Back to School: Education Through Security

No more pencils, no more books, no more teachers’ dirty looks. We can all remember singing this as we skipped out of school on the last day of the school year. Some of us had more specific things we sang about; for me, it was my second-grade teachers glaring looks and homework assignments. However, summer vacation was always too short, and before we knew it, the dreaded moment had come to walk back into the same halls with new classes and new teachers.

For many students and parents today, there are added anxieties they didn’t expect or plan to be facing at the start of a school season. In March of 2019, an educational software company, Pearsons, announced it was breached. This breach affected over 13,000 schools and the data belonged to more than 100,000 students. Students’ first and last names, dates of birth, and email addresses were contained in that data, leaving them vulnerable to cyber-attacks. Many of these students were under the age of 18 and considered minors, which left their parents worried what cybercriminals could do with this information.

With new data breaches like this happening almost every day and the dangers that lurk online, back to school season can be overwhelming for all. While these types of incidents are nothing new, the rate and intensity of attacks has certainly raised the alarm for many. So how can students and parents protect themselves and their loved ones? This month, we will discuss this topic and provide tips and resources to help navigate the school year safely.

University Breaches Leave Students Vulnerable

According to the 2019 Verizon DBIR, there were over 380 confirmed, reported breaches that targeted educational services. Out of those breaches, 55% of the data compromised was personal data and 53% of the breaches targeted credentials and logins. For those students enrolled in these affected locations, their information was potentially compromised. For instance, in July of 2019, a phishing attack on Lancaster University in the U.K. was reported. The breach gave cyber criminals access to data for the 2019 and 2020 undergraduate student applications, including students’ names, physical addresses, telephone numbers, and email addresses. After this cyber-attack, some students started receiving fraudulent “invoices” from the school. Despite the school becoming aware and warning students of the fraud attempts, it was too late for some, as unnecessary payments were already made.

This example highlights some important facts. First—now more than ever— educational institutions need to be more sophisticated when it comes to taking preventative measures around cybersecurity. By taking the security risks seriously and putting training processes in place, they can begin to shield against future attacks and protect their students and employees.

Second, those who are enrolled in these institutions need to not only take precautions, but also be proactive about protecting their information. We spoke with Dr. Catherine J. Ullman, Senior Information Security Analyst at the University of Buffalo. As a security analyst, she frequently sees threats that are currently affecting students. Dr. Ullman has helped develop policies and reporting processes to assist students affected by cybercrimes. Her advice to students who find themselves involved in a cybercrime is to take these steps as soon as they’re aware they were involved in a scam:

    • Immediately stop any further communication with the email address associated with the scam.
    • The criminal may threaten you or use your identity for another scam. Don’t panic and don’t give in to their demands.
    • Change all passwords on any account(s) that were involved in the scam (email, banking, school login, etc.)
    • Contact financial institutions involved and report that your account was involved in a scam.
    • If you were a victim of fraud, make a report to your local law enforcement agency. Contact the university police as well (if your university has a unit).

 

Know Your Footprint

The task of protecting your information after a breach may seem daunting. Especially because much of the information accessed is personally identifiable information (PII) and the solution is not as easy as “changing a password.” Taking steps to protect yourself is important. Reports show that 1 in 3 data breach victims also become a fraud victim within the same year. The number one antidote to fear is preparation, and for many, there is plenty of time to prepare before anything happens.

Stalk Yourself: We all know how to do it and admit it: you’ve “cyber stalked” your ex, your bizarre cousin, or the crush you had in your psychology class. But we don’t often think about stalking ourselves. But doing so is key to keeping yourself safe. The digital footprint we leave behind is important to know, because what we leave behind us can be maliciously used against us.

Start with Googling yourself. Search your name in quotations with the city you live in, the school you attend, e.g. “John Smith” “Roswell, New Mexico”. Take note and organize what you find with each search and then continue to add terms to your name until you have a good idea of what is publicly available about you.

Shut It Down: Now that you know what is available about you, it’s time to do the footwork of erasing that data! Remove pictures or posts that reveal too much information, especially anything that may answer a security question on one of your accounts. Deactivate or hide old social media sites that are no longer in use (the 90’s called and said you can shut down that MySpace account.) Remove yourself from tagged images, posts, or other content that you do not want to be public. Don’t want your name on that family tree website? Take steps to remove it. Check and recheck your social media privacy settings. While Twitter offers a handy do-it-yourself guide, social media sites like Facebook will need to be rechecked often, as they change their settings frequently.

Rinse and Repeat: Unfortunately, with the Internet, your information cleanse is not a one-and-done situation. The process will have to be repeated often to ensure that new information has not surfaced. We recommend setting a reminder for yourself somewhere, whether that be a calendar event on your phone or a sticky note on your desk, to check on what personal information has become available. Do this by whatever schedule works best for you; monthly, quarterly, or yearly. In between checks, set up Google alerts so you’ll get an email notification as soon as anything becomes publicly available about you.

