Cybersecurity Training - Presented by United States Department of Education and Kentucky Department of Education October 21, 2021
Agenda
• Welcome and participation information
• It can happen to you! – Robert (Bob) Hackworth, KDE
• Cybersecurity – Steven Hernandez, USED
• Respond to GoSoapBox questions
• KDE data privacy and security contacts, and resource webpages
• Closing

To provide comments or to ask questions, go to https://www.gosoapbox.com/ Enter Access Code: KDEdata
Participation information
• To add comments or ask questions:
  • Go to https://www.gosoapbox.com
  • Click Join Event/Sign In and enter access code: KDEdata
• Have a technical issue opening the KDE Media Portal? Contact your district technician.
• KDE presentation slides were emailed to registered participants and posted on the KSIS Training webpage; USED slides will be available after the training.
• If you haven’t registered, go to https://www.surveymonkey.com/r/KY_Cybersecurity_2021 or the KDE website and search for KSIS Training.
Training Credit – EILA and MyPurpose
• For school/district staff – Want EILA credit? Register and complete the post-training survey. If you don’t see the survey, check your Junk mail, filtered mail, etc. EILA certificates will be distributed by email by Oct. 29.
• For KDE staff – Want this training on your MyPurpose training transcript? Register for the training and complete the post-training survey by Oct. 28.
• The post-training survey will be sent to everyone who registers for the training.
• Can’t find your email with the registration link? Go to https://www.surveymonkey.com/r/KY_Cybersecurity_2021 or go to the KDE website and search for KSIS Training.
It can happen to you!
Robert Hackworth
Chief Information Security Officer
Office of Education Technology
Kentucky Department of Education
Are We Under a Cyber-attack?
• School districts across the nation, including Kentucky, are facing a tsunami of cybersecurity attacks that have ONLY INCREASED since the pandemic
• Kentucky received over 4 BILLION attempted attacks annually PRE-PANDEMIC
• We’re advised that cyber-attacks against K12 will INCREASE this coming school year by 86%
• We aren’t worse or more targeted than other states; we just have the data about the attacks
• Vast majority of these attacks are foiled by our technical defenses or alert staff, but even 1 successful attack can result in a down district, data breach or lost funding
• Attacking you is their “day job,” so crooks have PLENTY of time/motivation to research YOU and your district!
• Crooks did NOT slack off during the pandemic
• Cyber-criminals have researched your district and staff (via district website and social media like Facebook) and they know who is in what key position, who pays the bills, who you do business with, existing contracts, etc.
• K12 is very service-oriented, and that makes us easy to trick
• All district staff with permission or authority to see/send dollars or data need to be especially careful and trained in order not to be fooled.
• All district staff need to be made aware of scams and threats
It CAN Happen to YOU (and anyone)
• In Kentucky
  • 56 reported P-20 data breaches since 2005
  • 30,164 records (THINK: Personal Information) exposed
  • 12,234 records were K-12
  • 4 data breaches so far in 2021
• Most of Kentucky’s data breaches and security incidents are caused or permitted by carelessness
  • Sharing a file containing PI with folks not authorized to view the data
  • Posting files with PI on public websites
  • Being tricked by a phishing email into sharing your password, giving an attacker access to your email and data (with PI)
Cybersecurity a national perspective
Steven G. Hernandez
MBA, CISSP, CISA, CNSS, CSSLP, CDPSE, SSCP, CAP, ITIL
Chief Information Security Officer
Director, Information Assurance Services
US Department of Education
What is Personal Information?

KRS 61.931 – 934 (2014 HB5)
1st name or initial AND last name; personal mark; or unique biometric or genetic print or image, PLUS (1) or more of the following data elements:
• An account number, credit or debit card number with access code, PIN or password;
• A Social Security number;
• A taxpayer ID incorporating an SSN;
• A driver's license number, or any state-issued ID;
• A passport number or a federally-issued ID;
• Individually identifiable health information as defined in 45 C.F.R. sec. 160.103 except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. sec. 1232g;
NOTE: If these data are exposed, missing or stolen, it is almost definitely a data breach

KRS 365.734 Section 2 (2014 HB232)
Any information or material in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.
Student data includes:
• Student name
• Email address
• Postal address
• Phone number
• Any documents, photos, or unique identifiers relating to the student
NOTE: Data not to be shared without appropriate use agreement

FERPA (Family Education Rights Privacy Act)
• Student name
• Name of the student’s parent or other family members
• Postal address of student or student’s family
• Personal ID, such as SSN, student number or biometric record
• Indirect IDs, i.e. date of birth, place of birth, mother’s maiden name
• Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
NOTE: If these data are exposed, missing or stolen, it MAY be a data breach but most likely would be a FERPA violation

What is a Data Breach?
A data breach is the unauthorized (whether stolen or lost) release of top secret data that can be reasonably believed to put the security, confidentiality, or integrity of the data at risk and cause harm to 1 or more individuals. Once a person’s data are lost or stolen, those data can be sold multiple times to other crooks who then can steal the victim’s identity, open fraudulent bank accounts or credit cards, or obtain healthcare. It can leave victims, which includes children, many thousands of dollars in debt, depending on how long the breach goes undetected.
KDE data privacy and security

Contacts
• Robert Hackworth, chief information security officer
• DeDe Conner, chief data officer
• KDE Data Services Mailbox

Resource sites
• KDE Data Privacy and Security
• Data Privacy:
  for parents
  for schools and districts
• Data Breach Best Practice Guidelines
• Security Guidelines for Ky. K-12 School Districts
Thank you for your interest and participation!