Is your network as secure as you think it is?
The reality is that any IT Helpdesk can be vulnerable to IT security breaches, particularly in the education space (see the recent Flagstaff, AZ, school cyber attack).
So, with back to school coming, we wanted to pick the brain of one of the thought leaders in this matter.
Erich Kron is a technology evangelist and cybersecurity specialist at KnowBe4.com, one of the largest security awareness education platforms in the world.
Ten IT Security Questions: The Erich Kron Q&A
Patrick Clements (SherpaDesk Founder & CEO): Hi, Erich, tell us a bit about yourself, what you do, and what you're passionate about.
Erich Kron (KnowBe4 IT Security Expert): Hi, my name is Erich Kron, I work at KnowBe4, and our focus is training end-users and doing simulated phishing attacks to help avoid them. We all know that phishing is a big issue lately. My background has been working in IT Security since back in the mid-1990s. I've worked in government, worked in the private sector, and in all kinds of different types of organizations throughout the years, and one of the things that I've noticed going on for quite a few years now is that the human element is one of the things that keeps making us insecure. Which is why I'm where I am now (an Ethical Hacker conference): I'm very passionate about trying to eliminate a lot of the problems that people are having, or at least reduce the number of issues that we're having, due to the human element in IT Security breaches.
Patrick: There's a trend of using social engineering when hacking a lot of networks today, so one of the biggest challenges that IT security experts in school districts face is educating their teachers and technicians on how to reduce the risk of social engineering. What’s the best advice we can give them?
Erich: Yes, it's tough because schools are getting targeted quite a bit these days. We're also seeing a lot of ransomware, which is really unfortunate. My in-laws worked in education for a long time and they poured their heart and soul into it, and now teachers are having to deal with things like ransomware attacks where they lose all of their lesson plans and things like that, so it's heartbreaking.
When it comes to teaching people in the education field, what we need to understand as IT Security Professionals is that quite often we may be dealing with people that are not technical, and unfortunately technical-minded people like us tend to get really in the weeds on things that don't matter. I like to tell my students that when we're trying to educate people on IT security (whether we're talking to the marketing department or HR or whatever) we need to avoid overly technical explanations. We need to make sure that we teach people to understand how a particular IT breach will impact them and how IT security precautions relate to them, more than all of the technical stuff behind it, and that's something where, unfortunately, we tend to fall short as IT security experts.
Patrick: We've been in the helpdesk and IT support business for education almost 12 years now, and one of the things that we face is that we're not only dealing with IT experts, but new teachers that are learning how to use our system and even facility maintenance staff. This can become a challenge for us. We're trying to train them on how to use our platform, but we find that we also have to teach them the most basic IT security practices, so it's always a little bit challenging. Do you have any tips and tricks to get non-technical users to avoid unsafe IT security practices, like not using certain types of passwords or security logins?
Erich: It all comes down to making it relatable, it really does. We have to make them understand why. It's all great to be able to say don't do this, but people don't listen unless they understand why, and oftentimes why it benefits them, not just the organization, not just their school, but them personally.
Patrick: Given the particular challenges that school IT departments meet, what are the vulnerabilities that they will face now and in the near future?
Erich: The human factor is going to be a part of it, and it has been for a long time now. Let's face it, when it comes to scams, whether it's financial scams, or whether it's getting into the systems, social engineering is something that's going to be around for a while, and we're not going to solve it. We haven't solved it in 20 years! But what we need to do is try to reduce it as much as we can. Then there’s the fact that the people running technical attacks are also upping their game and doing things like ransomware which are just brutal. We also need to understand that younger people in schools have social security numbers that are very valuable to attackers. Schools have a lot of valuable data, and if you couple that with the lack of resources, financial and otherwise, it's definitely going to be a challenge for people in IT Security in Education for the foreseeable future and that's a shame.
But I also think that one thing that we can do within schools is start some campaigns that help people understand these scams and that these things happen. We need to start even just trickle-up IT safety education campaigns. It doesn't have to be all in your face once a year. We need to start doing things that can be pretty low cost and can really help people deal with what's coming up. As threats progress and different kinds of scams happen (and that's what we see, we see these hackers changing how they're doing attacks quite suddenly), and sometimes there are new attacks, we need to be able to keep our folks in the loop as to what's going on and what they're going to be facing, because a lot of these attacks are getting more complicated. These hackers are gaining experience and they're able to make them work much better, and this is both in technology and the human side, so I still think we're going to face those resource shortages and we're going to have to come up with new and more clever ways to help offset what's going on. A key thing is letting people know what they will be facing, both on the tech and on the human side; that helps.
Patrick: Yes, being more preventive on the front end versus reactive on the back end is key. We're always trying to stay ahead of the game by educating our users and trying to always be more preventive on security. You alluded a little earlier to young people being introduced into IT networks, and that has become a big initiative now with the so-called one-to-one initiative, in which most school districts are starting to issue Chromebook laptops to each student. So now you've not only doubled or tripled, but sometimes increased by 10x, the number of nodes that are on your network. Can you speak a little bit about that? What are some of the concerns that school districts should think about when starting a one-to-one initiative with students, not only using laptops but also mobile phones on a network?
Erich: It's kind of amazing how that's all changed, right? In the industry we had 'BYOD' back in the day, which basically meant a phone, but now what are they connecting? They're connecting all kinds of devices. But I will say that I love that a lot of schools are using Chromebook type devices, because those are a lot better than Windows machines frankly, they're easier to manage etc. I think when it comes to planning and setting these things up, a lot of care has to be taken to isolate your dirty network. That's the network that will have all of these devices that are uncontrolled, or possibly uncontrolled. I mean, kids get a Chromebook and they can still plug in USB devices, their phones and stuff like that, and keeping those separated from the real assets as much as possible, and monitoring the traffic that flows between them wherever possible, is the key to that sort of thing, because devices are going to happen. Kids are going to start bringing in mobile versions of Alexa and putting them on their desk; they're so used to this, it's a part of their lives and how they manage data, and their calendars and all. We can't fault them for wanting to use this technology, but we sure have got to watch how they're connecting it to things and be aware that those things they connect can reach out to the protected parts of the network.
