Navigating remote and distance learning
None of the articles or frameworks above directly address what many schools realized very quickly when moving to a decentralized model of IT. As devices left our traditional network, security and IT staff needed to scramble to look for Software as a Service (SaaS) offerings that provided the flexibility needed for a remote working environment. Often, this meant taking devices that may have never left the network’s “circle of trust” (firewall, routers, content filters) and shipping them out to teachers and students. This was (and is) a whole new world for some organizations, as many of the core IT services are not available externally.
Below are a few resources that address this important shift.
Because virtual private networks (VPN) come with limited licenses and adds overhead, some schools may have migrated to O365 or Google Apps offerings. Here are some resources and checklists your IT staff can follow when configuring either environment to reduce the risk of compromise, data leakage, and other attacks.
Attacks targeting disruption of remote classwork (like “zoombombing”) continue to plague digital classrooms. Ensure both your enterprise team and remote users are aware of ways to improve the safety and security of their remote sessions.
The links below offer some suggestions on how to protect popular video conferencing solutions:
Layering security controls and maintaining defense-in-depth is always key, and it’s especially critical when devices are leaving the confines of your district’s protected network. Leveraging some sort of proxy or web content blocking on the device will help in blocking malicious and adult content. Layering a secure DNS service with filtering options can also provide you and your students some peace of mind.
The services below offer a variety of content blocking capabilities that may prove helpful. It’s worth noting that they each have their limitations and some have a cost associated.
Stanford’s Information Security Risk Classifications
As you enable a remote workforce and learning environment, you’ll run into some hassles keeping track of all the data for which you’re responsible. Stanford publishes their own standards and guides around how they protect different types of systems and data with approved vendors and checklists. You can use these to help guide your way if you get overwhelmed.
Better together: connecting with others
The importance of community and collaboration in times of crisis cannot be stressed enough. Building, growing, and managing something as complex as a security program is challenging, and the current uncertainty only adds to that. Remember, you are not alone in all of this! Take advantage of the many organizations offering support, information, and services to help you through it.
Here are a few of the groups I’ve found particularly helpful over the years.
Multi-State Information Sharing and Analysis Center (MS-ISAC)
MS-ISAC is a government-funded organization that stresses the importance of cybersecurity among State, Local, Tribal, and Territorial (SLTT) organizations, which includes K-12. They do this through a variety of free and paid programs (usually subsidized through grants) that can help with training, awareness, and vulnerability management, as well as open access to experts throughout the country. Take a look at their website to learn more about their programs and ways to register.
Research and Education Networks Information Sharing and Analysis Center (REN-ISAC)
REN-ISAC has a paid membership for colleges and universities. Member institutions benefit from threat intelligence and peer assessment services to improve security posture. They also facilitate professional training and development with webinars, regional workshops, and an aggregate purchasing program with the SANS Institute.
Peer and government communities
While serving in a K-12 role, I was amazed at the power of reaching out to members in my state and local government communities. Many of their security leaders were dealing with similar challenges, and I was able to build a network I could talk to, ask questions of, and seek insight from. We are all working towards a better, more secure future for the citizens and students we serve, and I found that most people are eager to help if you just ask. Organizations like MS-ISAC helped facilitate some of these conversations, while others required me to be more proactive in reaching out for an individual’s time. (Often with coffee!)
Talking to other educational institutions is also extremely helpful. Taking the time to collaborate and share notes with other schools helped my team continuously structure, tweak, and mature our program. We were able to create a community focused on protecting our organizations, learning from each other, and pooling resources, talent, and training to ensure our collective education objectives were met.
Organizations like Educause, ISTE, and CoSN provide other ways to get involved and speak to other K-12 organizations. Note that many of these groups require memberships, with associated fees.
Here are a few free resources from these organizations that are specific to COVID-19:
Recognize the work you just accomplished—and document it!
As the world continues to adapt to the “new normal,” the commitment, resourcefulness, and resilience of our educators, support staff, and faculty deserves to be applauded. The work you’re doing to safeguard our students in virtual settings is critical.
You’ve taken on a monumental task: migrating normal operations to multiple, distributed remote sites, all the while continuing to deliver a safe environment for your staff and students. Don’t let the work go to waste. Leverage planning time to collect what worked and what didn’t. Take time to document the tools, resources, communication plans, and processes established during your move to remote learning, as this serves as a future plan for a Continuity of Operations Plan (COOP) or an Emergency Operation Plan for future disasters and disruption events for your school.
Here is a FEMA Sample Emergency Operations Plan you can use for reference.
I hope these resources help relieve some of the burden for you and your schools, so that you can continue the important work of empowering, reaching, and educating today’s students. All of us at Red Canary take a lot of pride in being a security ally to organizations, whether or not they are customers.
If you’ve been working to secure your school’s virtual learning environment, I’d love to hear from you and collaborate. Message me on LinkedIn anytime or contact firstname.lastname@example.org with any observations or questions.