ALWAYS | NEVER |
|---|---|
|
|
41.3% failure rate, over 240 individuals clicked on the link, many provided their District login and password.
How does a computer become infected with Ransomeware? - Often spread through phishing emails that contain malicious attachments or unknowingly visiting an infected website where the malware is downloaded and installed within the user's knowledge.
What's the impact? - Passwords, accounts & data compromised, (personal and district), files encrypted and possibly lost, downed network services; including internet, phones and access controls for days or weeks, loss of instructional time, not to mention potentially tens if not hundreds of thousands of dollars.
Why should we worry? - The frequency and severity of cyber attacks targeting school districts has increased significantly this year, not to mention become increasingly challenging to detect.
Previous Phishing Email Look-Fors
Phishing Attacks - Being Aware & Being Vigilant!
More Significant Than Ever!
Spring 2019: Over 20 staff members fell victim to the recent Phishing attack targeting our District entitled; "District Proposed Salary Schedule". Most of those involved downloaded the .pdf attachment while a few went as far as accessing the website linked within the attachment and inputting confidential information, resulting in their District accounts being compromised. Remember to be skeptical of every email and when in doubt, contact the Tech Dept.
What happened as a result?
Close to 300,000 emails were generated from the compromised accounts to various accounts around the world.
Our email domain was "blacklisted" on two global SPAM filters forcing us to remediate until removed from lists.
Our Internet Service Provider threatened to block all district, email traffic due to receiving multiple complaints from other Districts & organizations.
What could have happened?
All data on the devices related to the compromised accounts completely lost.
Any programs or services related to the accounts, including data & information available within each program, could have also been compromised.
This includes any sites with login credentials stored using Google Password Manager such as banking, credit card & other personal websites
Student and staff personal and/or financial information compromised - See San Diego School District Data Breach Hits 500k Students
Moving Forward
Increasing efforts to heighten staff awareness and vigilance, including more frequent & challenging Phishing Training Campaigns
Increased accountability for those succumbing to Phishing attacks, both real and District generated
Improved communication and remediation efforts related to actual Phishing attacks
Improved security procedures and strategies at all levels
Be Aware! - Review every email with skepticism
Ask yourself the "Key Three" questions below. When in doubt, ask the Tech Dept!
Who is the Sender and what is the email address listed?
Is the Sender asking me to open an attachment or click on a link? Hover over the link/attachment
Does the email seem odd? Is there an urgent message / not typically something the Sender would write? Mistakes?
Student Device Management Expectations
Document and assign students the same computer to use whenever possible. Remember, the 1st login on any device takes more time.
Be vigilant. Actively monitor student use and assess the laptop/desktop after every use. Can be accomplished in less then 1-2 minutes.
Report negligent or malicious behavior and submit a work order IMMEDIATELY if there is an issue.
Students MUST LOGOUT after every use.
Laptops should be rebooted, (powered off) at least once a week if not daily.
Designate a staff member to be a Cart Manager to assure all the laptops have been returned, are plugged in and the cart secured at the end of each day.
Be sure that the cart is plugged in and ALL laptops are charging after use.
The Cost for damages exceeding normal wear and tear will be charged directly to the building/department and repeated damages to the same cart/cabinet will result in the removal of devices from use. Damages & repairs will be tracked by the Technology Department within the new Web Helpdesk Asset Manager.
To reiterate . . .The cost for replacing (3) Dell 3340 student laptop keyboards = one new Chromebook
Information related to the Child Online Privacy Protection Act (COPPA) is provided via the link below. This new federal law requires that websites notify parents and obtain parental consent when collecting personal information from children under the age of 13. Under the law, schools are permitted to provide consent to the collection of personal information on behalf of its students, eliminating the need for individual parent consent be given directly to the web site provider. For more information on COPPA, please visit; https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions.
