U.S. Education Department responds to TheDarkOverlord attacks with new cyber advisory

It's gratifying when advocacy efforts have an impact. Last week, this blogger spent a good amount of time talking with Kathleen Styles, Chief Privacy Officer of the U.S. Education Department. We discussed the TheDarkOverlord attacks on the education sector and I urged the Department to try to warn schools how to better protect themselves.
I am pleased to see that they have now sent out the following advisory (yes, even though they don't link to any of my reporting on this issue):
Cyber Advisory – New Type of Cyber Extortion / Threat Attack
Summary
Schools have long been targets for cyber thieves and criminals.  We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records.  In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.
These attacks are being actively investigated by the FBI, and it is important to note that none of the threats of violence have thus far been judged to be credible.  At least three states have been affected.
How to Protect Yourself
The attackers are likely targeting districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data. This may be in the form of electronic attacks against school/district computers or applications, malicious software, or even through phishing attacks against staff or employees.
IT Staff at Schools / Districts are encouraged to protect your organizations by
conducting security audits to identify weaknesses and update/patch vulnerable systems;
ensuring proper audit logs are created and reviewed routinely for suspicious activity;
training staff and students on data security best practices and phishing/social engineering awareness; and
reviewing all sensitive data to verify that outside access is appropriately limited.
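The second and fourth recommendations above (keep audit logs and review them for suspicious activity; verify that outside access to sensitive data is limited) are the ones a district IT team can turn into a routine check. The script below is an added illustration written for this post; it is not part of the Department's advisory or of any district's tooling. It assumes a simple pipe-delimited access log from a student information system, an assumed internal address range (10.20.0.0/16), and assumed thresholds (five failed logins in ten minutes, fifty student records read by one account from one address). All log lines are constructed sample data. It flags two patterns that match the advisory's description of the attack: password guessing against an account, and one account pulling a large number of student records from outside the district network.

```python
"""Routine review of a student-information-system audit log (added example).

Two findings are produced:
  * brute_force: many LOGIN_FAIL events for one user inside a short window,
    with a note on whether a LOGIN_OK followed (the guessing succeeded)
  * bulk_access: one user/address pair reading an unusually large number of
    distinct student records, marked external when the address is not in
    the district's own network
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import ipaddress

Event = namedtuple("Event", "ts user ip action obj")

# Assumed values for this example (not from the advisory).
DISTRICT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 50

# Constructed sample log. Assumed format:
#   <ISO timestamp> | <user> | <source ip> | <action> | <object>
_LITERAL_LINES = [
    "2017-10-02T08:01:10 | jsmith | 10.20.1.15 | LOGIN_OK | -",
    "2017-10-02T08:03:44 | jsmith | 10.20.1.15 | RECORD_READ | student:1042",
    "2017-10-02T23:10:01 | admin | 198.51.100.7 | LOGIN_FAIL | -",
    "2017-10-02T23:10:05 | admin | 198.51.100.7 | LOGIN_FAIL | -",
    "2017-10-02T23:10:09 | admin | 198.51.100.7 | LOGIN_FAIL | -",
    "2017-10-02T23:10:14 | admin | 198.51.100.7 | LOGIN_FAIL | -",
    "2017-10-02T23:10:20 | admin | 198.51.100.7 | LOGIN_FAIL | -",
    "2017-10-02T23:10:31 | admin | 198.51.100.7 | LOGIN_OK | -",
]
# Sixty distinct student records read from the same external address
# in the minute after the successful login (constructed).
_BULK_LINES = [
    "2017-10-02T23:11:%02d | admin | 198.51.100.7 | RECORD_READ | student:%d"
    % (i, 2000 + i)
    for i in range(60)
]
SAMPLE_LOG = "\n".join(_LITERAL_LINES + _BULK_LINES)


def parse_log(text):
    """Parse the pipe-delimited log into Event tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, obj = [p.strip() for p in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), user, ip, action, obj))
    return sorted(events, key=lambda e: e.ts)


def is_external(ip):
    """True when the address lies outside every district network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in DISTRICT_NETS)


def find_brute_force(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Sliding-window count of LOGIN_FAIL per user; one finding per user."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.action == "LOGIN_FAIL":
            fails[e.user].append(e)
        elif e.action == "LOGIN_OK":
            successes[e.user].append(e.ts)
    findings = []
    for user, fl in fails.items():
        best, start = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fl[-1].ts
            # A success shortly after the burst means the guessing worked.
            success_after = any(last_fail < ts <= last_fail + window
                                for ts in successes[user])
            findings.append({"type": "brute_force", "user": user,
                             "ip": fl[-1].ip, "failures": best,
                             "success_after": success_after})
    return findings


def find_bulk_access(events, threshold=BULK_THRESHOLD):
    """Count distinct records read per (user, address); flag large totals."""
    reads = defaultdict(set)
    for e in events:
        if e.action == "RECORD_READ":
            reads[(e.user, e.ip)].add(e.obj)
    return [{"type": "bulk_access", "user": user, "ip": ip,
             "records": len(objs), "external": is_external(ip)}
            for (user, ip), objs in reads.items() if len(objs) >= threshold]


def review(log_text):
    """Run both checks over a log and return the combined findings."""
    events = parse_log(log_text)
    return find_brute_force(events) + find_bulk_access(events)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports one brute-force finding for `admin` (five failures, followed by a successful login) and one bulk-access finding (sixty records from an external address). The thresholds are deliberately parameters: a district should set them from its own baseline, and an account that legitimately exports records (a nightly sync, for instance) belongs on an allow list rather than being silently excluded from the check.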
What to Do if This Happens to You
If your organization is affected by this type of attack, it is important to contact local law enforcement immediately. It's not mandatory, but if you are an affected K12 school, please contact us at [email protected] so that we can monitor the spread of this threat. Additionally, the PTAC website contains a wealth of information that may be helpful in responding to and recovering from cyber attacks.
While this new threat has thus far been directed only to K12, institutions of higher education should know that they are required to notify the Office of Federal Student Aid (FSA) of data breaches via email pursuant to the GLBA Act, and your Title IV participation and SAIG agreements. Additional proactive tools for institutions of higher education are available at our Cybersecurity page on ifap.ed.gov.
Copyright © Privacy Technical Assistance Center, All rights reserved. http://ptac.ed.gov
Note that despite what the cyber advisory suggests, this threat is not confined to K12, as TheDarkOverlord's recent tweets suggest that they are also busy attacking institutions of higher education.