isn’t available to students um that the drives are encrypted so that if if faculty member teacher loses a laptop or it’s stolen has student information on the drive is encrypted and they’re protected, the data doesn’t get exploited. Um And using the simple tools that already come with the devices, right, turning on automatic updates. Let the device manage itself.

[00:33:22] Ryan Cloutier: Yeah, I think those are

[00:33:23] Amy Mclaughlin: students to accept them.

[00:33:25] Ryan Cloutier: Right. I think those are all very valid points. You know, one of the, one of the things I’ve heard kind of coming out of the private sector right now. Um

[00:33:33] Amy Mclaughlin: and there, you know, there

[00:33:34] Ryan Cloutier: are a couple steps ahead. Uh some, you know, as early as two weeks ago some of the larger organizations began to transition non essential employees to remote work. Um And I know when speaking to one of my colleagues um just just here today, uh their organization has put out some pretty aggressive measures all employees are to remote work if they’re unable to remote work, they’ve they’ve gone to kind of a deferment program if you will. Um as far as I know everybody’s getting paid. But the big issue that they’re having, there’s a lot of the systems that were set up for remote access to to kind of manage the day to day uh weren’t set up for long term remote access and and they’re having issues where they’re kind of kicking each other off the systems, they’re, they’re trying to remote in and do their daily work. But those remote access setups were really designed for kind of middle of the night, emergency access, not multiple employee long term use. And so you know, as you’re, as you’re setting up these environments and a lot of, you may be setting them up for the very first time or you may be expanding what was once just a handful of VPN users to now encompass your entire district. Really be planned fel and thoughtful about ensuring that each employee has a unique credential um that you have the appropriate type of remote access set up. Um, so that they’re not all terminating to a single jump box And this is more to my tech directors. Right. As you guys are getting into managing servers and databases, insists and you know, um, you know, meals, meals and fees and activities type services. Um really look at, how is your remote access setup? Are you just going on a shared account into a single jump server or do you have unique credentials? Are you remote in directly into the boxes? In some cases? You know, there could be additional security concerns for remote. Ng direct into the box, definitely by no means am I advocating direct internet exposure for any sensitive system. I think that is unwise move while it might be the easiest way to get access to that system. It is also the most unsafe way. So as you, as you set these things up, make sure you’re taking all that into consideration that you’re setting up automatic updates that you are doing the local firewall that you are encrypting drives. If you can do that if you’ve got a Windows environment it’s you know, make sure turn on that bit locker um in chromebook, go into your G suite administration console and see if you can configure encryption on those chromebooks. Amy do you have any kind of pro tips if you will around drive encryption because I think that’s a that’s a huge component here as we take these devices out of our schools and out of our offices is maintaining that physical security should that device be stolen or compromised?

[00:36:36] Amy Mclaughlin: Well, you know I think the first tip is that now most devices come with encryption options already built into the operating system. So the easiest thing is to actually leverage what comes with the device and then make sure that you have a really solid plan for how you’re going to store the encryption key for each device because you’re going to get an encryption key when you encrypt the device and you’re going to want to um store it now in my environment, we actually record the encryption key and our active directory so we can track the encryption key back to the device and that way we know the device name and the encryption key and it’s in our inventory and we know where it’s deployed. So that’s my pro tip. Um I think making sure it becomes part of your inventory is really key so that you lock yourself out of the device. That’s going to create a lot of extra work.

[00:37:31] Ryan Cloutier: Yes definitely. So to kind of recap stay calm, think before you click your share, focus on your at home security, make sure you’ve done all you can to ensure your devices are up to date and you’re doing your part. So just like with social distancing, covering your cough, coughing into your elbow, you know all these different things that we’re doing right now to protect ourselves, our families, our loved ones in each other. Um we’re gonna make sure we’re doing those steps digitally as well and we want to keep our devices clean, we want to keep ourselves clean. Um we need to keep our accounts safe and take whatever measures are necessary to do so and we want to avoid taking shortcuts and you know my personal take on all this uh to all of you and to you amy as well as is to say this is the time to be kind to be calm, to be thoughtful and to be considerate. I know these might seem like foreign concepts given the current generations and times that we’ve lived in but no time in my lifetime has it mattered more than now to show a little kindness to each other. You know, people are going to get sick. People are going to be stressed. People are going to have challenges financially emotionally. This is an unprecedented time that we live in and I think it calls for unprecedented kindness and consideration. Amy in closing, do you have any kind of tips for folks on, you know, especially given your background in in mental health and and family therapy? Any tips for how to manage? I mean being stuck inside for you know, 14 plus days can be quite challenging. I know living in Minnesota just the winners alone. I mean we have a saying for it. It’s called cabin fever and most of us have been inside all winter already. So it’s, it’s even more intense for some of us,

[00:39:35] Amy Mclaughlin: it’s like an extended snow day. Right? So you know, my tips for folks with this. Um, first of all, give yourself adequate rest, make sure you’re getting enough sleep, make sure getting plenty of light and fresh air while we say, you know, stay home and socially distance. That doesn’t mean that you can’t sit out on the back porch. That means it doesn’t mean you can’t take a walk around the break, getting, you know healthy fresh air exercise. Um, and also finding ways to have social interaction. So we are fortunate that we live in a time where there is technology available to us pick up the phone and call your friend, pick up the phone and call a family member. Um you know, one of the interesting things is right now, there’s unprecedented levels of loneliness already. And then we’re now telling people to isolate themselves, but we’re talking about physical isolation, uh not um not social isolation in terms of conversation. So find other avenues to connect with people, right? Um and set up a video conference call or face time on the phone um and and take the time to get in touch and stay in touch with friends and family. And you know, I’m going to say that if you have pats, take the time to pat your pets. Um there’s some good data out right now that for example, covid doesn’t spread through dogs. You got a dog hide your dog. Physical touch is really healthy for us, petting cats and dogs and horses, goats, whatever you have access to is um very therapeutic. It’s been shown to reduce blood pressure and improve mental and emotional health. So uh and it’s important for us as social beings. So leverage that as an option as well. I think, you know, this is also a chance to um if you’re not for example commuting an hour each day each way each day, you know, take the time to spend time on relationships, you may not be able to see people in person, but connecting will help really ease some of that cabin fever.

[00:41:44] Ryan Cloutier: I think that’s just fantastic advice. I know my dog lucy has been a tremendous uh place for me to, to go to kind of decompress from the day, just giving her some pets and belly rubs. Um you know, it’s, it’s good for me, it’s good for her and and it just kind of improves the overall quality of life. So I think that’s really great advice. Well with that we’re gonna close uh this inaugural episode of the K 12 cybersecurity podcast, very serious topic today. But as we move forward, we’re going to continue to give you pro tips on how to keep yourself and your family safe from cyber crime, how to help your school organization get going and continue along on their security journey. You can follow along on social media. I’m @CloutierSEC on twitter amy, what’s your twitter handle?

[00:42:42] Amy Mclaughlin: My twitter handle is @LumosGravitas.

[