CYBERSECURITY_101

OUR PROCEDURES for Cybersecurity Training.

I. Read through the Cybersecurity Policy before you take this training. TEXAS CyberSecurity Framework

II. Watch these Slides before you continue reading: CYBERSECURITY SLIDES

III. Read below and

IV. Then take the Quiz

Goal 1. Develop security habits and procedures that protect Information Resources.

  • #1st Tip. Lock your PC when you are away.

  • #2nd Tip. Change your passwords if you believe they are compromised. Use this link to check whether your passwords are compromised, weak, or used in multiple applications: passwords.google.com. Click on Password Checkup, then Check Passwords. Log in to email. Get your report and please take care of any compromised OR weak passwords. For most users, these need some attention to be totally secure.

  • #3rd Tip. Consider physical security. Where can you keep your computer so that others do not have access, especially to critical data? This may mean that teachers should not allow students behind their desks while they are logged in. This may mean that all servers and switches are locked away from public access. This may mean that secretaries have a partition between their computer and the public.

  • #4th Tip. Keep your software up-to-date. (Run NINITE each week and make sure that your Windows updates have run properly)...

  • #5th Tip. Have an antivirus installed on your computer. (Keep Malwarebytes and Symantec up-to-date.)

  • #7th Tip. Ensure that you have backups. (Google backs up your data in File Stream; Arp ISD backs up all data through Spanning and all critical data to the UT Health Science Center.) Do not store files permanently on your desktop. FYI: This would violate FERPA & HIPAA laws. See HIPAA G Suite Article

Objective 1.1 Principles of Information Security:

(a) Users should be aware of what "information security" means.

Information systems security, more commonly referred to as INFOSEC, refers to the processes and methodologies involved in keeping information confidential and available and in assuring its integrity. It also refers to:

  • Access controls, which prevent unauthorized personnel from entering or accessing a system.

  • Protecting information no matter where that information is, i.e. in transit (such as in an email, or phone conversation, fax or printing) or in a storage area.

  • The detection and remediation of security breaches, as well as documenting those events.

There are three primary components of an Intrusion Detection System (IDS):

      • Network Intrusion Detection System (NIDS): This analyzes traffic on a whole subnet and matches the traffic passing by against a library of known attacks. Malwarebytes Enterprise Version & Meraki MDM assist the district with NIDS.

      • Network Node Intrusion Detection System (NNIDS): This is similar to NIDS, but the traffic is only monitored on a single host, not a whole subnet. Symantec reports to us when a host (single computer) is attacking our network through malware or viruses. If this computer is under BYOD, we remove it from access. If it is a district device, we shut it down until it can be disinfected.

      • Host Intrusion Detection System (HIDS): This takes a “picture” of an entire system’s file set and compares it to a previous picture. If there are significant differences, such as missing files, it alerts the administrator. Google helps us with this for individual data stored in File Stream.
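
The HIDS "picture" comparison described above can be sketched in a few lines. This is an added example, not part of the original training or of any product named on this page; the file names are constructed sample data and the alert threshold is an assumption.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Take a 'picture': map each file path (relative to root) to its SHA-256."""
    picture = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            picture[os.path.relpath(full, root)] = digest
    return picture

def compare(baseline, current):
    """Report what differs between an earlier picture and the current one."""
    shared = baseline.keys() & current.keys()
    return {
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }

def should_alert(report, threshold=1):
    """Alert the administrator once the number of differences reaches threshold
    (threshold is an assumed tuning value)."""
    return sum(len(paths) for paths in report.values()) >= threshold

def demo():
    """Constructed sample: three files, then one deleted, one edited, one added."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in [("grades.csv", "a,b"), ("roster.txt", "x"), ("notes.txt", "n")]:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        baseline = snapshot(root)
        os.remove(os.path.join(root, "roster.txt"))       # a file goes missing
        with open(os.path.join(root, "grades.csv"), "w") as fh:
            fh.write("a,c")                               # a file is altered
        with open(os.path.join(root, "unknown.exe"), "w") as fh:
            fh.write("?")                                 # a new file appears
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    report = demo()
    print(report, "ALERT" if should_alert(report) else "ok")
```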

(b) Users should be aware of the types of information (e.g. confidential, private, sensitive, etc.) they are responsible for safeguarding. You can safeguard this information through shredders, lockable storage, secured cloud encryption, and through confidentiality training.

      • Example of confidential information: information covered under HIPAA, IDEA and FERPA.

      • Example of private information: Information that a user wishes to keep from public view. Credit card, social security, health records, and financial account numbers, along with passwords to websites and other venues, are commonly kept private.

      • Example of sensitive information: The three main types of sensitive information that exist are: personal information, business information, and classified information.

(c) Users should be aware of the forms and locations of the information they are responsible for safeguarding.

      • Examples of forms of information - student information (PEIMS), health information, HIPAA, IDEA, FERPA, 504, discipline.

      • Sensitive information should be locked in a file cabinet or, if placed in Google File Stream, kept in a folder that is locked against access by anyone not legally involved in attending to that information. Nursing staff should make HIPAA Secure folders in Google File Stream. Counselors, Special Ed Teachers, and Staff should make Secure folders in Google File Stream. All faculty members should create secure "Non-Share" folders for discipline, 504, Spec Ed, and other sensitive information.

      • To accomplish this:

        • Create a Folder

        • Right Mouse Click on it and Click on Share

        • Click on Advanced

        • Select - Link Sharing Off - Specific People

          • and then give access to just the folks that can legally use this information. OR you may ONLY share with yourself.

Objective 1.2 Best Practices to Safeguard Information (All Forms) and Information Systems

(a) Users should be aware of how to safeguard against unauthorized access to information, information systems, and secure facilities/locations.

Want to learn more about Ransomware & Trojans in Texas & education? Read here: Ransomware (optional), Trojans (optional), What is Ransomware?, Payroll Scams

ARP ISD:

      • has all physical areas of concern marked with signs that prohibit public access under the CJIS Security Act.

      • has physically blocked access to secretaries and their computer systems

      • requires all users of computer systems to be trained on the Acceptable Use Policies

      • requires that only authorized devices through the BYOD contract be on the premises of Arp ISD

      • requires all guests to be logged in to their device by the Tech Dept. We do NOT give out that password. Guests are ONLY allowed to access the Internet wirelessly and are NOT to be connected to any Arp ISD networked device (wireless printer, wireless projector, or a connection using a network cable). Please make sure your guest has visited with the Tech Dept and is connecting wirelessly in common areas where projectors are available to guests (Libraries, Workrooms, Cafetorium, etc.).

      • requires all passwords to be complex (capital, small, numbers and weird character). Arp ISD passwords should also be unique (not the same as other passwords you might be using).

      • requires all users to maintain their own usernames and passwords and to safeguard their systems against unauthorized use.

      • requires all BYOD users to sign a Responsible Use Policy before they bring their devices to the district.

      • requires all employees to be trained in the confidentiality laws for IDEA and FERPA

      • requires all students 6-12 grades and all employees to be trained in Security Policy, Security PD and to take the Security Quiz.

      • implements security alerts against accessing dangerous websites. These are automated thru Symantec and Malwarebytes. Employees/Students are NOT to try to go around these alerts.

      • No matter the device (cell phone, laptop, desktop, iPad), users must be aware that emails and all other online communications are not private and are subject to the open records act. Employees, PLEASE READ HOUSE BILL 944 Letter to Employees on Cell Phone Use.

      • TAKE Phish Quiz Challenge - capture the screen and email tech@arpisd.org the results.

FBI Recommendations for Business Dept: The FBI had these tips, specifically aimed at helping employees to avoid these payroll scams:

  • Use secondary channels or two-factor authentication (2FA) to verify requests for changes in account information.

  • Ensure the URL in emails is associated with the business it claims to be from.

  • Be alert to hyperlinks that may contain misspellings of the actual domain name.

  • Refrain from supplying login credentials or PII (Personally Identifiable Information) in response to any emails.

  • Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.

  • Keep all software patches on and all systems updated.

  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s purportedly coming from.

  • Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
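
The link and sender checks in the tips above can be automated along these lines. This is an added example, not part of the original training or of the FBI guidance; `payroll.example` is a placeholder for the business's real domain, the edit-distance limit of 2 is an assumption, and all sample links and addresses are constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"payroll.example"}  # assumption: placeholder for the real domain

def edit_distance(a, b):
    """Levenshtein distance: edits needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower().rstrip(".")
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Compare only as many trailing labels as the trusted name has,
        # so a misspelling is caught even behind a "www." style prefix.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        if 0 < edit_distance(tail, good) <= 2:
            return "lookalike"
        # The real name used as a leading label of some other domain.
        if host.startswith(good + "."):
            return "lookalike"
    return "unrelated"

def check_link(url):
    """Classify the host a hyperlink actually points to."""
    return classify_host(urlsplit(url).hostname or "")

def check_sender(from_header):
    """Classify the domain of the real address, ignoring the display name."""
    _name, address = parseaddr(from_header)
    return classify_host(address.rpartition("@")[2])

if __name__ == "__main__":
    for link in ["https://portal.payroll.example/update",   # constructed samples
                 "https://www.payrol1.example/update",
                 "http://payroll.example.login.test/"]:
        print(link, "->", check_link(link))
    print(check_sender('"Payroll Dept" <hr@payrol1.example>'))
```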

(b) Users should be aware of best practices related to securely storing information.

ARP ISD:

      • does not allow unauthorized devices: These include any device from home (laptops, tablets, or iPads), flash drives, thumb drives, SD cards or external drives in the district. These are NOT considered secure at any time. Many of these are able to load keyloggers on your computer which will track all your keystrokes, including bank account numbers, passwords, and more!

      • does not allow students to attach their cell phones to any system in the district. Cables from home are not allowed. If students need to recharge their phones, they may use district cables and power chargers (used for district iPads).

      • requires all data to be stored in the cloud under the user's username and password. Sharing of files and folders must be done with the appropriate person or persons according to confidentiality guidelines.

      • does NOT allow saving and/or exchanging of student data via non-district-supported cloud services such as DropBox. Student data may be saved and/or exchanged on district-supported or authorized cloud resources such as Arp ISD Google Drive.

(c) Users should be aware of best practices related to securely disposing and sanitizing information and information systems.

ARP ISD:

      • has disposal schedules in place for all information types. Disposal requires shredding or destruction by qualified personnel. Arp ISD has adopted the Texas Library Association's Disposal/Retention Policies for all types of documents and data.

      • destroys all hard drives before sending the devices to a recycler. The recycler certifies the destruction of any data storage device.

      • uses low-level format techniques to clean any device they sell or give to Arp ISD students/faculty members.

Goal 2: Best practices for detecting, assessing, reporting, and addressing information security threats.

(Objective 2.1) Users should be aware of the meaning of "threat", "threat actors", "risk" and "attack".

ARP ISD:

      • prepares all students and employees with guidelines - "if you know, you must tell". This assists the administration in detecting and reporting any threats to students, student data, or security issues.

      • audits all traffic and systems on a regular basis.

      • uses BARK, a logging system that assesses any security threats to systems, students, or personnel.

      • has a robust firewall that protects against most hackers and fraudulent users. The biggest threats to Arp ISD's network are network users who are not careful about what they click on.

      • gets regular reports from Meraki MDM on threats to the wireless components in the district

      • gets instant reports from Symantec and Malwarebytes Enterprise for any threats to computer systems.

      • monitors bandwidth usage for systems that might be infected.

      • is aware of guidelines from TEA to report any security breaches that affect sensitive data in the district.

      • requires all employees to go through Security Training to keep all users in the loop for phishing schemes and security threats.

      • does not allow users to access malicious sites such as Facebook and LinkedIn on any district device. (Read about Identity Theft)

      • does not allow cell phones on the network as their cloud resources are not protected from hackers.

      • Tech Dept keeps up with the latest threats through journals, listservs, tecsig, and KnowBe4.

      • requires that all employees receive up-to-date security alerts during current threats

      • requires all software that is downloaded to be approved by the Tech Dept. Software for teachers is located at \\host03\share\teachers\software . Software applications are to be ONLY downloaded to a district device from this location. Downloading software from the Internet is VERY dangerous.

(Objective 2.2) Awareness of how to identify, respond to, and report on information security threats and suspicious activity.

(a) Users should be aware of how to identify indicators for common attacks.

ARP ISD:

      • is a Google Suite user. Google will notify users if there is suspicious activity in their accounts. The Tech Director is also notified and given the opportunity to reset passwords for any account that is being attacked.

      • employees know to take screenshots of any weird warning that comes up on their computer. They know to send that screenshot to the Tech Dept and to wait for instructions either to turn off their computer or to send the device name to the technicians so they can remote in to it.

      • will continue to train employees to watch for bogus emails with geographical irregularities and phishing scams.

      • Tech Dept monitors suspicious traffic on the network, which might include a large number of requests from the same file and other log-in red flags.

      • alerts all cell phone users to the fact that Google Drive and Email on a public wireless access point are hackable, i.e. NOT private.

The better your employees’ security knowledge, the better your network will be protected. Employees are the weakest link when it comes to cybersecurity!

REQUIREMENT: Users must be able to identify acceptable information security habits and procedures, detect or identify basic information security threats, and be able to address and report basic information security threats.

QUIZ

RESOURCES: