Mar 07, 2024

Interesting Insights from Dr. Brian Brown at TCEA 2024

I had the good fortune to attend the 2024 Texas Computer Education Association (TCEA) event here at the Austin Convention Center last month. Gradient Cyber had a booth, of course, and that wound up being fruitful - both in terms of meeting new IT and school system leaders as well as connecting with a few of our Texas-based K-12 customers.


I'll have to say what impressed me about the show was just the sheer abundance of robotics, programming, 3D printing, and AI-assisted learning tools available for modern education support. It would be hard to walk the show floor and not feel excited by the 'what and how' of today's educational experience - at least in the science, technology, engineering, and math (STEM) sectors. It gave me renewed hope for the future of our nation and planet. 


But the highlight of the event for me was speaking with Dr. Brian Brown, who sits on the executive committee of TCEA’s Board of Directors. Dr. Brown has a unique perspective - able to converse about technology infusion into education at large, the evolving role of IT in school systems, and not surprisingly, the challenges that arise around information security. Dr. Brown has seen a lot - having served in both K-12 and university IT roles, and currently in the capacity of CTO for Duncanville ISD.


Thought I'd share a few things I learned from Dr. Brown:


You take care of IT - and by extension, security - for a relatively large school system. What's that like?

Never a dull moment. Our district serves four communities: the city of Duncanville as well as portions of Dallas, Cedar Hill, and DeSoto. That's about 12,000 students across 18 campuses: nine elementary, three intermediates, three middle schools, one high school, and two alternative campuses. The campuses are interconnected with a fiber metro net, so in essence it looks like a small enterprise. Unlike most enterprises, we are more limited in how we can lock things down in terms of information security - and I say 'information security' and not 'cybersecurity' for a specific reason.


Why do you say 'information security'?
If I use the term 'cybersecurity' with educators, their response is "that's your problem". But if I couch discussions in terms of 'information security', the feeling is more "that's our problem". That puts me in a much stronger position to get their attention, get them to take responsibility for things like password management, actively participate in security awareness training, and heighten awareness for appropriate budget and staff resources.


What does the security stack look like for an ISD these days?
Well, it depends a lot on the size and spread of the ISD. You can sort of break ISDs - at least here in Texas - into three bands: under 2,500 students, 2,500-15,000 students, and greater than 15,000. Duncanville ISD is in the middle band. Interestingly enough, it will be hard for us to grow into the larger band. Even though we have a great reputation, and it's a sought-after area to live, we are hemmed in - surrounded by other ISDs in every direction.


With respect to the security stack, most of our campuses are fronted by a firewall. Most servers, and teacher or admin machines, have an endpoint detection and response (EDR) agent. Yet, even if we could drop EDR agents onto student devices, it's not really worth it. They mostly use smartphones and tablets - devices that don't have the same attack surface as desktop endpoints. They can't add our key apps to these devices, so they are relatively low risk. And, in our case, we do have a managed extended detection and response (MXDR) service - which tells us a lot just from network traffic analysis.


Of course ISDs are at risk of outside attack. But, how much do you worry about insider attacks, e.g., students hacking for fun or worse?
It's interesting. The days of script kiddies, a.k.a. hacking for fun, are probably less of an issue than they used to be. Never say never, but I think most of our kids fall into one of two buckets. The first bucket is composed of students who aren't that interested in computers and networks per se - not to say they don't have aptitude or interest in other equally technical subjects. So chalk that one off. The second bucket is composed of kids who intend to pursue a career in engineering, computer science, etc. These kids have the ability to be dangerous, but probably lack the motivation. First, they are very heads down trying to get the best grades possible for access to top universities. Second, they definitely do not want a blemish on their record, so the risk of getting caught just isn't worth it.


Do most ISDs have a threat detection and response play of any sort?
I'd say most of the bigs probably do, a good chunk of the mediums do, and most small ISDs don't. And with those that do, there is churn as vendors and relationships are ever evolving. 


Regardless of the adoption, I'd say it's one of the most important defense-in-depth plays a school system can have for the simple reason that we just don't have the time - and often not the expertise - to crawl all the alert and log activity, make sense of it, and initiate a fast, meaningful response.


What worries you most from an attack perspective...ransomware, phishing attacks, denial of service, data loss, etc.? 
All of those and more. We have 12,000 theoretically clean credit histories. We have personal information on 2,000 employees. That's enough to make us a juicy target.


What does the typical security team look like for an ISD?
Well, for our ISD, we have five campus support technicians plus the helpdesk, but they are truly consumed with IT affairs on a daily basis - so very little time for digging into security anomalies or suspicious activity. Then we have four IT folks who operate in a 'centralized' capacity - responsible mostly for keeping the network and systems up and running smoothly. Read that as zero time for threat detection and response.


From my interactions with many other ISDs - through close professional relationships as well as involvement through organizations like TCEA - it’s usually the case that the IT team is already strapped for time just keeping systems up and running for the primary purpose of education. It’s not that security is an afterthought. It’s simply that it’s so specialized and requires so much careful attention that it can’t be served well with in-house resources.


This is why a managed threat detection and response service makes so much sense for us, and I'd imagine any ISD - small, medium, or large.


How do you manage security with such a small team, mostly consumed by IT responsibility?
I hold an OpSec meeting every week. In that meeting, we review each and every SitRep produced by our managed threat detection and response service provider. From there, decisions are made that can affect things like patching priority, security awareness training hotspots, areas of our network that maybe need more stringent segmentation, oversight, tighter security policies, etc. 


Who do you answer to, and how savvy are they at Infosec?
Texas school districts and charters are overseen by school boards. The boards of independent school districts are elected by the citizens of their communities, while the boards of charter schools are appointed. In the case of Duncanville ISD, I'd say our board is security aware. I provide an update to them annually in a special meeting where they receive a summary of all SitReps we've seen in the last year. Having a managed threat detection and response service that catches things early in the kill chain means there is minimal concern about data loss, financial loss, outage, reputation loss, etc. ISDs are not profit centers. Our board members are there for the greater good, responsibility to the community, furthering the cause of education, etc. What they want from me concerning security is to not have Duncanville ISD on the front page of the newspaper for the wrong reasons.

To wrap up, I’d first like to thank Dr. Brown. He gave me a good hour of his precious time. That means a lot - especially given the constant pull for his presence and attention at an event like TCEA. Second, it’s great to see so much cool technology being infused into our educational system. This was no boring show floor by any stretch. Last, it’s just great to rub shoulders with savvy IT and security professionals (stretched though they are) in our K-12 and higher education sectors. Their work is far-reaching, and they make a real difference by helping to shape our future leaders.