Data Privacy & Security Service Digital Digest_Spring 2018

Data Privacy & Security Service

Issue 7 Data Privacy & Security Service

Spring 2018 (Issue 11)

Cybersecurity Education


CYBERSECURITY EDUCATION IN SCHOOLS

Cybersecurity encompasses the strategy, policy, and standards regarding the security of and operations in cyberspace, and the full range of threat reduction, incident response and recovery policies and activities. In today’s world, industry, governments, and educators are looking to introduce students to online security earlier in their K-12 careers in the hope of encouraging their continued academic study of the topic and their awareness of careers in the field. Weaving cybersecurity principles into core academic subjects allows students to troubleshoot and experience the management of cyberattacks in real time. Check out the articles below for ideas on incorporating cybersecurity into aspects of computer science, programming, circuitry and robotics.

• When Should Cybersecurity Education Start? Some Say Elementary School: http://blogs.edweek.org/edweek/DigitalEducation/2017/12/cybersecurity_education_K12_NICE.html?cmp=eml-enl-eu-news3&M=58301069&U=1425207
• Delaware turns to high schoolers to bolster cybersecurity workforce: http://statescoop.com/delaware-turns-to-high-schoolers-to-bolster-cybersecurity-workforce
• District creates revolutionary computer science program for K-12 students: https://www.eschoolnews.com/2017/11/28/revolutionary-computer-science/?

In This Issue

• Cybersecurity Education in Schools
• Girls Go CyberStart – Online Cybersecurity Competition for Girls
• Spotlight: Cybersecurity Curriculum in BOCES Schools
• Crash Course: Computer Science Courses on YouTube
• What Do Cyber Professionals Teach Children About Security
• Comptroller’s Corner
• 5 Tips to Protect PII in Schools
• Cybercurriculum Resources
• Feature Interview on Fake News & News Literacy
• 7 Ways to Spot Fake News
• Here’s What Happens When Mom or Dad Steals Your Identity
• New Senate Bill Introduced to Hold Companies Accountable
• New IRS Tax Scam with a Twist

GIRLS GO CYBERSTART - ONLINE CYBERSECURITY COMPETITION

The NYS Office of Information Technology Services (ITS) has designed an innovative program to help educate and inspire the next generation of female cybersecurity professionals. Girls Go CyberStart is a free online cybersecurity competition for high school girls. It provides them with the opportunity to learn basic cybersecurity skills and test their cyber aptitude in order to consider a career in cybersecurity. Girls are exploring topics such as cryptography, penetration testing and digital forensics through a series of fun and interactive challenges. Participants do not need prior cybersecurity knowledge or programming experience; all that is required is a computer and an Internet connection. This program is made possible through a partnership with the SANS Institute, which provides information security training and certifications across the globe.

The 2018 challenge took place in February. For more information on future programs and eligibility requirements, visit the Girls Go CyberStart challenge website at https://girlsgocyberstart.com/. Questions? support@girlsgocyberstart.com


SPOTLIGHT: CYBERSECURITY PROGRAMS IN BOCES SCHOOLS

Rockland BOCES and Erie 1 BOCES are preparing their students for future careers in cybersecurity with Rockland’s Cyber Technology program and Erie 1’s Cybersecurity and Networking program. They are two of only four BOCES that are offering a cybersecurity focused curriculum throughout NY State.

Kim Bell, Principal of Rockland BOCES, wanted to offer a STEM/computer related program while preparing students for a growing cybersecurity job market. John Wodjeski, Principal of Erie 1 BOCES, also recognized the growing market for cybersecurity jobs and added cybersecurity to their networking program about five years ago. Both Rockland and Erie 1 BOCES have seen enrollment increase once cybersecurity was added to their technology programs.

Students learn about networking, hardware, multiple operating systems and various cybersecurity topics. The programs teach students how to identify vulnerabilities within a variety of operating systems and networks, then the students work to eliminate them using different techniques. The curriculum also addresses identifying and removing Malware and Spyware. Students have the opportunity to attain a variety of certifications, including A+, TestOut, Netplus, and CCNA. Erie 1 BOCES also offers a Kali Linux Pen Testing certification for advanced Kali Linux users. Rockland BOCES collaborates with Rockland Community College in an articulation agreement that grants students six college credits aligned to a certification exam.