Educational web-based tools and applications provide our teachers with resources to enhance, enrich and differentiate curriculum delivery and instruction to our students. Our district carefully reviews online resources for the program's ability to meet our students’ needs while protecting the confidentiality of personally identifiable information.
Some web-based programs require some student data to create accounts. KCSD does not require nor encourage students to provide additional personal information beyond what is required to create student accounts. Each provider offers information about their organization's collection, use, protection, and disclosure of data through their unique privacy policies, which can be found on their websites.
- For parents/guardians of children under the age of 13, you are required by COPPA to agree to the online consent form included within the KCSD Parent Portal in order for the District to allow your student to access online educational services for the upcoming school year.
- For KCSD Staff, any programs not included on the KCSD Educational Services list must be pre-approved by a Building Administrator before acquiring parent consent to create accounts for children under the age of 13.
Related Resources
- KCSD Educational Services and Children's Online Privacy Protection Act (COPPA) Overview
Student Privacy Pledge - https://studentprivacypledge.org/signatories/
iKeepSafe - https://ikeepsafe.org/
Already Implemented
- District wide randomly generated, student password reset
- Substitute Laptop Restrictions - Accessed using Substitute Guest Accounts only, refreshed on a weekly basis
- Local Administrator Access Revoked on Staff Devices
To Be Implemented
- Annual District wide randomly generated, student password reset
- Annual District wide staff password reset (individually created during staff laptop assessment)
- Progressive consequences for staff with multiple failures from Phishing Attacks (Real/Training), “3 strikes & out”
- Restricted email access to internal email only then restricted internet access
Future Consideration
- Staff Devices - Access restricted to staff only; no student access allowed
- Student Devices - Access restricted to students only; no staff access allowed
- Reduce Auto-Lock duration for staff and students
KnowBe4 Tip of the Week
KnowBe4 Security Tips - What Are Browser Notifications?
Most internet browsers allow websites to offer browser notifications. The first time you visit a website that offers browser notifications, you will see a pop-up message at the top of your browser window asking you to either allow or block notifications. If you choose to allow them, browser notifications can be displayed at any time, even when you are not on that website. These notifications are typically used for things like blog updates, social media interactions, and upcoming sales. Unfortunately, cybercriminals can also send their own malicious browser notifications to steal your money and information.
How Do Cybercriminals Use Browser Notifications?
Cybercriminals can use two different methods to send you malicious browser notifications. They can either hijack a legitimate website and offer fake notifications from that website, or they can trick you into allowing notifications while visiting a malicious website. For example, in one scam, cybercriminals used a malicious website that appeared to be a video player and instructed users to click "Allow" before they could play a video. Once cybercriminals are able to send you browser notifications, they can use the notifications in several ways:
- They can display excessive pop-up messages, inappropriate content, or other disruptive material in your browser. This tactic allows cybercriminals to hold your system hostage while they demand a ransom.
- They can send you malicious advertisements, also known as malvertising. Malvertising is when cybercriminals use ads to spread malware, trick you into providing sensitive information, or steal your money using fake storefronts.
- They can include malicious files and code within browser notifications. If you click on one of these malicious notifications, your system may be automatically prompted to download a piece of malware.
Hints and Tips to Stay Safe
Use the tips below to stay safe from malicious browser notifications:
· Think before you click! Whether it is a browser notification or another kind of pop-up message, always read and consider a prompt before taking action.
· Check the permissions settings within your browser and only allow notifications for websites that you know and trust. Most browsers include a list of websites that are allowed to send you notifications. Some browsers also allow you to globally block notifications for all websites.
· Keep your browser and other software up-to-date. Software updates often include security patches that help close known vulnerabilities. We recommend enabling automatic updates to ensure that your browser is always up-to-date.
Be Aware, Be Vigilant, Be Skeptical!
Security Tips of the Week Archive
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Exploiting the Coronavirus: Watch out for These Scams!
Look out! The bad guys are preying on your fear and sending all sorts of scams related to the Coronavirus disease (COVID-19) outbreak.
