Consortium for School Networking (CoSN) Report

Unsecurity Podcast

In this week’s episode of the UNSECURITY Podcast, Evan and Brad take a deep dive into a recent report from the Consortium for School Networking (CoSN) titled “The State of Edtech Leadership in 2020.”

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Hey everyone. Welcome to the Unsecurity podcast. This is episode 79. The date is May 11, and I’m Evan Francen. With me today is my co-host Brad Nigh. Good morning Brad.

[00:00:32] Brad Nigh: Good morning Evan.

[00:00:35] Evan Francen: See I told you and I knew you would say that. I wrote it in the show notes.

[00:00:42] Brad Nigh: I mean I am a super nice guy like that

[00:00:45] Evan Francen: Totally right, so I nailed that one. That’s good. That’s a good way to start off on Monday. Uh, we’ve got a good show planned today. You and I both, we really love helping people, and I think we’re going to cover some things in this episode that should help our listeners. Um, before we get too deep though, let’s catch up. It’s uh, it’s what we do every week. So how are you doing? What’s new?

[00:01:10] Brad Nigh: Uh, you know, IR. More IR. We actually caught the attack pivoting last week. We saw it go from, we knew it was on an infected machine. Uh, we saw it almost as it was happening, within minutes of it happening, uh, reaching out and trying to copy the infected, you know, beacon file across two different machines. So we got the whole kind of attack chain. Luckily, things were in place to block it, so it didn’t infect those other machines, but it’s kind of cool to see. Usually you don’t see that right in the IR, you come in after everything is completely, you know, controlled anyway, so

[00:01:57] Evan Francen: after things are completely owned,

[00:01:59] Brad Nigh: You know, it’s kind of interesting to see. It reached out over TCP 135, 139, the RPC port, can’t remember which one it handed. Yeah, um, made that connection, and as soon as it got that, it tried to do a copy across of an executable that we knew. It looks like it’s Emotet. Blocked the copy. But wow, it’s kind of cool to watch that.

[00:02:29] Evan Francen: So this came in last week.

[00:02:31] Brad Nigh: Yeah, this is the ongoing IR we have

[00:02:34] Evan Francen: the one that we were talking about last week?

[00:02:36] Brad Nigh: No, that that was a different triage call?

[00:02:38] Evan Francen: Okay.

[00:02:40] Brad Nigh: Yeah, this is the one that we knew we had two machines that looked to be the command and control, but they were production machines that they just literally could not take down. So we’re keeping an extra close eye on it. Mhm. And since that happened we were able to convince them to expedite, and it has now been put into quarantine and a replacement stood up. So we’re going to see if there’s any activity since we got that, that happened and the next day they basically put them into quarantine. So it was pretty cool.

[00:03:11] Evan Francen: Okay, wow. All right, so how much longer before you don’t have to work incident response?

[00:03:18] Brad Nigh: I was mostly covering because Oscar took some PTO last week. So

[00:03:24] Evan Francen: what’s that? We still do PTO.

[00:03:26] Brad Nigh: I know

[00:03:27] Evan Francen: it was cold, but I thought no PTO drink

[00:03:29] Brad Nigh: dedication. He needs it because we know the wave is coming. So just, just helping out. It was pretty, I mean it’s fun. I always have fun trying to hunt that down, and it is fun. But yeah, you talked about it, it’s disruptive like everything else you’re trying to get done, but the team did a great job.

[00:03:51] Evan Francen: Cool. So is that IR all wrapped up now, or do you still have a lot of work to do?

[00:03:55] Brad Nigh: There’s still a lot of cleanup and forensics to try and figure out what exactly happened and things like that. Uh, they were able to grab a copy of that. Well, it’s kind of interesting to watch and kind of reverse engineer the scripts. You see it running out and hitting certain IPs, certain DNS names. We were able to have them block that, but it executed in a sandbox and it reaches out and pings a specific, um, DNS name, and if it doesn’t get a response, it just sits quiet and just runs. It runs in a hidden command prompt, man, you don’t even see it. And what does, uh, Task Manager show running? Yeah. And then if it gets it back from the DNS, that’s when it actually executes, when it gets the response. So you don’t get the whole script of what it’s doing. So you can only decode certain parts of it. So

[00:04:57] Evan Francen: Interesting. All right, well, all work and no play makes Brad a dull boy. What else you been up to? Uh, you know, that comes from a classic movie, by the way?

[00:05:07] Brad Nigh: Yeah. Yeah. We did a bunch of board games and stuff yesterday for Mother’s Day. Cool. Throw Throw Burrito is a lot of fun for kind of the family with the younger kids. Throw

[00:05:24] Evan Francen: Throw Burrito. Yeah. Do you actually throw burritos?

[00:05:27] Brad Nigh: Yes, they have a little like stuffed burritos. You throw at each other.

[00:05:31] Evan Francen: I would like that.

[00:05:32] Brad Nigh: It’s pretty fun. It’s very competitive.

[00:05:35] Evan Francen: So that’s a better game than throw throw in ville

[00:05:38] Brad Nigh: a little less painful, your bruises,

[00:05:41] Evan Francen: a little less blood, probably less jail time.

[00:05:46] Brad Nigh: Yeah. That just some, you know around the house is kind of gross this weekend. So I couldn’t do much.

[00:05:53] Evan Francen: Yeah. Yeah. I didn’t get to ride much this weekend. I think I rode around the block just because I was cleaning out the garage. Uh, yeah, it’s um, when you saw where I started off the show notes this week, you know, 56 days we are now into, you know, kind of the office being shut down, and I was thinking this weekend, man, I can’t remember April. April happened, you know, it was just so different, everything was so disruptive, and like April just came and went and it was like, did anything happen?

[00:06:31] Brad Nigh: Everything just blurs together.

