OETC Spotlight

Dark web search engines, “zero-trust” models and your weakest link

Eight actionable cybersecurity practices your institution should follow according to Jack Maynard

With decades of leadership and technical roles in cybersecurity, Jack Maynard has worked for brands like HP, Accenture and most recently Gap Inc. as the head of the Security Engineering & Operations team before turning to focus on educational technology consulting.

In advance of our one-day cybersecurity workshop that Jack will lead on behalf of OETC, Highline Public Schools and ACPE, we asked him to share some actionable tips, info and resources with our membership.

1. Schools can and should stretch their money by taking advantage of free security tools and services

“There is a wealth of open source security tools that districts can take advantage of. Some companies also allow education organizations to have free licenses for commercial versions of their security tools — some that can cost as much as $2,000 annually that schools can license for free. Two that come to mind are Shodan and Intelligence X.”

2. Don’t forget that it’s more than IT infrastructure that connects to the internet

“Shodan is a search engine for the internet of things — anything that is connected to the internet, Shodan will scan and make note of the information about it. It allows you to see what you have that’s internet-facing that you may have forgotten about, and it checks service banners and shows different pieces of information about that IP address, whether it be open ports or services running that might have vulnerabilities. Shodan Monitor, a feature of Shodan, will automatically monitor your internet-facing IP address space and notify you if a new service appears, a certificate expires, or a vulnerability is detected.”

3. You can do some sleuthing on your own

“Intelligence X search engine allows you to do regular internet and dark web searches for domains, URLs, IPs, CIDRs, hashes, email addresses, names and phone numbers, about 20 different search keys across multiple data sources. So, if information about your district has leaked to the dark web, you can do your own reconnaissance.”

4. Smaller districts don’t have to worry as much as their larger peers, though they still must be vigilant

“There are really two primary threats for districts. One is a data breach, exposure of info that can be monetized, because student and staff identities are valuable. But in a district with 200 kids, it’s not a high-value target as compared to something like San Diego Unified, which suffered a data breach in 2018 that affected 500,000 students and staff.

The other primary threat is ransomware — over 1,000 districts in the U.S. last year were hit by ransomware, but there’s just not a lot of money in it for criminals to go after very small districts. That said, small districts should still pay attention to security fundamentals such as endpoint security, vulnerability management, patching and security awareness training.”

5. While the details may change, the fundamentals of security stay the same

“You really have to be careful with your security investments. You should spend as much as necessary to ensure you have a good next-generation firewall. You should have a security information and event management tool (SIEM) that can correlate all of your log files to understand if there’s someone in your network that shouldn’t be.

But overall, with security the basics don’t really change much from year to year. There’s a set of fundamental controls to stick to, and if you do those fundamentals well, you’re 80 percent of the way there. I always recommend the CIS 20 Critical Security Controls to help districts prioritize their efforts and investments.”

6. There’s a usual progression of attack, and you need to think about protecting more than the perimeter

“Phishing users is usually the first step in a credential compromise. Then those credentials are used to gain access to your internal network. Malware-infected emails when clicked also provide a path into your network. Once criminal hackers are on your network, they’ll try to escalate their privileges to critical resources. From there, they’ll install whatever additional malware they need to complete the attack.


So it’s really important for districts to not just depend on their perimeter security. They have to manage internal risk and make sure their internal network is very secure as well. The industry is moving towards a “zero-trust” model.

Contractors, vendors and other folks are coming and going on your network. You just have to assume that someone can get onto your internal network and do harm.”

7. Remember that transparency is great, but security is also important

“What I see from a criminal hacker perspective is districts sharing too much information in a way that can be used against them. Most of the time, when I go to a district’s website staff directory, I can generally scrape the entire staff directory quickly and easily. If you put in an ‘A,’ you get every employee whose last name starts with an A, so it only takes 26 lookups to have every name in the district. Require a minimum of three letters or more to make the search lookup exponentially harder.

And because districts want to be transparent and helpful, the listing’s got a name, it’s got a phone number, it’s got their role or job responsibility, email address — everything you need to set up a perfect phishing campaign.”
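As an added illustration of the directory-lookup hardening Jack describes (example code written for this post, not from OETC or any district’s site): a search handler that refuses queries shorter than three characters, caps how many entries one query returns, and rate-limits each client, plus a helper that shows why the prefix length matters. The staff entries, limits and client IDs are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory; not a real district's data.
STAFF = [
    {"name": "Alice Anderson", "role": "Teacher", "email": "aanderson@example.org"},
    {"name": "Aaron Abbott", "role": "Principal", "email": "aabbott@example.org"},
    {"name": "Bob Baker", "role": "IT Director", "email": "bbaker@example.org"},
    {"name": "Carol Chen", "role": "Counselor", "email": "cchen@example.org"},
]

MIN_QUERY_LEN = 3      # the minimum the interview recommends
MAX_RESULTS = 10       # one query can never dump the whole directory
RATE_LIMIT = 20        # lookups allowed per client per window (assumed value)
WINDOW_SECONDS = 60

_requests = defaultdict(deque)   # client id -> timestamps of recent lookups


def _over_rate_limit(client_id, now):
    """Sliding-window counter: True if this client has used up its lookups."""
    recent = _requests[client_id]
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()          # forget lookups outside the window
    if len(recent) >= RATE_LIMIT:
        return True
    recent.append(now)
    return False


def search_staff(query, client_id, now=None):
    """Return (status, results). Short queries and noisy clients get nothing."""
    now = time.time() if now is None else now
    q = query.strip().lower()
    if len(q) < MIN_QUERY_LEN:
        return "too_short", []
    if _over_rate_limit(client_id, now):
        return "rate_limited", []
    hits = [s for s in STAFF
            if any(part.startswith(q) for part in s["name"].lower().split())]
    return "ok", hits[:MAX_RESULTS]


def enumeration_lookups(prefix_len, alphabet_size=26):
    """Worst-case lookups needed to walk every prefix of this length."""
    return alphabet_size ** prefix_len
```

Moving from one-letter to three-letter prefixes raises the worst-case walk from 26 lookups to 17,576, and the per-client limit means even that walk is slow and visible in the logs.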

8. End users are always the weakest link, and while training is necessary, punishment shouldn’t be part of the equation

“When my company does penetration tests and social engineering attacks … sometimes people make the wrong choice and it’s really an opportunity not for punishment, but to learn why they fell for that particular attack.

If someone gives up their credentials or they’re tricked into sending a payment for an invoice that is not real, those are opportunities for training.

Companies like KnowBe4 and others do security awareness training; that’s a very critical part of a security program, making sure that you’re educating users in the right ways to handle those types of attack while making sure you’re also putting in some technical controls around emails that will allow you to filter out most of the bad stuff — and then rely on your staff to do the right thing.”