Students also compete in cybersecurity competitions. Rockland BOCES students compete against college and graduate level students in the National Cyber League (NCL), a collegiate cyber competition, to prove their mastery of cybersecurity skills in real world scenarios. Erie 1 BOCES students compete in the Cyber Patriot National Youth Cyber Defense competition in association with the U.S. Air Force. Teams compete head to head with other US teams to find and patch vulnerabilities. For example, teams may need to restrict access of one user to protect the network.

To prepare students for tech careers, Erie 1 BOCES offers real world job training opportunities. Their school-based business tech desk utilizes an in-house “Geek Squad” of students who repair various devices for clients with instructor guidance. There is also a three-week professional internship opportunity for seniors, with some internships taking place within the Western New York Regional Information Center, their home district IT departments, or local businesses.

Both principals attribute much of the success of these programs to their talented instructors. Mr. Wodjieski credits Erie 1 BOCES’ two full-time energetic, knowledgeable and adaptable instructors Raphael Estrada and Joe McNamara. Estrada helps the students whenever opportunities arise and makes sure they are having fun while they learn. Ms. Bell likewise praises their Rockland BOCES instructors. Alberto Rodriguez has degrees in Cybersecurity and Engineering, along with 10 years of experience as an IT professional who brings out the best in his students. In addition, Kaitlin Bestenheider offers a fresh holistic approach to teaching cybersecurity and works to promote women in Cyber Technology. She also coaches the students in the National Cyber League competitions.

We hope these BOCES programs encourage more BOCES and districts to offer cybersecurity programs in the near future.

CRASH COURSE ON YOUTUBE

The Crash Course YouTube Channel offers tons of awesome courses! Carrie Anne Philbin teaches computer science, including courses on Cybersecurity, Hackers and Cyberattacks. Use this link to view their Computer Science courses and click to play the video for the Cybersecurity course.


WHAT DO CYBER PROFESSIONALS TEACH CHILDREN ABOUT SECURITY

Authored by Amy Burnis, Senior Manager of Marketing Communications at CyberArk, the global leader in privileged account security

January 9, 2018 | Security and Risk | Amy Burnis; original post: https://www.cyberark.com/blog/cyber-professionals-teach-children-security/

Winter break is over, and children have returned to school with new phones, laptops and other devices. I witnessed the excitement of a pair of fifth graders receiving laptops for Christmas. I can’t recall what I wanted at that age—probably games or a bike—but surely a laptop wasn’t on my list.

I watched one sister help the other to set up her laptop. Her father set up hers first, and after he left the room, she decided she knew enough to help her sister. She paused the wizard once to ask me if they should accept the software update. These eleven-year-olds created their own login credentials, entered their home network password and quickly finished the set up process. I asked what they planned to do with their laptops. School work was the first answer, watching videos on YouTube followed, and then I zoned out because I was distracted by a moment of fear, considering all of the bad that comes with the good of having access to the Internet.

My follow up questions focused on what they learned in school about cybersecurity. The answer—not that much, even in their upscale neighborhood elementary school. They have basic awareness with terms such as “attackers,” and they know not to share passwords, but the learning curve is steep. Parents have to take and maintain a leading role in cybersecurity education, and they also should establish guidelines and rules that can be followed / monitored. At the very least, like everything else in life, they need to provide enough information to help children make good, informed choices. Obviously, there are many articles available to help parents inform children, but let’s face it, many adults don’t even understand or follow best practices.

I couldn’t help but wonder, do parents who work in the cybersecurity industry do a better job of teaching children about cybersecurity best practices? I asked a few of my colleagues about what they teach and what information they believe to be the most important. I was pleasantly surprised to learn that many of them volunteer as guest speakers on the subject at local schools. From these conversations three themes stand out:

• Privacy: The lives of children are documented in an unprecedented way considering the high volume of photos, selfies and other information that is shared online from a young age—often by parents who are thrilled to share every milestone. Explaining the concept and value of privacy is an important lesson. Children frequently use devices to share pictures, experiences, thoughts and more, so they have to learn there are lasting consequences – their digital profile builds over time with every action. Screenshots are just one way to extend the reach and shelf life of a message or image. Encourage them to think of examples of what they shouldn’t share including inappropriate pictures and potentially offensive posts. Remind them everything is public. After all, there aren’t secrets online. It’s easy to make a mistake that might be irreversible and hurt many.

