Category Archive :Security

zero trust lock image
Zero Trust logo with lock (decorative)

There has been a lot of talk about Zero Trust, so let me try to give an overview. I’ll finish up with an example from iboss and a deep dive from AWS. First, think of it more as a methodology and not a new product category. It is a cybersecurity approach that has gained attention for its ability to prevent data breaches. It is not just for enterprise or commercial use. Educational institutions, both in K-12 and higher education, and the public sector find value in implementation as well. It’s built on the principle of “never trust, always verify” (NOT: trust, but verify). Zero Trust aims to protect digital environments by leveraging the cloud. It rethinks how we implement identity and access management and network security. Capabilities include inspection, network segmentation, preventing lateral movement, providing threat prevention, and simplifying granular user-access control.

Beginnings

It was also born out of the need to think beyond just protecting the perimeter with a firewall because trusting everyone inside the firewall was not working. Also, more resources are outside the firewall (i.e. in the cloud) and more users aren’t behind the firewall (i.e. at home or Starbucks). The approach uses information derived from Identity, Credential, and Access Management (ICAM) systems. ICAM consistently verifies all users, devices, applications, and data based on context and user activity. Have you had a website that you use a lot reverify you because you’re not in your usual place? That’s Zero Trust at work.

“Zero trust is a way of thinking, not a specific technology or architecture,” says Gartner Distinguished VP Analyst Neil MacDonald. “It’s really about zero implicit trust, as that’s what we want to get rid of.”

Gartner

ZTNA

Zero Trust Network Access (ZTNA) extends this strategy. ZTNA provides remote access to applications and services based on defined access control policies. Policies combine role-based, granular, encrypted access controls with post-connect threat monitoring. It involves micro-segmentation of the network (micro perimeters).

Existing infrastructure and technology work for Zero Trust. There are no specific products! Rather it’s an integral part of a complete modern cybersecurity architecture. The approach enables complete end-to-end visibility and rich policy-based controls to mitigate even the most sophisticated threats.

Zero Trust Principles from Gartner: Verify explicitly, Use least privileged access, and Assume Breach
Zero Trust Principles from Gartner

Don’t Do It Yourself

Leading solution providers now incorporate the tenets of ZTNA. Comprehensive, end-to-end platform architectures to address even more use cases come from a single vendor or a mix of “best of breed” suppliers. This approach offers educational institutions and the public sector several advantages. Context-based access encompasses all users, all devices, all applications, and all workloads. Zero Trust provides uncompromising security by continuously examining all content to prevent both known and unknown malicious activity in real-time.

Furthermore, it enables global and consistent access security everywhere, regardless of the location of a user, device, or application. This is best achieved through physical, virtual, and cloud-native firewalls that leverage artificial intelligence and machine learning to enable context-based access on-premises, in the cloud, in remote work environments, or across campuses. Simply put, all traffic, whether to or from campus, the office, home, or, say, a cafe, goes through a cloud firewall and a series of checks.

Example: iboss Secure Access Service Edge (SASE)

The iboss Zero Trust SASE allows all protected resources within an organization to be labeled and categorized, including Security Objectives and Impact Levels. This provides organizations with a clear understanding of where sensitive applications and data reside while providing insight into what users and assets are interacting with those protected resources. The iboss Service follows the NIST Risk Management Framework (RMF) and implements tenets from the NIST 800-207 Zero Trust Architecture Special Publication.

iboss zero trust edge diagram with network connections going through the iboss cloud.

Components

cloud icon

Overall, Zero Trust represents a convergence of secure network transport with a cloud-native security stack that includes components such as ZTNA, Secure Access Service Edge (SASE), Cloud Access Security Broker (CASB), Secure Web Gateway, Firewall-as-a-Service), Software-Defined Wide Area Network (SD-WAN), and micro-segmentation. But don’t think of it as a “rip and replace“, but an additive approach to what you’re already doing.

Deep Dive: What is Zero Trust on AWS

AWS describes Zero Trust as a security model that emphasizes strong identity verification and authorization rules before granting access to data, applications, and systems.

AWS definition of Zero Trust
AWS definition of Zero Trust

Zero Trust is not solely based on network location and operates within highly flexible identity-aware networks, which reduce surface area and eliminate unneeded pathways to data. AWS provides several identity and networking services that can be used as building blocks for implementing Zero Trust. To move towards Zero Trust, AWS says, evaluate the workload portfolio and apply Zero Trust concepts, such as rethinking identity, authentication, and context indicators.

