FALL 2022 DPSS DIGITAL DIGEST
Data Exfiltration is "so hot right now" What we can learn from student hackers Guidance from the NYSED Data Privacy Office Data Privacy and Security Resources and Tips Why October is our favorite month IN THIS ISSUE
Issue 27
Data Security and Privacy Service
Cyber Attack Trends: Less Ransomware, More Exfiltration
The Identity Theft Resource Center (ITRC) released their data breach report for the first half of 2022. The findings showed a decline in ransomware attacks between quarter one and quarter two, the first time ransomware attacks have declined since 2019. Security researchers speculate the decline could be related to the war in Ukraine and cryptocurrency losing value.
EXFILTRATION IS SO HOT RIGHT NOW
The Hacker News also shared some insights as to why ransomware is less popular with cyber criminals. They agree that crypto is no longer a profitable payment option and organizations have recovery systems in place. This has forced cyber criminals to switch tactics and embrace data exfiltration attacks. A data exfiltration attack happens when cyber criminals steal sensitive data and threaten to release it unless a payment is received. The attackers do not need to lock users out their systems with ransomware to execute this attack, In fact, it benefits the attackers to lurk undetected on the network to gather the juiciest bits of information. Educational agencies and organizations can reduce the risk of a data exfiltration by patching systems, maintaining (and testing) backups, and monitoring networks for unusual behavior. Download the ITRC H2 2022 Report here The Hacker News: The Rise of Data Exfiltration, and Why it is a Greater Risk Than Ransomware
Issue 27
Data Security and Privacy Service
Student Hacks and Rickrolls His School District in 2021, Presents at DEFCON 2022 in Las Vegas
Back in April of 2021, a student named Minh Duong in Township HS District 214 planned a senior prank that exploited the vulnerabilities in the district's IPTV system and within a new bell schedule system to "Rickroll" every classroom, a prank he and his friends called "The Big Rick."
This artfully executed takeover did not just occur in one high school building; It was deployed to ALL SIX high school buildings. The mastermind behind this scheme documented the entire process in this blog post. The students shared a 20+pp Pen Test Report with school administration after the event. The district's Director of Technology thanked them for sharing their findings and requested a meeting to review the information together. The students were assured they would not be disciplined but still met with administrators anonymously via Zoom after graduation. Thankfully the meeting was a success and the school district is now safer for it.
THE TAKEOVER WAS DEPLOYED AT ALL SIX HIGH SCHOOL BUILDINGS
DEFCON 2022 Minh Duong shared his process at DEFCON in Las Vegas in August 2022, as seen in this Twitter thread. He was probably one of the youngest (if not the youngest) presenters at the DEFCON conference this year. Cory Doctorow, a self-proclaimed "activist, author and enthusiast," posted a Twitter thread on Minh Duong's DEFCON presentation that expressed his admiration for what this student was able to accomplish and for the district's reasonable response. The Takeaway- Consider building student IT/Cybersecurity programs in your districts.
Issue 27
Data Security and Privacy Service
COMPTROLLER'S CORNER
Information Technology Network User Accounts Information Technology User accounts Network Access and Information Technology Assets Unused IT assets User Accounts and Software Updates Inventory Technology Equipment Inventory Safeguarding of Personal Private and Sensitive Information on Mobile Computing Devices The Office of the Comptroller conducted district audits on: The results demonstrate a clear need for districts to better manage all user and network accounts, to have written policies and procedures in place, to develop and adopt a comprehensive IT contingency plan, to maintain up-to-date IT asset inventory records, and to provide IT security awareness training.
Eleven districts did not properly manage or disable unnecessary network user accounts. Four districts did not establish written policies or ensure procedures were in place to add or disable user accounts and permissions. Three districts did not update or maintain IT asset inventory records. Two districts did not have sufficient documented guidance or IT contingency plans to follow to recover data and resume essential operations in a timely manner. Two districts did not provide adequate IT security awareness training for all employees and contractors. Two districts did not adopt a complete and accurate IT equipment inventory. One district did not develop a comprehensive acceptable use policy (AUP) and monitor employee computer use. One District Did not adopt a comprehensive written policy for establishing and maintaining IT equipment inventory. One district had three policies that detail proper usage of IT assets that were not consistent. Out of the 12 districts audited:
Issue 27
Data Security and Privacy Service
DATA PRIVACY AND SECURITY RESOURCES & TIPS
DATA PRIVACY CHECKLIST
A Parents' Bill of Rights with the correct email address for the NYSED CPO, privacy@nysed.gov A Supplemental information page listing third-parties that access student PII and/or teacher/principal APPR data. General information on state and federal K-12 data privacy laws The district data privacy and security policy Instructions on how parents, eligible students, principals, teachers, and other staff of an educational agency can submit concerns related to compromised data Districts can start off the new year on the right foot by following this "Data Privacy and Security Page" checklist. Ideally, this page should be easily accessed by parents when searching the district website by the keyword "privacy" or via website menus, and should include the following:
The Identity Theft Resource Center (IRTC) provides a free resource to search for data breach information. The service is called "Notified" and consumers can search for breaches that may impact them directly. Visit https://www.idtheftcenter.org/noti fied to conduct your own search. You can also sign up for the ITRC's Newsletter "In the Loop" and to receive ITRC alerts. Consumer Reports now offers a security planner designed to help people stay safe from phishing scams, identity theft and more. Visit CR's planner page to get started.
