Data Guardian: Cybersecurity for Educators
Purpose of This Course
You will learn:
The purpose of this course is to broaden your knowledge of the tools available around safeguarding sensitive information.
- Why it is important to secure data
- How to encrypt it
- How to protect your passwords,
- Best ways to secure your data and device(s), as well as what you put in the cloud.
Menu
- Module 1: Become a Data Guardian
- Module 2: Encrypt Your Data
- Module 3: Protect Your Data
- Module 4: Secure the Cloud
- Module 5: Know Your Tools
Module 1: Become a Data Guardian
What’s the one thing you don’t do in fantasy novels? Wake the sleeping dragon. You don’t poke the sleeping creature that has the power to destroy you and wreak havoc on your reality. Yet, that’s exactly what we do every time we fail to safeguard sensitive data.
Why This Matters
One of the most important things you can learn about safeguarding sensitive data is the vocabulary describing the theft of data. We’ll be exploring that vocabulary, as well as how and why data breaches occur. Often, being aware of the situations that set you up for data theft can assist you in avoiding them.
An important consideration is when you and your organization are liable for data breaches. Most states, including Texas, provide for protections for individuals and organizations under certain circumstances.
In this module, we’ll unearth some of those circumstances as well as learn how data encryption can protect your privacy and that of those you serve.
Is There a Problem?
Are Your Personal Records CyberSecure?
Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of people. Two examples:
- Texas Dept of Agriculture compromises the data for 39 school districts (ransomware attack on an employee’s laptop)
- Office of Personnel Management case, 21.5 million workers were impacted.
- Equifax breach with several million affected).
- FAFSA (Student Financial Aid Program by IRS)
Individuals’ personal information is scattered to unknown reaches of the globe.
Are IT Directors/CTOs/CIOs Keeping Student/Staff Cybersafe?
Experts say K-12 schools are also at risk — from outside threats and students who want to stir up trouble — as they rely more on technology for day-to-day operations and incorporate more software, apps, online programs and Web-based testing into classes.
“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.” Adapted from Source: Cybersecurity in K-12 Education
Consequences for Schools
There can be various consequences to not securing data, such as the following:
- Direct costs are incurred by school districts for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
- The cost of paying for credit protection for individuals affected.
- The school district may suffer damage to reputation.
- Staff may be disciplined or terminated depending on the severity of the data breach.
Ongoing bad press as identity theft cases mount.
2-Exploring the Vocabulary
There is a beguiling amount of jargon and vocabulary relevant to cybersecurity (systems and things) and cybersafety (people).
Let’s explore this vocabulary in more detail.
Cybersecurity
- Cybersecurity: Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security (Source)
- Content Filters: On the Internet, content filtering (also known as information filtering) is the use of a program to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable (Source)
- Data Breach: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property (Source).
- Denial of Service (DOS)/Distributed Denial of Service (DDOS) Attack: A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses (Source). In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more (Source).
- Firewall: Software/hardware that blocks external attacks from malicious attackers
- Malware: A catch-all term for malicious software targeting computers and mobile devices. 170M malware events in 2014 (Source).
- Personally Identifiable Information (PII): Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context (Source).
- Phishing: An attack that impersonate user(s) to obtain data access via email. Nearly 50% of users fall for this.
- Point of Sale (POS) Intrusion: An attack that targets a device transacting a sale. Account for 30% of data breaches.
- Ransomware: A form of malware in which rogue software code effectively holds a user’s computer hostage until a “ransom” fee is paid. Ransomware often infiltrates a PC as a computer worm or Trojan horse that takes advantage of open security vulnerabilities (Source).
- Safe Harbor: The concept of “Safe Harbor” refers to specific actions, example; encryption of private data, that an individual or an organization can take to show a good-faith effort in complying with the law. This good-faith effort provides a person or organization “Safe Harbor” against prosecution under the law (Grama, 2015, pg.253). The State of Texas Statute 521.002 states that when a an individual’s first name or first initial and last name are combined with other private information, example, Social Security Number, that the information must be encrypted. (Source)
Web App Attack: A web-based attack that relies on http/https protocol to target a website. Ten to twelve percent of data breaches occur as a result of this form of attack (2014) (Source).
3 - Developing Policies and Procedures
Failed cybersecurity efforts represent a problem at large for society. The consequences are also felt in schools given improperly trained staff, students, and a lack of policies and procedures.
Cybersafety has a direct impact on the cybersecurity of an organization. The less cybersafe staff and students are, the greater the threat to personally identifiable information (PII).
The best way is a concerted approach to safeguarding sensitive data.
Get the ebook (ePub) | Google Docs
Cross-Departmental Collaboration
“Process. The process has to involve HR, Business Office, and M&O,” said David Jacobson (Lamar Consolidated ISD). The Executive Director of Technology for Round Rock ISD agreed. “It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD).
In these situations, it is important to 1) recognize the need; 2) clarify the depth of the hole the organization is in; and 3) present a plan to never be in that hole again. Make sure your district has an equipment replacement plan. And that is then followed by a disaster recovery and business continuity plan.
Systems Approach and Assessment
Conducting a needs assessment remains a critical first step. Moving forward from that benchmark assessment can involve developing a design of how data flows in the district.
You need to how it can best be maintained, backed up, and set up for disaster recovery/business continuity.
- District Policy & Procedure (End of Year)
- Safeguarding Sensitive Data handbook
- Securing Data in Cloud Storage
- Encryption: Friend or Foe in Texas Schools?
- Safeguarding Student Privacy
- Data Security: Questions to Ponder
- Sample Letter: Dealing with a Data Breach
4 - Encryption Safe Harbor
What steps should you take when your school or district organization has been hacked?