Below are some examples of the types of scams you should be on the lookout for:
- Emails that appear to be from organizations such as the CDC (Centers for Disease Control), or the WHO (World Health Organization). The scammers have crafted emails that appear to come from these sources, but they actually contain malicious phishing links or dangerous attachments.
- Emails that ask for charity donations for studies, doctors, or victims that have been affected by the COVID-19 Coronavirus. Scammers often create fake charity emails after global phenomenons occur, like natural disasters, or health scares like the COVID-19.
- Emails that claim to have a "new" or "updated" list of cases of Coronavirus in your area. These emails could contain dangerous links and information designed to scare you into clicking on the link.
Keep in mind, these are only a few examples and these scam artists are constantly coming up with new ways to fool you.
What Can I Do?
Remain cautious! And always remember the following to protect yourself from scams like this:
- Never click on links or download attachments from an email that you weren’t expecting.
- If you receive a suspicious email that appears to come from an official organization such as the WHO or CDC, report the email to the official organization through their website.
- If you want to make a charity donation, go to the charity website of your choice to submit your payment. Type the charity’s web address in your browser instead of clicking on any links in emails, or other messages.
Be Aware, Be Vigilant, Be Skeptical!
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Safeguard Your Personal Data During the 2020 Census Season
It’s that time again. Every 10 years, United States residents are required to respond to the Census survey. The primary purpose of the census is to provide a count of every member of the U.S. population.
By law, each household is required to complete the census survey. From a cybercriminal’s perspective, this is a perfect opportunity for their social engineering scams. Scammers might send emails or other messages that appear to come from the U.S. Census Bureau, or they might even pose as official Census Bureau workers and show up at your door!
This census season, keep the following tips in mind so you can safeguard your household’s sensitive information:
- If you receive an email to complete the 2020 Census survey, delete it! The U.S. Census Bureau will only send the official survey notification by mail, or if your survey response is late, an official Census Bureau worker may come to your home to ensure you have received the census.
- If a Census Bureau worker visits your home, verify that they are who they claim to be. A valid ID badge should have the worker’s photograph, a U.S. Department of Commerce watermark, and an expiration date. If you’re still unsure, call your Regional Census Center and speak with a Census Bureau representative.
- Remember, the Census Bureau will never ask for the following: your Social Security number, your bank account or credit card numbers, anything on behalf of a political party, donations, or money.
Be Aware, Be Vigilant, Be Skeptical!
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Scam of the Week; Protect Yourself Against Card Skimmers
With the convenience and seemingly secure way of paying at the gas station pump and using drive-up ATMs, cybercriminals are now targeting these locations. They are using this technology called Card Skimmers to read and record your card information in a matter of seconds. With each Card Skimmer being able to hold details on about 80 cards, protecting yourself at gas station pumps and ATMs should be a priority now more than ever.
How Does It Work?
Card Skimmers are physical devices that cyber criminals attach to the credit card reader. The card skimmer then reads the magnetic strip on the card to gather your full name, the card number and the expiration date. Once the skimmer reads your card information, the cybercriminals can then sell your information or use it to gain access to your bank account. These skimmers are designed to fit tightly over the real card reader at the gas station and ATM making them undetectable if you don’t know what to look for.
How To Avoid Card Skimmers?
To protect yourself against the cybercriminals that are using Card Skimmers, follow these helpful tips:
- Pay with cash. Paying with cash will completely eliminate the risk of coming in contact with a Card Skimmer.
- Shake and pull the card reader. If it doesn’t seem right, pay inside and report it.
- Go inside. Paying inside of the gas station or going into the bank will reduce the risk of coming in contact with a Card Skimmer since it is less likely that the card readers inside have been tampered with.
- Use mobile payment options if they are available. Use options like Google or Apple Pay to eliminate having to use your card.
- Download a Skimmer Scanner app. These apps, which are available on both the App Store and Google Play, will warn you about where Card Skimmers are located in the area.
