Full Transcript

George Kamide:
All right. Frosty Walker. Welcome to the Zero Hour. So excited to have you here.
 
Frosty Walker:
Thank you very much for inviting me today.
 
George Kamide:
All right. So today we are talking K-12 security. I think everyone who's listening has probably read some article or another on the disruptive attacks that have happened seems week by week. I'll turn it over to Ashley to kick us off. I think this is going to be a great conversation.
 
Ashley Stone:
Yeah, George is right. The headlines about ransomware attacks on school systems are coming nearly every week. Before we dive into the problems that school systems are facing, let's start on a positive note with your background and working with your current customers, what has been working well with the adaption to online learning?
 
Frosty Walker:
That's a difficult question to answer, but, considering the environment that the schools were put into back in the spring, when they left for primarily for spring break came back three weeks later and everybody was online. We've seen success stories. It's been challenging for the schools, trying to acquire enough devices for all their students, but in most cases, what I've seen is they have adequate, they're still acquiring more, but they have most of what they need. It also depends when we're talking about online learning the skillset of the instructor who was used to face, and now we have to figure out different ways to get a student to focus on that.
 
So I think what we've seen is in some cases, particularly in the higher grades, we probably see more success for that. Typically in the lower grades where our students have attention span problems we're not seeing as much success with online. But I think with the circumstances that the schools were put in, and now we've been getting to refine that process, we're seeing improvements.
 
George Kamide:
Yeah, I will say I'm friends with a number of teachers in the K through fifth grades. And I will just go on the record as saying they are heroes. You're taking people whose technological skills that involve staplers and photocopying. And then, it sounded so easy; like we'll just go online. But we take it for granted, those of us who work in either the technology space or an office, like how natural some of the software is for us. And so you're asking older teachers to suddenly master Zoom in a matter of days much less engage kindergartners, on a computer. So yeah, that is a victory worth celebrating for sure.
 
Okay, so now let's turn to the problems. So we've been following the news here at SafeGuard Cyber. We also know what our customers are saying in terms of their needs and what they're looking, to protect against, but also curious to get your perspective. You're in Texas, one of the largest school systems in the country. What are you hearing from the front lines in terms of what is top of mind? What's the concern? What's the worry?
 
Frosty Walker:
The first concern we have is primarily making sure that the students have devices for all learning. And we have a constant turnover of those devices - we have students that leave, go to another school and we have limited staff. So we have to wipe, sanitize those devices and then redeploy them again. So with very limited resources we're taking away from, typical jobs that somebody is already wearing multiple hats and trying to keep that organized and keep track of those assets.
 
We have damaged assets that get returned to the schools etc. So I think that what we see right now on the online learning is that is the, one of the biggest challenges that the school districts are seeing right now. Another challenge that we have is ransomware as Ashley mentioned earlier. We've had over a thousand instances since the beginning of 2020, ransomware in education, in the UN and the United States. So that's a huge amount. And we say, why is it, why are we having that impact?
 
I saw a recent study that said, 73% of the time cyber criminals are successful in encrypting data. Now, if I was a football, if a high school football coach and my offense could score 73% of the time that they touch the ball. I would not be worried about what my offense is going to look like next year, except that the next level at the college level, because I would do it for a college level. That is why ransomware is so prevalent right now is that it's 73% of the time they're successful in encrypting at least some of the data.
 
George Kamide:
And also it's a captive audience, right? It's not a school system is like Norsk Hydro where they can take things offline and go to manual systems and incur a business loss, but take their time. A ransomware attack keeps students out of school for however much time and the school systems are liable for that so they're very much caught in a bind
 
Frosty Walker:
They are. I see some schools that quickly agree to pay a ransom, whether they have insurance or not. Because the amount of time it will take them to recover their data. In many times that's just nature of the business right now.
 