- Contain
- Assess
- Recover
- Disclose
Recommendations
- Create strong cybersecurity foundations: Invest in the basics, such as security intelligence, while innovating to stay ahead of the hackers.
- Undertake extreme pressure testing: Don’t rely on compliance alone; identify vulnerabilities to be able to outwit and outpace attackers.
- Invest in breakthrough innovation: Balance spend on new technologies, such as analytics and artificial intelligence, to scale value.
Source:Accenture, 2017 Cost of Cyber-Crime Report
Encryption Safe Harbor
Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor. Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler).

CyberSecurity Frameworks
NIST CyberSecurity Framework
This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. Watch a long video overview | Watch short videoView Framework in Google Sheets format (find most up to date copy at NIST)
MITRE’s ATT&CK Framework
MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE started this project in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Watch video shown right to learn more. Listen and Learn about MITRE’s ATT&CK “CyberThreat Encyclopedia”
Module 2: Encrypt Your Data
In this module, you will learn how to encrypt files or folders using free software. Creating encrypted backups for placement on external hard drives or saving to cloud storage (e.g. Google Drive, Microsoft OneDrive, Dropbox) will also be modeled.
Ready to Encrypt Your Data?
Obstacles to Overcome
Recent attack vectors have left educators reeling from massive data breaches due to ignorance and a lack of consistent procedures for safeguarding sensitive data.
Just as hackers employ encryption to deny access to data on an ransomware-infected machine, so can educators and students learn to use encryption to prevent unauthorized access to data. Popular data encryption tools are available. Are you using them?
Obstacle #1 - Not a Priority?
For many districts, safeguarding sensitive data isn’t a priority. Some tips for making it one:
- Conduct a benchmark assessment of current practices
- Get executive leadership to form a stakeholder committee
- Develop Policies and Procedures for Safeguarding Sensitive Data
- Review paper processes
- Review digital processes
- Compare them to what other’s do
- Develop incident response team
- Provide professional learning
Obstacle #2 - Enterprise Level?
Establish procedures for handling sensitive data in your classroom and/or office. Ensure that data containing personally identifiable information (PII), as well as usernames/passwords to popular services, is encrypted.
Obstacle #3 - Shoulda, Woulda…
Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor.
Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler). See other links to the left.
This is a question you will get. Make sure you keep your response simple and make it a requirement of dealing with sensitive data.
- Avoid embarrassment and high-cost of identity theft protection for students and staff. Texas Safe Harbor law protects organization that encrypt data should that data be lost or stolen.
- Avoid sending decrypted confidential information via email or as email attachments. Phishing attacks can compromise users’ accounts and spread to all quickly via email groups (a.k.a. distribution lists). Decrypted data on compromised accounts can be a treasure trove and lead to costly issues. Encrypted email attachments are no big deal on a stolen smartphone, tablet or laptop. Decrypted email attachments or files on stolen devices puts the district at risk for liability and lawsuits.
- Avoid saving decrypted files to portable devices (e.g. laptops, tablets) and/or storage media (e.g. USB flash drives, pendrives, sticks, hard drives).
- Always encrypt sensitive data before sending it to a third party solution provider. Negotiate up front, over the phone how you will encrypt data and come up with a solid password to use. If data is transferred from a server, encrypt it FIRST before placing it on the server, then use Secure FTP to transfer it. An alternate approach is to grant the 3rd party solution provider Virtual Private Network (VPN) access to a specific device. This may be easier since you can setup a network share, a mapped drive, to make it simpler to create and share files quickly. Again, it is better to encrypt than to have decrypted files at rest on an intranet server.
NEVER place decrypted sensitive files online on an internet server and/or in cloud storage.
- Are Schools Easy Targets for Cyber Threats? The Latest Report Says “Yes”
- Texas Privacy Laws
- Safe Harbor and State of Texas Breach Notification Laws
- TCEA Responds: Securely Back Up and Encrypt Data
- Encrypt and Protect Sensitive, Confidential Data
When Will I Use This in the Real World?
This is a question you will get. Make sure you keep your response simple and make it a requirement of dealing with sensitive data.
- Avoid embarrassment and high-cost of identity theft protection for students and staff. Texas Safe Harbor law protects organization that encrypt data should that data be lost or stolen.
- Avoid sending decrypted confidential information via email or as email attachments. Phishing attacks can compromise users’ accounts and spread to all quickly via email groups (a.k.a. distribution lists). Decrypted data on compromised accounts can be a treasure trove and lead to costly issues. Encrypted email attachments are no big deal on a stolen smartphone, tablet or laptop. Decrypted email attachments or files on stolen devices puts the district at risk for liability and lawsuits.
- Avoid saving decrypted files to portable devices (e.g. laptops, tablets) and/or storage media (e.g. USB flash drives, pendrives, sticks, hard drives).
- Always encrypt sensitive data before sending it to a third party solution provider. Negotiate up front, over the phone how you will encrypt data and come up with a solid password to use. If data is transferred from a server, encrypt it FIRST before placing it on the server, then use Secure FTP to transfer it. An alternate approach is to grant the 3rd party solution provider Virtual Private Network (VPN) access to a specific device. This may be easier since you can setup a network share, a mapped drive, to make it simpler to create and share files quickly. Again, it is better to encrypt than to have decrypted files at rest on an intranet server.
NEVER place decrypted sensitive files online on an internet server and/or in cloud storage.
Encryption Tools
In the individual exercises, you will explore how to encrypt both text and files using AES-256 encryption. There are various ways to accomplish this. Find the way that works best in your environment and implement it consistently.
Make sure to use a secure password generator and to protect sharing that password with end to end encryption tool (e.g. Signal).
