Schools, data protection and online services

As we make greater use of technology in our schools we make greater use of online services.   We might make use of an online communication tool to improve on communications with parents.   We might make use of Google Apps or Office 365 to allow staff and students to have cloud storage so they can access their files when away from the school or on any device.    We might engage with an online maths tutorial site so students can undertake self directed study online and further develop their maths skills.    We might make use of a site to manage trips or resource bookings within our school.    The number of online services we are using in schools is increasing and therefore we are sharing more and more data with online service vendors.

The above is important to note given the new general data protection regulations are speeding towards us.    These new regulations will come into operation in May 2018 and will put a focus on all organisations to prove that they comply.     It is therefore important that all organisations including schools get a handle on the data which they have and how it is stored and processed.     For schools part of this includes examining where third party services are being used such that the schools data is processed and/or stored by these service providers.    We need to be asking what these service providers do to ensure the security of our data.

To aid the above, the need to review third parties, and the increasing use of third party online sites, the government has created their Self Certification process for vendors to self-certify their provision in relation to data protection where they offer cloud software services for schools.    You can view this here.     The thing that worries me is that as I write this there are only 38 vendors listed which appear to have submitted a self certification.     This represents only the very very tip of the iceberg which represents the vast range of services being used by school.

We all need to push vendors to answer questions in relation to the protection of our school data.   We need to push them to self-certify and to share what they are doing.   We need to ask the difficult questions now before they are asked of us later.

Have you considered the data protection of school data on third party services lately?    It is time you did!

 

 

Cyber thoughts from the train

Sat on the train going on my way back from London and I noticed my Samsung Galaxy phone was displaying a message telling me that it had detected a Samsung Gear device near me and wanted to connect.    The connection it was trying to establish was via Bluetooth which was enabled to allow my phone to connect to my cars audio system.   I hadn’t even thought to disable it.

As I look around the train I can see various people making use of mobile devices including laptops as we speed through the countryside.    The train is equipped with Wi-Fi thereby allowing everyone to remain connected even as they travel.

Two things worry me about the above.  The first worry is that of stray connections such as the one my phone tried to make with another passengers Samsung Gear.    As the various people on the train sit watching their video on their device, listening to music or working away their mobile devices are constantly seeking to make connections.    To connect to Wi-Fi for internet access, to connect via Bluetooth to external speakers, wireless headphones or in car audio devices.    As we use more and more technology our devices become more and more interconnected.    In doing so though we expose ourselves to an increasing risk of inappropriate connections being made either due to device error or due to human error, such as if I had accepted the connection which my phone was trying to make without reading the actual message.    These inappropriate connections may then give rise to unauthorised access and download of our data or to malicious acts being committed via our devices.

The other thing that worries me is the free Wi-Fi.    Now I suspect most people assume that the trains Wi-Fi is sufficiently secure although I cannot be sure of this.   The issue is the ease with which a passenger on the train could bring their own Access Point and set up a dummy Wi-Fi network, pretending to be the train providers network, for other passengers to connect to.   By doing so the owner of the dummy AP could gather data from those on the train who connect to the dummy AP.   This just seems all too easy.

The third thing that worries me is general awareness and consideration of security.    I doubt many people other than myself was giving cyber security of the many devices in use in the train carriage I sat in much in the way of consideration.    I would love to be able to survey people on a train or in another public space where free Wi-Fi is available in order to prove or disprove this assertion.   My belief, until I have any evidence to the contrary, is that we are a little too accepting.

Events such as the recent National Health Service ransomware attack highlights the issue of cyber security however the impact is not limited to big incidents occurring to big organisations like the NHS.   It affects each and every one of us, every day, even when sat on a train.    Also we cannot afford to be outraged and concerned only when a large breach like the WannaCry virus occurs, before almost instantly returning back to normal and forgetting all about security and the potential risks and implications.

We need a societal shift in terms of our perception of cyber security.