[00:06:34] Evan Francen: It’s nuts, man. So that stuff sort of led me to thinking about, you know, some of the other things, you know, I get asked, you and I get asked a lot of questions about security stuff, and you know, a lot of times people ask these questions that are like, I’ll give you the classic one. You know, management comes and asks you, so Brad, are we secure? Right? It’s like, well, I mean, in context of what and in relation to what? Yeah. So you know, this whole COVID thing, you know, it kind of puts my whole life kind of like that, it seems like a little bit, you know, just like, are we safe? I don’t know. I mean, are we okay? I don’t know. You know, it’s just weirdness. I spent Saturday, you know, I spent, it was really cool, I spent like nine hours, maybe eight, with my son Joe over at his house doing some electrical work. Yeah, it was cool. We put a new GFCI outlet on the outside of his garage and, cool, yeah, wired up maybe, I don’t know, 67 outlets in his basement. So it was kind of fun.

[00:07:50] Brad Nigh: It’s fun to do that. So I enjoy doing this. I think, you know, working with your hands is so different than what we do day to day. It’s kind of a nice break.

[00:08:02] Evan Francen: It is, man, it just gets you away. I spent more time in my garage in the last, you know, 6, 7 weeks than ever. You know, I’m building stuff, like I built a platform to put, um, one of our generators, you know, gas generator. I wanted to get everything off my floor. So, you know, I built a platform, put the generator up, and then, uh, probably gonna, you know, route the exhaust outside. Yeah, it’s a gas generator. It will create fumes and all that. So I did that. Mm, that’s about it. And then you get back to work on Monday. And I got up early, and you were mentioning before we started this episode that you had trouble sleeping last night. I got up at like two, you know, Mondays for me, Monday mornings are just weird. So I got up at like two, came in, uh, you know, wrote up the show notes, did some other stuff. But yeah, life is weird, man. I don’t know what the hell normal is.

[00:09:13] Brad Nigh: I know, and I think it’s gonna be like that for a while. I

[00:09:17] Evan Francen: mean, because I say, you know, the new normal or getting back to normal. It’s like we’ve been in this for like 8, 9, 10 weeks. Some people more. I don’t know what normal is. Yeah, I mean, it would normally be back to the way it was prior to this.

[00:09:36] Brad Nigh: I don’t think so.

[00:09:38] Evan Francen: I don’t know, man. So I don’t know. We’ll just keep trucking through, you know, try to keep your head up. Try to keep focused on, you know, something good for people. Uh, all right, well, that’s good stuff. So, um, anything else, you know, in terms of this weekend, fun stuff, you got anything you’re looking forward to next weekend, this week?

[00:09:59] Brad Nigh: Hopefully the weather turns nice and get out and do some fishing. Just get out of the house. Yeah.

[00:10:04] Evan Francen: Yeah, hopefully we’ll get a ride in. I think, uh, I think Jim Nash might be coming over to my house this afternoon. We’re supposed to sit out in the backyard, smoke cigars and talk about strategy for, um, state, local government. But, yeah, I don’t know if I’m gonna do that because we got class tonight, you know. MTV.

[00:10:25] Brad Nigh: Yeah, it’s a long and you’re teaching as a long day. You might you might need a nap in there.

[00:10:31] Evan Francen: Yeah, I don’t know that. A lot more energy drinks. Yeah. Like I noticed that. Where the hell did I stop? Uh huh. Remember when I stopped at Holiday maybe and got energy drinks. They have the Bang Power Punch, which is pretty cool. My battery looks like it’s gonna die. Mhm mhm, my battery is gonna die? Uh, mhm, maybe this charger doesn’t work.

[00:11:10] Brad Nigh: I’ve had it or sometimes yeah, it freaks out. Unplug it and plug it back in and it will be fine. Mm

[00:11:17] Evan Francen: Yeah, well uh exactly, that’s why I was, that’s why I was just looking around Oh crap, It’s got a message saying the battery is going to die but its end. We’re good now. All

[00:11:33] Brad Nigh: right, live troubleshooting,

[00:11:37] Evan Francen: right? Yeah, live troubleshooting. I don’t know what exactly went wrong. But anyway, so I came in this morning. They have these Power Punch, have you ever seen, have you ever had these?

[00:11:46] Brad Nigh: Not the Power Punch, but I’ve had some of the other Bangs.

[00:11:49] Evan Francen: it’s like cohesion treat but looks good stuff in it.

[00:11:53] Brad Nigh: No. Yeah, listen there uh you have to take them easy. I drink one a little bit fast the first time I definitely feel a little pretty jittery there.

[00:12:05] Evan Francen: You build up a big tolerance. I was talking to some of the security people that did come in last week, you know, a very limited office open, and we were talking about somebody who went out and got more Red Bulls, stocked up the fridge. We were talking about, you know, how many energy drinks we drink, and I know it’s not good for me, so I don’t need anybody sending me messages saying, oh, or whatever. Uh, I drink four or five of these a day. Uh, so people are like, dude, you must never sleep, you can’t sleep. I sleep like a baby, man. So I think you just build the tolerance. And then now, you know, I think my body’s adjusted to it, uh, so I don’t think it’s really that unhealthy for me anymore. I mean, I think if my body hadn’t built like a tolerance for it, then it, you know, probably would be worse for it. I don’t know. I’m not a doctor, thank God.

[00:13:06] Brad Nigh: any nine points that you’re able to To work at two a.m.

[00:13:10] Evan Francen: Yeah, yeah. Thank God I’m not a doctor, because I think all my patients would probably be dead. So I am good at security, so I’ll stick to that. All right, so this weekend, uh, somebody, a good friend of mine, somebody who follows me on Twitter, uh, just an amazing person. I enjoy reading what she writes and all this other stuff. But she asked me for my opinion, you know, getting back to kind of putting things in context. She asked me about my opinion on this article, and the article is “K-12 Tech Leaders Prioritize Cybersecurity, But Many Underestimate Risks, Survey Says.” So if you go to the link, it’s at Education Week. So blogs.edweek.org, that’s where you can find the article. The article has a reference to a really good report that I think CoSN put together. Um, that’s the Consortium for School Networking. And I dug into the report because, you know, I wanted to give her some opinion, right? So after I’m kind of going through this, I’m like, oh my God, I have a lot of opinions. I don’t have just an opinion. Yeah

[00:14:32] Brad Nigh: You will. I didn’t read the whole thing, I read, you know, you put a bunch of stuff in there, and read kind of the overview of it. It was, uh, right, there’s a lot of contradictory things in there.