Text Encryption
You can use a variety of text encryption solutions. These are ideal for text/email messages you might send on your smartphone, as well as via a computer.
Tool #1: Paranoia Text Encryption
- iOS | Android | Windows | Mac | Web version
Tool #2: Browser-based Text Encryption
Activity - Encrypt and Decrypt Text
Part 1 - Decrypt Text
To facilitate decryption, open the Paranoia Text Encryption Online tool (via the web browser on your device, including smartphones) and paste in the text that appears below. Use the password - kQgWbQhc58wc - and send it to “mguhlin@tcea.org” via email. Obviously, this password would not be shared on a web page for anyone to access. It is shared here for demonstration purposes.
==Begin Encrypted Text Below (only copy encrypted content, not anything with == in front of it)
fIqoBFlGIJibGhbYnHhdKkrpjQs2a]DKvDuxGOIEosjfgk)bHvqKB693PuPdSGCbtT9rS]KB3PFNo0MVKm95B)yF06rj)]KrLJnPfpogU1yIT]DgCzbsw8PlqxSZ]ndqcefwocfLOX9)q3tDSWtNg9WPw85yMyI47H6t8y1)LESw3P3roKKx3)3QscDPifOOTPhwOzmMkvl5ZgzvkzIbX8gQrcXrXJR2O9r5axA63]L6Ja9L6UeVt1Q810oZlDkLD2RIu0RS6ilV8aIR)TIrs66MxYYOqgh2HQ1UgSuI33EMuV8jGENDYxjxGA)5K]g6YJekzBGr5iWGYymUTP)UQvRIU2TSfmkIYzpAIozEMcBsrZ9KBzfchP1LdkB7oOH6ZSnFIrDskFwgx31AjCGeOEjy8bhkvF9gx2UkCDr28rMfR6DIPUGX7vjZY5fuDR])blioTUqE1I66ltMkJ9lMHTjntNQhu1rED232iV727yBPuNHJWu1qfNDgQLNsxngWIuxu7Y2Wt3jH1ql3IpePG3w1sjicGwmfzsj]1lW)1MoXzkFuLI8fC5556Q8FSG6R44XS)Sy5z5Xq412u6XPPU4M3HanQrIb1SGGTcjf1QDStWTREzQQKeT9G5blz499O8YxWqq9Q4Q1poQYFqDXYBPZjV9i93AiP9W4JStyShTU)ezjqBWpQmEy4UVCPD7yR]QLBcSUZT7OshQ)Ow6lxZm)lU6A!
==End Encrypted Text Below (only copy encrypted content above)
Part 2 - Encrypt Text
To encrypt text, type your own message in the Paranoia Text Encryption Online tool and then send the encrypted text to “mguhlin@tcea.org” with subject line of “Encrypted Text.” Use the password - T5ecaJiMepSU - to encrypt. Or, if you prefer, use a different password.
File Encryption
Encrypting files with AES-256 can be done with a variety of tools. Here are a few you can use that are free. A few tools include:
- 7zip for Windows - This is a zip/7zip compression program that combines multiple files into one. Works great with a wide variety of files. Think of it as putting a folder of files into ONE file that is compressed for space and encrypted for security.
- Keka Zip for Macs - This is the same thing as 7zip but for Mac computers.
- Paranoia’s Secure Space Encryptor (SSE) - Here is (what I think) is the best cross-platform encryption tool available. It works on the most platforms (e.g. Android, Mac, Windows). One of the features is that it can take a folder of files and encrypt them all into ONE file.
- FileLock.org - A browser-based solution that works well for Chromebooks. Encrypt individual files via your web browser.
Another video on encryption tools.
Activity - Encrypt and Decrypt Files
ParanoiaWorks Secure Space Encryptor
Part 1 - Encrypt File(s)
- Get Secure Space Encryption (SSE) tool, 7zip (Windows) or Keka (Mac). Set it up on your computer.
- Find a file or folder (avoid folders with hundreds of files for this activity…a folder with 2-5 files is sufficient).
- Encrypt the file/folder with your preferred tool using AES-256 encryption protocol. Use this password: M9pXYbENF5mp
- Send the file as an attachment to Miguel at “mguhlin@tcea.org” with Subject: Encrypted File
7zip Encryption
Part 2 - Decrypt File(s)
- Save the file available online and decrypt it. A copy of the encrypted file is available in ZIP (*.zip) or SSE (*.enc) encrypted format.
- Open the files successfully on your device.
Final Step
Make sure to shred/wipe the ORIGINAL decrypted files/folder(s) when “at rest.” Of course, first check that your decryption password works.
Dragging items to the Trash/Recycle Bin is insufficient since they can be recovered using a free tool like Recuva or Kickass Undelete on Windows or your hard drive accessed on a GNU/Linux system then files recovered.
- File Shredder (Windows)
- Bleachbit (Windows/GNU-Linux)
Email Encryption Tips
You can easily encrypt emails in Google Suites or Outlook using one of these tools. Remember that you can also use ProtonMail or Tutanota encrypted email providers for personal use.
- Virtru Email Encryption - Encrypt email messages you send to anyone (e.g. Gmail, Yahoo, etc.) (Watch video)
- Mailvelope - Another way to encrypt email using public/private key encryption (Watch video)
Paranoia Text Encryptor (PTE) - Call someone, give them the password then email the encrypted text (Watch video)
PGP/GPG Tools (free and open source)
“Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.” (Source: Wikipedia).
OpenPGP Tool, Option #1 - Gpg4win
Gpg4win is the official GnuPG distribution for Windows and provides the high cryptographic standards of the GNU Privacy Guard. GnuPG follows the recommendations regarding algorithms and key length of the German Federal Office for Information Security (BSI).