George Kamide:
We were talking before we started recording about Clark County in Nevada, where they had refused to pay the ransom and, they just dumped the student's data anyway. It was like, they released that data exfiltrated ahead of the attack. So then you're caught in a PII and compliance issue. That's student records, social security numbers, just out there on the dark web, but we'll get to that in a second. It sounded like what you were saying in terms of the front lines and device management, endpoint management, IT teams are strapped just trying to keep the lights on, just keep things running and maintain.
 
When we dig into this problem, which seems so intractable, I think the most obvious core issue that comes up is probably budget, right? School systems don't have SOC teams. I read this quote in a recent article in the Wall Street Journal. April Mardock of Seattle Public Schools said the opponent is fighting with cluster bombs and we are fighting with muskets and slingshots.
 
Given that budgets aren't likely changing anytime soon, what do you think school systems can do with what they have right now in terms of security protocols or giving their IT teams the best shot at defense?
 
Frosty Walker:
I think one of the things that's that schools can do is utilize a framework.
 
There are some States that require schools to use the NIST framework, which is pretty complicated. And for example, in Texas, we took a framework that's now called the Texas Cybersecurity Framework that only has 46 elements from NIST. And we use that for agencies and higher education and have encouraged our schools to use that.
 
But I would recommend any type of framework there is. For example, the Center for Internet Security has a framework or set of controls that is only 20. And basically those are just general ideas are a framework to say where exactly you need to have an inventory of your hardware.
 
You need to have an inventory of your software. You need to have an inventory of where your, sensitive information is located. What applications are those in? You need to have cybersecurity policies that ensure your users understand how and what appropriate usage is. So those are the types of once they've looked through the frameworks then they can identify potential risk.
 
And I'll give you an example. So when you say, okay, we use endpoint protection to have antivirus and prevent malware on our end points. And that includes desktops, laptops, and servers. Okay, that's great. But you also have tablets and you possibly have mobile devices. Are you also doing endpoint protection on those? If you're not, that's a potential risk.
 
So then that helps you identify where your risks are. Once you have your risks identified, then it, then you have to prioritize those risks. You have to look at them and say, okay, we need a lot of improvement in this area and that's a pretty high risk. So I'm gonna try to budget for that this year. Cybersecurity is not like a weekend getaway. It is a journey. It's a constantly moving journey, but in the budget world, you have to be thinking ahead of that. And schools are behind in that situation.
 
There is some budgeting, but there are also a lot of things with the existing resources the schools have using a framework to identify risks and then prioritize and develop a mitigation plan. In many cases, schools just don't understand where their risks really are located.
 
Ashley Stone:
Yeah, that's a great starting place is identifying the risks, prioritizing them and starting to address them. Knowing that you can't address everything at once, especially as we're talking about budget constraints, what can be done about budget constraints, especially with your experience at the state level?
 
I think this can't be an awareness issue. These ransomware attacks were surging last year. They're still trendy this year. Is it a municipal or a state level budget issue?
 
Frosty Walker:
I think it's three levels, local, state and federal, all of those, need to take a look at it. Yeah. Your board of directors at your school district need to understand that their systems, potentially contain some of the most valuable information that we have today.
 
According to the FBI, student information potentially has the highest market value on the black market. And they said, why is that? The reason for that is if you or I had our identity stolen, we would recognize that in a couple of months, at the most. But a student, let's say a second grader, potentially is not going to ever know that their ID has been stolen and being used, until they, till they turned 16 or 18 and get a job or until they go to college.
 
It's a much longer time to utilize that data, so that makes that data much more valuable than mine or yours.
 
Ashley Stone:
That's a scary thought.
 
George Kamide:
Yeah. You mentioned federal level but I want to go we go back to state. Either one, does this require greater awareness in the budgeting process?
 
I think school budgets get allocated out of other services, parks and rec. emergency services, stuff like that. But if you're part of a municipality like New Orleans, Baltimore that has gotten hit at the government level also, does there need to be either a cybersecurity line item in each of those budgets or kind of an umbrella, cybersecurity budget. That's going to protect all of the public infrastructure, or go to protecting all of the public infrastructure.
 
