School Safety: K-12 Cybersecurity (S2:E46)

January 12, 2023

Humans in Tech returns for season 2! A common thread on our podcast last year was the discussion around cyber threats becoming more and more sophisticated. John Guerrero, CEO, Identify Systems, joins us this time to chat about K-12 cybersecurity. We cover the critical need for multi-factor authentication (MFA) in protecting school-age children and how FIDO2 technology specifically can prevent cyber attacks.

Full Transcript

Voiceover: You're listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cyber security, and IOT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging Phygital [00:00:30] experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Your host is Leigh Dow, VP of Global Marketing at Identiv.

Leigh Dow: Thanks for tuning in. Our guest today is John Guerrero, CEO of Identify Systems, and John's here to discuss K through 12 cybersecurity with multi-factor authentication through FIDO2. Thanks for being here today, John.

John Guerrero: Thank you, Leigh. It's always great to be invited.

Leigh Dow: [00:01:00] One of the things that we talk about quite a bit on this podcast is how cyber threats are becoming more and more sophisticated. And in October of 2021, President Biden signed a K through 12 cyber security act into law. And that act is focused on enhancing the cyber security of our nation's K through 12 educational institutions, which as we all know is very important. This bill requires the cybersecurity and infrastructure security agency, CISA, to study the cybersecurity [00:01:30] risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks. So obviously schools can't ignore the need to plan for cybersecurity threats in their emergency operational plans. What are some of the best practices for schools and school districts, their cybersecurity managers, systems administrators, their technical staff, to enhance their school and or their districts cybersecurity posture?

John Guerrero: [00:02:00] First, let me say that you're right on the money. Schools, like any other organization really can't ignore the fact that cybersecurity is a prevalent threat across all verticals now. It doesn't matter if it's education, healthcare, finance, it is an extreme threat. And with most organizations, whether they be enterprise, smaller, medium business, the best way to prepare and counteract a cybersecurity attack is to have a great MFA, multi-factor authentication [00:02:30] solution, in place that really prevents and restricts the hackers from being able to get into your network to access all that vulnerable data that's just sitting there. And with a good plan in place that fits the needs of the vertical, whether it be the K through 12 or any other institution, you can really do some great things to prevent that from happening.

Leigh Dow: One of our guests, actually very recently, talked to us about [00:03:00] a lot of that with respect to schools and how when schools face these security attacks and things like that, when there is a breach, how economically disabling it can be for a school because if it's a ransomware attack or something like that, they don't have that kind of funding to combat that. So the best way to combat it is by having great programs in place.

John Guerrero: That's absolutely correct. I mean, not only do you have your concern about ransomware where they're capturing the information, you have to really be [00:03:30] concerned in general about the risk of getting that information out there. And like with any other organization, schools, elementary schools, K through 12, they have teachers, teachers are basically employees, and you have all their information on file that's available. So you have their social security number, you have their address, their home, and their phone number. You have a lot of information there. And then that's somewhat obvious, but when you look at what the students are, and even though they're younger in age, [00:04:00] you still have those records on file for them, potentially medical records that are on file if that's required. Or you have social security numbers in some instances that are on file. And you really don't want that information leaked out there. Nobody does. So you have to do all the necessary steps to put in place to make sure that that's prevented.

Leigh Dow: Well, yeah. I just think about as a parent, every year we have these emergency authorization cards that you have to fill out when your kids are in school. There's a lot of personal [00:04:30] information on there, not just about your student and what medications they can take, what kinds of maybe disabilities they might have, and accommodations they need, but it also has information about you, parents, who the emergency contacts are. There's a lot of information on those cards.

John Guerrero: Exactly. And that falling into the wrong hands can be used for malicious activity against you. And the problem is, is that most people really don't understand the gravity of the situation. [00:05:00] So it really needs to be brought to the light of the risks that are available out there. And as you said, yes, those cards contain a lot of information and they aren't just keeping those cards on file in an index paper somewhere. They're uploading it to a system in their server. And without the proper security measures, it's vulnerable.

Leigh Dow: What happens if it's not addressed at the national, state, and local levels?

John Guerrero: If it doesn't get addressed at those levels, then technically [00:05:30] people ignore what I call checking the box situations, where if the state and local government or the federal government isn't requiring or mandating the educational institutions to take the proper actions, then they won't. Simply because actions, regardless of what they are, whether it's a employee having to do something physically on the computer or [00:06:00] acquiring a necessary multifactor authentication solution to prevent this, it costs money. And if you're not required to do it, then people are going to default to the easiest method and potentially continue to use username and passwords because not only is it easy, it's typically pretty much available to anybody at a minimal, minimal cost.

