Category Archives: Tony DePrato

Tony DePrato has a Master’s Degree in Educational Technology from Pepperdine University and has been working as a Director of Educational Technology since 2009. He has worked in the United Arab Emirates and China where he has consulted with schools in both regions on various technology topics. In 2013, Tony DePrato released The BYOD Playbook a free guide for schools looking to discuss or plan a Bring Your Own Device program. Tony is originally from the US, and worked in multimedia, website development, and freelance video production. Tony is married to Kendra Perkins, who is a librarian.

School Admissions, What’s Wrong?

Have you found joy in completing a school enrollment or admissions form? Did you find yourself smiling after submitting a school tour inquiry?

Probably not. 

As a CTO, I have seen, tested, purchased, programmed, and implemented numerous software packages to support the Admissions Process. I began my journey with these applications in 2009. 

These programs have grown in expense and features. Fundamentally though, are they delivering the outcome that schools need? Is this technology producing deeper waitlists and higher levels of future commitments?

I love forms and a good automated workflow. I have built them and watched as my creations have streamlined chaos. 

Technology as an appropriate tool saves time, creates opportunities, and allows for accountability. 

Technology developed to solve the wrong problem creates a universe of problems. If it gets popular, everyone uses it and has no idea why they are using it. People eventually feel like they have to have something because everyone else has it.

Let’s define the School Admissions problem. 

In an unknown economic condition (inflation, etc.) how do we grow our school and maintain a healthy waitlist?

Prospective parents are likely to be more discretionary with their income. They are investing in their children. How do we show them our value?

Will an expensive forms-based admissions system solve this problem or is this a human-to-human problem and a confidence problem?

Schools can build confidence by connecting new people to people who are already invested. Schools need to associate the existing with the new.

It’s not about the school tour and showing a few pristine rooms. It’s about getting parents to share stories and ideas with other parents. 

The technology needed to connect with prospective parents isn’t in a web form or workflow, it is in data analytics. 

Using Business Intelligence (BI) tools (Google Data Studio, Microsoft Power BI, Amazon QuickSight, etc.), we can look at zip codes, addresses, enrollment dates, grade entry points, etc., and find clusters of people who joined the school. The interesting clusters are the ones in non-traditional locations. For example, the neighborhood across from a school is traditional; everyone there knows about the school. A cluster might also appear 30 minutes away, indicating that people moving into that area seem to prefer our school. 
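The cluster analysis above can be done with a few lines of code before any BI tool is bought. The following is an added example, not the author's code or any school's data: it assumes enrollment records have already been reduced to a zip-code centroid and carry an explicit opt-in flag, and every record, coordinate and the campus location below is constructed for illustration. It only reports a zip once enough opted-in families live there, so the resulting dashboard never singles out a small, identifiable group.

```python
"""Find where enrolled families cluster, using opt-in records only.

Added example, not the author's code. It assumes enrollment records have already
been geocoded to a zip-code centroid and carry an explicit opt-in flag; the
school location and every record below are constructed for illustration.
"""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

SCHOOL = (40.7400, -74.0000)  # hypothetical campus (lat, lon)

# Constructed sample records: one per enrolled family. Only the zip-code
# centroid is stored, never a street address, and opt_in=False rows are ignored.
ENROLLMENTS = [
    {"zip": "10001", "lat": 40.7506, "lon": -73.9971, "opt_in": True},
    {"zip": "10001", "lat": 40.7506, "lon": -73.9971, "opt_in": True},
    {"zip": "10001", "lat": 40.7506, "lon": -73.9971, "opt_in": True},
    {"zip": "07701", "lat": 40.3471, "lon": -74.0643, "opt_in": True},
    {"zip": "07701", "lat": 40.3471, "lon": -74.0643, "opt_in": True},
    {"zip": "07701", "lat": 40.3471, "lon": -74.0643, "opt_in": True},
    {"zip": "07701", "lat": 40.3471, "lon": -74.0643, "opt_in": True},
    {"zip": "07701", "lat": 40.3471, "lon": -74.0643, "opt_in": False},
    {"zip": "10301", "lat": 40.5800, "lon": -74.1500, "opt_in": True},
    {"zip": "10301", "lat": 40.5800, "lon": -74.1500, "opt_in": True},
    {"zip": "10301", "lat": 40.5800, "lon": -74.1500, "opt_in": True},
    {"zip": "11729", "lat": 40.7584, "lon": -73.3249, "opt_in": True},
    {"zip": "11729", "lat": 40.7584, "lon": -73.3249, "opt_in": True},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def aggregate_by_zip(records):
    """Count opted-in families per zip and keep one centroid per zip."""
    counts = defaultdict(int)
    centroid = {}
    for r in records:
        if not r["opt_in"]:
            continue  # no consent, no analytics
        counts[r["zip"]] += 1
        centroid[r["zip"]] = (r["lat"], r["lon"])
    return dict(counts), centroid


def find_clusters(records, school=SCHOOL, min_families=3, min_km=15.0):
    """Zips at least min_km from campus with at least min_families opted-in families.

    Any zip with fewer than min_families is dropped before anything is reported,
    so a dashboard built on this never exposes a small, identifiable group.
    """
    counts, centroid = aggregate_by_zip(records)
    clusters = []
    for z, n in counts.items():
        if n < min_families:
            continue  # suppressed: too few families to show safely
        dist = haversine_km(school, centroid[z])
        if dist >= min_km:
            clusters.append({"zip": z, "families": n, "distance_km": round(dist, 1)})
    return sorted(clusters, key=lambda c: (-c["families"], c["zip"]))


if __name__ == "__main__":
    for c in find_clusters(ENROLLMENTS):
        print(f"zip {c['zip']}: {c['families']} families, {c['distance_km']} km from campus")
```

With the constructed data, the zip next to campus is dropped as traditional, the zip with only two families is suppressed, and the two distant zips with three or more opted-in families come out as the non-traditional clusters worth following up with the crowdsourcing step. The suppression threshold is the part to keep when the real data arrives.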

After extrapolating some clusters, the next best tool to have would be a crowdsourcing solution. Existing parents in the clusters need to be offered an opportunity to host events in their communities with support from the school.

At this stage, resources are shifting. Budgets are being used for something other than software. This is the main reason to address the admissions software. Is the current resource we are paying for a potential problem? Is this resource impeding our ability to be creative and agile? Consider that two things could be true at the same time: the software works, but may not be solving the real problem. 

The investment isn’t really in software to help with admissions. The investment is in someone else’s idea of how you should do admissions. 

Thinking outside the box, and respecting data privacy (opt-in only), we can visualize the following:

  • A dashboard showing a map with hotspots of existing families and new applications
  • An app that allows existing parents to flag up dates, times, and locations to create fun and casual meetings for prospective parents
  • A self-guided campus tour that provides on-demand information (it works at the Smithsonian, it can work at a school)
  • Admissions “offices” are located outside of the campus, closer to where prospective parents are working and shopping
  • Tours booked so they are larger and happen when the campus is alive, messy, and real; tours need to be less frequent to increase demand
  • Build a system that allows prospective parents to contact the school with simple messaging (SMS, Social Media Messaging, etc); this system would be intelligent and would automatically handle some of the initial steps in providing parents options; lower the barrier for initial communication
  • Have application stations on-campus that are comfortable, coffee equipped, and allow people to get the applications started with the sense of support people need when delving into a serious investment; this eliminates most of the issues people have working from home

In this model, people become part of the community before they even formally enroll. Technology is focused on people. By the time the forms are being used, prospective parents have already decided to enroll. 

Spending two hours on paperwork is now trivial because this new parent has invested in a lifetime of opportunities for their children. That feels like a good tradeoff.

G-Suite Enterprise for Edu, Are You Ready?

We have fully implemented the new G-Suite Enterprise for Edu.

For the backend people, I have gone through all the reporting and admin features as well.

Obviously, some of these features are not being used yet, but they are interesting. If anyone is interested in doing an online meeting to review the process of getting the license from a vendor, managing the licenses, and all the other ins and outs, message me on LinkedIn or email me directly. I will put something together.

I think a webinar walkthrough would be an excellent format if people are keen.


 [email protected] 
 #edtechchat #googlemeet #gsuiteforeducation


Tony DePrato | Follow Me on LinkedIn

iPads and Ergonomics the ultimate hybrid streaming solution

I’ve developed a very flexible solution with iPads and some ergonomic tools/devices.   

The main goal was to have tech that was useful all the time, not just during quarantine, and tech that didn’t strain the network with video standards that can’t be handled by personal home networks. The investment would be useful for 3-7 years, or the duration of the equipment lifecycle. The tablet form factor I chose was the iPad, but this could be done with Android or Chromebook tablets.

This model eliminates document cameras, allows for hand writing on paper or real whiteboards, allows for digital whiteboards, and you can ergonomically adjust things so people feel like they are sitting next to someone. 

Teachers can freely move around the room to demonstrate labs and other experiences that are eliminated in most virtual scenarios. 

You can even do choir, band, and art. 

If teachers/hosts have laptops, this allows for two cameras in every space. Students can flip between the iPad and the host device. 

The conferencing software doesn’t matter. You can use anything for your video conferencing. 

If people need to work from home they just take the iPad, and literally replicate their teaching environment.

This idea can be summed up in a single simple statement: The iPad is a Person in your Classroom.

If you would like to know more, please complete the form below.

https://forms.gle/5CwcQxSSd9vxmjiMA

Cybersecurity Part 4: Surviving Ransomware

By Tony DePrato | Follow Me on LinkedIn

The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.

Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites.~ https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.

I have thought about how to advise K12 schools around the world how to prepare for ransomware. I have concluded that there are only two approaches everyone can follow: Reduce or Completely Remove Windows and Create Very Inconvenient Backups of Data. 

Reduce or Completely Remove Windows

I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, with a link to the sources, that demonstrates which operating systems are vulnerable:

[Graph: the 106 identified ransomware programs by targeted operating system (Data Link)]

If you want to do the math:

  • 106 Ransomware programs
  • 100 Target Windows Operating Systems
  • 93%-94% of Targets are Windows Operating Systems
  • Using Windows is Riskier than Using other Systems

“Riskier” is a little weak in this case. It is very likely that Windows users will be a target; it is very unlikely that Apple and Chromebook users will be a target. 

If the goal is to live in a relatively peaceful ransomware free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users). 

There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.

Create Very Inconvenient Backups of Data

Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data. 

Data. Not operating systems and settings. Data. Not the software that was installed. Just all the data consisting of but not limited to documents, databases, movies, music, pictures, special configuration files, scripts and code, and the inclusive content of all websites.

There is only one question a person needs to ask to confirm if backups are safe from ransomware: “Can the backup be accessed right now if we need it?”

If the answer is ‘Yes’, then backups are going to be vulnerable. 

There should be at least two layers of backups. Layer one can be data that is backed-up and accessible on the network, in the cloud, and/or from normal workstations. Meaning, someone can sit down and create or restore a laptop, database, etc by following a workflow at their desk. 

Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.


Layer two backups also need to be tested at least monthly. Monthly is the minimum I recommend for K12 schools; most businesses need to test more frequently, and school districts would need to test very often and on a predetermined schedule.

Tests need to include:

  1. Data restoration
  2. Data access and use
  3. A scan for malware, ransomware, etc
  4. An iterative process to consistently reduce the size of backups
  5. An archival process to store data that will most likely never be needed, but is legally required to store
  6. Imagination. Because you never know where you will be and what the situation will be when you need to access these backups

A very low-tech approach to a layer two backup could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this, just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.
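Steps 1 to 3 of the monthly test (restore the data, confirm it is usable, scan it) can be made repeatable with a manifest written at backup time. The script below is an added example, not the author's process or any product: it assumes you store a list of file paths, sizes and SHA-256 hashes next to each layer two backup, then run the check against the restored copy during the test. The files it works on are constructed in a temporary directory, and the "encrypted" file is simulated with random bytes, so it runs offline without touching a real backup.

```python
"""Verify a restored backup against a manifest taken when the backup was made.

Added example, not the author's code. It assumes you write a manifest (path,
size, SHA-256) alongside each layer two backup and run this check during the
monthly restore test. The files below are constructed sample data created in a
temporary directory; nothing here touches real backups.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# File types that should never look like random bytes; a high-entropy file
# with one of these suffixes is a classic sign of encryption by ransomware.
PLAINTEXT_SUFFIXES = {".txt", ".csv", ".md", ".json", ".sql", ".html", ".py", ".sh"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_restore(manifest: dict, restored: Path, entropy_threshold: float = 7.0) -> dict:
    """Compare a restored tree against the manifest and classify every file."""
    report = {"ok": [], "missing": [], "changed": [], "extra": [], "suspicious": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(path) == expected["sha256"]:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        # A plain-text file that now looks like random bytes was not merely edited.
        if path.suffix.lower() in PLAINTEXT_SUFFIXES:
            if shannon_entropy(path.read_bytes()) >= entropy_threshold:
                report["suspicious"].append(rel)
    for path in restored.rglob("*"):
        if path.is_file():
            rel = path.relative_to(restored).as_posix()
            if rel not in manifest:
                report["extra"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Build a tiny constructed backup, 'restore' it with faults, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "students").mkdir(parents=True)
        (source / "config").mkdir()
        (source / "students" / "roster.csv").write_text("id,grade\n1001,7\n1002,9\n")
        (source / "notes.txt").write_text("Staff meeting notes, week 12.\n" * 40)
        (source / "config" / "settings.json").write_text('{"sis": "demo"}\n')
        manifest = build_manifest(source)

        # Simulate a flawed restore: one file encrypted, one lost, one added.
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        (restored / "notes.txt").write_bytes(os.urandom(8192))  # stands in for ciphertext
        (restored / "config" / "settings.json").unlink()
        (restored / "README.txt").write_text("not in the manifest\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

The hash comparison answers "did we get our data back?"; the entropy check on changed text files is a cheap first pass for "did we back up files that were already encrypted?", which is the bad-timing case the next paragraph describes. A real malware scan still belongs in the test, and the manifest itself should live with the offline copy, not on the network.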

If ransomware happens and the data cannot be decrypted, this layer two data would be safe because it is offline. Layer one backups may stay secure, but layer two backups will be secure unless you are a victim of very bad timing. 

The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.

The data above could change. An uptick in ransomware for Chrome or Apple of even 1% is enough to review internal processes and procedures. Until then though, get the number of Windows OS users down and make better backups. 


Start Your Research Here

Ransomware: Best Practices for Prevention and Response

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

Cybersecurity Part 2 will be featured in the Tie Magazine. After it is released, I will post the article on the blog.

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented). 

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented). 

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline. 

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events.  If you provide and manage laptops, a good pentester will need one of the school’s laptops. 

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable. 

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc. 

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources. 

Test: Definition

  • Subscription and Services Discovery: Can your subscriptions and services be easily discovered?
  • Files Exposed to the Public: Are there files publicly available that are supposed to be private?
  • Calendars Exposed to the Public: Is calendar data that should be private, private?
  • Staff and/or Student Email Harvesting: Can your staff and/or student PII be used to create a database for phishing and spamming?
  • Portals and SIS: Are your portals and SIS properly secured and difficult to brute force?
  • Websites and Social Media: Are websites and social media properly secured; is the media being used legally and correctly?
  • Cloud Services: Have cloud services been properly secured?
  • Third-Party Sharing: Is anyone sharing your content, and do they have permission?
  • FTP, SSH, and Telnet: Are any of these protocols a threat to your school via publicly accessible information?
  • Email Blacklist: Is your email domain blacklisted?
  • Email Header Check: Is there any data in your headers that could be anonymous or lead to blacklisting?
  • Email Catch-All for Non-Existent Emails: Is your email set up to catch any email sent to an address that does not exist and alert someone?
  • SMTP Relay: Is your email system running services that would allow an attacker to use your email for a criminal act, such as sending an email on someone’s behalf?
  • 4xx and 5xx Error Check: Are the 4xx and 5xx error pages on your public-facing services configured properly and supportive of trusted users?
  • HTML Forms: Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents. 

In other words, avoid jargon and lingo.
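The email rows of the checklist (blacklisting, header data, mail sent on someone’s behalf) largely come down to what the domain publishes in its SPF and DMARC records, which tell receiving mail servers which hosts may send as the school and what to do with mail that fails. The script below is an added example, not the author's checklist tool, and it extends the checklist with those two records as its own check. It assumes the TXT records have already been copied out of the DNS provider's console, uses the same 1-5 scoring as the checklist, and works only on constructed records for a hypothetical domain, school.example, with a hypothetical mail provider; nothing is queried over the network.

```python
"""Score a domain's published SPF and DMARC records on a 1-5 scale.

Added example, not the author's tool. It assumes you have already pulled the
TXT records (for example from your DNS provider's console); the records below
are constructed for a hypothetical domain, school.example, and nothing is
queried over the network.
"""

# Constructed TXT records for two hypothetical configurations of school.example.
# "_spf.mailprovider.example" stands in for whatever your mail provider publishes.
WEAK = {
    "spf": "v=spf1 a mx ptr include:_spf.mailprovider.example +all",
    "dmarc": "v=DMARC1; p=none",
}
STRONG = {
    "spf": "v=spf1 include:_spf.mailprovider.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@school.example; pct=100",
}

# Mechanisms that cost a DNS lookup; SPF permits at most ten per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """'include:foo' -> 'include', '-all' -> 'all', 'redirect=bar' -> 'redirect'."""
    return term.lstrip("+-~?").lower().split(":", 1)[0].split("=", 1)[0]


def assess_spf(record):
    """Return (score 1-5, findings) for an SPF TXT record; None means no record."""
    findings, penalty = [], 0
    if not record or not record.lower().startswith("v=spf1"):
        return 1, ["no SPF record: receivers cannot tell your mail servers from an impostor"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if _mechanism_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
        penalty += 2
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as you")
            penalty += 4
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
            penalty += 2
        elif qualifier == "~":
            findings.append("'~all' only soft-fails impostors; '-all' is stricter")
            penalty += 1
    if any(_mechanism_name(t) == "ptr" for t in terms):
        findings.append("'ptr' is deprecated and slow; list hosts explicitly instead")
        penalty += 1
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
        penalty += 1
    return max(1, 5 - penalty), findings


def assess_dmarc(record):
    """Return (score 1-5, findings) for a DMARC TXT record; None means no record."""
    findings, penalty = [], 0
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return 1, ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        penalty += 2
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
        penalty += 1
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of abuse")
        penalty += 1
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100 applies the policy to only part of the mail")
        penalty += 1
    return max(1, 5 - penalty), findings


def assess_domain(records):
    """Score both checks for one domain: {'spf': (score, findings), 'dmarc': ...}."""
    return {"spf": assess_spf(records.get("spf")), "dmarc": assess_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        for check, (score, findings) in assess_domain(recs).items():
            print(f"{label} {check}: {score}/5 {findings}")
```

The findings are written in the plain language the post asks for, so they can go straight into the issues document for school leaders. A weak record scores 1 or 2 with a sentence explaining why; the fix is a policy change at the DNS provider, not a purchase.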

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous. 

CyberSecurity Part 1: Social Engineering


By Tony DePrato | Follow Me on LinkedIn

I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.

Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.

Social Engineering

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html

Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.

Having an open, friendly campus means exposing information systems to a variety of threats that exist outside the network controls.

Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.

Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.

It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.

Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.

Defending Against Social Engineering in a Friendly Manner

Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture of fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:

  1. Let everyone know they are free to call security and report anyone or anything they see that seems “off.” This means not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
  2. Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and/or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict. An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30 AM; on those days person 2 and 4 choose to do lunch at 12:30 PM. Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.
  3. Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school. A common mistake schools make is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb. The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.
  4. Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data. A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust. Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.
  5. Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization. Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices. Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus. Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.
  6. Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security. Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.
  7. Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
  8. Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consultants will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free; time is the only factor.

I hope this post stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.

I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at [email protected]

Resources

  1. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (with speaker): https://www.youtube.com/watch?v=JsVtHqICeKE
  2. I’ll Let Myself In: Tactics of Physical Pen Testers: https://www.youtube.com/watch?v=rnmcRTnTNC8
  3. What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
  4. Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
  5. Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/