NOTE: While all of this does help and is recommended, all readers should be aware that there are ways for individuals to still find the information you have deleted. Due to things like Google Cache and the Internet Archive: Wayback Machine, it is possible to still view these past pages and information. By keeping an active security conscious moving forward, you can help control the amount of publicly available personal information.

Minors are Not Immune

Child protection is something that is very important to us here at Social-Engineer. A couple of years ago, our CEO Chris Hadnagy created a 501(c)(3) nonprofit that works closely with law enforcement to help find and prosecute those who are actively trying to harm children. The Innocent Lives Foundation (ILF) has assisted in hundreds of cases by providing actionable evidence to stop predators from doing harm to those who should be leading innocent, carefree lives. They work tirelessly on not only helping those who are already victims but trying to protect those who have the potential of becoming victims.

As parents, we are always trying to protect our children. When they were little, we stopped them from touching the hot stove. Then as they grew older, we made sure they wore their helmet when they rode their bikes. But now, we find that we also have to protect them from things unseen. In 2017, a study showed that 80% of teens (ages 13-18) and 23% of all tweens (ages 8-12) owned their own social media accounts. These children use social media to post pictures, talk to their friends, create videos or talk to those that share interest in their favorite video game or hobby. Innocent enough…until they meet someone who isn’t who they say they are. The ILF helped one such girl, Becca*, who was a normal 11-year-old girl who loved to use social media. Becca became friends with someone online who understood her well. Her new friend was a “14-year-old girl” who Becca shared her thoughts, feelings, and even pictures with. Becca’s new friend eventually told her she wanted to meet in real life. Fortunately, Becca’s parents became aware of their daughter’s new friend—who wasn’t really 14, or even a girl—a 32-year-old male child predator. Fortunately, with the ILF’s help, the predator was caught. This story highlights a very important point: this could be any of our children. And the only way to protect those who can’t protect themselves is to be proactive.

So, where do you begin? ILF has created an easy-to-follow formula to help you get started:

    • Frequently Communicate: Have free-flowing communication with your children about their use of the Internet and social media. When your child feels comfortable talking with you, they are more likely to share with you what they’ve been doing and who they have been talking to. As was in Becca’s case, transparent sharing could save your child’s life.
    • Educate: Arming your children with the knowledge they need to make smart, educated decisions when it comes to Internet safety is one of the best things you can do. There are several sites that can give you the tools you need such as, NetSmartz.org and InternetMatters.org.
    • Establish Boundaries: Detail your expectations when it comes to your children’s use of social media accounts. Create an “approved list” of apps and websites. Write a list of what kinds of photos and videos are OK to share. Outline who they can talk to online and what information they should never post (address, school, phone numbers).
    • Monitor: Many parents feel the need to take privacy one step further and use programs that help them monitor their child’s use of the Internet. Once installed on the phone, monitoring software can be used to audit the phone’s location history, call and text message history, and to track apps and their uses.

Security Throughout Education

While there are plenty of reasons to be concerned and worried for the safety of our children and our information, there also needs to be balance. Balance is especially important for our minor children, whose focus should be on their education and having fun. We should never let the reports and statistics and social engineering attacks scare us into forcing our child to completely unplug from everything. But with guidance and our own good example, we can teach our children to make smart choices and safely use the privilege of an online life.

For those in college, Dr. Ullman’s advice is to be alert and vigilant. “If someone (or an online form) is asking for your social security number (SSN) for example, ask whether it’s absolutely necessary before providing it. [Use] two-factor authentication wherever possible to protect accounts. Be skeptical and suspicious of any email that comes in asking for money or credentials. Don’t ever put PII on social media or send through e-mail.  It’s also a wise idea to make sure that you are monitoring your credit by obtaining a credit report from each of the 4 credit agencies (Experian, TransUnion, Equifax, and Innovis) once a year, which is free.”

The dangers may be mounting, but we hope that your school year is educational, fun, and most importantly: safe.

Written By: Amanda Marchuck

*Name has been changed

Sources:
https://enterprise.verizon.com/resources/reports/dbir/2019/educational-services/
https://www.social-engineer.com/social-engineering-training/
https://mashable.com/article/pearson-data-breach-students/
http://money.com/money/collection-post/2791976/data-breach-victim/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-06-issue-84/
https://twitter.com/investigatorchi
https://www.social-engineer.com/dont-pay-the-price-is-your-company-prepared-for-invoice-fraud/
https://www.newsday.com/entertainment/celebrities/familytreenow-com-how-to-remove-yourself-from-the-genealogy-website-1.12955422
https://www.google.com/amp/s/amp.cnn.com/cnn/2018/06/22/health/social-media-for-kids-parent-curve/index.html https://archive.org/web/
https://www.innocentlivesfoundation.org/core/uploads/2019/03/ILF-2018-Annual-Report.pdf https://www.innocentlivesfoundation.org
https://www.consumer.ftc.gov/articles/0155-free-credit-reports

Join our unprecedented training conference, SEVillage Orlando 2020, Feb 20-22. Find out more and register now at SEVillage.org!