To create OpenPGP and X.509 certificates Gpg4win uses a key length of 2048bit by default. The default algorithm for signing and encrypting is RSA.
- Sign single files or complete folders directly from the Windows Explorer with GpgEX or Kleopatra. You can select multiple files and folders to sign and encrypt them recursively into a gpgtar archive.
- The provided Outlook plugin GpgOL allows to sign and encrypt emails directly in Microsoft Outlook. Attachments can be encrypted as well, in one go with the email body. Verifying signatures and decrypting messages is done directly in Outlook too.
A step-by-step installation guide is provided as part of the Gpg4win Compendium.
Download/get Gpg4win now
OpenPGP Tool, Option #2: GoAnywhere
Open PGP (free), also known as GPG, is a popular encryption standard that protects the privacy and integrity of sensitive files. Open PGP implements asymmetric (public key) cryptography to provide strong security and repudiation of files. GoAnywhere MFT provides robust support for PGP, allowing you to:
- Encrypt files with one or more Public Keys
- Decrypt files with Private Keys
- Sign files with Private Keys
- Verify digital signatures in files using Public Keys
- Generate full audit logs of all PGP encryption and decryption processes
Open PGP software is used by banks, financial institutions, healthcare organizations and other highly regulated industries to protect their most sensitive files. (Source)
3 - Data Backups to Local/Cloud Storage
From ransomware to simply human error, it’s easy to lose data. That’s why it’s important to make regular data backups. Most people don’t know how, so they tend to rely on cloud storage or nothing.
One way to avoid that is to get a USB external drive (2 terabytes is plenty. USB external drives last three to five years on average, so you may want to invest in one every three years to backup your data). You can use free tools to automate backups.
One free automated backup solution is FileFreeSync. Watch these video tutorials to get started.
Another tool is Free Commander (Mac alternatives).
Take advantage of these tools, and spend the time to learn how to backup your files.
4 - Encrypted Data Containers
Cross-Platform Solution: VeraCrypt
VeraCrypt is a source-available freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file or encrypt a partition or (in Windows) the entire storage device with pre-boot authentication (Source: Wikipedia).
Veracrypt has fixed problems identified via an audit of its predecessor, TrueCrypt. This makes it MORE secure and an excellent solution.
“VeraCrypt supports two types of plausible deniability–the existence of encrypted data is deniable because an adversary cannot prove that unencrypted data even exists. Hidden volumes reside in the free space of visible container volumes–space which would otherwise be filled with random values if the hidden volume did not exist. Hidden operating systems exist alongside visible operating systems. If an adversary forces you to hand over a password, you can just give them the password for the visible OS” (Source: Five Best Disk Encryption Solutions).
Windows Only Solution: CipherShed
CipherShed relies on TrueCrypt’s code, is primarily available for installation on Windows.
You can build the program from the source code for Mac and GNU/Linux, but you can save yourself some headaches and skip that. Best to use a solution like VeraCrypt that’s well-supported and cross-platform with OS specific setup programs.
Disk Encryption Solutions
There are many types of encryption. Ask yourself, “Do I really need to encrypt this data? Do I need to have it around unencrypted?”
That’s why I have two separate folders on my hard drives. One is encrypted and has top secret files that I wouldn’t want to get out (e.g. medical, personnel, financials). The other is encryption free and where I store family photo albums, public work files, and more.
You can see in the image (left) that file/folder level encryption allows you to encrypt individual files or folders, but your operating system works without encryption.
Full-disk, or whole-disk, encryption, involves putting your whole hard drive, including the operating system, into a lock box. While this is desirable in some situations (e.g. you’re a spy), it can cause a serious performance hit. And, if there is a hard drive failure of any sort, you lose all your data.
Which solution works best for you?
Bitlocker and FileVault
The main benefit of these two solutions, neither of which is open source, is that they come with your device. That said, I don’t recommend either.
Bitlocker is a Windows specific solution that offers whole disk encryption. Some organizations use it, but due to the performance hit, many avoid it. Instead they rely on encrypted data containers (e.g. VeraCrypt) or file/folder encryption with AES-256. FileVault is Apple Mac specific.
Scenarios to Consider
Scenario #1 - External Drive
“John,” began Liz, the PEIMS Data Clerk at the high school. Tears started to stream down her face. “I saved some work out of iTCCS to take home and analyze last night onto my USB drive. This morning, when I went to pick up my coffee from Starbucks, I think it fell out of my purse while I was paying. I can’t find it and I’ve looked everywhere.”
Liz paused then said, “I had the entire freshman class’ data on an encrypted file. What do I do?”
Scenario #2 - Emailed File
“Melodie,” said her superintendent. “Turn on the news.” It was 5:30pm and Melodie was just getting home from an after-school event.
As she watched the news broadcast play on the television, her heart dropped into her stomach. “What do we do, Jim?” she asked her super.
“Let’s plan to meet tomorrow morning after Cabinet to discuss what our next steps are. While I am meeting with Cabinet, take a moment to discuss this with Charles (the tech director). Come up with our next steps and we’ll figure this out.”
Scenario #3 - Paper
“I just need a quick print-out so I have something I can reference in my hand,” Jill exclaimed. As Darlene printed out the report from iTCCS, she promised to put the document in Dropbox so Jill could get to it more easily. Jill dropped the sheaf of papers into her briefcase and ran out the door.
“Maybe,” she thought to herself, “I’ll have time to stop at HEB on the way home tonight, get a good night’s sleep so I’ll be fresh for this data presentation tomorrow morning.” She looked at her briefcase, carefully locking it in the trunk and casually throwing a blanket on top of it, just in case.
