cusd428 cyber security - boarddocs, a diligent brand · 2020. 2. 1. · cusd428 netsec team ben...

CUSD428 Cyber Security

Page 1: CUSD428 Cyber Security - BoardDocs, a Diligent Brand · 2020. 2. 1. · CUSD428 NetSec Team Ben Bayle CTO Marco Robles System Analyst Ben Yochem System Analyst We have combined 40+

CUSD428 Cyber Security

CUSD428 NetSec Team

Ben Bayle, CTO

Marco Robles, System Analyst

Ben Yochem, System Analyst

We have combined 40+ years of experience in the field with certifications in Security, Network, Server, Storage, and Infrastructure design. The team was formed 2 years ago to create policy / procedure and actionable mitigation of threats. The team has designed the Incident Response Plan and streamlined our security needs with both paid and open source products to fit our environment.

What is Cyber Security

This discussion is really centered around risk. How much risk are we willing to accept as a District? At this time our NetSec team feels that we are mitigating 65-70% of current threats that have been published. Time, PD, and Funding are necessary to mitigate more risk for our District.

Three quick analogies to frame Risk that can apply to Cyber Security

1. The Dentist
2. The New Car
3. Secure Building Entrance

What is our threat landscape

In total we protect over ~11,000 devices daily once you include VoIP Phones, Security Cameras, Network, Storage, HVAC, Intercoms, APs, Door Entry, Clocks / Bells, Servers, Air Quality, Battery Backups, Copiers / Printers / Fax, Time Clocks, Digital Signage (Indoor and Outdoor), and Walkie Talkies.

~6,000 Chromebooks

~2,500 Windows OS Endpoints

~120 Servers from Windows OS to Linux

~250 Mac OS X Endpoints

~330 Mobile Devices, from AR/VR to iPad Tablets for IEPs / Nurse Monitoring (Diabetic Students)

~1500 Guest Devices Daily - Cell Phones, Wearables, etc.

All of these devices are actively monitored, logged, and managed.

Is there a threat?

The Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing & Analysis Center (MS-ISAC/CIS) have been warning, informing, and working with State and Local governments for years.

What the data is showing is that there is an increase in threats against local agencies including school districts. In a July 30th press release on ransomware, DHS stated “The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries. Prevention is the most effective defense….”

Why is this happening? Why K-12

Most districts are ill-equipped to prevent the attack. This can happen for many reasons but the most common are not enough staff, not enough professional development for all district staff, misconfigurations due to lack of PD and time, lack of policy and procedure or enforcement, and substandard funding.

The district becomes a target of Internet activism due to a publicly trending negative publicized report. Collateral damage from geopolitical attacks (Iran). Internal users both intentionally and unintentionally misusing their credentials or access to core services. Students even have a part by triggering an attack to get out of testing, change grades, or get even.

The criminals are making money. The aggregate dollar value of ransoms that criminals have successfully collected from victims surged from $325M in 2015 to $5B in 2017, and was projected to reach $11.5B by the end of 2019.

Staffing / Funding / PD

Without appropriate staffing it is nearly impossible to be proactive against cyber threats. Most don’t have time to look at the logging, build policy, test, and implement solutions while maintaining functionality of critical day-to-day operations. The lack of professional development for all staff, not just IT, can hamper a district’s operations and will cause lapses in security measures. There has been a steady rise in sophisticated phishing attempts leading to identity theft, privilege escalation, social engineering, financial losses, and a loss of trust from the communities served. Substandard funding can also impede the efforts to protect your district.

What Laws We Need To Comply With

○ SOPPA (HB3606) - Student Online Personal Protection Act - 7/2021 (State Law for Student Data Privacy FERPA with enhancements)

○ COPPA - Children's Online Privacy Protection Act (COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.)

○ FERPA - Family Educational Rights and Privacy Act (Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.)

○ PPRA - Protection of Pupil Rights Amendment (Federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature.)

○ CIPA - Children's Internet Protection Act (Addresses concerns about children's access to obscene or harmful content over the Internet.)

○ HIPAA - Health Insurance Portability and Accountability Act (Privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.)

What are we currently doing to mitigate risk?

● District Incident Response Plan based on NIST (National Institute of Standards and Technology) framework
● Members of
  ○ MS-ISAC / Center for Internet Security
    ■ Department of Homeland Security
    ■ Annual NCSR (Nationwide Cyber Security Report)
      ● We saw an 11% increase over our score last year with the creation of the Incident Response Plan.
  ○ Illinois State Board of Elections | Statewide Terrorism & Intelligence Center
    ■ Illinois State Police and DHS
  ○ InfraGard
    ■ FBI
  ○ CoSN (Consortium for School Networking)
    ■ IETL - Illinois Educational Technology Leaders
  ○ Fortinet Fortiguard Team
  ○ Learning Technology Center Cyber Security Team
● ISBE
  ○ We have established secure backup and recovery routines for our core servers
  ○ We have introduced an Air Gapped Solution to protect these backups from infection

What do we need to enhance our security

● Full time FTE for Cyber Security and Privacy - A current Systems Analyst will move into this role. Their current Responsibilities with the addition of the Cyber Security needs and compliance with Federal and State Laws will be the core of the position. Another current Systems Analyst would move to the open role and would take their Systems Analyst Responsibilities with them. This will lead to an entry level IT Support Specialist opening to support the buildings.

● We have worked the best we can with the budget and grants. Federal funds through E-Rate (USAC/FCC).
  ○ I have worked with State Representatives / ISBE/LTC / MS-ISAC/DHS / CoSN/IETL / InfraGard/FBI to push the FCC to fund Cyber Security. They have funded huge amounts of bandwidth but no way to protect it.

● After 3+ years with our current budget and using credible open source products we have to spend money to offset risk.

● We have established four budgetary line item accounts to track the spend on Cybersecurity to establish due diligence with insurance.
  ○ Cyber Security Supplies
  ○ Cyber Security Purchased Services
  ○ Cyber Security Equipment
  ○ Cyber Security Dues & Fees

What we need to do to enhance our security

Item                          Cost     Funding
CASB                          ~$11K    Coming from current budget
Content Filtering             ~$12K    Coming from current budget
Advanced CASB                 ~$12K    Coming from current budget
Anti Virus                    ~$4k     Coming from current budget
Firewall Licensing            ~$25K    Coming from current budget
Malware                       $10K     We need this funding now
Pentesting through 3rd Party  $10K     We need this funding now
GDrive Backup                 $15K     We need this funding now
Phishing PD                   $2K      We need this July 2020
Vulnerability Scanner         $3K      We need this July 2020

Budget Request

Currently in budget - $64K designated for specific cyber security costs

Asking for additional $40K

$35K additional for remainder of FY19-20

$40K placed in tech budget for FY20-21 and future years

Total cyber security budgeted costs = $104K

Future Funding Considerations

● Move Student and Finance systems off Premise ~$25K
● SIEM - Security Information and Event Management
  ○ We are working through Open Source solutions this summer
● NAC - Network Access Control
  ○ Looking at Open Source solutions as well as paid
● Machine Learning / AI based Anomaly Detection - conditional decision making on cyber security incidents with a calculated response.
  ○ Albert ~$20K - MS/ISAC Designed
  ○ DarkTrace ~$30K minimum 4yr agreement - District 303 just implemented
  ○ Vectra ~$30K

Closing and Questions

“Security is always too much until the day it is not enough”
- William H. Webster, former director of the FBI