Data Privacy & Security Service Digital Digest Summer 2017


Issue 8 Data Privacy & Security Service

Summer 2017 (Issue 9)

The Internet of Things (IoT)


INTERNET OF THINGS

Remember the childhood song about bones being connected: the shin bone is connected to the ankle bone and so on. Well, the Internet of Things (IoT) can replace that song with lyrics such as the toaster is connected to the refrigerator; the refrigerator is connected to the light bulb; the light bulb is connected to the car; the car is connected to the fax machine, and so on. The IoT may not be that simple, but it does connect everyday devices in homes and businesses. And the data it collects is big business with an estimated $7.1 trillion worth of data equaling 50 billion IoT objects within the next three years. For more information on how companies are currently using the IoT, click here.

Internet of Things Privacy: What should people look for?

By Adam Vincent, CEO, ThreatConnect

In This Issue

• Internet of Things Privacy: What should people look for?
• Will the Internet of Things ever be safe?
• Is your IoT Device Putting you at Risk?
• Embracing the Internet of Things Doesn’t Necessarily Mean Forfeiting Privacy
• IoT Policies
• How Will the Internet of Things Impact Education?
• How the IoT in Education is Changing the Way we Learn?
• School Buildings on Autopilot
• Comptroller’s Corner
• Teens and Social Media Apps
• Recent Data Breaches

What’s Changing?

Our lives are constantly connected to the internet, and we love it. We count our steps, we measure our heart rate, we even avoid traffic using the internet. If you’re not reading this on a computer or tablet, you probably still have a device on or near you that is monitoring your user behavior and collecting data via a network connection. Some call this Smart Interactivity. Our homes are becoming automated, our cars can make phone calls, even our grocery shopping is easier thanks to network-connected devices known as the Internet of Things (IoT).

These devices have become smarter, faster, and cheaper, making them more accessible to multiple industries outside the tech world. Schools have taken advantage of the growing benefits of these network-connected devices to better store data, automate grading systems, and teach in innovative ways. Students can use wearable technology, such as a pedometer, to gather and measure their fitness data. Educators can easily access a student’s data and profile information to make quick, informed decisions. Additionally, school staff can provide more security with auto-locking door systems and video surveillance systems that are often connected to a network. It’s an incredible time for innovation.

While educators know they are collecting and storing various amounts of student data on purpose, there are vast amounts of data being collected and stored simply through the sensors and Internet connection in the device. Read more about this here.

So, what has changed? Internet-connected devices have been around for years. The biggest change is one we don't even notice: the ability of your device to report data without your direct control.

Questions to think about:

Where is your district data?

Who is responsible for data in your district? Do those responsible for data know what to do and what not to do?


What should we watch out for?

There is a sweeping number of devices that now have access to the Internet and the number is infinitely growing. It is with this functionality that we need to consider the question: are we in fact keeping up with the times? As in any business or institution that runs on a large network, Chief Information Officers in school districts have the responsibility to enforce state policy when it comes to the protection of student data and privacy. The tech industry is moving faster and more efficiently than ever before. Devices such as laptops, which are not new to schools, have quickly moved from word processing machines that could store and retrieve data, to network-connected devices with webcams and microphones. As we pause to think about privacy with IoT, we must ask ourselves, “what is connected, and how much data does the device collect?” We already know that devices can automatically send data to apps where companies can analyze user data. Two recent examples show devices you may not have considered to be risky, but may make you reconsider as they have been transferring data without your knowledge:

• Vizio has just settled a lawsuit involving its collection of viewing data, which included broadcast television, advertisements and IP addresses. The TV maker added Automated Content Recognition software to some of their smart TVs, which was unknown to the consumer. Other examples of smart TVs collecting data include Samsung’s “always on” feature for its listening microphone. Voice command has almost become a norm; how many people are paying attention to the option to disable it?
• Since awareness has risen, more companies are asking for your permission to access data; however, devices that did not request their customers’ permission are being exposed daily. Take a look at Bose headphones, for example. The Bose Connect app has been collecting listener information and selling it to third parties.

This privacy concern becomes even more prevalent as devices that never had an Internet connection now do. Who is assessing these risks? Manufacturers want their devices to connect to the internet. So do we as consumers. Our purchasing behavior has supported this in recent studies. What users may not be thinking about is how many of these machines have Automated Content Recognition software designed specifically to track user behavior. This data is typically used for targeting an audience for advertisements. But what else can the data tell someone if they are fishing around?

Privacy controls and network surveillance are key in monitoring vulnerable access points, but as previously mentioned, innovation is happening quickly and devices that are used for one thing often have multiple uses. iPhones are also cameras. Tablets have built-in email apps. The TV on the wall in the classroom may have a built-in webcam. Educators may not be aware of these functions or ever have a reason to use them, but they are there.

Will the Internet of Things ever be safe?

Are you safe? “It’s no longer a question of ‘if’ cyber criminals will target you—it’s a matter of ‘when’.” As more and more devices are connected to the Internet via the IoT, cybersecurity experts are becoming increasingly concerned about the potential “weaponization of IoT”, with only 30% believing their organizations are fully prepared for the risks associated with the IoT. Security measures are severely lacking on most IoT connected devices. What can you do to attempt to safeguard yourself?

• Create a network fortress by using two-step authentication (also known as 2FA) and complex passwords that change often
• Protect access to your home Wi-Fi by making sure it is secured
• Accept updates on devices as these usually combat viruses
• Keep up with the latest cyber threats
• Review user agreements

For the complete article, click here.


What can be done now?

Chief Information Officers must consider the multiple functions of the devices being brought into schools and begin to track them. There is an inherent risk to our teachers and schools that they may become vulnerable through cyber hacking or, more simply, through misconfiguration, given the speed at which IoT is being deployed. Schools need to be made aware of the potential risks, to understand classes of Internet-connected devices, as well as the capabilities and incorporated risks across those devices. What’s more, schools need to develop a centralized approach to track what devices are used, version numbers, and how they are configured. This will allow them to audit what they have and what they are bringing into their networks, and to quickly respond to a device that develops a vulnerability.

Existing devices in schools, and those being brought into schools, must be evaluated using a checklist. Each item should be assessed for factors that include, but are not limited to:

• Wired/wireless Internet
• Data storage being local or in a cloud
• Camera
• Microphone, voice command software
• Third party apps

Once the risk scale is determined, devices can be measured and school leaders can base decisions on the scale’s parameters. Auditing a school’s inventory for a device’s capabilities is now at the forefront of protecting a student’s privacy. Schools should know which devices have recording capabilities and which send and receive data; it must be known if the iPad the second grader is using for a reading assessment has a “live mic” or if applications are sending user data outside the school’s network. It is with this type of compliance checklist that schools can better define what privacy controls need to be in place and which devices are too precarious.

Recommendations:

• Build a checklist to track the functionality of Internet connected devices
• Measure all devices against the checklist to assess risk factors
• Proactively turn on privacy controls
• Inform educators and staff about the functionality of the devices they are using and warn them about potential exposure if the access point is left vulnerable.

Additional Resources

1. New report says tech companies spy on students in school
2. What is the Internet of Things (IoT)?
3. Internet of Things: Where Does the Data Go?
4. FTC: Vizio smart TVs spied on what viewers watched

IoT and Privacy

Is your IoT Device Putting you at Risk?

The National Law Review posted a brief online article indicating that 96% of IT pros surveyed stated that they “expect to see an increase in security attacks on IoT.” The study says that although connected devices are convenient, they lack security.

Embracing the Internet of Things Doesn’t Necessarily Mean Forfeiting Privacy

Security is a concern in the world of the IoT. However, the answer may be in a blockchain. Amit Sharma, Vice President of Tech Mahindra, believes the cryptographic algorithm will be available soon when Generation Z is more equipped and ready for it. A blockchain allows secure online transactions. It is a decentralized and distributed digital ledger that records transactions across many computers in such a way that transactions cannot be backdated. Click here.


IoT Policies

Everyone has a policy on the Internet. Beware! Let us say that again. Beware! There were some suggestions for “consideration for IoT policies.” These suggestions were good and contained things to think about: what devices should have priority on the network; infrastructure development; standardization and interoperability of devices; format wars (competition for market dominance) or non-interoperable proprietary technologies on a network; and vulnerabilities of IoT devices. Now for the beware part. This site will provide a sample policy, but it requires a download and acceptance of “terms of use.” Not worth the click. Click here for the entire article.

IoT in Education

How Will the Internet of Things Impact Education?

The age of the smart school has arrived. The IoT can allow schools to use technology to track buses, student attendance, student ID cards, as well as monitor environmental controls such as lighting, heat, air conditioning and security systems. Using radio-frequency chips embedded in student ID cards, students are trackable. It may not be as magical as Harry Potter’s Marauder's Map, but it does the trick. Students can also integrate wearable devices such as watches, fitness bands and virtual reality headsets into classrooms. These devices can help teachers monitor students and make adjustments for learning styles. Click here.

How the IoT in Education is Changing the Way we Learn?

It is believed that the rise of mobile technology along with the IoT will allow schools to improve the safety of their campuses by keeping track of resources and enhancing access to information. The traditional lesson plan will develop into a “smart lesson plan” by incorporating the IoT. But is the IoT making teaching more efficient or is it causing more disruption in the classroom? Connecting multiple devices together has a place for efficiency, but is it inside the classroom or outside the classroom? In the end, we want to create lifelong learners, not students who are multitasking without effectively getting anything done. Click here.