[00:14:47] Evan Francen: Oh yeah, for sure. And so the report, you can go to the annual report, and the link is this annual report that CoSN does. I think it’s really well put together. The name of the report is “The State of Edtech Leadership in 2020.” Um, and in that link it’s a 40-page report, there’s a lot of stuff in there, but it really covers all kinds of things about, you know, IT and not just security stuff. Um, so I read the article, and at the very beginning of the article there’s this quote that says, fewer than 20% of edtech leaders marked any items on a list of cybersecurity threats as high risk from their perspective. Yes. All right. Uh, so then it gets me thinking, like, what’s your definition of cybersecurity? What’s your definition of high risk? Where are you getting your list of threats? Tell me a little bit about your perspective. Um, and you read so many articles like this all the time where it’s like they cite these things like high risk or medium risk or cybersecurity, information security and all these things. And I get to thinking, like, does anybody know what the hell they’re talking about? Or is it me? Or is it? No,

[00:16:12] Brad Nigh: it’s not. You I had the same thought. I’m like, okay, so what’s high risk? Like how, I mean, did they define high risk for them? Do they expect everybody to have their own definition of high risk? I mean, how can you say it’s high risk without defining high risk?

[00:16:32] Evan Francen: Right. Right. And so those are the three questions that came off right away, and I’m not even through like the first paragraph of the article: how do edtech leaders define cybersecurity? Mhm. What’s on their list of cybersecurity threats? And what is high risk? So you dig in and you get through all of this stuff and you find out that, you know, there’s some key quotes in that CoSN report. I’m looking for the answers to these questions as I’m reading the report, right, and you don’t get answers, uh, in the report, which is no fault at all, you know, on the part of CoSN. I think it more just kind of gives you a better view of the state of security in K-12, or information security, cybersecurity, whichever one you want to. They are obviously two different terms. But, you know, let’s say that they’re using them interchangeably. One of the first, you know, kind of key points in that CoSN report is: cybersecurity remains the number one technology priority for IT leaders, yet the threat is generally underestimated.

[00:17:50] Brad Nigh: Yeah, I would definitely agree with it. It gets a lot of lip service and then not a lot of support, uh, as a general observation. Obviously there’s certain schools that are much better at this than others. But yeah, that would align with what I’ve seen.

[00:18:15] Evan Francen: Yeah, and it also, you know, as you go through this, it seems like there’s been such a rush to go do something, not necessarily the right thing, and not necessarily understanding what this actually means. Like, what is information security in a school? Yeah. What is it? Well, define that first, and then they talk about risk. Like, it’s, you know, I could say, just a two-bit phrasing, what is risk? How are you defining this? These things are fundamental things that are really, really important before I go and spend a bunch of money on something. I better understand what I’m spending my money on.

[00:19:00] Brad Nigh: Yeah. Well, in there, you know, this is where it really started jumping out at me. It’s like, 69% of districts say they’re proactive or very proactive. But only 18% have a full-time employee whose sole job is cybersecurity.

[00:19:17] Evan Francen: Right? Is it connected there? What is proactive? Is proactive the fact that you’ve talked about it? Is proactive the fact that you’ve written a policy, that you’ve bought a firewall? I mean, yeah. And I think this whole thing, when you look at information security and you take it out of context, you can make it as pretty or ugly as you want it to be, just like anything. You know, if you take something out of context. Yeah, we’re proactive. Well, show me on what. But we got a firewall. Okay. On that one little point, yes, you’re proactive. You bought a firewall. And I’m not faulting K-12 by any means, and I’m not faulting edtech leaders. What I’m faulting is, uh, just, I guess, general ignorance of what information security is and how broad it actually is.

[00:20:20] Brad Nigh: Yeah. I would say this is not limited to K-12 by any means. Not at all. Right. And it’s, I’m actually impressed with the report because there’s a lot more transparency here that you see from most other sectors.

[00:20:35] Evan Francen: Alright. And K-12 in general hasn’t been well supported here at all. Right. Even edtech in general isn’t supported very well. Most edtech people, I think, uh, weren’t specifically trained to be edtech people. You know, that might have been a teacher who kind of transitioned into that role, and they really have nearly an impossible job, right? You’ve got to keep the school running. You’ve got, you know, a bunch of little hackers running around. You’ve got parents, a seemingly limited budget. You’ve got parents, you know, breathing down your neck, and you’ve got administrators breathing down your neck. I mean, it’s not an easy job by any means. And so when I’m pointing out the faults, I think, in this, it’s not them. It’s the whole thing, the mess,

[00:21:26] Brad Nigh: we’ve said it in the past, right? The fact that, as security people, we haven’t communicated that well. It’s not on the, quote unquote, normal people that they don’t understand some of that. It kind of falls back on us for not doing a better job of providing support and communication.

[00:21:45] Evan Francen: Right? Right. So 69% of the districts say that they are proactive or very proactive, which we don’t know necessarily what that means, but it’s up significantly from last year at 52%. And I guess you could take the flip side of that coin too. I don’t want to be Negative Nelly, but I guess that means 31% are not proactive. Yeah. Or maybe 31% are honest. Or 31% have a different definition of

[00:22:13] Brad Nigh: proactive. Exactly. I think that’s the problem, is we don’t know how they define this. So you’re kind of stuck interpreting this and making assumptions.

[00:22:25] Evan Francen: Yeah. And again, it’s things taken out of context. I mean, you and I have done security for long enough to know you can look at any one part of security, maybe one that you’re doing well, and tout that, and discount everything else.

