Data Privacy & Security Digital Digest_Winter 2022

The DPSS DIGITAL DIGEST The 2022 Winter Issue

IN THIS ISSUE: Log4j and other big cyber incidents in 2021 The best of RIC One DPSS Fun and cybergames

Log4J: What it is and why it matters

2021’s Biggest Cybersecurity Incidents & Breaches

What is Log4J? “Log4j is an open-source logging framework that allows software developers to log various data within their application and it is part of the Apache Logging Services, a project of the Apache Software Foundation.”- Medium, Log4J for Dummies. What is the Log4J vulnerability? The Log4J zero-day vulnerability, also known as Log4Shell and LogJam, was tracked as CVE-2021-44228 starting December 9, 2021 and was discovered by researchers on the

Alibaba Cloud Security Team. The vulnerability was available for a week prior to discovery and allowed an attacker to “gain control of a computer with a single line of text.” It was easy to to recreate, as demonstrated by John Hammond when he applied this exploit to Minecraft on his You Tube Channel. Why is the Log4J vulnerability such a big deal? Because Log4J is used in countless applications and websites the vulnerability was widely distributed. Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) has stated the Log4J security flaw is the “most serious security flaw” she has “seen in her decades-long career” and we may still be mitigating this vulnerability for “months, even years.”- CNBC Interview, December 16, 2021 What is the latest Log4j patch? Multiple patches were released to address the Log4j vulnerability. The latest version is 2.17.1 and can be found on the Apache Log4j 2 page. What mitigation resources are available? CISA reacted quickly when this vulnerability was uncovered and created an Apache Log4j Vulnerability Guidance webpage that includes technical details, mitigation guidance, an ongoing list of impacted products and devices, detection rules and additional resources. What K12 specific resources are available? ParticipatingRICOneData Privacy andSecurity service subscribers can login to riconedpss. org to access Digital Blast #196- Log4Shell Zero-day Vulnerabity that includes multiple updates on Log4J. K12 SIX also has crowdsourced a Google Sheet to track the status of commonly used K12 software products.

7 High-Profile Cyber-Incidents in 2021 While it comes as no surprise that the most “impactful” incident of 2021 was the Log4j vulnerability there were other significant cyber incidents that occured last year that made our federal government take notice. The Colonial Pipeline Attack The US Colonial Pipeline attack last May disabled the 5500 mile pipeline and disrupted distribution of “millions of gallons of fuel and triggered temporary gas shortages across a large section of the US East Coast.” Kaseya Supply Chain Attack Early last July customers that use Kaseya’s IT management software were ransomed after attackers exploited vulnerabiltiies in Kaseya’s Virtual System Administrator (VSA) technology. Exchange Server (ProxyLogon) Attacks Microsoft disclosed that a vulnerability was being exploited that gave attackers “unauthenticated remote access to Exchange Servers.” PrintNightmare PrintNightmare was the nightmare reminder of the inherent risk embedded in Microsoft’s Print Spooler technology. The vulnerability allowed attackers to “remotely execute malicious code on any system where the vulnerability was present.” Accellion This zero-day vulnerability impacted multiple countries around the world, including the US and Canada, and was found in Accellion’s “obsolete File Transfer Appliance Technology” that was used by many organizations to transfer large files, internally and externally.

Florida Water Utility Hack This attack on a water treatment facility in Florida is a striking example of how critical infrastructure is vulnerable to cyber attacks. The attacker tried to ‘poison the well’ by raising the level of lye. Thankfully the intrusion was discovered in time and the attacker was unsuccessful. Read more about each of these attacks here: Dark Reading: 7 of the Most Impactful Cybersecurity Incidents of 2021 2021’s Biggest Data Breaches ZDNet breaks down the biggest hacks and data breaches of 2021 month by month in their security publication “The biggest data breaches, hacks of 2021.” We already covered several of them (Log4j, Exchange, Kaseya) but there are other big hacks and breaches that made the list, such as JBS USA in June and Robinhood in November. The Identity Theft Resource Center (ITRC) released their U.S. data breach findings in October 2021 and their analysis showed the number of data breaches executed by Q3 of 2021 exceeded the previous year’s (2020) totals by 17 percent. In addition, “cyberattack- related data compromises” increased by 27 percent, with “phishing and ransomware” as the “primary attack vectors.” You can access the full Identity Theft Resource Center 2021 Q3 Analysis using this link.