K12 SIX provided a free Incident Response Runbook that can be found on the K12 SIX Essentials Series page, along with three other "essentials".
Questions? Contact your local RIC.
Issue 27
Data Security and Privacy Service
From the NYSED Privacy Office: The Supreme Court and Privacy
You may have heard that the Supreme Court’s recent decision in Dobbs v. Jackson Women’s Health Organization which overruled Roe v. Wade has dramatically reduced American’s right to privacy. As we know “privacy” is a broad term and can take on various meanings. The Dobbs decision reduced the scope of federal constitutional protection for privacy, especially for protections not explicitly addressed in the United States Constitution (i.e., abortion and potentially the right to contraception, same sex marriage etc.). Fear not however, the decision far from eliminates all privacy protections and the privacy protections that we concern ourselves with daily (student personally identifiable information) remain intact. For example, consider that in July 2021 the same justices in the Dobbs majority contemplated privacy concerns in Americans for Prosperity v. Bonta, a case regarding a requirement that charitable organizations disclose information about their major donors to the California Attorney General’s office.
Shared by NYSED Chief Privacy Officer Louise DeCandia
In this case the Court found that a “gravity of privacy concerns” supported shielding the identities of donors to charities. The Supreme Court relied upon the First Amendment’s freedom of association (the ability to donate to a charity without having to reveal your identity) to rule that such information is protected and does not have to be released. In reaching its decision the Court considered that California had breached the information about donors in the past and quoting a previous concurrence by Justice Alito, author of Dobbs, which stated that the risks of revealing donors is heightened because, “anyone with access to a computer [can] compile a wealth of information about’ anyone else, including such sensitive details as a person’s home address or the school attended by his children.” [page 17] The scope and application of privacy laws is, as evidenced by the above, ever changing and rest assured will continue to change but, the Dobbs decision should not implicate the role of DPOs and CPOs, who must continue to protect student personally identifiable information.
You can contact the NYSED CPO by emailing privacy@nysed.gov. Additional resources for DPOs can be found at http://www.nysed.gov/data-privacy-security/data-protection-officer-resources
Issue 27
Data Security and Privacy Service
Data Privacy Legislation
CT'S NEW DATA PRIVACY ACT The new Connecticut Data Privacy Act (CTDPA) protects consumer data and gives consumers the right to access, correct, and delete their personal data. CT is now the fifth state to establish a consumer privacy law of this magnitude. The law affords consumers the right to obtain a portable copy of their data and the right to opt out of specific types of data processing, including targeted advertising. Data "controllers" and "processors" must be transparent, minimize data collection and protect the data they collect, The law also stipulates that sensitive data can only be collected if consumers opt-in for consent. The CTPA goes into effect on July 1, 2023. Akin Gump : Connecticut Data Privacy Act- What Businesses Need to Know CYBERSECURITY BILLS TO SUPPORT NYS SCHOOLS Senator Kaplan has sponsored two bills to help schools prevent and recover from cyber attacks. NY SB 348 "Requires the Department of Education to provide annual notifications to school districts to combat cyber crime" NY SB 349 "Establishes the school district cyber crime prevention services program."
CPO GUIDANCE ON ED LAW 2-D The NYSED CPO released guidance on August 9, 2022 related to the "Applicability of Education Law 2-d to the clinical experiences required in New York State registered educator preparation programs." The memorandum confirms that placements in educational agencies for clinical experiences do not require an Ed Law 2-d agreement, and that the candidate should be considered a "school official" under FERPA. The guidance also recommends providing the candidate with student data privacy and security training at the start of their clinical experience as an Ed Law 2-d best practice.
Both bills was passed by the Assembly and the Senate and are now awaiting signature from the NY Governor. Once signed into law, NY SB 348 will take effect on July 1, 2023 and NY SB 349 will take effect April 2023.
Issue 27
Data Security and Privacy Service
October is Cybersecurity Month!
Enabling multi-factor authentication Using strong passwords and a password manager Updating software Recognizing and reporting phishing The four key behaviors of focus in October will be: Click here to become a Cybersecurity Awareness Month Champion #BeCyberSmart
The Nationwide Cybersecurity Review (NCSR) is a no-cost annual self- assessment tool based on the NIST CSF. The NCSR opens on October 1, 2022 and will close on February 28, 2023 . Visit https://www.cisecurity.org/ms- isac/services/ncsr to watch an overview and to register.
Issue 27
Data Security and Privacy Service
Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8Made with FlippingBook Online document maker