Scenario #4 - Outside Our Control?
“I have thought about disaster recovery, but I haven’t given any thought to our hosted solutions and how we’re backing up that data.
How am I going to ensure that data is protected when it’s outside of my control?”
Module 3: Protect Your Data
No matter how you access data (e.g. documents) or software you install, each brings with it the potential for malware. That is, an opportunity for those who mean you harm to infect your computer with viruses and spyware. While your organization may protect your work device, it may not do so for your personal devices. In this module, you will learn to protect your personal devices, including your home computer and smartphone.
Password Management
Scenario: Teacher Password
A teacher has written down his login information to the new student information system on a sticky note and put it on his desk. While he is gone, a couple of students discover the note. They then use the teacher’s login to access the system after hours and change students’ grades. Additionally, since the teacher used the same password on other internal systems, the students were also able to access other systems with sensitive employee data, including Social Security numbers and other private information.
- Have I Been Pwnd? OR Firefox Monitor
- How Secure is Your Password?
- Secure Password Generator
- Password managers: Keepass or Bitwarden
- Turn On Two-Factor Authentication Tutorials
Did You Know?
Passwords are growing increasingly complex and difficult to make secure. Encourage users to develop secure passwords they can remember. Also, use a password keeper (e.g. Keepass, Bitwarden). Learn more here.
AntiMalware Tools
Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. (Source: Microsoft).
Malwarebytes Free
Cleans up your device after an infection. Try Premium to stop infections before they happen.
Malwarebytes AdwCleaner
Gets rid of sneaky programs on your PC that slow you down and bombard you with ads.
Malwarebytes Browser Guard
Blocks ads and scams in Chrome, Edge and Firefox for a cleaner, safer browsing experience.
3 - Registry & Defragmenting Software
What is the Windows Registry?
The Windows Registry stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations. For example, when a new program is installed, a new set of instructions and file references may be added to the registry in a specific location for the program, and others that may interact with it, to refer to for more information like where the files are located, which options to use in the program, etc. (Source).
Tip: Avoid Registry Cleaners and other software online. They are unnecessary.
While you can address some issues, they are not critical in newer versions of Windows.
What is Defragmenting Software?
Defragmentation improves your computer’s performance. It relocates all the bits and bytes of the files on your computer and puts them together to speed up reading them. Over time, those file bits get mixed up and defragmentation software sorts them out and puts them back where they are supposed to be.
Glary Tools
Available in free and pro flavors, this is a wonderful solution for keeping your computer in tip-top shape. You will have to decide if the cost is worthwhile. It includes over 20 tools, including registry cleaning and hard drive defragmentation. While defragmenting tools are available via Windows 10, some prefer to use external tools. Do keep in mind that solid state drives (SSDs) should not be defragmented since it will lead to drive failure sooner than later, unlike hard disk drives (HDD).
Wise Registry Cleaner: Free Registry Cleaner and Optimizer
Clean registry junks, repair Windows registry errors, defragment Windows registry, and keep your PC at peak performance. Wise Registry Cleaner is one of the safest Windows registry cleaners and registry defragmenters. It automatically backs up the system before any cleaning is performed. You can use the backup to restore the system to an earlier state.
Defraggler
Defraggler is free defrag software from Piriform, the creators of other popular freeware system tools like CCleaner (system/registry cleaner), Recuva (data recovery), and Speccy (system information).
This is unique defragmentation software because it can selectively move fragmented files to the end of the drive if you don’t access them often, essentially speeding up access to files you do use. Source: LifeWire
Data Recovery & File Shredding
It’s so easy accidentally delete your data. Many don’t know that when data is put in the Trash can or Recycle bin, all that happens is that a marker for that data on your drive is changed. It switches from “visible” to “invisible.” With the right software, you can recover that data and make it available again. You can also use software to “shred” or “wipe” that data beyond retrieval. Let’s explore both.
Data Recovery
KickAss Undelete (Free)
This free, open source, Windows only software offers recovery of deleted information on your local storage drives. The website claims the following:
“It finds all of the deleted files on your hard drive, flash drive or SD card and allows you to recover them. Undeletion works best if performed as soon as possible after file deletion. When you delete a file, the data is not lost - but new files being written to the hard drive may overwrite your data permanently, making recovery impossible.”
Recuva (Free or $19.95)
This Windows only software offers recovery of deleted information on your local storage drives. The website claims the following:
“Recuva recovers files from your Windows computer, recycle bin, digital camera card, or MP3 player! Recuva can recover pictures, music, documents, videos, emails or any other file type you’ve lost. And it can recover from any rewriteable media you have: memory cards, external hard drives, USB sticks and more! Unlike most file recovery tools, Recuva can recover files from damaged or newly formatted drives. Greater flexibility means greater chance of recovery.”
EaseUS Mac Undelete (Free)
This free, open source, Mac only software offers recovery of deleted information on your local storage drives. The website claims the following:
“EaseUS Mac Undelete is the most reliable Mac undelete software, it automatically scans your hard disk to recover deleted files in a fast and secure way. Features claimed include: Quickly & completely recover deleted, formatted, inaccessible and lost data; Recover videos, photos, music, documents, emails, archives etc. from Mac hard drives and most storage devices; Preview lets you enjoy data recovery in advance.”
Disk Drill (Free or $89 Pro)
This Windows, Mac, Android and iOS software offers recovery of deleted information. The website claims the following:“Recover any file or folder or reconstruct 400+ file types with multiple recovery methods. Connect your storage device & recover data in minutes. Disk Drill supports iOS and Android recovery as well.” Watch video.