Data Privacy & Security Service, Issue 24

Page 1 Data Privacy & Security Service, Issue 24

Page 2

The Best of RIC One DPSS We have compiled a “best of” list of RIC One DPS service offerings to ring in 2022. Here’s to another year of providing data privacy and security support to our component districts.

Helping kids avoid a life of cybercrime

Police in the UK are engaging in a campaign to disuade young people to engaging in cybercriminal behavior. The police claim that they have seen “children as young as nine” that have launched DDoS attacks. The National Crime Agency (NCA) has developed a program called Cyber Choices: Helping you choose the right and legal path to help young people make “informed choices and use their cyber skills in a legal way.” There are resources for parents, guardians, carers and teachers, as well as for young people. The NCA has also partnered with an Internet Service Provider (ISP) to show a warning message when students try to visit a

site that can lead to cybercrime. The message suggests a “redirection” to the Cyber Choices website where students can learn about “the Computer Misuse Act and the consequences of cybercrime.” The deputy director of NCA’s National Cyber Crime Unit (NCCU) John Denley believes that “Education is a key pillar in preventing [cyber] crime” and that “this initiative will continue to help divert young people away from [cyber] criminality.” Read more about this cyber education initiative: infosecurity- NCA: Kids as Young as Nine Have Launched DDoS Attacks

Most Viewed Digital Blast: Digital Blast #196- Log4Shell (Log4j) Zero-day Vulnerability with 764 views.

Best Tweet:

Big changes for 2022

Most Viewed Digital Digest: The “Cyber-Spooky” 2021 Fall Issue

The New NYSED Privacy Office The NYSED Office of the Chief Privacy Officer has been renamed and is now called the NYSED Privacy Office . In addition, Louise DeCandia is SED’s new Chief Privacy Officer and Ethics Officer. Correspondence regarding data privacy issues can be sent to: Correspondence regarding ethics issues can be sent to: status/1402256600103067650?s=21

DPSS Training Modules • 271 districts were activated in the 2021- 2022 school year • 30,898 individual employee user accounts were added • 16,327 employee user training have been completed so far.

New Year, New Look! The new RIC One Data Privacy and Security Leadership site has been redesigned with a fresh new look to meet ADA compliance standards. RIC One Data Privacy Resources can still be accessed from the landing page while Data Privacy and Security Service subscriber resources can still be accessed via Login.

RIC One DPSS NIST CSF Tool 107 districts have entered data in the newly released DPSS NIST CSF Tool.

Data Privacy & Security Service, Issue 24

Page 3 Data Privacy & Security Service, Issue 24

Page 4

Fun and Games and Betty White

Try a cybersecurity word puzzle! Improve your cyber security awareness with a word search puzzle. Train staff using a Cyber Escape Room Living Security’s Cyber escape room combines fun with cybersecurity awareness training. See the video and schedule a demo here. Cybersecurity Games from Texas A&M’s Division of Information Technology The Texas A&M Division of Information Technology has an annual tradition of creating a campus-wide IT security game to observe National Cybersecurity Month. Games date back to 2013 and can be found on their Cybersecurity Games page.

CISA Cybersecurity Games One of our favorite agencies, the Cybersecurity and Infrastructure Security Agency (CISA), has partnered with Pacific Northwest Laboratory to develop a series of educational cybersecurity games. “Each game presents simulated cybersecurity threats, defenses, and response actions” and the mobile apps are designed for Android and Apple iOS devices. Learn more about these games here. Security Awareness Games from the Center for Development of Security Intelligence (CDSE) The CDSE Security Awareness Games page has a long list of game options that cover cybersecurity topics in multiple game formats.

And now, Betty White will share her thoughts on Multi-factor Authentication. We miss you Betty.

Data Privacy & Security Service, Issue 24

Page 5

Page 1 Page 2-3 Page 4-5 Page 6

Made with FlippingBook Annual report maker