Being Digitally Literate

Over the past 2 weeks I have been regularly posting my thoughts in relation to Digital Literacy over on my new blog site as www.beingdigitallyliterate.wordpress.com

So far I have posted on 6 different areas related to digital literacy:

  • Digital Literacy: Some initial thoughts on what the term means
  • Evolving Technology: How the pace of technological change impacts of digital literacy
  • Cross Platform Skills: The need to develop the ability to work across different platforms and software and to learn how to use new solutions as they arise
  • Awareness of Technology: We use technology all of the time but are more aware of some technologies we use than we are of others
  • Encryption and public safety: The internet provides a safe place for all including those who wish to do that which is evil or illegal but weaker encryption isn’t the answer
  • Where’s my data: We sign up to more and more services in doing so share more and more data with the internet

I hope to continue adding the site with regular posts, with each post posing questions to promote thinking and/or discussion.    Hopefully over time the site will build to become a useful resource.

 

Being digitally literate

Have today started a new blog site called “Being Digitally Literate” focusing on ideas around developing digital literacy in students.    My hope is to create a site which explores and asks questions as I explore and ask questions, and that by doing so it might help others to also explore ideas.

As a starting point I have decided to re-post my first entry from the site below:


What does it mean to be digitally literate?

We often speak about the importance of developing digital literacy in our students.   The issue with the intention is the lack of clarity as to what it means to be digitally literate, the areas which should be covered in developing such literacy and also the methods or approaches which should be used in this development.

I intend to post my thoughts on this matter over the coming weeks and months.   I will admit that I suspect a number of my posts will pose more questions than they answer, however my hope is that the act of posing questions will promote further thought even if this is just within myself.

To get the ball rolling I would like to just define in very general terms what I believe we are looking to achieve in developing digital literacy.    I believe the fact we are even discussing digital literacy is an acceptance that we are living in an increasingly digital world.   We are surrounded by ever increasing levels of technology in our work life, social and home lives.     As such the previous literacies, of languages and communication, including reading and writing, and of mathematics are no longer sufficient.   We need digital literacy.

Given this seeking to develop digital literacy is seeking to ensure that our students are sufficiently literate with this new technological world and with its technologies, to be successful in their lives.   To be able to understand the technologies and use the technologies appropriately and effectively.

Does the above definition cover what is meant digital literacy or is there something missing?   

Reflections: 2017 so far

Having just turned 41 years of age, it makes for a good time to reflect a little on the year so far.   Firstly I think its important to note that this year appears to be disappearing very fast.   I feel at this point as if the Christmas period was only yesterday.   I suspect a quick review of past posts will show a similar perception throughout the year.   I may be able to draw positive conclusions from this, in that time flies when you are having fun, or negative conclusions in that I am that busy I am unable to stop and truly experience or review the events that have occurred.    A third option, and the one I think I will stick with on this occasion, is the that this clearly highlights the frailty of our memories to accurately reflect past events.

During the last few months I have taken to journaling to try and keep a record of the things I have done and how I have felt.   Sadly this has been a little hit and miss with some weeks consisting of daily records of each day while other weeks have been empty of record.    This is something I want to try and be more consistent with and I have been considering that maybe I will need to reduce my blogging in order to release time to facilitate this.   Given that one of the reasons for blogging is to have personal records of my thinking, which is the same reason for having a journal, this trade off seems logical.    As such this may represent the last of my blogs for a little while at least.

I found the recent Secret Teacher article in relation to English teachers not reading quite interesting given that I had set one of my targets or pledges to be reading at least 1 book per month.   I continue to progress well on this target with the hope that I will continue to do so.    I am finding the act of reading to be relaxing but also thought provoking as I explore subjects such as stoicism, culture and also how we think.     The Secret Teacher article strikes me as representing gross generalisation, which is often a feature of online educational discussion, although generally this is backed up by some research.