Frosty Walker:
And I think both, again, both of those are applicable. We're seeing more and more communities that are trying to form that umbrella across all of their resources, which I think that's a good idea.
 
In many areas they're still independent. They have to look at budgeting, for cyber security and each of those levels. I think another thing that schools can also do is security awareness training. I know two years ago, in the last session legislation passed a requirement for all schools and local governments as well to provide security awareness training to all of their employees.
 
And that training had to be certified by a state agency as to whether it was a good course or not. There's about 150 of those now that are certified out there. Your users, when we talk about ransomware, still, the number one avenue that ransomware is introduced into an environment is email.
 
And that's about 45% of all ransomware attacks come through your email. So you need to work with your users to have a better understanding of recognizing well, should I open this link that I got from Frosty Walker? I've never heard of this guy. Where is he, what is he doing?
 
Those are types of things that once again, you can potentially do. A school could even have some of their students come up with some short videos or, that they could play back to their employees to encourage their employees, to be mindful of not clicking on links and being cautious about reading email. I haven't used any of my resource time.
 
George Kamide:
That's right. Let's pay high schoolers to red team their teacher.
 
So now returning to the federal level, we've seen just last Friday, Representatives Matsui from California and Langevin from Rhode Island have introduced a bill to shore up K-12 cybersecurity, and they want to track incidents at the federal level and create a $400 million grant program. Of course, there's probably a time to value issue there because the attacks are happening now and by the time it winds its way through Congress, it would be too late.
 
But, I'm interested in the tracking incidents at the federal level. Do you see, that level of coordination being helpful to understand either the malware families or for, the lures that are being used? Is that a resource that would be helpful?
 
Frosty Walker:
That's a good point. At the federal level, I'm not so sure about that. At a state level we do have legislation here in Texas that requires schools to report a breach of student data. We also encourage them to report any type of breach of data, or any type of attack.
 
And the reason for that is we may hear from two or three different schools within a location that are experiencing similar things. So then we can alert more schools about that. We also in Texas have 20 regional centers, which serve schools within their community. So we use that as a way to disseminate information back quickly to those schools.
 
Another thing that we did in Texas is we require all the schools to identify a cybersecurity coordinator. You say, what qualifications does a cybersecurity quality coordinator need?
 
None except that they are willing to work with the Texas Education Agency and potentially other schools. So if a coordinator, if they see something unusual, they can notify TEA and then TEA can quickly broadcast a message out to all the cybersecurity coordinators in the state to let them know that there's a potential threat out there that will help.
 
And so schools can also then look up and say, Hey, what are you doing for this type of issue? What type of tool are you using for this? When you work collectively together, it makes it much easier because there's probably not too many issues out there that we're going to see today that somebody hasn't already addressed.
 
We just don't know about it. So it makes it much easier when you're able to contact and share information like that. So I think it's important at least at the state level and potentially the States could then roll that up to a federal level. So you could see that across the country.
 
George Kamide:
Yeah, I think that's a good point that they don't necessarily need to be a cyber expert in a school context, but you need to have someone put their hand up and be like, I will own this process of sharing this information at the most basic level.
 
Frosty Walker:
That's correct. We could send that out to the superintendents, but they've got other things on their plate, so just to identify a cybersecurity coordinator, we'll work with.
 
Ashley Stone:
Yeah, that's great. And quickly share that information between all the schools because otherwise you're just sitting in silos again.
 
Frosty Walker:
That's correct. And you shouldn't be an island or a silo. We're all in this together.
 
Ashley Stone:
I love that and thinking about, the teams and we're all in this together, setting aside budgets, is there a deeper issue with roles and responsibilities as it comes to school security? You think about technologies really fall into IT teams, which is tricky and hard for an IT team to manage if they're smaller or only one or two people.
 
So I'm curious, what's been your experience with school systems establishing these clear roles and responsibilities for security issues like adding in that cybersecurity coordinator.
 
Frosty Walker:
You know that, and that is again, a real issue: resources, human resources within the schools. Very few schools have a dedicated cybersecurity person. They use their IT team.
 