Patrick: One of the things I want to talk about is the growth of IoT and the risk of spyware and ransomware. IoT is starting to become ubiquitous in everyday hardware and consumer products like cameras and monitors. What are the things that school districts need to think about when they start introducing these IoT type devices? Where are we seeing the biggest security breaches, and what about safety policies?
Erich: For me it's segmentation. Keep IoT devices on their own network. This has been a challenge for several years now. A couple of years ago there was a college campus that got hacked by hitting their smart light bulbs, in what became basically a denial of service attack. Their smart light bulbs and vending machines were on the same network, and hackers got into the vending machines via the smart light bulbs. We have to understand that IoT devices are going to be insecure, and that's a fact of life. We're not getting firmware for light bulbs! We're not going to get firmware for vending machines and things like that, so we have to treat them as potentially hostile devices no matter what we do, and that means keeping them far away from the real networks. As we add these IoT objects, we know that the support is not going to be there, so we have to plan for that.
Patrick: So that gets us a little bit into what some of our users in education face. Not all school districts are the same. We have some districts that are super advanced, but we also deal with a lot of school districts that are rural and don't quite have the same access to budgets. What would be your advice for IT security professionals talking to an IT team that may be very small, or in a very rural location? What would be some good habits and techniques to try to encourage them to implement?
Erich: I think what happens a lot of the time is that we think we have to apply technology to fix everything. That way of thinking unfortunately is everywhere in our industry because, frankly, marketing teams do great jobs. Unfortunately, a lot of organizations (and this is in corporate America or in education) leave some of the foundational things out, so I would tell people to focus on the foundational things like patching. It's not very expensive, and patches are usually free, but it's one of those processes that can be cumbersome and not much fun. It is so important, though!
My colleague Roger Grimes wrote a book called The Data-Driven Defense and I love the approach that he takes, which is basically: 'Look at what's causing you your problems and tackle that first.' A lot of companies go through checklists that someone else has put together that say you need to do this, and you need to do that, but does that really apply to you? If you already have limited resources, can you really afford to put resources towards the things that aren't your threats? So in other words, if you're dealing with malware all the time, if that's your big headache, if computers are getting infected every week and you're having to run around and deal with that, does it make sense to deal with a Flash patch on a server? So, you need to look at what your individual issues are and then try to focus on that, especially the fundamentals, things like the 'Principle of Least Privilege', so if one person doesn't need access to files or folders, they shouldn't have it. It doesn't cost a lot to apply; it's already there. It takes time, but if you don't have the budget, that's something that is absolutely vital to your security.
Patrick: That's good feedback. Definitely, segmentation of access is a great start. I want to talk about some stuff that I think is super interesting. We've written a couple of blogs that talk about Ethical Hackers. I want to get your perspective on ethical hackers. Are they the good guys? Should we use them? Should we hire them?
Erich: I personally love ethical hackers. Right now, I'm actually at one of the bigger Ethical Hacker conferences in the country, and these people are just as passionate about security as we are. Having more eyes on your network security measures is a huge advantage. I also like to see things done with bug bounties, so I use services like HackerOne, which has some things in place to make sure that the folks doing the ethical hacking are vetted, and there are some legal things that you need to take into account when it comes to hiring somebody who just reached out to you. You don't want to use just anyone out there, so I recommend using services that do things like vetting their hackers. When putting up a bug bounty you need to define the scope; that's important. Some people are tempted to not include the things that they know are going to fail, which is probably the wrong approach. I view ethical hackers as hardworking people that have a passion for finding your vulnerabilities before the bad guys do, and exploit them, and cause problems. We don't always know all the things, right? So it's always good to extend your network and see if you can get some other eyeballs on it; they may be able to find vulnerable spots that you missed.
Patrick: I totally agree with that. We always hear about Black Hat hackers. Do you ever see black hat techniques as necessary to protect your business?
Erich: Black hat is a misnomer, because ethical hackers use the same hacking techniques that 'black hat hackers' use. That may be social engineering. The only difference between white hat and black hat hacking is what the intent is. There are some shady things on the black hat side that I don't recommend, so you have to be very careful with that sort of stuff. You don't want to threaten people with bodily harm and stuff like that when you're doing social engineering. You don't want to be the one that's saying: "Hey, I've got your kids" and so on. You can kind of see the difference there, I hope that illustrates
Patrick: That's perfect. You've got to keep some level of ethics and morality in play when you're doing these things, absolutely.
Erich: Absolutely, and that needs to be spelled out in the scope. You need to come to that agreement before you have an ethical hacker going into your network. I do know that most people that do ethical hacking for a living already know where the lines are drawn, but organizationally you also need to understand where you're comfortable having them take it so that there isn't a disagreement later.
Patrick: It was amazing getting your feedback today. I would love to give you the final word as far as what message you would like to leave us IT Helpdesk professionals with.
Erich: Honestly, and I mean this sincerely, keep up the good fight; it's well appreciated. I've spent a lot of time in the trenches myself and I know we don't get a pat on the back all the time. Don't forget that there are great communities out there with support, so take advantage of these conferences, especially the free ones, things like BSides, where you can learn a lot for next to nothing. Those are just fantastic.
Patrick: I can't really thank you enough for taking the time to do this. Thank you very much!
SherpaDesk Q&A With IT Security Expert Erich Kron Full Interview