• Power: One of my colleagues recently had a session with high school students. They talked about the concept of security and the consequences of being unsecure. He used some examples to help students think like an attacker in order to better understand the importance of defense. Students today have access to powerful tools that are freely available online and can do a lot of damage if used inappropriately. For example, there are encryption packages available for download, there are open source offensive tools in GitHub, and there are services that provide extreme compute, storage and analytics resources. Such resources can support brilliant and cool projects, but these tools could also be used “offensively” to spread ransomware and other malwares or to attack websites using DDOS attacks. Perhaps here, children can draw lessons from their favorite superhero and decide to use power appropriately and ideally for good intentions.

(continued below)

READ ALL ABOUT IT!

Ric ONE DPSS was featured in the winter NYSIR News BOCES Edition! Access the article using this link:

http://nysir.org/nysir-news/

WHAT DO CYBER PROFESSIONALS TEACH CHILDREN ABOUT SECURITY (continued)

• Responsibility: A laptop with an Internet connection provides a lot of power to an individual. It can be used for great projects or malice. As the saying goes, “With great power comes great responsibility.” This is a foundational concept—a philosophy—we all strive to be responsible citizens, adults, parents, etc. I suppose the goal is to teach children to consider the options they have in any given situation. Encourage them to ask questions to more fully understand the consequences of their actions and the identities of those with whom they interact. It’s important to remind them not to be so trusting as people are not always who they appear to be online.

Interestingly, in most states in the U.S., teenagers have to take driver’s education often either privately or at school as they learn how to drive. They practice driving many hours with adults before they take an exam. With technology, we just hand it over. Increasingly, at a younger age. Food for thought.

COMPTROLLER’S CORNER

The Florida Union Free School District was audited in November 2017. The key findings of the report focused on data privacy and security issues, including the following items:

• Employees did not comply with the District’s acceptable use policy.
• Controls over the collection, transmission and storage of personal, private and sensitive information (PPSI) have not been developed.
• Employees and staff were not provided formal cybersecurity awareness training, which could compromise District assets and security.

Recommendations to address these issues were provided. The auditors recommended the district implement the following measures:

• Review and monitor employee computer use to ensure compliance with the District’s acceptable use policy.
• Inventory, classify and develop controls over PPSI maintained and collected by the District. (The DPSS Inventory Tool can address this type of issue)
• Ensure employees receive formal IT cybersecurity training on an on-going basis that reflects current risks identified by the IT community.

Digital Debrief– Interview with the New York State Office of the Comptroller

An interview was held with Randy Partridge, Chief of the Applied Technology Unit in the Division of Local School Accountability with the NYS Office of the Comptroller. Mr. Partridge assists regional offices across the state with information technology audits. He also explains how to navigate the website for the Office of the NYS Comptroller. Direct Link: https://ensemble.lhric.org/Watch/NYS_Office_of_Comptroller

Please use this link to access the full Report of Examination for the Florida School District: http://www.osc.state.ny.us/localgov/audits/schools/2017/florida.pdf

Additional Resources

The National Cyberwatch Center designed an Information Security curriculum to support the growth of cybersecurity education nationally. Use this link to view their curriculum guide and access additional resources: https://www.nationalcyberwatch.org/programs-resources/curriculum/

5 Tips to Protect PII in Schools

1. Understand that Privacy is Ongoing
2. Develop Basic Data Governance Best Practices
3. Identify What PII Is and Know the Exceptions
4. Lay the Groundwork for Compliance with Teachers
5. Build Policies Around Digital Citizenship

To read the full article from click this link .


FAKE NEWS & NEWS LITERACY

FEATURE INTERVIEW ON FAKE NEWS & NEWS LITERACY

Dr. Jonathan Anzalone, Assistant Director and Lecturer for the School of Journalism, Center of News Literacy at Stony Brook University, recently answered some questions on the topic of fake news and news literacy. Here is what he had to say:

Define news literacy:

News Literacy is the ability to use critical thinking skills to judge the reliability and credibility of news reports, whether they come via print, television, the internet or social media.