I spoke with the district last week that has about 9,000 students and they said, Oh, we have three network administrators. And we do all the endpoint, refresh and we were monitoring the network for issues and cyber issues. And you're going, that's a large amount of students let alone the staff that they're working with and we have three people working on that.
 
So I think that funding would help. But, I'd like to see more schools have a dedicated person. If they can't - some schools are small, they can't afford a dedicated person. There are programs out there available for virtual chief information security officers, where schools share someone. I think sharing a resource like that. Now I think that's an outstanding opportunity for schools to to share with that.
 
George Kamide:
Yes, I was. I think I was, I guess I was definitely joking initially about high schoolers red teaming their teachers. But, now let me revisit that scenario. So I know that for example, the University of Oklahoma has a SOC that is staffed both by full-time and university students, people who are majoring in cybersecurity, they rotate through that SOC. For at least at the high school level where we know that cybersecurity is a burgeoning industry with a skills gap.
 
I'm just thinking out loud here, live on the podcast, that there could be a way to roll in some student talent, because you do have students who've been like arrested for DDoSing their school district. If they have those skills, could we go to bring them into the fold?
 
Frosty Walker:
Re-channel that energy into a positive. There is potential there. I mentioned that here in Texas we have regional centers. I talked to a regional center last week that said they just completed standing up their SOC. Within that, they provide services, network service for me, the schools.
 
And they said, it's amazing how many DDoSs we have and how often we can push the button and prevent that now. Because we have the talent and the capability of doing that. Again, that's about sharing resources, for those. We're also seeing, some, information sharing organization ISAOs or ISACs being formed here in the state of Texas again, primarily for that capability that include higher education, state agencies, and the K-12.
 
George Kamide:
Cool. Okay. So let me get back on track to roles and responsibilities. And I got two questions. We'll start with IT. Earlier this year, you joined us on a panel with Jason Rooks from, a school system in Missouri.
 
And he had said that he is being asked to monitor for bullying and self-harm, and also being asked to retain evidence trails of those communications for families, for investigation, stuff like that. Which just sounds like a cruel joke because you're piling on yet one more responsibility onto an IT team.
 
Like we said, you have three people trying to manage end points for 9,000 students. And now you're asking them to monitor communications. Like it's inhuman. No one can reasonably do that. So we were talking about budgets and then you turn to talk about human resources. Is this a time where school systems should now reconsider what those resources look like?
 
Do you need to bring guidance counselors into the technology fold? Do you need to bring social workers into it? Because that cannot reasonably be IT's responsibility.
 
Frosty Walker:
That's a good point, and there are tools now that allow you to monitor social media and collaboration tools. And I think we're going to see more and more of that within the schools and in the next few years. And they need to be looking at that.
 
I know that SafeGuard Cyber and CrowdStrike did a case study at a school district that had 1200 students for the first 10 days of virtual learning and they, they captured, analyzed and archived about 125,000 messages.
 
George Kamide:
Yeah. That one was ridiculous. We were surprised by that volume. Most of the students were logging on at two in the morning.
 
Frosty Walker:
But then when I look at that study and I say, you encountered, almost 2,000 instances of inappropriate conduct and another 180 mentions of violent activity and 74 references to drug use.
 
Oh. And by the way, we also indicated seven malware in attachments and links. So oftentimes we think about the cyber threats as being malware, but we also see the way that students are using these tools. It's all so surprising.
 
George Kamide:
Yeah. And it's tricky, right? Because the school is the general principle is in loco parentis. You have to provide a safe space. If that space is moved from a physical location, into a virtual space, I don't know that the law sees those two things very differently. So I think that's incredible.
 
Frosty Walker:
I do think we'll see more schools move in towards this. I'm seeing some schools in Texas that have moved already into this environment. I think you're going to see more schools as they can clearly point out how they've been able to help students that are having problems and, in monitoring that.
 