The area of fitness continues to be one of my weak areas.   Still I am unable to keep up more than a sporadic attempt at physical exercise.    As I have repeatedly said before this is an area which I need to continue to work at.    I am starting to wonder whether the issue here is that I am basing my targets on what other people do while my aspirations should clearly be much lower.     A quick glance at twitter highlights various teaching colleagues across the world who have engaged in their daily or weekly run.   Am afraid the best I can hope for is a monthly or yearly doddle.   Maybe the fact that it is in my mind and therefore I am making sporadic attempts is the best I can hope for.    I suppose I can also be positive in that I have played an hour or so of football with my son on the last three nights.   Progress is progress, even if it is little and infrequent!

My connectedness is another area which is giving me similar thoughts to the above.   I feel that I should be doing more in terms or writing blog pieces, contributing to twitter chats, contributing to publications, etc.    Now again this may be comparisons with others who appear to be doing more.   Again, twitter and other social media seems to present us with models to follow however I am increasingly wondering if these are the right aspirations.   Are the few education stars on social media distorting what I perceive as normal expectations or more accurately my expectations?   These stars are a very small percentage of the overall educational body of individuals across the world yet they are very public and visible.   If plotted on a graph of connectedness they would be outliers, being significantly more connected and active than most, however this has an effect of significantly changing the average connectedness.  Take them out of the equation and the average would be significantly lower.    In addition to this there is the psychological factor in that they are very public and therefore come easily to mind.   This ease with which they come to mind makes then seem common which again impacts on the perception as to the connectedness of the average educator.   This makes me think of Coveys book, “First things first”, and that there may be a need for me to reflect on what actually is my “first thing”.

Five months of 2017 have now be completed and I must say that they seemed to have passed quickly.   The summer period is now not that far away and I look forward to using some of the time over this period to reflect and plan for the start of a new academic year, to energise and also as discussed above, to re-evaluate and identify what truly is important.   I may also look back and review my previous evaluations of the year, as I have posted year over the last year of so with some regularity, to see if any patterns are emerging, however that’s for another day!

 

 

 

 

Cyber threats: Some thoughts

The recent WannaCry ransomware outbreak clearly identified the importance of keeping operating systems and other apps up to date to protect against identified vulnerabilities.   Given the high level of news publicity it is likely that a lot of us went home and updated our home PCs and also checked with IT departments to make sure they had done the same with company machines.    The outbreak, in my opinion, highlights a number of critical issues.

The vulnerability in this case had been previously identified and a patch made available by Microsoft, as such had all machines in the world been patched the impact would have been minimal.     But what if the vulnerability had not have been previously identified?    Had this been the case the attack could have been considered as a “zero-day” attack as it would have been on an unidentified vulnerability.    This would therefore have required the identification of the vulnerability followed by the coding and release of a patch, all post the initial infection.    In this case the impact of the ransomware would likely have been much more significant than it was.

The WannaCry Ransomware was specific to machines running Microsoft operating systems.    This has already resulted in a number of comments online suggesting people make use of Linux or Apple as these weren’t affected, suggesting that these may be safer systems.    As an operating system Microsoft has the predominant share of the desktop and laptop markets although the specific figures are difficult to ascertain.    This makes Microsoft machines a preferred target as there are simply more machines to attack.    Although there are differences in how the operating systems are managed, with Apple using a very closed development process and Linux using an open source approach, Apples OS, Linux and also Microsoft OS’s are all equally complex.   It is in this complexity that lies the risk of as yet unidentified vulnerabilities with equal risk across all the above OS’s.    The difference currently lies in the fact that Windows is the most common desktop OS, however if we were all to go out and buy an Apple or install Linux, it is likely the threat of attack would follow the masses.

My final issue is that of the devices we don’t give much thought to.    We think about the operating system of our laptop or desktop and even these days of our phone, and in thinking about these we carry out, or not, the required updates.    Our homes however increasingly contain more and more internet enabled devices and I would suggest we don’t give these the same level of thought.   My router, with which I connect to the internet, runs software in order to allow it to connect, to allow it to present an admin page along with providing other functionality.   This software is basically its operating system.     Your SMART TV runs an operating system which allows it to respond to your voice commands, search the internet and also carry out its other functions.    Your web connected home surveillance system runs an operating system which allows it to connect to cameras around your house and to allow you to connect in to view footage remotely, again, along with other functions.   And what about your wireless printer?    The above is the tip of an ever growing iceberg, however do we know how to upgrade the software in these devices to protect against identified vulnerabilities?   Do we know whether these devices automatically update or how to change the update settings?   Do we know how to check the version number or when the last update was done?