[00:22:39] Brad Nigh: It’s like doing some of those audits, right? You do a scope, and what’s in scope is fantastic, but everything else not so

[00:22:47] Evan Francen: much, right. It goes on to say districts employ a variety of strategies to minimize risk, including the vast majority in which staff training is a top practice, and a majority requiring teachers and principals to receive training as well, which is all good stuff that probably does minimize risk, but it’s not necessarily a risk management or a risk minimization strategy. Person

[00:23:16] Brad Nigh: wouldn’t say training staff is proactive. That’s kind of

[00:23:20] Evan Francen: Well, yeah, I mean, it helps, but it’s part of a strategy, right? But not a strategy, right? Not necessarily our strategy, but I guess, and maybe I’m being picky, but I just think it’s really important that when you look at information security, you view it holistically. You know, you take a broad look at all of it. So training is definitely, you know, certainly a good thing. Despite concerns, the survey also found that less than 1/5 of respondents, 18%, have a dedicated full-time employee whose sole job is cybersecurity. You know, I mean, I guess if you can justify a full-time job in cybersecurity in a school district, then, you know, maybe good or bad, I’m not sure how to interpret that. I’m not sure how big of a deal that is, because I know that a lot of school districts struggle so much with budget that it would be really hard to justify a full-time employee, yep, whose only job is cybersecurity. I think that’d be hard.

[00:24:27] Brad Nigh: Yeah, no, I I agree. And you know, that’s an and gosh, this will be tough.

[00:24:36] Evan Francen: Yeah. And maybe you could justify it if you put everything in context, you know what I mean? If you did, like, where we start with every single, not every single, but almost every customer we start working with is, let’s do a risk assessment, let’s do a holistic risk assessment. If you did that in a school district, you would either justify the need for a full-time cybersecurity role or you would not, you know what I mean? I think you kind of have to start there. So just the fact that you don’t have a full-time employee who’s dedicated to cybersecurity may or may not be a big thing. I don’t know.

[00:25:15] Brad Nigh: Yeah. And I think there’s so many variables, especially with school districts, because some are so much bigger than others, right? You might be in a smaller district that just doesn’t need a full time. You might have, you know, your sysadmin, network admin both do security stuff, so you have the equivalent of a full time, right? Because they’re kind of splitting their time, but you don’t need that, there’s not enough. But then there’s others that are big, especially in the cities and stuff. Mhm. Yeah. They probably should have somebody working on this, right?

[00:25:50] Evan Francen: Yeah. At least a pooled full-time resource kind of thing, you know, break and combine stuff. All right. So then, um, IT leaders feel phishing scams pose the greatest risk to network security, almost half, 49%, rating them as medium/high to high risk. It’s almost like we’ve got some sort of quantification there.

[00:26:22] Brad Nigh: Yeah, it’s like a 1-5 scale mustard all that

[00:26:27] Evan Francen: despite this results also show an overall trend to underestimate risk less than 1/5 of respondents considered any specific threat as high risk any.

[00:26:41] Brad Nigh: I mean. Yeah.

[00:26:46] Evan Francen: Yeah.

[00:26:48] Brad Nigh: I mean, I don’t even know how to respond to that. Like, you’re that secure? And we know that that’s not the

[00:26:59] Evan Francen: case. Yeah, yep. And then they do, you know, put in there in the report, again, I think it’s a fantastic report. They took the data, uh, interpreted the data, put it into a nice report, and it’s not a reflection of CoSN, it’s not a reflection of any one particular edtech professional. It’s just, I don’t get

[00:27:22] Brad Nigh: it’s a snapshot of where we’re at

[00:27:25] Evan Francen: with the industry. Yeah. They put in that this runs counter to the reality that school systems are being specifically targeted by cyber criminals, with reported cyber incidents tripling in one year. So while reported cyber incidents have tripled in the year, you still have less than 1/5 of the respondents who consider any specific threat to be at high risk. It’s interesting. You’re right. They do seem very counter to each other. Yeah, so all that stuff is fine. And I think one thing that K-12 could really use is some quantification of information security to put this into context. Some playbook that they can all play by, right? So then when you read medium/high risk, you know what medium/high risk is, you know what high risk is, because you know where your most specific or significant risk or threat, you know, is. It just seems like there’s a lack of sort of overall direction in any of this. But anyway, uh, moving on to the next point: artificial intelligence, promise and peril for IT leaders. I know we could throw more stuff at it. Yeah. Yeah, just, uh, I’ve always kind of had this saying that AI won’t compensate for your own lack of I. Mhm.

[00:29:05] Brad Nigh: Yeah. Very

[00:29:06] Evan Francen: true. Uh, there’s a lot of AI being sold out there that isn’t AI. I think most, I don’t know what percent, but a very big percentage of AI that’s being sold isn’t AI at all. Right. Um, so I mean, gosh, if you’re gonna go start down the AI path, it’s premature to say the least.

[00:29:35] Brad Nigh: Right? Well and to you know a lot of people see it as like the Holy Grail. It’s just blind trust it and it’s still you know built by people so you know there’s bugs and flaws in it and biases built into it. You can just plug and play forget it. You start to monitor any softer review and make sure it’s doing what you stacked and

[00:29:55] Evan Francen: stuff the patch it yeah

[00:29:59] Brad Nigh: yeah it patches itself, it learns when there’s a problem.

[00:30:03] Evan Francen: God. Uh, yeah. Right. So, but 55% of IT leaders anticipate that, of the emerging technologies, AI will play a significant or transformational role in teaching and learning over the next five years. Which is probably true. I mean, if you can embrace AI for what AI is for, I think that’s probably true, but, um, there’ll be big issues around information security if you haven’t covered the fundamentals. Right? Yeah, the fundamentals. First of all, define what information security is, and for anybody who’s in K-12, information security is managing risk. Right. And you can’t manage this without assessing it first. Right. To manage risk, you assess risk, make risk decisions, build roadmaps, execute, and then reassess risk, or assess risk continually. But you can’t manage it if you don’t understand it. Right? Agreed. So, you know, where schools should start is every single one of them should be doing risk assessments. If you’re not doing risk assessments, in my opinion, you wouldn’t be proactive.

[00:31:18] Brad Nigh: well, I mean, I don’t Yeah, I agree. How can you be proactive if you don’t know where your holes are, where your strengths are and what you should be focusing on.

[00:31:29] Evan Francen: And wouldn’t that be step one for you? Let me ask, you know, for you, would step one in proactivity be to do a risk assessment?

[00:31:38] Brad Nigh: It would be the first thing I would ask if I was coming in in that role is when was the last one done? Oh, we’re doing one. So Yeah, I guess so.

[00:31:49] Evan Francen: I just don’t know where else I would start. I guess maybe asset management, you know, having a very good grasp, because I certainly can’t protect the things I don’t know I have, right.

[00:31:59] Brad Nigh: You could possibly look at, you know, incident response, because if you come in and they have done nothing, you know, something’s probably going on.

[00:32:08] Evan Francen: Yeah. And I’ve always built, you know, that was usually like one of the first 1, 2, 3 things that would come after the risk assessment,

[00:32:16] Brad Nigh: asset management and incident response. Probably the biggest. Yeah. What would be your third?

[00:32:26] Evan Francen: I think Identity management.

[00:32:28] Brad Nigh: That’s not where I was going to go. Yeah.

[00:32:31] Evan Francen: Identity management. And I don’t throw identity and access management together. I treat them as two separate things that, once you get mature enough, you can start to integrate, but it makes no sense to go after, you know, hunt down access for identities that shouldn’t be there.

[00:32:45] Brad Nigh: Yeah. How many users do you have? 200? Why are there 3000 directory accounts?

[00:32:51] Evan Francen: Right. And, you know, 80% of them haven’t logged in in the last four years?

[00:32:57] Brad Nigh: Yeah. I actually had someone say they finally got some approval to clear out accounts. They had like 1,000-ish users and had like over 10,080 accounts. They just would build into an OU and just sit there forever. Right.

[00:33:17] Evan Francen: Yeah. So those things to me, I mean, when I think of proactivity, I don’t think of any one particular thing as being proactive, because you can pick any one particular thing and call yourself proactive, but you’re still negligent in the other 900 things. Right?

[00:33:34] Brad Nigh: Yeah. You’ve got to prioritize, and that road, that prioritization, understanding what the risks are, that’s where you start to get some proactivity.

[00:33:43] Evan Francen: Exactly. 100%. Because how do I know what to be proactive in? I don’t get how you can do this any other way. Mm. All right. So there we have defined for you, if you’re listening, we’ve defined for you what proactive is for information security. Uh, we’ve defined, I think, a little bit how to really identify what your most significant risks are. Right. We defined an inch. You can define your own inch if you don’t want to use somebody else’s inch. But find some sort of objective metrics that you can reapply over and over again to represent what risk is. Mm. What we don’t want is some subjective opinion about what risk is, right? High risk, medium risk, low risk. Um, because that stuff changes, man. I mean, you could catch me on one day versus the next. You know, if you asked me today, Evan, risk rate this high, medium or low, I might rate it differently today than I would on a Friday.

[00:34:50] Brad Nigh: Well, yeah. And there’s just so much at play, right? Like, that’s a low risk. Oh, there’s a known exploit that could be done remotely. Well, now it’s changed to high risk, right? Like, from a technical perspective.

[00:35:10] Evan Francen: You see, the thing is, when you’re making these risk decisions based on kind of faulty logic off the bat, or at least, um, then it permeates through the rest of your proactivity, the rest of your program. Right? So at least nail this stuff down, um, and then go rush off and do other stuff. But to rush off and do other stuff without taking care of these fundamental things first, it’s bound to be flawed. That’s just how it works. No. All right. Top three challenges persist for K-12: budget, professional development and department silos. I think that was good insight. I like, budget is always a problem, certainly in K-12. I’ve never had to justify a budget in K-12 before, but I can only imagine how difficult that would be. I think one of the things that you can use to help justify your budget is objective, you know, risk criteria, right?

[00:36:14] Brad Nigh: Make it easy for those that are making that decision to understand why these things are important. Why do we need money for these things?

[00:36:24] Evan Francen: Right. So, I think all these things are really tied together. And I’ve said risk assessment, risk management so many damn times. I get tired of hearing myself say it. But my God, it’s the basics. It’s the fundamentals. You have to start there. It justifies your budget. It could justify, in terms of information security professional development, you could justify staffing. I mean, it justifies all sorts of things, right? You know, if a certain risk is unacceptable to you, well then you’ll need to do something. You need to mitigate or avoid that risk. Well, the mitigation would be this and that’s going to cost this. I mean, there’s your budget justification right there. Yeah,

[00:37:06] Brad Nigh: yeah. Give, give it, like I said, give him a way to understand what the options are and what that decision means. Right.

[00:37:15] Evan Francen: Right. So I think the big thing with K-12 is to get these fundamentals, these foundational, basic things done so that they can make better decisions. I think every single one of them wants to make the best decisions possible. That’s the thing I love about K-12. You look at every one of these teachers, every one of these administrators, every one of these counselors and even the people, you know, uh, you know, the janitors, the custodial staff. I mean, they’re all so bought in, involving our children. The least we can do is reach out and try to help them get these fundamentals done so they can make better decisions,

[00:37:51] Brad Nigh: man. Yeah, no, those people are in it for the paycheck. I mean, in terms of like they could go make more money elsewhere.

[00:37:59] Evan Francen: Right. Some of the most amazing people ever. And well, I love our teachers

[00:38:05] Brad Nigh: really inventive too, a lot of times, because they are forced to make do with so little. You get to see some really kind of creative ways to deal with this stuff. It’s really kind of, it’s cool.

