The Cybersecurity and Infrastructure Security Agency (CISA) has released Teleconferencing Guidance for education. Remote classroom teleconferencing has continued to grow. As a result it has been a tempting target for cybercrime.
Recommendations for K-12 Schools
School districts are increasingly using teleconferencing tools to deliver their services. These tools have increased in availability and capability. Their use however, comes with risk as the volume and sophistication of cybercrime continues to grow. As a consequence, schools and school districts must assess risks to both school IT networks and individual users.
Threats to Teleconferencing
Cyber threats are posed by nation-states, criminal organizations, and people inside an organization. Common tactics used include:
- Exploiting unpatched software vulnerabilities.
- Hijacking video teleconferencing with inappropriate content.
- Use of teleconferencing applications to infiltrate other applications.
- Penetrating sensitive meetings through social engineering to deceive people into divulging private information.
- Some products may share or sell customer information to third parties. This data sharing can unintentionally expose student and school information.
Teleconferencing Guidance for Teachers and Students
CISA guidance for teachers and students include:
- Only use organization-approved software and tools to host and schedule meetings.
- Consider sensitivity of data before exposing it (via screen share or upload) to video conferences. Ensure that only data needed to be shared is visible.
- Close or minimize all other windows and consider turning off alerts for incoming messages.
- If displaying content from organizational intranet sites in public meetings, hide the address bar from participants before displaying the content.
- Use common sense—do not discuss content you would not discuss over regular telephone lines.
- When having sensitive discussions, use all available security measures.
- Ensure all attendees of the meeting are intended participants.
- Do not attempt to install software not approved by your school.
- Do not make meetings public unless they are intended to be open to anybody.
- Have a plan for what circumstances constitute termination of a meeting, who has the authority to make that decision, and how the meeting will be terminated.
- Require passwords and use a waiting room to control admittance of guests.
- Provide links to meetings directly to specific people and share passwords in a separate email.
- Manage screensharing, recording, and file sharing options. Limit who can share their screen to avoid any unwanted or unexpected images. Consider saving locally versus to the cloud. Change default file names when saving recordings. Make sure to consult with your organization or district’s counsel about laws applicable to recording video conferences and sharing materials through them
- Make certain that your audio and video surroundings are secure and do not reveal any unwanted information.
- Move, mute, or disable virtual assistants and home security cameras. Do not conduct meetings in public places. Consider using headphones.
- If using a personal device
- Require passwords to log in to device.
- Only use elevated privileges when performing administrative functions on the device.
- Close all non school related windows before and during school activities.
- Keep operating systems and relevant applications up to date.
- Turn on automatic patching and Anti-Virus software.Check and update your home network. Use complex passwords for your home Wi-Fi network. Enable router with encryption protocols such as WPA2 or WPA3. Disable legacy protocols such as WEP and WPA.
- Check and update your home network. Change default settings and use complex passwords for your broadband router and Wi-Fi network and only share this information with people you trust. Choose a generic name for your home Wi-Fi network to avoid identifying who it belongs to or the equipment manufacturer. Update router software and ensure your Wi-Fi is encrypted with current protocols (such as WPA2 or WPA3), and confirm that legacy protocols such as WEP and WPA are disabled.
- Be wary of links sent by unfamiliar addresses, and never click on a link to a meeting sent by a suspicious sender. Verify that meeting links sent via email are valid.
- Do not share student credentials or links, with strangers who may use them to disrupt classes or steal information. Do not share passwords with anyone.
- Carefully review meeting invitations sent for sessions. Check to see if the meeting originated from a known teacher or other school employee. Verify that the address has the district’s or school’s name in the URL.
Teleconferencing Guidance and Cybersecurity Practices for K-12 Organizations
CISA recommends the following Security Practices for K-12 Organizations:
- Assess organizational needs and determine the appropriate products.
- Establish organizational distance learning policies or guides to address physical and information security. Based on these documents, develop easy to understand (e.g. one-page) summaries for teachers, students, and parents.
- Limit and minimize the number of authorized collaboration tools to reduce the overall amount of vulnerabilities.
- Maintain the latest versions of software and remove all obsolete versions from managed devices.
- Instruct users to join web (browser) based sessions that do not require installation of client software.
- Prohibit end users from installing client software on school- or district-managed devices.
(including removing local administration rights).
- Prevent system administrators from using collaboration tools on the system while logged on with administrative
- Prohibit the use of collaboration tools and features that allow remote access and remote administration.
- Clearly educate employees legal, privacy, and document retention implications of using teleconferencing tools.
We all have family and friends who are teachers, students, or education administrators, and we acknowledge the difficulties they are enduring during this pandemic. Therefore we are providing this Teleconferencing Guidance for education for our community.
CVG Strategy cybersecurity experts are committed to keeping organizations’ information secure. We help businesses and organizations implement ISMS solutions that fit unique requirements and provide the training required to make them work. Contact Us today to see how we can help.