Leigh Dow: 100%. It's really, I just think so nuts that if you watch school districts today, a lot of school districts spend a lot of time and [00:06:30] money and energy training educators on the dangers of social media and they talk to students about social media and some of the malicious things that can occur through social media. Those same school districts, many of them do not put money behind protecting a potential leak of personally identifiable information of students and teachers.

John Guerrero: You're exactly right. And [00:07:00] that's what it boils down to is if the funding's not there already to support this, or if there's no excessive funding available, then they will default to the fact that, "Well, there's no requirement for me to do this, so we won't do it." And unfortunately that's the reality of the situation today.

Leigh Dow: Yeah. So to combat cyber attacks, school districts need to increase their awareness obviously and their preparedness, but what else needs to be done?

John Guerrero: Well, [00:07:30] when you look at it from a preventive maintenance perspective, I mean installing the right solutions is always going to be paramount. Not every educational institution will have the same requirements, but as we've migrated to a very consistent and increasingly remote, and I won't use workforce here, I'll say educational force, in the space today, [00:08:00] you have more and more people that are going online. So you have a larger, let's say enterprise, vast enterprise of people, students that are online with their teachers. And you really have to make sure that the solution that you put in place will address anything from video Zoom or Google Meet privacy protections. It will protect the network itself from somebody piggybacking [00:08:30] onto a signal to get into somebody's server or on their network. So you really have to look at all the things that can be exploited and then design a solution that's best for the school to defend against that.

Leigh Dow: I haven't read anything about this, but I would assume, I hope it's an accurate assumption, that the pandemic really forced a lot of schools to revisit all of that and get a better understanding. [00:09:00] We all have seen the Zoom bombs and stuff like that at the start of the pandemic when schools were trying to figure out how do we continue to deliver education in a new way on a new platform for them.

John Guerrero: Yeah. And we've seen it on our end as a supplier for multi-factor authentication solutions from Identiv. We see a lot of interest from education, not just K through 12, but up and down the system. But we see a [00:09:30] lot of interest in the various solutions. Now, where it comes into play the most is you've absolutely mentioned the Zoom bombs that were coming in when people were really remote, but the increase in the cyber hacking has really made it prevalent because of, as we discussed earlier, all the personal information that's being held. And I think that's where I've seen the most increase in the last, [00:10:00] I'd say 12 months, is that yes, initially when the pandemic started there was a big concern because of all the Zoom meetings and everybody being hacked. But coming out of that, I think that Zoom bomb awareness created additional awareness for people to understand, "Look, if they can get into my Zoom meeting that easily, then they can probably get into my network fairly easy." And we have to protect that data. And as we know [00:10:30] today, it's a very, let's see, how do I say this, litigation society.

Leigh Dow: Yeah, litigious?

John Guerrero: There you go. You really want to make sure that you protect all your information so that it doesn't backfire on you because a breach, regardless of whether it's in a K through 12 institution or it's at a major online retail brand, a breach is a breach and it's going to cost a significant amount of money to [00:11:00] repair that.

Leigh Dow: Well, I think that if you don't work in this industry, I think a lot of people are very numb to how much personally identifiable information you give out on a day to day basis to do things that you can't do without giving it up. So like medical attention, education, even retail, you go into a store and they'll ask you for your phone number now [00:11:30] or your email. Those are two pieces of information that now you're giving up just to buy a shirt. And you kind of get numb to how much of that information you give out on a day to day basis to receive just very simple day-to-day services.

John Guerrero: Yeah, you're absolutely correct. And it's become the necessity that you put these preventive maintenance in place for these cyber security hacks. And I [00:12:00] think what scares people is prior to COVID, and let's say even going back five years before that, most of the solutions that out there were very, very expensive. They required a heavy lift to integrate into the system, into your network, and then they required a heavy lift to maintain them for the life cycle of the solution as well as to keep current on recycling the hardware that may be required or even just [00:12:30] the ongoing licenses. But that's drastically changed. So there are more cost effective solutions out there, simpler solutions that are easier to deploy, that make it more attractive and more tolerable for let's say budget regulated industries like the educational institution to put these measures in place to prevent these things.

Leigh Dow: So MFA being one of those measures, how does MFA help prevent [00:13:00] cyber attacks?

John Guerrero: Well, just like with any other organization, when you install an MFA solution, it's really about the number of authentication factors that you put in place. The more you authentication factors you put in place, the more secure your information is. Now, you really just need to be concerned with right off the top of the game here to eliminate passwords. [00:13:30] People are way too dependent on passwords because they're simple and easy, but everybody knows that 70% of the people out there, if not more, use the same password for home and for work, and they reuse the same password for all the different applications that are available. And once a hacker gets a hold of information and they build a profile and they deduce your password, whether it be through sniffing or capturing data, [00:14:00] well then they have your password for everything. So the more you can put in place from an authentication perspective, whether it be a PIN and a token, FIDO key or a biometric measure, the more instances you can put in place, the more protected your data is.