Shredding or Wiping Data
Since deleting files on your computer or device does NOT remove the file contents, this means the data can be recovered through the use of software shown above. Oftentimes, that is not desirable due to the sensitive nature of the data. There are plenty of horror stories of hard drives being thrown out, USB flash drives picked up and then confidential data accessed. To stop data recovery efforts, it’s important to “wipe” or “shred” the data. In this way, deleted data is overwritten beyond recovery.
Bleachbit (Free)
This free, open source software offers shredding of data on your local storage drives. It works on Mac, Windows, and GNU/Linux computer platforms. The website claims the following:“With BleachBit you can free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn’t know was there.
Designed for Linux and Windows systems, it wipes clean thousands of applications including Firefox, Adobe Flash, Google Chrome, Opera, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. “
ShredIt ($25)
This Windows, Mac, Android, iOS software offers shredding of deleted information. The website claims the following:
“ShredIt is the file shredder / hard drive eraser that offers all the features you need to clean a hard drive.”
Secure Delete GUI (Free)
This Windows software offers shredding of data on your local storage drives. The website claims the following:
SDelete GUI is an Open Source app that provides an alternative option to the command-line only SDelete from Sysinternals.
But to be clear, SDelete GUI uses Microsoft Sysinternals SDelete to perform file and folder deletions via the DOD 5220.22-M algorithm. But for those that are not comfortable performing the deletion process via the command-line, this will be perfect.
SDelete GUI allows you to add a “Secure Delete” option in the Windows right-click context menu. The Secure Delete addition will securely and permanently delete all selected files and folders.
Darik’s Boot and Nuke (Free)
This “personal use only” software offers shredding of your entire hard disk drive (HDD). Note that Solid State Drives (SSD) are not supported. The website claims the following:
“Delete information stored on hard disk drives (HDDs) in PC laptops, desktops or servers. “Note: I’ve used this many times and it works great on older drives. It has not been updated since 2015, and does NOT work with solid state drives (did I say that already?).
Looking for another way to get the job done? If you have experience with GNU/Linux, you can boot a GNU/Linux distribution from a USB drive, then run the “DD” command outlined here. This works on various drives, however, if you have a solid state drive (SSD), these instructions for wiping an SSD may work better (or try an alternate set of instructions).
Firewall
Software Firewalls for Windows and Mac
When Microsoft Windows lacked built-in firewall support, it was customary to install an external firewall software. Now, Microsoft Defender boasts a firewall and that is sufficient. You can find other firewalls you can add but they may not be needed.
The main purpose of a software firewall include blocking incoming attacks from the Internet and allowing you to decide apps on your computer may connect to the internet. Why would you control what apps can connect to the Internet? Imagine if those apps are malware. A firewall would stop outgoing connections from your computer’s malware.
Software firewalls will give you MORE control. Unfortunately, they may also interfere with how Microsoft Windows works.
Mac user? Try one of these firewalls:
- Lulu (Free): LuLu is the free, open-source firewall that aims to block unknown outgoing connections, protecting your privacy and your Mac.
- Murus Lite (Free): In three different flavors, Murus Lite is available for free, noncommercial use and offers standard features.
- Radio Silence ($9): Radio Silence lets you keep a list of apps that aren’t allowed to make network connections.
And, if you are more concerned about outgoing connections, give Little Snitch (Mac only, $47) a spin.
Set up Multi-Factor Authentication
MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:
- swiped your bank card at the ATM and then entered your PIN (personal ID number).
- logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.
MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.
Your credentials fall into any of these three categories:
- something you know (like a password or PIN),
- something you have (like a smart card), or
- something you are (like your fingerprint).
Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.Source: National Institute of Standards and Technology (NIST)
Find a list of websites that offer MFA here and step-by-step instructions for enabling it for your accounts here. You can even use this browser extension lets you know which of the websites you use offer MFA—and makes it easy to call out those that don’t.
Authenticator Apps for Your Smartphone
Authenticator apps have undergone significant changes in the last few years. Here are a few for your consideration that offer backup options to the cloud, as well as excellent security. Microsoft Authenticator has gone away, and Google Authenticator hasn’t kept up with the times.
- Ente Auth: Open source 2FA authenticator, with end-to-end encrypted backups (my favorite and free)
https://www.youtube.com/watch?v=joSZ\_xdO1fI
- Bitwarden Authenticator: This offers an excellent solution for passwords, passkeys, and authentication codes, but it does work a little differently. The free Bitwarden authenticator app is open source and generates time-based codes for multi-factor authentication, adding an extra security layer to protect your digital life.
Module 4: Secure the Cloud
Many people place sensitive information about students, their medical health, financial transactions in cloud storage. Others may create a spreadsheet file with all their top secret passwords to banking websites.
These individuals have given little thought to what might happen if hackers compromise their login credentials. Often, individuals may rely on hotel or coffee shop WiFi to transfer confidential information. These WiFi-friendly venues, including your home, may be unsecured and open to packet-sniffing.
Cloud-Based Data Scanners
Several solutions exist that will scan your district’s Google Suites for Education domain or Microsoft 365 tenant seeking any possible sensitive data that may have been shared with intent or not. Two solutions that I am aware of include the following (in alpha order):
CloudLock
Cloudlock helps K-12 organizations protect data in their cloud collaboration applications while enforcing regulatory, operational, and security compliance easily and effectively. School districts use Cloudlock to reduce data exposure risk, and increase staff and student productivity in the cloud.
SysCloud
Automatically backup and restore your cloud data to make sure user errors, malware, and ransomware don’t derail your business. Features include:
- Scan backup archives for Ransomware
- Backup multiple domains in the same account
- Secure store your G Suite data on your cloud. SysCloud uses Amazon AWS, Microsoft Azure, and Google Cloud to encrypt and store your organization’s data.