[00:38:20] Evan Francen: Absolutely, man. And so I think, you know, getting them basic fundamental information security risk assessments. On those risks that they choose, the administrators typically, hopefully the superintendent or the school board, choose are unacceptable risks, what are some really cool, creative ways that we can mitigate those risks that aren’t going to cost us money? Mhm. You know, and now you start getting a school that becomes innovative, raising children to think out of the box, to think of creative ways that I don’t have to spend any money. And I think it just permeates through the rest of private industry potentially too. Right? So with K-12, it’s hold on a minute, we’re not teaching you anything that isn’t, this isn’t revolutionary security stuff. This is stuff that we’ve been teaching forever. But knowing it and applying it are two different things. Right. Yeah. All right. Uh, so budget, professional development, department silos. None of that stuff was really surprising to me. Other things from the report, which I thought were interesting: page 14 of that report gives you a little more insight into kind of what they’re thinking, I think, is proactive. So districts without a dedicated person or staff use a variety of methods to monitor network security. The most common approach is sharing the responsibility across several jobs, 46%. Yeah. People monitoring the network, you know, 46%, and have different things, followed by incorporating network security monitoring as part of another job

[00:40:02] Brad Nigh: suit, kind of. All right. That’s a problem that falls in line with what I would expect. About three quarters of the people, it’s part of what they do as their job, but it’s not security specific.

[00:40:17] Evan Francen: Outsourcing is used by 11% of respondents. Okay. Um, and you know, it’s dangerous when you outsource, because you better be outsourcing the right stuff and holding them to the right, yeah, criteria, right. Service criteria, service level, you know, SLAs or, I don’t know, there’s just a lot of ways to take advantage of schools, I think, that are already somewhat ignorant, you know, as to what information security risk is. That’s a great opportunity for somebody to come take advantage of it.

[00:40:52] Brad Nigh: Uh, well, yeah, you get, we outsourced it, we’re good. Right. It’s like, yeah, that’s how that works.

[00:41:01] Evan Francen: A concerning 10% of respondents have an ad hoc approach and do not have anyone assigned to monitoring their school’s, their district’s network security.

[00:41:15] Brad Nigh: You know, so to me, it’s funny because like that 75% seems about right. But then 10% seems really low. And I wonder how many of that 75% actually do anything security related, because they’re so busy with all the other aspects of their job that it’s just part of it. Are they actually monitoring it?

[00:41:37] Evan Francen: Right. Yeah, we’ve seen that plenty of times, where you’ve got, maybe, yeah, we’ve got Splunk.

[00:41:46] Brad Nigh: Mm hmm.

[00:41:48] Evan Francen: Well, okay. Yeah, there’s a lot more to it. But, you know, mhm. Uh, and there’s a lot more to information security than monitoring the network. You know? For sure. Because page 15 says when it comes to maintaining network security. So again, we’re so focused on network security. And so this is all, you know, our traditional definition of cyber security is all pertaining to computers. Whereas information security is a broader definition that accounts for people, that accounts for physical security. We, you know, you and I tend to like the broader definition because it does help put things into context better. Mm hmm. Odd scope does make sense. Um, sorry? Yeah,

[00:42:43] Brad Nigh: Yeah. That narrow scope. You just miss so much.

[00:42:47] Evan Francen: Right. Right. Well, and nowadays you can’t separate it out. You know, I’ve said it before, and you can’t separate out information security, privacy and safety.

[00:42:59] Brad Nigh: Yeah. They are so intertwined at this point,

[00:43:01] Evan Francen: Right? I mean, yeah. I mean, your door control systems are on the network, so they’re together. Um, yeah. Anyway, 69% of districts say they are proactive or very proactive in maintaining network security. I don’t know what that means. Yes. Uh, if you’re just proactive in maintaining network security,

[00:43:28] Brad Nigh: but, well, what’s interesting is 13% describe their activity as reactive or very reactive. So wait. And in fact this has decreased from 23%. Right? So 13% react to what they’re seeing. What are the other 87% doing, just watching it? And what are you gonna

[00:43:51] Evan Francen: do, or being proactive? So they’re just, well,

[00:43:55] Brad Nigh: The reactive part, right? 13% are reactive. I don’t know. Even if you’re proactive, it’s still, as well, maybe, I guess. I don’t know. I don’t

[00:44:08] Evan Francen: either man.

[00:44:11] Brad Nigh: Yeah. You can be proactive, but you still need to, we can’t stop everything. So you have to be able to be reactive when something gets through. So you can do a good job and stop 90% of what’s coming in. But that 10% that comes in, you have to react to

[00:44:30] Evan Francen: Well, right. And you’re talking network security. And you know, if phishing is the biggest attack vector, most significant attack vector, well then you’re most certainly going to have more than 87% of, oh yeah, little districts falling for those attacks. Which means, and you’re probably not going to pick up on that with your network security monitoring. Yeah. Yeah. You see, Ramsey into. It’s just a disconnect. I think there’s a lot of work to do in K-12 where I think we can just make sense of things, simplify things, help them make better decisions based on a holistic view of information security as opposed to this myopic one. Yeah. Um, so 13%. Yeah, only 13% say they describe their activity as reactive or very reactive. Um, I mean, I think we’re moving in the right direction, but one of the things I think that’s sad is if we’re moving in the right direction but not taking all the, I don’t even know if it’s the right direction, because we’re neglecting other parts of information security that may be more significant risks. Maybe we’re not moving in the right direction. Maybe we’re fooling ourselves.

[00:45:56] Brad Nigh: Yeah, it’s, uh, no, there’s no easy

[00:46:02] Evan Francen: third party risk. Yeah. Yeah. You know, in the private sector anyway, and I don’t know if they’ve ever done a study in K-12, but in the private sector, some of the studies say 60, 65 of all data breaches come directly or indirectly through third parties. Where does that fit?

[00:46:24] Brad Nigh: Well, you know, I’ve had, uh, you know, school districts reach out that had a vendor that had a breach and impacted their data. You know, it was student data and it wasn’t anything that the district did, but they still had to address it. Right. And this is one of the better security programs that I’ve seen in general, not just K-12. You just can’t prevent these guys from doing this stuff.