Leigh Dow: One of Identiv's top MFA solutions is the uTrust FIDO2 NFC security key. Can you explain how the tool works and how the login is performed?

John Guerrero: [00:14:30] Sure. The key is a great authentication measure because it's basic functionality is to provide cryptographic key pairs. Now, what happens is you take a key and you physically register that key with your application. So if you are, let's say registering or authenticating to Windows and you're logging in your system remotely or even at the educational institution, you simply register [00:15:00] your key with the Windows environment, you use the key on a standalone device to authenticate. And without that key, you really can't authenticate to your device so it makes it cyber proof from the fact that any hacker that's trying to gain access to the network will require your key to do that.

Once they've registered the key, [00:15:30] then they can use that FIDO key to register. The same key will register to many applications, all that support the FIDO technology. So then you have one key to register to your Dropbox in case you're sharing information with your students. That same queue will also register to Gmail so that you can send emails out to your students. And then your student receiving the email, [00:16:00] typically if it's K through 12, it's the parents can authenticate for them and grab the email. It makes it very secure so that information exchanged you know is safe. You've proven who you are. And with FIDO, you definitely know it's you that's authenticating and you are the person that should be accessing that information.

Leigh Dow: Would a school purchase something like that kind of how they do Chromebooks where it's just like a bulk purchase and then you hand out the [00:16:30] technology that you're giving to students at the beginning of the year or collect it back at the end of the year?

John Guerrero: Yeah, and that varies obviously when you're talking K through 12, on the younger side, you typically don't get that. You don't receive that Chromebook. It's something that your parents are issued and it would be along the same lines. You would issue a key to your students. We see it done all the time. The best practice is to have two keys. The reason you want two is you want to register [00:17:00] both of them. And just like you would a key to your car, a key to your house, you have one that you would use every day, and then you have one that in case you lost it, you have a backup.

Leigh Dow: John, we're talking about kids so you mean when you lose it.

John Guerrero: You're absolutely right. I guess I should have corrected myself. When you lose it. And you see, you're talking to somebody who doesn't have kids, so there you go. So when you lose it, yes, you have a backup key that's there. And then once you've authenticated, if you did [00:17:30] lose that key, you would simply have, again, you're talking kids, you'd have your parents go and they would deregister the first key that was lost. And even if they lost that key, we're talking about multifactor authentication. It's typically not just a FIDO key that they're using. It can be a FIDO key and a PIN that's required. And so if somebody picked up that key, they would still require a second form of authentication. And if somebody just picked the key off the ground, it's kind of like a house [00:18:00] key or a car key. If you found a key walking in the parking lot outside of the grocery store and you're looking at a hundred cars in the parking lot and you just have a key, you don't know which car that key will open up.

Leigh Dow: Another act, another federal law is the Children's Internet Protection Act, CIPA. And that's a federal law that's enacted by Congress to address concerns about access to offensive content over the internet on school and library computers. [00:18:30] What MFA solutions can be effective solutions for enhancing that CIPA compliance for K12 classrooms?

John Guerrero: So good question. And the Identiv uTrust FIDO Key is a good example. You kind of talked about issuing a key out to students to take home. Well, the same can be done in internally when you're at a library or you're at [00:19:00] a lab, computer lab within the school. You simply check in. You can be assigned a key. That key will allow you to authenticate to their applications that are available to them. And then once they're done, they can return the key. Now, the good thing about the keys is that they are reusable. You can reset the PIN, you can reset the application that they're for. It's reusable. And to [00:19:30] date, I have not yet seen a key that has failed because you've registered to multiple applications. It's longstanding and it's very easily done. It's simply a tap. Once you register to authenticate and you're on.

Leigh Dow: John, it's always great to have you on the show. Thanks for joining us and we really appreciate you taking time to participate in the Human Tech podcast.

John Guerrero: Thank you for having [00:20:00] me.

Leigh Dow: And if you enjoyed this podcast, please do us a solid, we drop a new episode every Thursday, so like and subscribe.

Voiceover: The problem is in security. It's awareness. Velocity Vision is the future of visual surveillance. An intelligent video management solution that delivers real time situational awareness in an open security platform. Integrate with your existing systems, verify your environment in one pane of glass, and increase the efficiency of your security [00:20:30] operation. Get full control of your environment when and where you need it. Learn more at Get access control anywhere, anytime for less money out of pocket. Highly secure Freedom Cloud is a cloud-based access control as a service offered through a cost effective subscription model, allowing users to control, manage, and maintain their physical access control systems via Freedom's intuitive, always up to date, browser- [00:21:00] based web administration. Learn more at Physical security, identity verification, the IoT. The hyperconnectivity of our lives will only grow more pervasive as technology becomes more automated and experiences more augmented. It's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?