Summary
Both solutions offer a variety of features, essentially scanning your cloud storage provider (e.g. Google Suites for Education or Office 365) for sensitive data. What’s more, additional rules can be set up to restrict placement of sensitive data online to prevent or quickly catch rule violations. You will want to explore these solutions through an official request for proposals (RFP) process aligned to your particular district’s processes and procedures.
Educate Against Attacks
An attack that impersonates user(s) to obtain data access via email,” reads the definition of phishing introduced earlier. Do you know how serious it phishing is? Check out these statistics:
- Phishing is the most common form of cyber crime, with an estimated 3.4 billion spam emails sent every day.
- The use of stolen credentials is the most common cause of data breaches.
- Google blocks around 100 million phishing emails daily.
- Over 48% of emails sent in 2022 were spam.
- Over a fifth of phishing emails originate from Russia.
- Millennials and Gen-Z internet users are most likely to fall victim to phishing attacks.
- Phishing was the most common attack type against Asian organisations in 2021.
- The average cost of a data breach against an organisation is more than $4 million.
- One whaling attack costs a business $47 million. (source)
Campus principals, finance/business department staff are primary targets for phishing attacks that gain people access. There’s a lot more you can learn about phishing, the types of attacks that arrive via email.
CyberSecurity Resources
Doug Levin has been tracking the publicly disclosed K–12 incidents on a color-coded map on his website, K-12 CyberSecurity Resource Center. His sources include media reports, DataBreaches.net and the Privacy Rights Clearinghouse.
Some cyber incidents at U.S. K–12 schools that Levin has tracked include:
- phishing attacks that procure personal data;
- ransomware attacks;
- denial-of-service attacks;
- “other unauthorized disclosures, breaches or hacks” that disclose personal information; and
- other cyber incidents that have caused school disruptions or closures. (Source: THE Journal)
Access free training on CyberSecurity Topics and CIO Insight
Cloud Encryption Tools
The easiest solution (which isn’t that easy) is to avoid placing sensitive, personally-identifiable information online in a public folder where it is unknown who has access to it.
If you must place sensitive data in the cloud, encrypt the file first. Once the person has obtained the file, remove the file. At no time should a decrypted file be placed online in cloud storage or emailed as an attachment.
Encryption works in a transparent manner. You see your files with regular filenames, while others (e.g. cloud storage maintainers, hackers) only see encrypted filenames.
Boxcryptor (Annual Pricing)
Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storages. It combines the benefits of the most user friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice. The security of Boxcryptor has been confirmed in an independent code audit by Kudelski Security.
Cryptomator (FREE)
With Cryptomator, the key to your data is in your hands. Cryptomator encrypts your data quickly and easily. Afterwards you upload them protected to your favorite cloud service. Most cloud providers encrypt data only during transmission or they keep the keys for decryption for themselves. These keys can be stolen, copied, or misused. Thanks to Cryptomator, only you have the key to your data in your hand. Cryptomator allows you to access your files from all your devices. It’s easy to use and integrates seamlessly between your data and the cloud.
Another Free Option
A free solution for file/folder encryption is Secure Space Encryptor (SSE) from Paranoia Works. It’s free, open source, and works on Mac/Win/Linux/Android. Or, create a VeraCrypt encrypted data container and save that on your cloud storage. There are advantages and disadvantages to both.
Safeguard Email File Attachments
Ready to safeguard email file attachments? You have several options. Let’s go over those. Many of the options that encrypt the body of your text message fail to protect your attachments to your emails. Sending a colleague a report about a student special education progress? Even if you encrypt the body of your email, the attached PDF or Excel sheet is unencrypted.
Encrypt Email and Attachments with These Email Providers
- ProtonMail: Available for free, but a PLUS account is $50 a year
- Tutanota: Available for free but an account with more features is available
- Hushmail: Free option available but pay for more features
What PROCESS do you have in place? Let’s review some simple steps you can put in place.
Process To Follow
- Connect with your email recipient (the person you are writing to). Decide on what file/folder encryption tool you will both be relying on to send protected content. Some options that work well: Secure Space Encryptor (SSE), 7zip, or FileLock. Decide how you are going to verify receipt of the encrypted file attachment.
- Send the top secret password you will be encrypting via a secure messaging tool, such as Signal. Avoid sending it via email since your email message is a postcard (anyone can read it) unless it is encrypted. Verify receipt.
- Encrypt your file attachment, such as a Word, Excel, or other document using your preferred option (e.g. FileLock, SSE).
- In the body of your email message, keep it simple and attach the encrypted file (filename.enc).
- Send message to your email recipient, then verify receipt.
Encrypted Data Conduits
Virtual Private Networks (VPN)
“A VPN creates a private “tunnel” from your device to the internet and hides your vital data through something that is known as encryption” (Source: NameCheap).
Types of VPNs include:
- Standalone VPN Services (e.g. Private Internet Access, MullVad VPN and Browser)
- Browser Extensions (e.g. PIA Chrome extension, Opera browser built-in VPN)
- Router VPN
- Corporate VPN (more on that in a moment)
VPNs for Individuals
“Virtual Private Networks provide an important element of privacy protection for users,” Electronic Frontiers Association says…
VPNs [are] one of the most effective tools for protecting privacy when using the Internet, due to the degree of anonymity they provide when accessing online services.If the hotspot you’re using…[is] simply unsecured, hackers nearby can eavesdrop on your connection to gather useful information from your activities. Data transmitted in an unencrypted form (i.e., as plain text) may be intercepted and read by hackers with the correct knowledge and equipment. This includes data from any services which require a login protocol (Source).