George Kamide:
Okay. So that was the poor IT staff. So we've been talking at the bottom of the ladder and they're in the trenches, but you had mentioned schools as needing to think ahead to anticipate needs. What are the risks? What do I have protected? What don't I have protected? My question is in terms of roles and responsibilities in that foresight, do you think that there needs to be more awareness about these risks at the superintendent level?
 
I know superintendents have traditionally been focused on kind of the, just the operational aspects of a school system. But when you read these articles about ransomware, the person who gets quoted or the person who's on the hook for answering is the superintendent, but I feel like security and IT that's their corner of the responsibility pool.
 
So do you see for school board superintendent that there's not enough awareness at that level?
 
Frosty Walker:
Yeah. I do not think that there is enough awareness at the superintendent and school board level. It reminds me a few years back out, I made a presentation and we were talking about moving things to the cloud and a gentleman in the back of the room stood up, waited for a microphone, said, my name is John Keel. I am the state auditor of Texas. And I just want to remind everybody of one thing. You can outsource anything except responsibility. And I, that quote really stands out to me now, cybersecurity today, because it is the school board, it is the superintendent that is ultimately responsible for that data, whether it's in the cloud, whether it's through a partner, they still have the responsibility of making sure that data is protected properly.
 
George Kamide:
Yeah. Interesting. I feel when you look at local school boards, which tend to be made up of citizens in the area, those citizens are parents and they're concerned with quality of education and they don't come to the table with necessarily, unless you're in a major metropolitan area, knowledge of the technological risks.
 
Frosty Walker:
One thing that I do see more of now on with your school board is that there are many cases there they're local business people who may have also encountered ransomware have a better understanding of that than maybe even the superintendents. They understand how disruptive that is to a business. So in many cases, the school board will be more supportive of that.
 
Ashley Stone:
Yeah, that's great. We started our conversation, looking at the positives of education, we love our teachers, we've got teachers in both of our families. So what would your advice be to superintendents, IT staff, security staff who are worried about the attacks and feeling that burden and responsibility, but also feeling hamstrung by their lack of resources?
 
Frosty Walker:
Yeah. And I think, what we talked about: security awareness, training. Security awareness training. A 15-minute course can go a long way in improving your security posture. So I think security awareness is key. Like I said, also using some type of framework or guidelines that helps you identify where your risks are, that then you can prioritize those risks so that you can then budget for those risks over a long period of time. And that's a continuous process because there they're new risks that are discovered every day.
 
George Kamide:
That's more sustainable than hoping for some golden check to appear from the sky that will allow you to buy everything. Is to just develop a sustainable process that you can, you can go through every quarter or every nine weeks, depending on whatever your school cycle is.
 
Frosty Walker:
Yeah. Yeah. And I recommend that you look through that framework every quarter. For one thing, you can quickly identify what you've changed. If you do it once a year, things have gone too far. You do it every two years, you're starting over. But quarterly, it doesn't take very much to be able to say, what did we change?
 
Did we change any policies? Have we added procedures? Have we updated procedures that would improve our security posture in these areas? It makes it much easier if you do that. When I was the chief information security officer to TEA and did that on a quarterly basis, it took me a couple of hours to update that on a quarterly basis. Made it pretty simple.
 
George Kamide:
Yeah. So we come back to the age old adage, right? Ounce of prevention is worth a pound of cure. So if we could just stay on top of it, stay ahead of it, and make it repeatable, we'll be in good shape. That's good.
 
Frosty Walker, thank you very much for your time again, for joining us and lending your expertise on these issues. We feel for the schools and it's good to have a frank and candid discussion about what can be done about
 
Frosty Walker:
I'm always glad to see schools making improvements. Schools are really struggling like we said, with the online, a brand-new challenge, but they've really stepped up to that challenge.
 
They didn't have a choice but to step up to that challenge. We get by this hurdle, and maybe we can begin to focus back on threats so that they can have a better security posture in the long-term.
 
George Kamide:
Cool. All right. Thanks so much for the time and I hope we get to talk again soon.
 
Frosty Walker:
All right. Thank you very much. Thank you, George. Thank you, Ashley. Y'all have a great day.