School district networks are being used for instruction, business, and information
sharing on an ever-increasing scale and are increasingly interconnected. Information and data have become the primary assets of most major corporations.
The Information Security Officer (ISO) serves to protect confidentiality, integrity, and availability of electronic assets.
Confidentiality in information security ensures that systems and data are exposed only to those persons that require access.
Integrity ensures that data is not modified or manipulated without authorization and that data can be trusted to be accurate - that data is authentic.
Availability is concerned with users being able to access systems and data when they need them.
The ISO is responsible for writing and implementing policies, auditing systems, evaluating vendor security postures, and ensuring that the division incorporates information security concepts into its decisions.
Piotr Kaminski, ISO & Information Security Officer
What is your technology background? How did you get started in this field?
My interest in technology started from early childhood. I grew up exposed to some of the first commercially available home computers and internet providers. I would desperately try to understand what my father was doing when he was creating CAD designs in DOS. When asked what kind of toys I wanted, I would always say Lego or something from Radio Shack! Taking things apart and seeing what I could create with just the pieces and motors was exhilarating. Later on, when I finally moved from a “family” PC to my very own, I developed an interest in gaming. To stay on the cutting edge, and maybe due to boredom, I would tinker with upgrading and replacing components. I continued building PCs and naturally became quite good at fixing them for friends. I went to study Computer Science at VCU and rediscovered the joy of programming. An appreciation and understanding of both software and hardware has served me well, as I’m always interested in breaking or fixing something new.
What made you interested in security/data privacy? Has there been any particular event or action that drives you?
Due to my interest in breaking and fixing for fun, I’ve always wanted to push the limits to know what’s possible and therefore how to stop it as well. As systems become more interconnected and people with less experience become users and owners of increasingly important data, I feel the need to step in to protect and educate. Countless times I’ve attempted to save heartbroken users from a malware infection or lost data. I feel every step in the right direction counts.
What do you think is the biggest cybersecurity threat to K-12 schools?
Security is a shared responsibility. Historically, systems were created primarily with functionality in mind. As data becomes more accessible and converged, the responsibility of stewarding that data is imperative. I’m frequently asked “why so many passwords?”, to which I make an analogy: before, a weak password was like leaving your safety deposit box unlocked. Now it’s leaving the entire bank open to anyone in the world at any time. Reusing the same password for your email and a coupon site could expose your entire identity if that harmless coupon site becomes compromised or was a trap all along.
How do you stay aware of current trends and news topics in cybersecurity?
While we take every measure to safeguard our systems, there is no perfect security. I’m exposed to reports of the newest problems on a day-to-day basis. Reading whitepapers and documentation on vulnerabilities helps identify potential weak spots that can be assessed and addressed. Each new platform, service or device we offer or are asked to support has to be strongly vetted and meet ever-increasing standards of security and quality. Thankfully, the cybersecurity community has a shared interest in discovering, responsibly disclosing and discussing security on various message boards and sites.
What initiatives does the school division need to be focused on this year?
Building from the ground up, we need to continue Security Awareness Training for all staff. Users need to be trained to at least recognize potential threats and realize this is a shared responsibility and an ongoing process. This will be a step towards meeting industry standard policies and procedures such as the CoSN Trusted Learning Environment (TLE).
How do you handle cybersecurity in your personal life? Can you provide examples?
As with all things, there is a balance to be struck. Perfect security is inconvenient, and what is convenient is insecure. I take security very seriously, but I’m human like everyone else. At the very least I follow the same advice I give:
I use Two Factor Authentication on important accounts to create additional barriers. I use a device I have (my phone) to augment something I know (my password).
I use a password vault with unique passwords for every single service. I’m less worried if one service becomes compromised, as I can control potential data loss or exposure. The tradeoff to using a vault, especially a web-based one such as LastPass, is that your master password needs to be unique and change frequently.
I minimize my digital footprint. I use bogus information when creating accounts that ask for my birthday, address and security questions like hometown and mother’s maiden name. I tighten the privacy settings on any social media accounts to only include those I trust.
I regularly update software on my home computer and my phone. Updates to Windows, iOS and Firefox sometimes feel like a nuisance but bring security and peace of mind.
Finally, I always question the details of news reports that mention cybersecurity. What information was leaked? How did the attackers obtain it? What can I do to minimize this in the future? I use it as an opportunity to review my own practices and adapt my security posture.
What are three things that staff could do right this moment to increase their cybersecurity posture?
Users should take stock of what kind of information they reveal voluntarily or otherwise. When creating accounts, consider - does this service really need to know your hometown and mother’s maiden name? Is your birthday publicly visible on social media? Take every effort to minimize this kind of data as it can be used to impersonate you and bypass security measures.
Enable Two Factor Authentication on at least your email and ensure the recovery device (likely your phone) is encrypted. Two factor assists by creating another barrier of entry into your account. Since almost everything these days has a “send me a recovery email” option, it is imperative you have total email security to prevent the complete compromise of your identity.