Ransomware – A criminal enterprise

A recent story of a ransomware incident impacting a hospital for sick children highlighted for me how ransomware, and by extension other cyber-crime, is often a criminal enterprise. It is run by individuals and groups in much the same way that a conventional business or enterprise would be run, but to criminal ends.

The story in question related to a ransomware incident which impacted on SickKids just prior to Christmas this year (you can read more here). The incident was reported as resulting in longer patient waiting times; however, where this story diverges from the normal ransomware story is that a ransomware gang publicly apologised for the attack and provided resources to help the hospital in the form of a free decryptor tool. Now it is unclear if the decryptor worked on all or some of the affected systems, or even if it was used at all, as using a file provided by a criminal operation doesn’t come without its risks. The ransomware gang also acknowledged that the attack came from a “partner” and that they have been expelled from the ransomware gang’s “affiliate program” for violating the gang’s rules.

If we change the context to a simple and legal business operation a lot of the above would still make sense. Affiliate programs, business or partnership rules, a public apology for an error plus the offer of support: this is what you might expect from a conventional business operation, not a criminal gang.

This I believe is the big challenge for education and the wider world: we need to accept that some see a business opportunity, an opportunity to make money off the illegal activity of cyber-crime. While this continues to be the case, criminal gangs and cyber crime will continue to exist. And if we consider increasing technology usage and increasing data volumes being gathered in society as a whole, this opportunity can only be viewed as continually increasing. Additionally, if we extend the business analogy, these illegal gangs will likely be constantly seeking to improve and expand existing revenue streams and to create new revenue streams, in much the same way as a conventional and legal business would do.

So cyber crime is likely to continue to grow as a threat, and this is pretty inevitable. What do we therefore do to try and protect ourselves? For me it comes down to a number of things, for organisations but also for individual staff: regularly reviewing, testing and improving defensive measures, while also preparing to deal with an incident when it eventually arises. It is about building awareness of the risks and preventative measures and building a wider cyber culture in organisations.

All of this makes me think of business competition, where two businesses fight it out in a given sector or product market to see who wins. Coke vs. Pepsi for example. Here however one business will be legal, fighting against another that is an illegal, criminal enterprise. I can’t help but think that this is an inherently unfair fight, but one that will continue to become more and more common!


Privacy and OSINT

The more time I spend looking at cyber security the more concerned and paranoid I become and the more I realise how, in general, we don’t pay enough consideration to the data we share online.  Take for example a recent post I saw online where an individual was celebrating the purchase of a new house.  

They posted a lovely photo of the front of the house, with the for sale sign showing as sold. The photo didn’t include the door number; however, it wouldn’t take much effort to find the address of the individual concerned. Their photo showed the name and telephone number of the estate agent, giving a rough area based on the UK area code. A quick search on the estate agent’s site would give details of houses they had for sale along with photos from that period in time. A quick comparison and you have an address, plus the name of the individual is included in their social media profile. So, we now have a name and an address, plus from the social media profile we know what they do for a living and various other bits of info.

The above is an example of OSINT or Open Source Intelligence, using freely available information to track someone down or create a profile on an individual.   It is all too easy given the information we make available online plus the various search tools which are now available. A logo, identifiable vehicle, company name or any manner of other things can help in tracking a person down.

In another post I saw, an individual posted regarding repairs being done by the water board and how the works blocked their driveway. The house number is in sight in the photo, as is a house name plate. Again, there is enough information to track the individual down and identify their address, with their name and job identified through their social media profile.

We all too often post photos online, such as photos from our evening run or photos with family, almost always giving away more information than we intended.   We equally may share information from health or fitness apps, possibly including run routes, again giving away more information than we intended.

This is yet another area of digital citizenship which we need to be discussing in our schools, with staff and with students.     If we don’t, it is likely that our continual sharing online will continue to compromise our privacy and potentially could result in some individuals putting themselves at risk.

JISC Security Conference Day 2

It’s been a few days since the JISC Security Conference however I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event.   As such I thought I would share some thoughts following Day 2 of the conference.

Defend as one

During the course of the 2nd day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents. I will admit it was good to hear their experiences, as generally all we get to hear of in relation to cyber incidents in schools, colleges and universities is the news posts, which lack any of the detail as to the cause and impact of the incident or of the resulting recovery operations. It would be good to hear more of the details around cyber incidents in schools, etc, as there is a great opportunity for us to learn from the experiences and collectively seek to be more secure, with this being summed up by the JISC conference tag line, “Defend as one”. I will however note the challenges in relation to this due to the sometimes sensitive nature of such information.

Cyber:  An IT issue?

Now the event itself was very useful for me as a Director of IT, being surrounded by others in similar roles; however, as identified by one of the speakers, this also represents a challenge. Technology security is not solely the responsibility of IT. It is the responsibility of all those who use technology, who manage or are the owners of data, who lead departments and who lead or govern within educational institutions. Equally all these people need to be on board and considering what they might be doing in the event of a critical technology incident, where they will need to try to keep operations going while the IT team focuses on the technical issue. Yet the JISC security conference was mainly attended by IT people. Clearly there is a need for others to be more engaged, and I will certainly be looking to try and encourage other non-IT senior staff to attend events like this in the future.

Third Parties and supply chain risk

As the second day proceeded, I started to see some key themes and messages coming out, some of which aligned with some of my thinking, with one of these being the risk associated with third parties and the supply chain. Increasingly we are using more external solutions, either online based solutions or solutions where we have technology from a third party running on our networks. Examples might include a third party hosted web-site solution, a CCTV solution hosted on site, or a visitor management solution hosted on site. These solutions have access to school data or may be on the school network, and as such may either represent a risk to the data should they suffer a cyber incident or could represent a risk to the school network. If on the school network, they might introduce vulnerabilities which we are unable to address and where instead we must wait for the supplier to identify and resolve them by developing and deploying an update or patch. So this risk highlights the need for due diligence before introducing new solutions. This didn’t really happen during the pandemic, as we sought to act quickly to address the challenges, so there is work to do in carrying out the due diligence for systems now in use. Also, due diligence at the point of purchase represents a snapshot. Most technology solutions evolve over time, with new functionality being added or existing functionality adjusted and changed, meaning the due diligence which was originally conducted is now out of date and inaccurate. This highlights the need for periodic review, but this is then yet another task or piece of work which needs doing, and who does this due diligence where departments across a school, college or university are sourcing their own solutions? For me the key here is we need to look to do more in relation to examining the cyber resiliency and disaster recovery plans of the third parties we use.

Prioritisation

Another theme which came across was the extent of the cyber incidents described. Basically, in some cases it meant going back to scratch, turning everything off and rebuilding. But this takes significant time, running into weeks and months. This means it is key to identify the priorities for the recovery. What systems and processes need to be recovered first? If we don’t stop and consider this now, when things are running, we will likely find ourselves in the middle of an incident with every department and user screaming that their system or process is the most important, and we will then waste significant time trying to debate and decide. Clearly there is a need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems, such that when an incident occurs there is a clear priority order to work with.

Data Governance

The issue of data governance was particularly notable in discussions related to HE, to universities, and this is likely due to their size and scope when compared with schools and colleges. That however is not to say that the same challenges don’t also exist in schools and colleges. The key question here is about the basics of data management and knowing what data we have, why we have it, where it is and, likely most importantly, who is responsible for it. And in terms of responsibility, I am not referring to IT teams being responsible as they run the systems the data is stored on, but to who the owner of the data is. For example, admissions data doesn’t belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team. IT can never know the processes and uses of all the data stored by different departments on IT solutions, therefore they cannot be responsible for the data management side of such data. It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc. It was clear from some of the discussions that greater effort needs to be made to ensure all understand who is responsible for what data.

Conclusion

There was a lot to think about on Day 2 and, to be honest, I haven’t as yet had a sufficient amount of time to properly stop and reflect on the day or on the wider conference as a whole. And I suspect it will be a few weeks, and maybe the end of term, before this will properly happen.

That said the above represents some of my initial thoughts based on some of the copious notes I took during the course of day 2.

I will end on an important message as I see it: this can all seem like doom and gloom. The “when” rather than “if” of a cyber incident, the size and impact of such an incident and the multiple things we need to be doing to prevent and prepare, all against the backdrop that no matter what we do it may still happen. We cannot allow it to be all doom and gloom. My view is therefore that we need to simply seek to continually improve, to not try and do everything, but to try and seek to be more secure today than we were yesterday.

JISC Security Conference Day 1

I thought it would be useful for this week’s blog to focus on the JISC Security conference in Wales, which I am attending today (Mon 7th Nov) and tomorrow, and which also includes a third day held online.

So, let’s start with my usual travel difficulties. This shouldn’t have been a difficult one as I have driven to the event; however, my car decided to develop some engine issues, including the engine warning light deciding to stay on plus occasionally flash alarmingly at me. I noted a reduction in engine power, which meant my cheeks were firmly clenched as I crossed the Prince of Wales bridge in the wind and rain. Not somewhere I would want to break down. Thankfully the car got me to my destination and can now have a rest before the return leg.

So, the event itself: as I write this opening part of the blog I am sat waiting for the event to begin. I have high hopes for the conference as there are so many different talks all focussed on the very important topic of technology security in education, principally in Further Education and Higher Education. As a topic, technology or cyber security is increasingly important in schools, colleges and universities as cyber criminals seem set on targeting education. One presenter at the JISC conference suggested education was the number 1 target for ransomware attacks. It makes sense, sadly, due to the data schools, colleges and universities hold, plus due to the fact the focus is on education, with cyber security relegated to a secondary or even tertiary concern, often reserved for those working in IT roles. Given the focus of the whole conference is on security I am very hopeful that I will take away quite a bit from the two days.

One of the big takeaways from Day 1 for me was a document which presented 16 questions for University Vice Chancellors to answer in relation to cyber security. The purpose of the 16 questions is to prompt discussion in relation to cyber security at the highest levels of management in universities. It was clear from conversations with a few people that although this document had been sent to all universities, it hadn’t necessarily been disseminated and discussed. Looking at the 16 questions I could see how they were applicable not just to universities but also to colleges and even schools. This did make me wonder about the need to share ideas and how, at the moment, there are various organisations sharing advice on cyber security, however no-one is really collating this and providing it across sectors. For example the DFE shared guidelines for schools while JISC developed and shared guidance for universities, yet both publications contained some common themes. Wouldn’t it be good if this was shared centrally, with all educational institutions regardless of stage/sector?

Another discussion that I found interesting related to how we know or can assess how we are doing in relation to cyber in our own organisations.   Each school/college should be doing some form of risk assessment but it would be useful to be able to take this and assess your security against other similar institutions.   In HE this could be done using the 16 questions, but would rely on universities self assessing and then sharing their findings with a body such as JISC who could then calculate the “average” preparedness for universities.  This average could then be used as a benchmark with which to compare.   For schools, rather than the JISC 16 questions, the DFE guidelines could be used in a similar fashion.

If there was one big takeaway from day 1 of the JISC event it was that universities, colleges and schools are all subject to similar risks in relation to cyber crime and cyber resilience, albeit with different resources available to address the challenges. As such there is a need to collaborate more across sectors, sharing experiences and knowledge where possible. Currently the sharing is very siloed, so schools and MATs share, independent schools share and universities share, but each shares separately. There is a need, in my view, to bring this all together.

Disaster Recovery Planning

Part of cyber resilience is considering what to do when the worst happens. And that worst case scenario is sadly likely to be inevitable at some point. This worst-case scenario will take the form of a significant incident, a disaster from which the school or college needs to recover, and in planning for this a Disaster Recovery (DR) plan should have been created. But what should such a plan look like?

I have given this quite a bit of thought. Is this disaster recovery plan a long and detailed document or something much simpler and more digestible?

On one hand we might want the long document and all the details, as in the event of a disaster we will want as much information as possible to help us with first isolating and managing the incident and then later with recovery. The issue with this is that when the fire has been lit under the IT Services team due to an IT incident, the last thing anyone wants to do is wade through a long and complex document. I have seen a disaster plan which included lots of Gantt charts with estimated timelines for different parts of the recovery, but how can we predict this with any accuracy against the multitude of different potential scenarios? Additionally, the information you will actually need is likely to depend very much on the nature of the incident.

The flip side is the much more manageable document which is easier to digest and look to in a crisis situation, when things are high stress, but its brevity will mean it lacks some of the detail you may want. That said, a shorter document will be easier to rehearse and prepare with when running simulated and desktop incidents, such that staff remember the structure and are largely able to act without needing to refer too often to the supporting DR plan. It is also more likely to be applicable across a wider range of scenarios.

The above however suggests only two options, being the detail or the brevity and ease of use, but my thinking on DR has led me to think we need to have both. We need to have a brief incident plan which should be general and fit almost all possible incidents. It should consider how an incident might be called and then which roles will need to be filled, including contact details for the various people who might fill each of the roles. It should consider the initial steps only, getting the incident team together so they can then respond to the specific nature of the incident in hand. It is the outline process for calling and the initial management of an incident.

Then we need to have the reference information to refer to which will aid in the identification, management and eventual recovery from an incident. Now most of this should already exist in proper documentation of systems, setup and processes, however this is often missed out. When things are busy it’s often about setting things up, deploying technology or fixing issues, and documenting activities, configurations, etc, is often put off for another day, a day which often never happens. I think the creation of this documentation may actually be key.

Conclusion

The specifics of a DR plan will vary with your context so I don’t think there is a single solution. For me there are three key factors.

  1. Having a basic plan which is well understood in relation to calling an “incident” and the initial phases of management of such an incident.   This needs to be clear and accessible so as to be useful in a potentially high stress situation.
  2. Having documentation for your systems and setup to aid recovery.  This is often forgotten during setup or when changes are made, however in responding to an incident detailed documentation can be key.
  3. Testing your processes to build familiarisation and to ensure processes work as intended, plus to adjust as needed.

DR planning is critical as we need to increasingly consider an incident as inevitable, so the better prepared we are the greater potential we have for minimising the impact of the incident on our school or college.

EdExec Live

Yesterday I presented at the EdExec Live event in London where I discussed cyber security with a session purposely mis-titled as “Preventing cyber attacks: is your cyber security up to scratch”. The reason the session’s title didn’t really reflect the content of the session is my belief that cyber attacks are now inevitable and that the thinking behind trying to be “secure” or “up to scratch” involves a mental model which doesn’t fit our current reality, and especially the reality in busy schools with limited IT resources and even fewer resources to focus on cyber security or cyber resiliency. As such the session was aimed at trying to highlight this belief.

Now at this point you might be thinking I am showing some nihilist tendencies in the face of the growing cyber security threats and risks; however, I am certainly not advocating that we consider incidents inevitable and therefore simply down tools and don’t bother with any cyber mitigation, prevention or preparation activities.

What I am however advocating is that we accept that we can never do enough, never be up to scratch, so all we can do is to do what we can.    The approach to cyber in schools needs to be to seek to take little steps rather than seeking to reach an imagined point of being cyber secure, a point that is both likely to be unreachable and also a point which is likely to constantly shift in response to new technologies, new vulnerabilities, new threat actors and new methods of attack.

I concluded the session with 6 recommendations which are outlined below:

There is no “enough”, so do what you can

As mentioned above there is no “enough” so this kind of thinking is no longer appropriate.

Carry out regular risk assessments

We need to treat cyber like health and safety and try to identify the risks and then decide on mitigation measures where possible. If we explore and think about the risks which impact on us we are likely to be able to better prepare and respond.

Carry out a desktop exercise or “war game”

Our plans and processes often include assumptions.   We need to challenge these assumptions with staff from across the school involved in desktop exercises playing out an example cyber scenario.   By playing such incidents through we are likely to be better prepared when incidents happen for real.

Deliver ongoing user awareness

Users continue to be one of the most common factors in cyber incidents, so the more training we can provide the better, but such training needs to be dynamic and ongoing rather than an annual refresher presentation at the start of the year. Cyber needs to come up in meetings, in briefings; it needs to be part of the school’s culture and a constant point for discussion.

Address the cyber security basics

Cyber criminals will take the easy opportunities where they can and therefore it is important to cover the basics such as patching servers, keeping backups, etc. This is about increasing the friction an attacker might feel, in the hope that they will move on to an easier organisation to attack.

Reach out

Schools and colleges are all in this together, suffering similar challenges and issues in relation to cyber, so collectively we are so much stronger.   As such, share with other schools, use groups like the ANME, and let’s make a collective effort to protect our schools from attacks and prepare for the inevitable incident.

Conclusion

At the end of the session, I concluded with a little question in relation to terminology. Cyber security as a term is now out of fashion due to suggesting that being “secure” is possible, when most now acknowledge this is no longer possible. Cyber resiliency is now the term of choice; however I feel, although better, it still suggests a “resilient” final state is possible, where I believe it is not. My suggestion, which doesn’t have the same ring to it as the above, was continuous cyber improvement; however, my request was for someone to come up with a better alternative that wasn’t quite so much of a mouthful.

Is your cyber up to scratch?    If you think it is, I suspect you are up for a fall at some point in the future or at least that’s what probability would suggest.   Are your efforts continuous, regularly reviewed and involve repeated incremental improvements?    If so, I think you are most likely going about things the right way, so well done, keep at it, and try not to worry too much!

You can view the slide deck from my session here.

And for those who have followed my usual travel woes, this time I managed to get to London and back with only a 20min train delay, so unusually uneventful by my standards.

Going phishing?

Phishing emails continue to be one of the most common attack vectors used by cyber criminals, in attacking individuals and organisations, and in attacking schools, colleges and other educational organisations. In schools, where things are increasingly busy, it is important that staff and students have had appropriate training and other resources provided in order to build their awareness and hopefully make them better at identifying such phishing emails. The challenge though is how do we know if our phishing awareness programme is actually working?

I was originally very reluctant to make use of phishing awareness tests, where a fake phishing email is sent out to assess how many staff would fall for a phishing email plus how many staff might report receipt of a phishing email. I felt at the time that it was a little unethical in trying to entrap people who work for my school. I was also worried people would feel it unfair and adding to workload at a time when everyone is already busy. It wasn’t until an IT conference event where I got discussing the issue with someone working within the police force that my view changed. The catalyst for this change was this point: would I rather identify how susceptible the school is to phishing emails, and how good individuals are in relation to reporting malicious emails, through a real phishing email and the likely compromise of user accounts, or would I prefer to gain this information through a safe test where I would be able to respond and do something about the findings? It didn’t take me long to realise I was better off testing awareness on my own terms rather than waiting for a cyber criminal.

Since this change of views I have set about regular phishing awareness tests on small groups of users, refining the approach and the follow up messaging and training materials as a result of the findings. Tests might be targeted on certain areas or departments based on recent events or based on trends we are seeing in the types of phishing emails being seen or reported. Follow up training might focus on the users who were tested or might take the data from a test and share it with all staff to highlight specific concerns or areas for improvement. In some cases individuals have felt unfairly treated or “entrapped”; however, they have generally been more understanding when my changed reasoning has been explained to them. The main aim is for the testing and the related awareness development programme to be dynamic in nature, constantly changing in response to the external context and the internal awareness levels and habits as identified from the test data.

Phishing awareness testing doesn’t in itself improve cyber security or users’ phishing awareness; however, it can provide a snapshot of where we are at a particular moment in time and in relation to a specific style or type of phishing email. This, when used in combination with dynamic training materials, can be powerful in building up user awareness of phishing emails, of how to identify them and of what to do when things go wrong and you fall for a phish. Where phishing tests are conducted regularly, with the appropriate follow up training, communication and awareness development, it can also help develop a culture of cyber security, and this, ultimately, is what we really need to achieve.

Data protection and modelling

While at the School and Academies Show one of the discussions I had focussed on general EdTech and the need for teachers to model appropriate digital, including cyber security, behaviours for students. As the discussion progressed it then moved over to the topic of data protection, and I think this hit a chord with me.

Seeking solutions

The pandemic has required us to be agile in quickly finding solutions for issues, ways to engage learners and bring about the best learning experiences where students are either all online, away from the classroom, or where we have a hybrid situation, with some in the class and some not. The issue is that the resulting search for solutions has led to tools which may have pedagogical benefit being adopted without the due diligence as to data protection.

All staff need to appreciate that where signing up to an online service they are giving away some data.   It might seem as simple as an email address and password, but the reality is most services will also look at IP addresses, which gives away some rough geographical information, plus information on the device being used such as the browser, device type and operating system.   Then dependent on the nature of the service itself, they will then gather further data as provided by us, but also in relation to when we access a service and how often, and also which others in similar geographical areas, based on IP address, tend to access the service at the same time.

And this is all before, as a teacher, I then get students to sign up for the same service as it is useful in the teaching of my given subject or a specific topic.   So now, students are also giving away data but at my request.

Data Protection and GDPR

I think part of the issue here is that not all staff are IT experts or data protection experts. Yet we all sign up to services which in effect gather the data we provide, and some data we don’t quite realise they are gathering. For me the issue here is that, although we may not be experts, we need to exercise some care in relation to data protection. Now this might be simply looking at the privacy policy for anything which seems out of place. It might be seeking support from the IT team in a school, or seeking the support of educators the world over via twitter or other forums. The key thing is we can’t simply sign up without giving some consideration to the risks and implications of doing so.

Now those in the data protection world may see the above as not going far enough, they may state GDPR UK or other legislation however the reality, in my view, is most things boil down to risk based decision making.    The role of a school is not to be as secure in its data protection as a bank or other highly regulated industry, but to facilitate learning.   So there are some trade offs, where learning takes the priority and some risks are accepted, and hopefully, mitigated as much as is possible.

Conclusion

I think all schools need to spend some time discussing the implications of signing up for online services, and of data sharing, with all staff. We can’t hope to make them experts, but we can hope to educate them enough to give some reasonable consideration to the implications of their actions in signing up for a service, or where getting students to sign up for an online service. It’s about doing all we can to reasonably facilitate good data protection based decision making and behaviours, in staff and, through modelling, in students.

Thoughts on password strength

Passwords continue to be a key feature of identity management.    As such we need to continue to educate and build awareness around passwords and password management.

As such I have noted a graphic like the below (taken from Hive Systems via TechRepublic) regularly shared in relation to the time taken to crack a password based on different scenarios of password format and length.   The issue for me is that the graphic paints a picture which, although useful in some ways, overly simplifies the situation.

[Graphic: time to crack a password by length and character set, from Hive Systems via TechRepublic]

Statistics, statistics and more statistics

The graphic is based on the time taken to progress through all possible combinations for a given password format.     So, for example, to crack a password of 8 characters based on numbers-only I need to first know that the password is made of numbers-only and therefore that I am only testing these combinations.    So, I would test 1 then 2, 3, 4 and just keep going up through the options.   Now it might be fair to always test numbers-only first, expecting use of numbers-only to be common enough and therefore low hanging fruit from a cyber criminal's point of view.   It might then equally be fair to suggest that lowercase, mixed case and numbers, and mixed case with special characters might each be tested in order based on likelihood and the number of combinations presented.    At this point the exercise is feeling like an exercise in obsessive compulsive disorder, in going through every possible combination in sequence, rather than an exercise in trying to quickly and efficiently crack a given password.

And to make matters worse if my password happens to be “Password” or “Password22” then I suspect it would be cracked far faster than the reported 2 mins or 3 weeks respectively.   

Human behaviours and social engineering

The issue here is, if we are truly trying to be efficient in cracking a password we would approach from a heuristic point of view and look at common human behaviours.    We would look at the need for people to remember passwords easily and therefore identify the likely tendency to pick common passwords, passwords relating to recent events or seasonal celebrations, etc.    Rather than seeking to work through every combination we would seek to work through the most common combinations and variations of these common combinations, happy in the fact that as a human set the password they may have fallen into one of these common human behaviours.    And it is at this point that the graphic no longer works for me.

We would also look towards other data as passwords are not set in isolation.   We each set our passwords against the backdrop of our everyday lives, our work, our challenges and our successes, so access to any data on these things can yield information which can be helpful in cracking a password.   And oh, does social media and a quick google search help to provide this data.  So again, the graphic starts to fail us.

What makes a strong password?

Password length definitely does help in making passwords stronger, so in this respect the graphic is useful, but it isn't the single measure which I think the graphic implies it to be.    As to the mix of uppercase and special characters, etc., I think in this day and age this has a limited, though not zero, impact on strength.

The factor that the graphic badly misses is the issue of how common the password is likely to be.   If it is common, so relating to a current event or a seasonal event, to the company you work for, or to something else that might be predictable based on the world we live in or you as an individual, based on what can be publicly ascertained about you, then the graphic falls flat on its face.   

So, what can we do about it?

I think sharing this graphic is useful in terms of pushing the need for longer passwords, but I think we should take care when sharing this graphic on its own.    I think it is useful to share HaveIBeenPwned's password testing functionality alongside the graphic, such that individuals can use the graphic to assess the length but then use HaveIBeenPwned to assess how common a password is, in terms of the number of times it has appeared in recorded and reported data breaches.

As is often the case, as we seek to find and communicate a message, making it as simple as possible we start to lose some of the detail, and in this case I think the importance of how common or predictable a password is, is a key detail which mustn’t be lost.
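The three checks discussed above (the exhaustive-search estimate behind the graphic, the "common human behaviour" check it omits, and a HaveIBeenPwned-style lookup) can be combined into one password assessment. The block below is an added example and is not code from this post, from Hive Systems or from HaveIBeenPwned. The guess rate, the short list of common base words and the breach counts are all constructed for illustration; the offline lookup only mimics the shape of the real `https://api.pwnedpasswords.com/range/<prefix>` response and never contacts the service. The 12-character minimum in `assess` is an assumed policy value, not something the post states.

```python
import hashlib
import string

# Assumed guess rate for the brute-force estimate. This is a constructed
# figure for illustration; the Hive Systems graphic rests on its own hardware
# assumptions, which are not reproduced here.
GUESS_RATE_PER_SECOND = 10_000_000_000

# Character sets in the order the post describes them being tried: the
# smallest set that can contain the password is the one an exhaustive
# search would be sized against.
CHARACTER_CLASSES = [
    ("numbers only", string.digits),
    ("lowercase letters", string.ascii_lowercase),
    ("upper and lowercase letters", string.ascii_letters),
    ("letters and numbers", string.ascii_letters + string.digits),
    ("letters, numbers and symbols",
     string.ascii_letters + string.digits + string.punctuation),
]

# Constructed list of "common human behaviour" base words, standing in for
# the much larger wordlists a real strength checker would use.
COMMON_BASE_WORDS = {
    "password", "qwerty", "letmein", "welcome", "admin",
    "christmas", "summer", "football",
}

# Common letter-for-symbol swaps, undone before comparing with the wordlist.
LEET_TO_PLAIN = str.maketrans("@$013", "asoie")

# Constructed stand-in for HaveIBeenPwned's breach counts; these numbers are
# made up for this example and are not real breach statistics.
CONSTRUCTED_BREACH_COUNTS = {
    "password": 3_000_000,
    "Password22": 1_200,
    "qwerty": 2_500_000,
}


def keyspace(password):
    """Return (class name, alphabet size, combinations) for the smallest
    character class that contains every character of the password."""
    for name, alphabet in CHARACTER_CLASSES:
        if all(c in alphabet for c in password):
            return name, len(alphabet), len(alphabet) ** len(password)
    raise ValueError("password contains characters outside the modelled classes")


def brute_force_seconds(password, rate=GUESS_RATE_PER_SECOND):
    """Worst-case time to exhaust the keyspace: this is what the graphic measures."""
    _, _, combinations = keyspace(password)
    return combinations / rate


def predictable_base(password):
    """Return the common base word the password is built on, or None.

    Undoes the ways a person typically decorates a memorable word: case,
    digits or symbols added at either end, and letter-for-symbol swaps."""
    core = password.lower().strip(string.digits + string.punctuation)
    core = core.translate(LEET_TO_PLAIN)
    return core if core in COMMON_BASE_WORDS else None


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def offline_range_lookup(prefix):
    """Offline mimic of GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint returns every known SHA-1 suffix sharing the 5-character
    prefix, one "SUFFIX:COUNT" per line. This version answers from the
    constructed table above and never touches the network."""
    lines = []
    for candidate, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(candidate)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password, range_lookup=offline_range_lookup):
    """k-anonymity lookup: only the first five hex characters of the hash are
    sent; the full hash, and the password itself, stay on the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def assess(password, range_lookup=offline_range_lookup, min_length=12):
    """Combine the graphic's length view with the commonness checks it omits.
    The min_length floor is an assumed policy value, not from the post."""
    name, _, combinations = keyspace(password)
    base = predictable_base(password)
    count = breach_count(password, range_lookup)
    if base or count:
        verdict = "weak: predictable or already in breach data, whatever its length"
    elif len(password) < min_length:
        verdict = "weak: too short"
    else:
        verdict = "acceptable"
    return {
        "character_class": name,
        "combinations": combinations,
        "brute_force_seconds": combinations / GUESS_RATE_PER_SECOND,
        "predictable_base": base,
        "breach_count": count,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ("12345678", "Password", "Password22", "P@ssw0rd!", "Tr7%kq!zLm2@pv"):
        print(pw, assess(pw))
```

Running the script shows the gap the post describes: "Password22" sizes to a 62-character, 10-position keyspace and so gets a long brute-force estimate, yet `predictable_base` recognises it as a decorated dictionary word and the breach lookup finds it immediately. To use the real HaveIBeenPwned service, pass a `range_lookup` that fetches the URL above for the five-character prefix; the k-anonymity design means the password never leaves the client.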

References:

Lance, W. (2022) 'How an 8-character password could be cracked in less than an hour', TechRepublic, 7 March 2022. Available at: How an 8-character password could be cracked in less than an hour | TechRepublic (Accessed: 12/04/2022).

Cyber and Learning

In schools we need to keep student data secure, however equally we need the flexibility to use different learning platforms and tools in the search for effective learning experiences.   There is a clear tension between these two requirements, where it would be fair to consider them the opposite ends of a continuum.    At one end you could have a very secure system, similar to that in highly regulated industries such as banking, but in doing so you would lose some of the flexibility needed by teachers.   Alternatively you could have a very open and flexible setup, but in doing so would likely open your school to increased cyber risk.   So how do we navigate the continuum?

The security paradigm

In my view, part of the challenge here is the security paradigm of keeping systems and data secure.    The reality is that we can only measure this after the event, so for every day we don’t suffer an incident, we have achieved this requirement, and we need to achieve this requirement indefinitely.   A single incident would therefore represent total failure.    In the complex world of IT with ever changing threats, this model doesn’t work.

I think we need to accept that if we look far enough ahead there is a certainty of an incident.    As such, we need to make sure this is understood at the senior levels of the school, and then seek to do everything reasonably possible to make sure that incident stays in the future, or failing that, limit the damage caused by an incident.   In considering probability of an incident it’s almost like the doomsday clock, ever moving slightly closer or further away from global catastrophe.

Risk Appetite

One of the first things which I think schools need to identify is their risk appetite.   The more risk you are willing to tolerate, the closer the doomsday clock's hands are to midnight, but the more flexibility you have available.    The less risk you are willing to tolerate, the further away from midnight the doomsday clock's hands are, but the less flexibility you will have.    All schools will have a risk appetite somewhere between the two opposite points, but the question is where on this continuum, and how much closer it is to cyber security or to flexibility and learning.

Risk Assessment

The next thing to consider is risk assessment.  How can you seek to manage and mitigate risks if you don’t know what they are?   The more flexibility you need the more risks you will likely need to document.    One of the benefits of risk assessment is to spend time considering what the risks might be, their likelihood and their potential impact.    This then gives an opportunity to prioritise resources to those risks deemed important to the school.   I think it is also worth noting that any risk assessment should be a working and living document, as the nature of schools is one of constant change.

Documenting decisions

It is important that senior staff are aware of the decision-making processes, decisions and risks and therefore it is critical that the risk appetite and risk details are shared with those staff to ensure they are appropriately informed.   This can help with identifying where there is need for additional resourcing but also to identify where risks remain due to mitigation measures being cost or otherwise resource restrictive.   If your focus is on learning, you need to ensure you clearly document the resultant risks which the added flexibility will have opened up.  

It is also important to remember we will only be able to identify failure in the future, after an incident.   When this happens, we will want to look back to see if the incident was the result of a decision, and if so why we took this decision.   Or was the incident simply something which we didn't consider in our examination of the likely risks?  This requires the decisions around risks to be clearly documented.

Near Misses

I am also going to mention near misses, something I frequently forget to mention.   There is a lot to be gained in terms of knowledge and experience from those "almost" incidents where we come close to a cyber incident.   We therefore need to find ways to capture such near misses, to encourage users to report them, etc., as otherwise we will have lost valuable intelligence, leaving us only with actual incidents to learn from.

Conclusion

There isn't one answer or solution for all schools in relation to navigating between cyber security and learning/flexibility; each school will need to consider and make its own decision in this respect.     It needs to be based on context, needs, resources and a variety of other factors, and it should be a conscious decision rather than something that simply happens.

On the cyber security side of things, I believe the focus has been for too long on prevention.   Schools don't have significant cyber security resources but are an enticing target for cyber criminals, so prevention on its own isn't enough.    We need to accept that an incident will happen and therefore shift to a focus on minimisation or delay: mitigating risks to push the incident further into the future, or mitigating risks to reduce the damage when the incident finally does occur.   For this reason I increasingly like the term "cyber resilience" in preference to "cyber security", as it hints at the need to be ready to respond to and recover from the inevitable cyber incident.

Maybe we should all start including a cyber doomsday clock in regular communication with senior staff;  Is this the way forward?    
