Rick Rolling EDU at DEFCON
https://lasvegascalendars.com/event/def-con-30-hacking-conference-2022/

Have you ever been “Rick Rolled”?

Let me tell you about a DEFCON story I came across recently on Twitter, from Cory Doctorow (@doctorow). (Link to the tweet at the bottom.)

The session was a confession of sorts by a very intelligent young man, Minh Duong (@WhiteHoodHacker).

Minh and some fellow classmates hacked into the entire district's PA system and video projectors to play a little prank on the district on April 30th, 2021.

They took advantage of a weakness that most organizations on the planet suffer from: not knowing every IT asset in their network environment. This problem is magnified in K12, where the ratio of devices to IT staff dwarfs that of their commercial brethren. A quick scan of the Internet revealed an average of about 150/1 in the business world versus 500/1 or more in the education space. To complicate matters further, there are always some internal threats in K12 that are actively hacking at the network. Luckily, Minh and his friends were more curious than intent on evil, or it could have been much worse for the district. Minh and team even turned over a 26-page pen test report to the district with their findings of other vulnerabilities as well. Luckily, the district was smart enough to take advantage of this information, worked with them, and incorporated some of the students' suggestions to make things safer.

The tools used were just everyday utilities, many of which are built into the operating systems. This was not some complex state-sponsored brute-force attack. These students used these utilities to find applications in use that had known vulnerabilities, including an especially buggy one that was used to monitor students' activities on school-owned equipment. Sadly, much of this could have been prevented had the district had an accurate and up-to-date inventory not only of the devices on their network, but also of any applications in use. The first step in protecting your house is to know where all your windows and doors are so that you can make sure they are working properly and are locked. Not knowing all the applications and devices in your environment is like putting the welcome mat out for bad actors with the key underneath, yet this is a common scenario, especially in education, where organizations are understaffed and underfunded and lack the ability to compete with commercial entities that can pay considerably more for talented IT staff.
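To make the inventory point concrete, here is an added example (not from the article, the talk, or any district's tooling) of the kind of reconciliation an IT team can run: compare the asset records it believes in against what discovery actually sees on the network, and compare installed software against an approved baseline. Every MAC address, hostname, application name, version string and "known bad" entry below is a constructed placeholder, not real product or vulnerability data; the data sources (a CMDB export, DHCP leases, an agent census) are assumed.

```python
# Added example, not from the article: reconcile a declared asset inventory
# with what is actually observed on the network, and flag the gaps the
# article warns about: devices nobody tracks and software nobody approved.
# All MACs, hostnames, application names and version strings are constructed
# placeholders; KNOWN_BAD is placeholder data, not real vulnerability records.
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    hostname: str
    software: Dict[str, str]   # application name -> installed version


# Constructed CMDB export: MAC -> (asset kind, location). What IT *thinks* it has.
CMDB = {
    "aa:bb:cc:00:00:01": ("laptop", "teacher-lab-1"),
    "aa:bb:cc:00:00:02": ("projector", "room-104"),
    "aa:bb:cc:00:00:03": ("pa-controller", "main-office"),
    "aa:bb:cc:00:00:04": ("laptop", "teacher-lab-2"),   # tracked, but not seen today
}

# Constructed approved-software baseline: application -> the one approved version.
APPROVED = {
    "classroom-monitor": "4.2.0",
    "browser": "110.0",
}

# Constructed list of versions with publicly known issues (placeholder values).
KNOWN_BAD: Dict[str, Set[str]] = {
    "classroom-monitor": {"3.9.1", "4.0.0"},
}

# Constructed discovery results, as if merged from DHCP leases and an agent census.
OBSERVED = [
    Observed("aa:bb:cc:00:00:01", "10.0.1.10", "lab1-laptop",
             {"classroom-monitor": "4.2.0", "browser": "110.0"}),
    Observed("aa:bb:cc:00:00:02", "10.0.1.50", "proj-104", {}),
    Observed("aa:bb:cc:00:00:03", "10.0.1.60", "pa-main",
             {"classroom-monitor": "3.9.1"}),            # outdated monitoring agent
    Observed("aa:bb:cc:00:00:99", "10.0.1.77", "proj-unknown", {}),    # not in CMDB
    Observed("aa:bb:cc:00:00:05", "10.0.1.20", "lab-spare",
             {"remote-shell-tool": "1.0"}),               # not in CMDB, unapproved app
]


def reconcile(cmdb, approved, known_bad, observed):
    """Return the four gaps an inventory review should surface."""
    seen = {o.mac for o in observed}
    report = {
        "unknown_devices": [],      # on the wire, not in the CMDB
        "missing_devices": [],      # in the CMDB, not seen (stale record or offline)
        "unapproved_software": [],  # (host, app, version) not matching the baseline
        "vulnerable_software": [],  # (host, app, version) on the known-bad list
    }
    for o in observed:
        if o.mac not in cmdb:
            report["unknown_devices"].append((o.mac, o.ip, o.hostname))
        for app, ver in o.software.items():
            if ver in known_bad.get(app, set()):
                report["vulnerable_software"].append((o.hostname, app, ver))
            if approved.get(app) != ver:
                report["unapproved_software"].append((o.hostname, app, ver))
    for mac, (kind, location) in cmdb.items():
        if mac not in seen:
            report["missing_devices"].append((mac, kind, location))
    return report


def coverage_ratio(cmdb, observed):
    """Fraction of observed devices the CMDB actually knows about (1.0 is the goal)."""
    if not observed:
        return 1.0
    known = sum(1 for o in observed if o.mac in cmdb)
    return known / len(observed)


if __name__ == "__main__":
    result = reconcile(CMDB, APPROVED, KNOWN_BAD, OBSERVED)
    for key, rows in result.items():
        print(f"{key}: {len(rows)}")
        for row in rows:
            print("   ", row)
    print(f"inventory coverage: {coverage_ratio(CMDB, OBSERVED):.0%}")
```

Run as a scheduled job, the interesting output is not the summary count but the two lists nobody expected to be non-empty: devices that answer on the network without a CMDB record, and software versions that sit on a known-bad list. A coverage ratio well under 100% is the "windows and doors you don't know about" problem stated as a number the budget conversation can use.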

So, what can be done to turn this around?

I am glad you asked. (NOTE: If you are an IT leader, please feel free to skip to the end of the article, as many of you already know the things below. In fact, this list came from many of those discussions with you over the years.)

  1. The first thing that needs to change is to view technology as a critical success factor in enabling a strong academic program. It is necessary to provide a reliable and secure foundation from which to enable teachers to do their best work. Those schools that I have seen be most successful have this mindset, and their technology budgets reflect it.
  2. To be fair, I have talked to many people who want to embrace the item above but lack the funding to do so. Their funding models were designed at a time when the public cloud and the “As a Service” model did not exist. Because of this they rely heavily on a capital budget from selling bonds. Unfortunately, accounting rules prevent them from purchasing cloud services because they cannot put an asset tag on it and depreciate it. I am not an accountant, nor did I sleep at a Holiday Inn last night, but other than not being able to put an asset tag on it or have a $1 buyout at the end, how is purchasing some virtual servers or a technology platform to deploy, manage, and secure the fleet for 3-5 years any different?
  3. Regionalize some of the more complex things, like a Security Operations Center, at a state department of education or regional service center so that they can scale the talent and technology. This is especially needed at smaller schools where the bus driver is also the IT person.
  4. Finally, make organizational changes so that Info Sec and Operations are on the same team and both report to the Superintendent. These have become extremely specific skill sets, and having the ISO officer under the CIO used to make sense but no longer does. Even more importantly, they need complete visibility of what each side is doing so that they can present a unified front and expectations are a known quantity.

I know that these suggestions are a radical change for some people, but these are blockers I have heard for over a decade. They fall into the “we’ve always done it that way” bucket, and it needs to stop, or nothing will change.

I have also seen orgs that make these changes do amazing things. I remember when schools told me that they could not enable remote learning at scale because it is too difficult, they don't have time, they don't have (fill in the blank), yet I watched them do just that in a couple of months when COVID hit. That excuse can no longer be used. Organizations who have made these changes have transformed their security posture.

One of my favorite movies is Moneyball. There is a scene where the coaching staff is trying to pick a minor league player to replace a big player they just lost. The coaches are talking about how good of a hitter he is, how the ball sounds coming off the bat, etc. Brad Pitt is the manager and asks a simple question: “If he is such a good hitter, why doesn’t he hit good?”

So, I'll ask you that same question. If what you are doing today is working, why isn’t it working? Do you stay awake at night worrying about the windows and doors you don’t know about being secure, or are you 100% sure that you don’t have video projectors that will suddenly start playing Rick Astley? That is not a pleasant wake-up alarm, for sure.

If you would like to talk more about this please send me a DM.

https://twitter.com/doctorow/status/1558583331070955521

#storytelling #transformation #notechsplaining Tanium

Josef Martens Ph.D.

CTO Coach and Advisor ◆ Founder of Tech Executive Club, the premium community for CTOs, CIOs and Tech Execs ◆ Helping smart and hungry tech execs achieve their growth aspirations without burning out

9 months

Doug, thanks for sharing!

Lisa S. Sams

Public Sector Ally | Expert Cybersecurity Sales Professional

2 years

Spot on Doug!

Rania Zervalaki Patrona

I Help Brands Stand Out by Creating Awareness, Visibility, and Lasting Presence to Drive Growth

2 years

Love this!

Carlos Adell

Recovering Engineer & Automations Nerd | Building businesses that work, even when you don't | Featured

2 years

Totally agree with you on this, Doug Thompson! Thank you for sharing this article with us!

Jennifer Pittman-Leeper

Public Sector fanatic - bringing public and private sectors together to do more

2 years

I agree!!
