2. Topics
Introduction
Is K-12 Doing What We Should?
Protecting Private Data
Preparing Kids Well
You probably came to see something cool
Let’s Work Together
3. Introduction – Evan Francen
• Co-founder of FRSecure
• Information security expert with 20 years of experience
• Areas of expertise include information security
governance, risk management, social engineering,
compliance, and the things nobody else likes to do
• Information security evangelist
• Nickname is “the truth”
4. Introduction – About FRSecure
• Information Security is all we do…
• Methodologies; we create and use a ton of ’em
• Project Leaders all have 15+ years of experience
• Transparent; we value knowledge transfer
• Product agnostic means we can more easily serve
your needs without conflict
5. Protecting Private Data
• Types of data that K-12 is responsible for
• Types of people using our technology
How are we doing?
7. Since 2005, there have been 716 breaches of
educational institutions involving more than 13
million private records*
(Source: Privacy Rights Clearinghouse - https://www.privacyrights.org/databreach/new)
These are the breaches that we know about
8. Protecting Private Data
• People are the greatest risk
• We can’t fix people with technology
How comfortable are you with the mundane?
(people want the new cool thing, but how “cool” is policy?)
9. Protecting Private Data – Three Things
Every school should do these three things well.
• Information security governance
• Information security training & awareness
• Information security incident response
How comfortable are you with the mundane?
10. Protecting Private Data – Three Things
Every school should do these three things well.
Information security governance – what are the rules?
• Management commitment
• Information security policies
• Information security processes
How comfortable are you with the mundane?
11. Protecting Private Data – Three Things
Every school should do these three things well.
Information security training & awareness – people need to know the rules
• Training & awareness are two separate but related initiatives
• Training – teaching the audience how to do something specific
• Awareness – keeping a specific topic “top of mind”
How comfortable are you with the mundane?
12. Protecting Private Data – Three Things
Every school should do these three things well.
Information security incident response – what do you do if someone breaks
the rules or if the rules are ineffective?
• If you don’t know of an incident, it doesn’t mean that one hasn’t happened
• Incident response should be a formalized, step-by-step process
• An incident doesn’t mean a breach
How comfortable are you with the mundane?
13. Protecting Private Data – Three Things
Common deficiencies
Information security governance
• Everybody seems to think that information security is an IT issue
• If a school has policies, they are often ineffective and critical processes are
sometimes missed
• Compliance is not measured and/or enforced
How comfortable are you with the mundane?
14. Protecting Private Data – Three Things
Common deficiencies
Information security training & awareness
• There isn’t a formal training & awareness program
• People assume that there’s common sense
• Training is confused with awareness or vice versa
How comfortable are you with the mundane?
15. Preparing Kids Well
For a career in information security
We have a huge shortage of good information
security professionals, and the problem is only
expected to get worse.
17. Preparing Kids Well
For a career in information security
• Is there an opportunity to teach the kids real-world
information security skills in the classroom?
• Is there an opportunity to teach the kids real-world
information security skills after school?
18. Preparing Kids Well
For life
• Are the kids taught about identity theft and how to
protect themselves?
• Are the kids taught about regulatory
compliance, policies, password management, etc.?
19. Preparing Kids Well
Opportunity
FRSecure is very willing and able to work with K-12 to help
• Can we develop courses for the students?
• Can we develop after-school activities for students?
How about a “Hacking Club”?
20. You probably came to see something cool
Didn’t you?
Pretty basic, but still pretty cool.
1. ARP poisoning for passwords
2. Bypassing Website filtering
21. You probably came to see something cool
ARP Poisoning
We use ARP poisoning to audit networks, the bad guys use it to steal
passwords.
Using Cain & Abel
Want step-by-step instructions? Give me your business card and I’ll email
you.
22. You probably came to see something cool
Bypassing your Web filtering
Works (almost) all the time.
Using Tor
Want step-by-step instructions? Give me your business card
and I’ll email you.
23. Let’s work together!
FRSecure exists to solve difficult information security challenges
with our clients & friends.
We don’t have to do business together in order to work together.
Two things:
1. Helping you secure your information
2. Helping equip students