AWS, itself, implements Zero Trust in interesting ways. When using the console every API (application programming interface) call is authenticated. Also, when using services in an account, the services do not automatically have access to other services. You must set up a role that is authenticated when that service is instantiated and every call it maqkes. Security Groups and Network Access Control Lists are another way AWS implements Zero Trust. They can limit traffic north-south and east-west. Remember, Zero Trust is a process and architecture, not a product.

To dive deeply read Zero Trust architectures: An AWS perspective and watch the re:Invent session Zero Trust: Enough talk, let’s build better security.

video thumbnail for AWS re:Invent talk "Zero Trust: Enough talk, let's build better security"
https://www.youtube.com/watch?v=751NZpS6s78

By adopting a Zero Trust approach, educational institutions and the public sector can strengthen their cybersecurity posture and better protect themselves against the ever-evolving threat landscape. Tech Reformers is a consultancy focused on education and the public sector that can help assess your needs.

Download image for NIST zero trust

Download the full NIST publication on Zero Trust

Recently K12 Security Information Exchange (K12 Six) released its annual State of K-12 Cybersecurity, Year in Review. K12 Six has been tracking cybersecurity incidents in K-12 for several years and has been attracting a following among school district Information Technology (IT) leaders. They are perhaps best known for their heat map which is a visualization of publicly disclosed school cyber incidents from 2016 to now. Besides the map and this research, they are an information exchange where IT leaders can learn from each other, leaders in the cybersecurity field, and cybersecurity vendors.

cover of The State of K-12 Cybersecurity: Year in Review
2022 Annual Report that show cyber incidents in K-12

The definitive annual report series on cyber incidents affecting U.S. public elementary and secondary (K12) education institutions. Based on a data source that the U.S. Government Accountability Office (GAO) found to be the “most complete resource that tracks K-12 cybersecurity incidents, including student data breaches.”

U.S. Government Accountability Office (GAO)
Number of Publicly-Dislclosed K-12 Cyber Incidents by Incident Type 2016-2021. Data steadily rising for data breach, ransomware, BEC, DDOS, Invasion, and other to total about 1300 cybersecurity incidents.
K12 Six The State of K-12 Cybersecurity 2022 Annual Report

The report itself tells us what we already know: there is a growing number of cybersecurity incidents in school districts. But, it provides specific numbers, categories, and examples that drive home the problem. Note that K12 Six reports that the reporting is not what it should be. Based on anecdotal evidence, incidents occurred perhaps 10 to 20 times more often than reported.

2021 was Unique

2021 had some unique variables that may have caused the increase. With the pandemic and remote learning, a new cyber incident became evident. Dubbed “zoombombing” or class invasion, these incidents rocked the virtual classrooms of the United States. Vendors and users implemented technical and operational controls respectively to blunt this threat. Luckily, learning from mistakes and the return to the classroom should diminish this threat.

Also, 2021 became the year school districts became more aware of the need for and requirements of cyber insurance. While many school districts had insurance, they did not meet the stricter requirements of their insurer. Insurance companies got slammed over the previous years with the rise of ransomware, and now were enforcing a set of requirements on districts to keep their policies in force. With both the increased media attention to cyber incidents and the new insurance requirements, district leaders and board members, not just IT or Risk Management, began to focus on cybersecurity. So 2021 wasn’t all bad!

Ransomware – #1 Cyber Incident

Of all the cybersecurity incidents, the top incidents were ransomware, data breaches, and class meeting invasions. Ransomware, for the first time, is the top threat. In 2021 62 K-12 districts across 24 different states reported ransomware cybersecurity incidents. 2021 was the third year with over 50 incidents. Unlike a data breach, ransomware often results in class cancellations, school closures, and a breakdown of district core operations.

The Baltimore Sun headline:
Ransomware attack cripples Baltimore County Public Schools. No timeline for return to class.
The Baltimore Sun headline

The report outlines striking examples that include Baltimore County (MD) Public Schools where the cost of ongoing recovery from a Ryuk ransomware attack grew to nearly $9.7 million dollars and closed school for days and limped back for weeks.

The Buffalo News headline
The Editorial Board: Ransomware attack on Buffalo schools show again the need for strong security.
The Buffalo News headline

Similarly, the Buffalo School Board approved spending nearly $9.4 million on IT consultants to respond to a ransomware attack in March 2021.


Data Breaches

Initiator of K-12 Data Breach/Leak Cyber Incidents: 2016-2021
K-12 Vendor 55%
Other / Undisclosed 24%
Staff 14%
Students 7%
K12 Six The State of K-12 Cybersecurity 2022 Annual Report

The most significant vector for student and teacher data breaches, the loss of personally identifiable information (PII), remains school district vendors and other trusted non-profit and government partners, not the districts themselves. An exception to the Family Educational Rights and Privacy Act, or FERPA, allows districts to transfer the role of a so-called “school official” allowing a district to share educational records with third parties as part of outsourcing service that it lacks the capacity to perform itself. Although allowed, districts must vet these 3rd party vendors from the large Software as a Service (SaaS) ubiquitous in Student Information Systems (SIS) and Learning Managementment Systems (LMS) to the smallest EdTech vendors.