Be Aware, Be Vigilant, Be Skeptical!
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Scam of the Week; Coronavirus Phishing Attack
The global threat of the coronavirus has everyone’s attention, and the cybercriminals are already taking advantage of it. The bad guys are using the coronavirus as clickbait so they can spread malware and steal your personal information.
They’ve crafted their phishing emails to look like they’re coming from health officials such as doctors or national agencies, such as the Center for Disease Control and Prevention. Some of these emails suggest clicking a link to view information about “new coronavirus cases around your city”. Other emails suggest downloading the attached PDF file to “learn about safety measures you can take against spreading the virus”. Don’t fall for it! If you click the phishing link, you’re brought to a webpage that is designed to steal your personal information. If you download the PDF file, your computer will be infected with malware.
Always remember: Never click on a link or download an attachment that you weren’t expecting. Because of the alarming subject matter, the bad guys expect you to click or download without thinking. STAY ALERT! Don’t be a victim.
Be Aware, Be Vigilant, Be Skeptical!
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Multi-factor Authentication
What is it?
Multi-factor Authentication (MFA) is the process of verifying that you are who you claim to be when logging in to a device or an account. If you're reading this from your work computer, you probably logged in to your computer - that's single-factor authentication. But single-factor authentication is no longer enough to keep your accounts secure. Learn more below about the various ways you can digitally-authenticate your identity.
Understanding the Types of Identity Claim Factors:
- Something you own. This is using a mobile phone or device that you have in your possession to prove your identity. Typically, the device provides a code via an application, text message, email, or voice call. You then enter this code, and for successful authentication, your code must match what is expected by the service you’re attempting to log in to.
- Something you know. This is something you’ve memorized or stored somewhere, such as a PIN. You must supply the correct PIN to log in to your device or service.
- Something you are. This factor is something about your physical body that cannot be altered, such as your fingerprint or retina. Biometric scanners or readers are used to confirm you’re physically the person that you’re claiming to be.
Why do I need it?
In our digitally-driven world, passwords are no longer enough to keep your information safe. These days, it takes minimal effort for hackers to break into, or social engineer their way into, accounts that are only protected by passwords. Adding an extra step to access your accounts, such as entering an authentication code, means that hackers would also need to have your phone to break in.
Create an additional layer of security and make it harder for criminals to access your data by using two-factor or multi-factor authentication.
Be Aware, Be Vigilant, Be Skeptical!
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Holiday and Seasonal Scams
With the ever-growing popularity of online shopping and online communications, you should always have your guard up in the cyberworld. Criminals will use any situation to their advantage–especially when it comes to annual holidays.
Below you’ll find a few examples of commonly used seasonal and holiday scams, and what you can do to protect yourself.
Fake Shipping/Postal Notifications: End of the year holidays invite a greater likelihood of this common phishing attack, but this is a scam you must be cautious of all year long. Scammers send fake notifications that appear to come from postal service companies. The emails include dangerous links that, if clicked, could install malware on your computer or take you to a fake login page where your credentials will be stolen.
What can I do? To check the legitimacy of these types of claims, always log in to your online account or service through your browser–not through links in unexpected emails.
Travel Deals and Offers: Scammers know that their potential victims travel for holidays throughout the year. Cybercriminals send emails offering fake travel deals from well-known travel sites. They’re even known to create phony websites for cheap hotels and flights so they can rob you of your money.
What can I do? When something seems too good to be true, it probably is. Never click on links in unexpected emails. Before booking through an unfamiliar service, do your research and ensure the company is legitimate.
Social Media Deals and Sales: All social media advertisements are not created equal. A “paid advertisement” may seem trustworthy, but be warned: Anyone can pay to put an ad on social media. During holidays and popular shopping seasons, fraudsters buy ads that offer deals for items that you’re more-than-likely interested in–considering social media ads target the buyer market. The ads typically contain phishing links that lead to fraudulent websites where they will steal your credit card data. Even if the malicious ad is reported and removed, the bad guys typically only need one victim to fall for their trick to make it worth their investment.