Microsoft called the recent attack a “wake up call”.   I tend to agree.    We need to be more aware of the implications of the use of each technology item, be it hardware or software.   We need to be aware of the risk to which usage exposes us as well as the precautions which we need to take.

My biggest take away from the whole incident is a reminder of what Nassim Taleb described in “The Black Swan”.   On Thursday 11th May all was well, systems were generally safe and precautions were in place.   Largely we didn’t expect a serious whole world cyber incident.   By the following day it was clear all was not well and that significant vulnerabilities existed.   A global cyber incident was underway.   A lot changed in a day and we didn’t do too well at predicting and preparing for it.    What shape will the next incident take if we can’t predict it?     And are those areas where we believe we are the safest those which are most at risk given we are unable to predict the unexpected?

A cyber learning opportunity

The global cyber attack of yesterday marks a learning opportunity in relation to discussing cyber security with our students.     It is important that our students are aware of the implications of such attacks including the impact and also the measures that can be taken to protect against attacks being successful or at least minimise their impact.

So what are the key learning points to take away from this incident and to discuss with our students:

OS and Software Updates:

One of the key points to take away is ensuring that desktop and server operating systems are regularly updated.  This includes updates and also upgrading of versions, for example upgrading from Windows 7 to Windows 10.    Older operating systems eventually stop receiving support from those that produced it, meaning that new security flaws which are identified go unaddressed leaving users vulnerable.  Support for Windows XP ended back in 2014 so users of XP would be vulnerable to flaws identified between then and now.     For more modern operating systems such as Windows 7 and 10 the key here is the updates.   These updates provide the fixes to security flaws as they are identified and therefore it is important to keep your system updated to make sure vulnerabilities are promptly addressed.      This expands beyond operating systems to application software as well, as equally applications which have not been updated may expose users to vulnerability which the appropriate updates would have addressed.

Data Backup:

In the case of ransomware backup is critical as the virus will encrypt all files it can get access to.  As such at this point you can either pay the ransom which may or may not get you your files back, or, assuming you have kept backups, roll back to your latest backup with only minor loss of data.    As such regular backups represent the best protection against ransomware attacks.   The more regular the backup the less the loss so a weekly backup means a loss of up to a week worth of work, whereas a nightly backup reduces this loss down to 1 day worth of work in the event of a successful ransomware infection.

User Awareness:

The weakest point in the network is usually the user, the human being making use of the system.   An IBM report from 2014 identified that 95% of security incidents involved a human being.    It is unlikely that this figure has changed much.   As such it is important to try and educate users to exercise caution and to be aware of the precautions they should be taking in relation to suspicious emails, password security, etc.

Anti-virus:

While not protecting you against zero day attacks or new variants anti-virus will provide some protection against existing identified threats.   It is also worth noting that new anti-virus products are introducing new capabilities such as heuristic based identification of threats and sandboxing to provide additional protection.

Segmentation:

A key security maxim has always been assignment of minimum privileges required.   This means ensuring that users only have access to the files that they need to have access to in order to carry out their role.    This includes defining whether a user is limited to reading files or can in fact modify or delete them.    This also includes whether users have access to specific networks or whether their access is limited, such as in the case of a guest user.     By limiting access in this way we limit the impact of ransomware or other viruses to some extent.   As such in looking at the resources on our network assigning the minimum privileges is a key step.

Conclusion:

The recent attack is the largest attack I can remember since the Love Bug Virus which I vaguely remember from back in 2000.   It is likely that such attacks will become more common as we become more and more connected and reliant on technology, adding more and more connected devices into our homes and using more and more software apps in our daily lives.   As such, in preparing our students for the future, it is important that we take every opportunity to discuss how these attacks can and do impact on us and how we might all take appropriate precautions.    With the latest incident so widely reported in the news, now is a good time.