Why do you think fake news is becoming a growing trend today?

A number of reasons.

The first is that technology makes it much easier to create disinformation, and then to spread it quickly and widely. Not long ago, if you wanted to create a fake New York Times, you would have had to pay to print it and distribute it. Now, with little effort and no cost, it's possible to create a fake story that masquerades as the Times or any other news outlet, and then tweet it or post it to Facebook for hundreds and even thousands of people to see and share.

Purveyors of fake news have capitalized on the public's eroding faith in mainstream news outlets by offering alternatives, and also on the fragmentation of the news-consuming public by offering them fake news that affirms their beliefs. At a time when partisans retreat to their corners and consume information that conforms to their personal biases, purveyors of fake news have found receptive audiences.

Finally, there are incentives in spreading fake news--not only attention but also money from advertisers. A teenager in Macedonia, where a lot of fake news originates, can make thousands of dollars a month from his fake news website in a country where the average monthly income is a few hundred dollars.

If fake news had always been around, why is it such a concern today?

For the reasons mentioned above, fake news is far more common and the problem is growing worse. Also, as more people access news on social media, fake stories blend in with credible journalism so that it's hard to tell them apart. We've seen fake news have an impact. BuzzFeed found that in the months before the 2016 election, fake news stories outpaced credible journalism in user engagement (clicks, likes, shares). No matter who one supported in the election, this was an alarming trend. Also alarming: An armed man drove from his home in North Carolina to Washington, D.C., to investigate claims of a child trafficking ring in the basement of Comet Pizza. This was the nonsensical Pizzagate conspiracy theory that falsely implicated Hillary Clinton and a number of her associates. Though no one was harmed when the man opened fire in the pizzeria and he was quickly arrested, his actions illustrate what can happen when fake news circulates on the internet and social media.

What is news literacy and why is it the answer over better journalism, algorithms?

Stakeholders have proposed a number of ways to address the problem of fake news. Some have targeted the supply side and invested in programs to train future reporters and fund the work of journalists. This is great: the more high-quality journalism the better. But news stories would still compete with fake news and other misleading information. Such journalism programs do not help the average consumer sort fact from fiction. What good is great journalism if it gets lost in all the noise?

Since a growing number of consumers access news (and other information) on social media and through search engines, what they see is often determined by an algorithm rather than by an editor or expert. Often search results, as determined by algorithms, appear at the top of the screen because they are popular or they match the consumer's interests--not because they are reliable. For more than ten years News Literacy teachers have had students type "Martin Luther King" into Google, and every time the website martinlutherking.org appears in the top ten search results. The problem with this site is that it's run by a white supremacist group called Stormfront.

Better journalism and better algorithms may be part of the solution, but our goal as a society should be to cultivate the critical thinking skills of students so that they can evaluate information for themselves. The responsibility for generating, evaluating, and sharing reliable information is ultimately on the consumer. The goal of News Literacy is to help the public not only spot fake news, but also to distinguish between news and opinion, between journalism and advertising, and between high-quality journalism and weak reporting. A public that is equipped with News Literacy skills will be better informed and more active as citizens.


7 WAYS TO SPOT FAKE NEWS

In the article “7 Ways to Spot and Debunk Fake News” Richard Hornik, a former editor and correspondent for Time magazine who now teaches news literacy at Stony Brook University, shares a checklist on how to avoid falling for false stories. Here are some tips:

• Check whether the story actually supports the headline, and beware of headlines all in capital letters.
• Always ask, “Says who?” We tell children not to take candy from strangers. Well, don’t take information from strangers. Who is responsible for the story? Is it a known journalist or news outlet? If not, how many friends, followers does the source have? What have they posted in the past?
• If you follow a link to a website, do all the links seen there work? What does the “About Us” page say? When was the information updated?
• Check whether fact-checking websites such as Snopes.com or FactCheck.org have investigated the information, or just type the claim into a Google search and add the word “hoax.”
• Cut and paste images into reverse search engines like TinEye.com. Startling images often are not fake, but rather have appeared before in a different context.
• Beware of stories that come from people you trust — even from your friends and relatives. Don’t confuse the sender with the source of the information.