Coming Soon in the Fall Digital Digest: Cyber Security Training for Staff and Students


School Buildings on Autopilot

The Connecticut town of Cheshire upgraded six of its public schools with IoT technology and in so doing cut its electricity bill by 84%, saving approximately $390K from its annual budget of $65 million. How did they do it? They replaced outdated lighting fixtures with LED fixtures with sensors and cloud-based servers that automatically turned the lights off in empty rooms or adjusted brightness as necessary.

When an IoT device is developed with the capability of integrating and being controlled, it can all make sense. For example, “The device periodically ‘phones home’ with data, and the online server makes remote changes accordingly. Let’s say it’s 8:15 a.m., and biology class is about to start in room 201. As the first student or teacher enters, the room’s sensor detects movement and sends data through the school’s network to be analyzed on an Internet server. The server sends a command back to the fixture to turn the lights on and set the light level based on how much light is streaming through the windows. About two seconds later, the lights are on. At 9 a.m., after the class is finished, and the room empties, the lights dim to 20 percent. When the next class starts, the lights return to full capacity. After 5 p.m., when the room is vacated for the day, the lights shut off automatically.” (District Administrator ¶ 4-6, 2017).

The Gartner Group claims that 4.9 billion IoT devices were sold in 2015 and nine million of those devices went to schools. We had better learn what to do with the devices very quickly. Click here.

Additional Resources

1. What’s Stopping Education IoT?
2. IoT in education: the Internet of school things
3. The psychology of privacy in the era of the Internet of Things
4. Personalized Learning and the 'Internet of Things:' Q&A

COMPTROLLER’S CORNER

This month’s Comptroller's Corner features an audit of the Island Park School District on Long Island. The key finding of this audit is that Island Park should implement rigorous IT inventory and management procedures. This includes a formalized process for inventorying IT assets when they are received in district as well as a process for a yearly IT asset audit. It is noted in the district’s response to the Comptroller’s office that they clarified several of the issues raised by the audit. To see the full details of the audit, click here.

Did you know that the Office of Information Technology Services publishes exemplar IT policies that can be utilized by your district? The published policies are a helpful starting point for your district in creating a comprehensive IT Security Policy framework. As we have highlighted in previous issues, the Office of the State Comptroller relies on districts’ policies and procedures in assessing a district’s compliance with IT standards. Therefore, it is important that districts adopt rigorous IT policies and procedures. To view the published Security Policies, click here.


RECENT EVENTS


Teens and Social Media Apps

Social media apps are highly addictive; in fact, they are as addictive as smoking and heroin. Most adults have a hard time dealing with this addiction. Just think of how often you check your phone during the day. When that familiar “ding” goes off, how quickly do you reach for your phone? Recent studies show that this addiction may affect the brain and teens have an even harder time dealing with this addiction. Couple the addictiveness of social media with the stigma of adolescence, and a teenage meltdown could be the result.

Many years ago, let’s say, back in the last century, when a teenager wanted to say something really nasty about another teenager, they wrote it on the bathroom wall in the school. The custodian then came in and cleaned it up. Whatever was written lasted a day or two and in the collective memories of teenagers even less time. Today, nasty “notes” are published on social media such as Facebook, Twitter and SnapChat, and never go away. In some cases, these notes have led some teens to commit suicide (1, 2). The Netflix show 13 Reasons Why brings this to light. Parents and schools need to talk with children and teens about responsible use of social media and constantly monitor that behavior. The Suicide Prevention Center of NYS offers trainings, presentations and talking points for adults and teens.

For further information, contact your local RIC. Click here to find your local RIC contact.

For Subscribers to Service:

• Digests & Archived Digests
• Digital Debriefs
• Inventory Tool
• Information Security Online PD for Teachers

Recent Data Breaches

In the Winter Edition of the Digital Digest, we included a section about districts being targeted by a Phishing Attack requesting W-2 forms from district staff. Below you will find several articles from around the country where school district staff fell prey to the Phishing Attack and shared confidential information with the hackers. The articles below serve as an example of why it is critical to educate and inform staff about the threat of Phishing Attacks. Districts should immediately notify their staff when they become aware of an attack so appropriate precautions can be taken.

• Palomar College reports data breach involving W-2 tax forms
• All Groton school employees subjected to data breach
• Glastonbury Schools Phishing Scandals Impacts 1,600 Workers
• Redmond police investigating major data breach
• Phishing Attack Leads to Theft of $40,000 from School District

Digital Blasts

Digital Blast #17 announced the launch of the RIC One DPSS website. This website places all of the DPSS resources in one easy, convenient location. Archived issues of the Digital Digests and Digital Blasts are available on the site.

The Nassau BOCES DPSS site will be shut down shortly.