Whether in your hotel, restaurant, or conference space, protect your device with a virtual private network. Here are some quick recommendations that you can put in place. Be aware that free VPN solutions offer little protection.
Most VPNs offer mobile apps you can use, as well as Chromebook extensions. This means you can connect all your devices using ONE VPN solution.VPN Alternative? Not ready to invest in a VPN solution for your smartphone? Then, try Cloudflare, which features the Warp VPN built-in. It’s free, works on your iOS and Android smartphone. It will give you some protection while sitting at the coffee shop.
Online publishers like PC Mag and CNET suggest NordVPN, StrongVPN, TorGuard, and Private Internet Access (PIA) as the top-rated tools available.
VPNs for Organizations
Securing Confidential Files for Transfer
If you are an IT Director, you may be called upon to transfer files in a secure manner. In school districts, there are several ways to accomplish that. Each way is briefly explored below and solutions offered.
1- Secure FTP Solutions (Automated)
This approach entails creating an encrypted conduit through which unencrypted files will be transferred from a server or your computer on a nightly basis. You will need to be able to automate this process and rely on a secure File Transfer Protocol (sFTP) solution or FTPs (read how sFTP is different from FTPs). This may entail you purchasing and implementing a secure FTP solution on a district server outside the firewall.
Server Side sFTP Solutions
Client Side sFTP Solutions
- WinSCP (other clients)
Some of the features most need include:
- Automating the transfer of files from one server to another
- Securing the files with encryption (e.g. GPG/PGP)
- Verification that files were sent and received
- Encrypted transfer of files
2-PGP/GPG File Encryption (Automated / Manual as needed)
Using a Pretty Good Privacy (PGP) or open source equivalent (GPG), such as OpenPGP Encryption Tool (GoAnywhere MFT for automated encryption). You can write scripts that automate this using PowerShell if on Windows or other solutions if on GNU/Linux or Mac. Exploring the use of scripting solutions for data encryption is beyond the scope of this webinar.Some have eschewed this approach in the favor of an sFTP solution or simply encrypting data using a tool like 7zip or SSE (Step 3) with AES-256 encryption (more on that below).
3-Virtual Private Network (VPN)
“A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network” (Wikipedia).
When we talk about using a VPN in a school setting, we’re not discussing consumer-level VPN tools like those used for individual protection.
Some solutions in use in Texas schools:
- Cisco VPN or appliance (Cisco Firepower 2110)
- Microsoft Direct Access (popular)
- Palo Alto Networks (popular)
- Sophos SSL VPN
- TeamViewer
Module 5: Know Your Tools
Now that you have a deeper appreciation for a variety of encryption tools, cloud storage, and more, let’s revisit some tools you may already use. These tools often offer rudimentary protection that may be insufficient for safeguarding sensitive data. Having a clear understanding of these ensures you won’t use the wrong tool when working with data.
Encryption Protocols
Wondering whether you can trust the encryption in Microsoft Office? OneNote? Your favorite note-taking tool? The answer is, “You may not.” That said, you can use some encryption protections to keep your secretary (or child) out of files they shouldn’t be looking into.
Consider these levels of encryption protocols:
Level 3 - Top Secret
These are files/folders that must be protected against unauthorized intrusion. They contain confidential, personally identifiable information (PII), HIPAA, or embarrassing content. Release of these indicates a data breach. Identity theft protection would be purchased for individuals affected.
Protocol: AES-256 or better. If paper, they should be shredded when not in use or under lock-n-key in a desk drawer or file cabinet.
Level 2 - Private
These files are private, it might be unfortunate if they were viewed, but no major scandals or lawsuits would result.
Protocol: AES-256 or built-in document passwords. If paper, in a locked room.
Level 1 - Public
These files are considered for public consumption. You can have them on your desktop and it’s no big deal if people see them.Protocol: Secured in a work storage location.
Microsoft Tools
Password Recovery Tools
As encryption software has gotten easier to use, it’s also found its way into a variety of programs. Here are a few solutions (no guarantees) that may facilitate password recovery. These solutions range from inexpensive to expensive. The more expensive solutions are often used in digital forensics.
Word Password Genius
Professional Word password recovery software to recover open password for MS Word 97/2000/2003/2007/2010/2013/2016/2019 documents(*.doc,*.docx).
Passware Kit Basic ($49)
Intended for home use, Passware Kit Basic recognizes and recovers passwords for 50+ file types, including MS Word, Excel, and web browsers. You can use it to reset a local Windows Administrator password and security settings using a bootable USB drive or CD.
Small PDF - Unlock PDF
strip your password-protected PDF file of its security if no strong encryption exists. Your PDF will be unlocked and ready for download within seconds. When you upload a file it is transmitted using a secure connection. Files are deleted one hour after processing.Alternate solution:I Love PDF’s Unlock PDF Files
PDF Password Remover ($29.95)
This is a shareware tool to remove PDF restriction from protected PDF files on Windows and Mac OS X. After removing PDF password, you copy the content text from the decrypted PDF and use the text wherever you want.
The tool is a shareware application that can decrypt encrypted or restricted PDF files. Without this tool, you cannot modify, print or convert restricted or password protected PDFs. If you have such files on your PC, start your download now. As soon as you get this tool, you will remove any password that is preventing you from accessing, converting or printing your PDF files.
Kali Linux
Kali Linux is one of the best open-source security packages of an ethical hacker, containing a set of tools divided by categories.
Kali Linux can be installed in a machine as an Operating System, which is discussed in this tutorial. Installing Kali Linux is a practical option as it provides more options to work and combine the tools.


