To read the full article use this link: https://www.newsday.com/opinion/7-ways-to-spot-and-debunk-fake-news-1.12695382

HERE’S WHAT HAPPENS WHEN YOUR MOM OR DAD STEALS YOUR IDENTITY

In this article, BuzzFeed reports that minors are attractive targets for identity theft due to:

• their young age
• clean credit reports
• lack of discovery until early adulthood

Most of the time their identity is stolen by a family member with bad credit and saddled with debt. The bigger issue lies in the banks’ methods for verifying credit applicants’ identities. They need to use multiple data points which is not the case at the moment. Read the full article here: https://www.buzzfeed.com/leticiamiranda/what-happens-when-your-parent-steals-your-identity?utm_term=.wtdWzWWex#.yp8bQbbg4

SUPPLEMENTAL LINKS & RESOURCES

• Student Data Privacy Debate Comes to U.S. House (Again)
• Why cybersecurity skills should be taught at business schools
• Want to host a hackathon and teach real-life STEM skills?

2018 NYS CYBER SECURITY CONFERENCE

The 2018 NYS Cyber Security Conference will take place on June 5-6, 2018 at the Empire State Plaza in Albany, New York. Visit their site to learn more: https://its.ny.gov/2018-nyscsc


RECENT EVENTS & CYBERSECURITY NEWS

Data Privacy and Security Service Digital Digest

NEW SENATE BILL INTRODUCED TO HOLD COMPANIES ACCOUNTABLE

Senator Elizabeth Warren along with Senator Mark Warner introduced a cybersecurity bill (Bill S.2289) in January that would impose strict financial penalties when data breaches occur and require higher recovery compensation for customers of hacked credit reporting agencies. If passed into law, the bill would give the U.S. Federal Trade Commission the authority to inspect the companies that collect vast amounts of financial data on consumers to make sure they're protecting that information. It would also let the agency fine them in the event of a data breach, to the tune of $100 per affected consumer as a minimum. Half of that money would be redistributed to the consumers caught up in the data breach.

To read more please check out the following links:

• Huffington Post: https://www.huffingtonpost.com/entry/elizabeth-warren-equifax-bill_us_5a561c07e4b03417e873e3c9?section=us_politics
• Fortune: http://fortune.com/2018/01/10/elizabeth-warren-mark-warner-equifax/

For Further Information Contact Your Local RIC. Click here to find your local RIC contact

THERE’S A NEW IRS TAX SCAM THAT COMES WITH A TWIST

The IRS warns taxpayers to be aware of a new tax scam. Cyber-criminals steal taxpayer data from tax professionals and then use that information to file fraudulent tax returns. Once the tax refund goes into the taxpayers’ bank account, the criminals use a variety of strategies to convince the taxpayer to turn the money over to them.

“It’s a new twist on an old scam,” wrote national tax writer Kelly Phillips Erb.

In one scenario, criminals may try to pose as debt collection agents working on behalf of the IRS. They explain the refund money was deposited in error and provide information on how to forward the money to the collection agency. In another scenario, the taxpayer may get an automated call from the “IRS” threatening the taxpayer with fraud charges, an arrest warrant and a “blacklisting” of their Social Security number. The pre-recorded message provides the taxpayer with a case number and a number to call to return the refund.

Take note: the IRS will never communicate with a taxpayer with a phone call or email. If you are contacted by the “IRS” using these communication methods it’s a scam.

Why does it work so well? Because the taxpayer has a refund in their bank account as “proof.” The scammer will know the exact amount of the refund and may share other personal details about the taxpayer they have acquired.

If you cashed a paper check of a fraudulent refund, return the money to the IRS immediately via personal check or money order, with a note explaining it is a repayment of a false refund. Do it fast to avoid paying interest on money that wasn’t really yours. Also, contact your tax preparer immediately. Thieves are targeting tax preparers using phishing and other tactics to obtain client data for their scheme.

Read the full article here: https://www.huffingtonpost.com/entry/new-irs-tax-scam_us_5a85cdd6e4b004fc31901085

For Subscribers to Service:

Digests & Archived Digests

Digital Debrief

Inventory Tool

Information Security Online Professional Development Digital Blasts