[00:47:02] Evan Francen: Is that the one that you were volunteering to, some Metro time and stuff like that? Yeah, well, I’m thinking, okay. And I wonder if we could, uh, use them as somewhat of a case study too, because they have gotten so much right, mm, in information security, and I think it could provide some real, you know, eye openers, potentially, for the rest of K-12.

[00:47:24] Brad Nigh: Well, I can tell you right now, and it’s not just them, it’s every school district I have talked to, and I’m sure Ryan would back it up, basically everything has been put on pause to support distant learning, distance learning.

[00:47:39] Evan Francen: Right? But I think we’re going to be coming out of that pretty soon. Right. They’re going to start getting ready pretty soon for the fall.

[00:47:44] Brad Nigh: Yeah. They sent through June, through the end of whenever their school year was.

[00:47:49] Evan Francen: Yeah, so about a month now. So that would be the time to at least make it a thought process. Sit down in planning and, God, please don’t spend money until you understand what you’re spending money on, you know? Yeah. All right. Well, good stuff. I mean, and again, kudos to CoSN. It’s a fantastic study. I really appreciate the great work that they do. I also appreciate, uh, it was Mary mesothelioma who pointed this out to me, really appreciate the stuff that Sourcewell does here in Minnesota and elsewhere. Um, just keep up the good work. But you know, fight the urge to do shortcut security. Fight the urge to narrow the scope on what information security is. Uh, don’t miss the basics like doing risk assessments right. Doing fundamental, basic, holistic risk assessments. That’s where everything should start. Um, so no doubt we have a lot of work to do in K-12. It is our obligation as parents, as citizens, as governments to do everything we can to help our K-12. That’s the future, yep, Bross. Um, I want to know, you know, Brad, you want to give your kids every possible opportunity to succeed and I’m the same way.

[00:49:17] Brad Nigh: Yeah, every kid, not

[00:49:20] Evan Francen: just, right. So let’s do what we can and, you know, volunteer time. Do, you know, whatever, right? If you’re an information security expert and you’ve got some time and you’re at home, go donate some time. Go call the school district and see if there’s something you can do to help, potentially. Yeah, it’s nothing can do.

[00:49:41] Brad Nigh: And there’ll be some cool stuff coming out from SecurityStudio about that type of stuff here shortly.

[00:49:47] Evan Francen: Cool, awesome. So at SecurityStudio we do have free resources and there’s a link in the blog, evanfrancen.com. You know, and they’re free. There’s never strings attached when we say free. Um, so go check them out. If there’s something you’d like us to create for free, we’ll do it. I mean, unless it’s going to take, you know, a few hundred hours of development time. Most of the stuff doesn’t take that much time. Um, and then do a holistic information security risk assessment. There are many out there. If you want to develop your own. We obviously are partial and biased to the S2School assessment that we developed earlier this year. We make that very low cost so that, you know, well, anybody can do it. Uh, and put information security into perspective. Please, make it get much better for you and everybody. Right.

[00:50:43] Brad Nigh: Absolutely.

[00:50:45] Evan Francen: All right, so Brad digs what I’m saying and I dig what you’re saying. Yeah, I do. Alright, so, news. Good talk. Thanks, Brad. Thanks for the sanity check too. Sometimes, you know, I’m saying this stuff and I’m like, God, I feel like I’ve said this before.

[00:51:03] Brad Nigh: I know, how many are we repeating, or did we do this episode already? Right,

[00:51:12] Evan Francen: This is episode 79 and 69, 53, 40, 12. Right? Pretty much. Okay, so a couple of news stories that got my attention. The first one comes from the Chicago Tribune. And this is a suit; the title is “Suit filed against Lurie Children’s Hospital over data breaches.” And this caught my attention because, one, it’s a children’s hospital; two, we’re in the middle of a pandemic and I know that health care is really struggling right now. Um, yeah, I mean every healthcare organization I’ve talked to is in dire straits, that they’re losing money

[00:51:56] Brad Nigh: which is a whole that’s a whole other discussion.

[00:51:58] Evan Francen: Oh man. It’s super sad. Yeah. In the midst of all of this, now you’ve got a lawsuit filed because, maybe you did, maybe you didn’t do security correctly. But in a way a breach happened. In Alabama, her four-year-old child have filed suit against Ann and Robert H. Lurie Children’s Hospital of Chicago.

[00:52:22] Brad Nigh: I will say, from what is in there in terms of a breach, now I’m not to downplay any, but this seems to be, you know, pretty low in terms of, you know, the severity. Now we don’t know what exactly happened and what that was used for, but it’s, and it’s not acceptable by any means. It clearly had some issues with some access control and how their permissions and things were set up, but, right, it may be interesting to see what happens.

[00:52:55] Evan Francen: Yeah. Either way, it’s sad that it affects the hospital, that, oh yeah, hospitals are trying to, you know, save lives, treat people.

[00:53:07] Brad Nigh: Yeah. Well, and what’s sad about that one is it’s that wasn’t easy to prevent one, right? You had people going in and doing unauthorized access. They were accessing medical records they didn’t have an identified need to. It’s an easy thing to have in place. So the breach itself maybe isn’t as severe, but it does point to maybe some more significant underlying issues there.

[00:53:34] Evan Francen: Yeah. Yeah, agreed. And even if they’re not found negligent, they’re still going to have the legal fees, you know, to deal with it and respond. So yeah, it’s sad. Anyway, that’s why it caught my attention, but you’re right, it was just, uh, the people, so the people at the hospital, workers, had access but they didn’t have the need to know, right? And so they violated that second, um, concept and accessed medical records for people that they didn’t have any business need to. Um, and that’s allegedly what happened for the breach, got the lawsuit. Um, and really, you know, you gotta give Lurie a little bit of credit, because they could have probably brushed that under the rug and nobody would have known, right. That happens so many times.