What can I do? Always hover over links and URLs before clicking to check whether the URL will take you to a dangerous or unexpected site. If a social media ad appears to be from a company you’re familiar with, check the company’s website instead of clicking on links from the ad.
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Staying Safe Around Always Listening Devices
With the overwhelming popularity of always-listening devices such as Alexa, Google Home, and smartphones, you’ve probably heard stories of these devices joining in on conversations without being prompted. Perhaps it’s even happened to you!
While this idea can be alarming and unsettling, there are ways to protect your private information, and conversations, from these always-listening devices. To help you stay safe from these devices, here are some tips:
- Review and delete voice recordings: Your device will store your search and activity history to create a customized experience for you. However, you can review and delete these recordings from the device of your choice in order to protect your privacy.
- Mute the microphone: You can mute your microphone to ensure that your device is not listening and recording when you are not using it. The recording capabilities will remain off until you turn them back on.
- Don’t link accounts with sensitive information to your device: If you have any accounts containing your sensitive information in them, it is best not to link those accounts to your device. This will keep your sensitive information secure from potential data breaches.
- Change the settings to automatically manage data stored by the device: Personally managing what data is being linked with your account will give you more control on the information that is being stored by your device and will save you time when deleting your history.
- Turn off your device when you’re away: When in doubt, turn it off. If your device does not have a power button, simply unplug it.
By creating a habit of unplugging and deleting voice recordings from these always-listening devices, you can help to make sure that there is an extra layer of protection between your always-listening device and your private information.
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Post-its are not for Passwords!
Do you keep a login and password written down on a Post-it or piece of paper near your desk?
If so, you should get rid of it immediately! You should use a paper shredder to dispose of the Post-it.
Do not simply place the Post-it in the trash.
While it may be tough to remember a login and password for all of the sites and portals you belong to, writing the passwords down on a piece of paper, or keeping them in an unsecured document on your computer, is a bad habit to have.
This can put you and the entire District at risk.
Try to use passwords that are easy for you to remember, but hard for others to guess.
KnowBe4 Tip of the Week
KnowBe4 Security Tips - Think Before You Shop!
The bad guys are taking advantage of mobile shoppers this holiday season! By using mobile apps, they can trick you into giving your personal information or installing malware onto your smartphone. This can give them access to your credit card information or lock your smartphone with ransomware, forcing you to pay a fee to unlock it. To stay safe this year, never download apps from offers that sound too good to be true, never download from unofficial app stores, and do your research. Make sure to check for any fake reviews, the number of downloads the app has, spelling errors, or strange logos. When in doubt, only use retailers you trust through their official sites or apps.
Stop Look Think - Don't be fooled
*Click images to enlarge
Visit Connect.kcsd.org to stay "Kennett ConnectED"
- KennectED - District Technology; News, Events & Celebrations
- KCSD Cyber Safety & Security Awareness
- KCSD Newsletter
- CONNECT Dashboard inc. Student Resources
- Kennett ConnectED - KCSD Technology Vision & Goals
- District Website
- Why Kennett?
- Visit us on Twitter; https://twitter.com/KCSD"building"
Bancroft Elementary School: https://twitter.com/KCSDBancroft
Greenwood Elementary School: https://twitter.com/KCSDGreenwood
New Garden Elementary School: https://twitter.com/KCSDNewGarden
Mary D. Lang Kindergarten Center: https://twitter.com/KCSDMaryDLang
Kennett Middle School: https://twitter.com/KCSDKennettMS
Kennett High School: https://twitter.com/KCSDKennettHS
Kennett High School Sports: https://twitter.com/KCSDKHS_Sports
More more information please contact:
Dan Maguire, Supervisor of Technology Services dmaguire@kcsd.org or 610.444.4136