Another significant source of K-12 data breaches is school district staff and school board members,
who inadvertently share the PII of students and/or staff in the course of their duties. Two common examples are losing an unencrypted district device or emailing a spreadsheet of data.

The other K-12 cyber incident types disclosed during 2021 as reported by K12 Six include:

  • Business Email Compromise (BEC) where district emails are spoofed or stolen to fraudulently request gift cards, W-2s, and invoice payments;
  • Class Invasions where malicious actors gain access to classes or meetings;
  • Email invasion where the district email system is breached for spamming;
  • Website and social media access where lack of controls leads to defacement or worse by a 3rd party;
  • Denial of Service (DOS) attacks to bring down systems and testing periods.

Responsibility for Cyber Incidents

The research shows where most of the incidents are occurring. Incidents per 100,000 students, which compensates for the size of the district, show that the states of Montana, North Dakota, Connecticut, Maine, and Hawaii have more than their expected share of K-12 cybersecurity issues. Larger school districts and wealthier ones appear to be at a greater risk of cybersecurity incidents than small school districts and lower-income districts. This may be because cybercriminals are targeting districts with more money and the ability to pay a ransom.

So who is responsible and why do these incidents keep occurring? K12 Six found 4 groups.

  • Teachers, administrators, and board members who have a lack of training
  • Tech-savvy students who are not monitored
  • Suppliers and vendors who are not properly vetted
  • Cybercriminals (of course) who realize that school systems are “soft targets”

Key Finding

There is a lot of great information in the K12 Six report that is backed up by well-researched data. While they come up with several conclusions, there is one main point that comes from the data. K-12 school districts need to implement commonsense cybersecurity controls and practices. As a district leader, you do not want to risk the money, lose productivity and class time, or get on the K12 Six K-12 Cyber Incident Map. Read the full report here: The State of K-12 Cybersecurity Report Series — K12 SIX.

Next Steps

Tech Reformes is hosting a webinar, The Ransomware Hostage Rescue Checklist: Your Step-by-Step Guide to Preventing and Surviving a Ransomware Attack. In this webinar Roger A. Grimes, KnowBe4‘s Data-Driven Defense Evangelist and security expert with over 30-years of experience will take you step-by-step through best practices for preventing ransomware attacks and a post-attack response plan. Join us May 11, 2022 11:00 am PDT, 2:00pm EDT. Don’t be a victim of the #1 cybersecurity threat in K-12.

New Webinar
The Ransomware Hostage Rescue Checklist:
Your step-by-step guide to preventing and surviving a ransomware attack. Avoid cyber incidents!

The Russian invasion of Ukraine increases the risk of wiper malware spilling over to the US and our education infrastructure. You may remember NotPetya, which caused billions of dollars of downtime damage. The Wall Street Journal (WSJ) reports that Symantec observed wiper malware was put in motion just hours before Russian tanks arrived in Ukraine.

WSJ Reports

The WSJ said: “The wiper malware—this version is being called HermeticWiper by researchers—could mark an escalation in cyberattacks against various Ukrainian targets, security experts said. Websites of government agencies and banks were disrupted on Wednesday, and on Thursday, that of the Kyiv Post, an English-language newspaper.”

“On Wednesday, Slovakia-based cyber firm ESET said it also detected the wiper strain on hundreds of machines in Ukraine, adding that timestamps indicated the malware had been created nearly two months ago in preparation for deployment.”

The WSJ noted that “On Thursday morning, CISA Director Jen Easterly tweeted a Wired magazine article on the 2017 NotPetya hack, which emanated from a Ukrainian accounting firm and caused billions in lost sales and other damage to businesses including FedEx Corp. and Merck & Co. Inc.”

“While there are no specific threats to the U.S. at this time, all organizations (including school districts) must be prepared for cyberattacks, whether targeted or not,” Ms. Easterly wrote.

Recommendations

So, Tech Reformers strongly recommends to:

  • Make sure your backups work and test your restore function, not for just files but whole servers
  • Patch all known vulnerabilities and test the patches
  • Deploy strong MFA to as many employees as possible (some MFA can be easily circumvented).
  • Step all employees through at least a 15-minute security awareness training module to keep them on their toes with security top of mind.

Also, warn your staff: cybercriminals will start new, devious charity campaigns that claim to help people in Ukraine. Be prepared for the wiper malware.