[00:54:29] Brad Nigh: Well, yeah, you wonder if there, I’m sure it happens all the time. Somebody probably said something that they had to say it

[00:54:38] Evan Francen: I have responded to more than a dozen breaches where it was clearly a HIPAA violation, where it was clearly a reportable breach, and you make the, um, recommendation to the entity that this is reportable, you should really report it, and by law you have to report it, and then if they make the choice not to, okay, man, I can’t do anything about that. I suppose I could just stop doing work for you, but. Mhm. Um, you know, I’m under contract, so I have a legal obligation to not violate that, and the law, it’s not a criminal matter. Yeah.

[00:55:20] Brad Nigh: Right. It’s a tough place to be in.

[00:55:25] Evan Francen: It is, but, you know, and I give Lurie credit, because they did, this could have gone undetected easily without anybody knowing, but they did report it. You know, they did reach out and notify the affected families and then you get sued for it, right?

[00:55:41] Brad Nigh: Yeah. Yeah. It would be interesting to see how that plays. I don’t

[00:55:45] Evan Francen: Yeah, for sure.

[00:55:46] Brad Nigh: Let’s just go away.

[00:55:49] Evan Francen: Yeah, but either way, I mean, you still have to pay the legal fees, right? It’s awesome. Something. Anyway, the next one is from MeriTalk, which is, uh, MeriTalk, it’s a blog post from Dwight Weingarten from MeriTalk. And it’s a survey, quoting a survey: most firms not adding to cyber training during pandemic.

[00:56:15] Brad Nigh: Yeah, well, do it at your own risk, I guess.

[00:56:22] Evan Francen: 53% of participants in the work study index said their firms have not provided additional cybersecurity training on the risks associated with remote work. Uh, a study of 4000 business leaders across the world. So it’s not just the United States, I don’t know. You’ve got, you know, we talked about it last week, you know, the number of remote workers grew, 15 now to 49, so you’ve got a bunch of people who’ve never worked remote before,

[00:56:59] Brad Nigh: you’re not doing anything extra for them. And we know that the risk of malware on home devices is 3-7% higher than it is on corporate, uh, networks. Yeah.

[00:57:17] Evan Francen: The number of RATs has increased significantly. The number of vulnerabilities has also increased significantly, because these people are more vulnerable than they were because they’re working at home, and even the people that were already working at home, the 15%, now they’ve got all sorts of other distractions that they’re dealing with on a day to day basis, with kids at home, maybe the responses at home. Um, just COVID anxiety in general. So you’ve got all these things going on and it wouldn’t make sense to maybe put them through a training class, an awareness class or something? Hey, we got a tool

[00:57:58] Brad Nigh: right? It’s true. Just do something. Even send them, there’s so many resources that say like, hey, do these things

[00:58:09] Evan Francen: right, go to S2Me, that, that I owe. There you go. That’s all you have to do: email your employees, say, hey, go to S2Me, take this test. It’s for you. Love you. Why? Yeah. Okay. Last one I’ve got for news is Idaho. I’d just like to say the name of that state. I think it’s funny and makes me giggle inside every time I say it. Idaho names longtime cyber professional as new CISO. CISO stands for chief information security officer. This guy’s got some chops. I was just, uh, shout out to them. Keith Tresh is their new lead. So shout out to him, and they got a good one. I think that’s pretty cool. Yeah, you can find that, I found that on govtech.com.

[00:59:05] Brad Nigh: Yeah, I was impressed with that hire. Looks like he’s, it’s pretty good, eggs are good background

[00:59:15] Evan Francen: heck yeah. Retired US Army colonel. You see his picture on that? Yeah, it’s pretty badass. I wouldn’t, yeah, I wouldn’t go after him.

[00:59:24] Brad Nigh: Yeah,

[00:59:26] Evan Francen: But he also has a lot of good background with the state of California. And I think, uh, so I think Idaho, on the one hand, I think Idaho’s information security is in good hands. On the other hand, I don’t know why anybody would take a state CISO job. Mhm. Okay. Time. It’s like the impossible job, man. Yeah.

[00:59:51] Brad Nigh: Yeah, I would. Uh, well, you know, some people like that challenge.

[00:59:57] Evan Francen: Yeah. I don’t know. Not me. Yeah, I mean, you just can’t do it. I don’t know. Maybe every state is different. The states that I’ve talked to, you know, worked with, it’s just like, my God, man, I feel so bad for you, because it is the impossible job.

[01:00:17] Brad Nigh: Yeah. It’s, uh, yeah, I’m glad somebody’s doing it. It’d kind of be similar to the school. Right.

[01:00:25] Evan Francen: Right. Right. Well, I think North Dakota has shown some good examples with Kevin Ford up there and Shawn Riley. Um, you know, maybe Idaho, you know, kind of going along that same path. It would certainly be good. Yeah.

[01:00:40] Brad Nigh: More, you know, more states seem to be doing

[01:00:42] Evan Francen: it. Be

[01:00:44] Brad Nigh: proactive,

[01:00:46] Evan Francen: Yes. Yeah, proactive, whatever that means. All right. Lots of stuff, man. Good stuff. Episode 79. I’m gonna try to get some more rest before next week’s episode, so I can be a little more, maybe I’ll be in a better attitude. Uh, Brad, you got any shout outs for anybody?

[01:01:07] Brad Nigh: I mean the easy one is it was mother’s day yesterday. So shout out to all the moms.

[01:01:13] Evan Francen: All the mothers. Yeah, for sure. For sure. Then just one for me, Mary Mesut homer, who did send me, you know, kind of the content. And I started the content, but the inspiration for the content for today’s podcast. Uh, huge thank you to our listeners. We love the encouragement you guys give us and we don’t take the advice lightly. So when you have some, send it our way. Keep questions and feedback coming. Send things to us at our email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter. I’m @EvanFrancen and Brad is @BradNigh. And unless you’ve got something else, Brad, I think we’re done.

[01:02:00] Brad Nigh: That’s it. Good show.