The Groove and Rhythm of Cybersecurity

Using Data Management, Policies, and Configurations to Create Security Baselines.

Have you ever listened to a song that really grooved? How about a song that you couldn’t help but dance to? Recently I was listening to Mutemath’s self-titled album from 2006, which is an absolute banger, and found myself unconsciously bobbing my head and tapping my feet while listening to its complex yet simple grooves. What I realized is that even though the album has a wild and chaotic style, underneath the chaos lies the stability and reliability of a rock-solid rhythm section (drums and bass) keeping everyone together and in time with one another, which in turn allows a constant groove to permeate the entire album. Now, believe it or not, this same concept is also found in cybersecurity. Every day new vulnerabilities and attacks are found, new detection and prevention methods are created, and security tools are always evolving. However, what lies underneath all the flashy, attention-grabbing headlines is the rock-solid rhythm section of data management, policies, and configurations.

Now, I know I just oversimplified this topic and compared it to music, but I know as well as anyone that creating a cybersecurity rhythm section that grooves can be a bit harder than a generic rock beat with four on the floor. With that in mind, let’s walk through how we can create strong data management, policies, and configurations so we can build up the rest of our cybersecurity implementations over time.

The best place to start is by creating and maintaining a data inventory. Just as hardware and software inventories are critical to security best practices, creating and maintaining a data inventory is crucial to ensuring the confidentiality, integrity, and availability of your district’s data. At a bare minimum, your district should keep an inventory of all sensitive data, but ideally the inventory should include any data that the district both ingests and shares out. Additional information to record for each entry includes its data sensitivity level, data owner, retention period, handling requirements, and disposal requirements. The inventory should be regularly maintained, reviewed at least annually, and accessed only by individuals with the appropriate permissions. It is best practice to use an access control list (ACL) to manage which users can access the data inventory and when.

In addition to having a data inventory, the district should also have a data retention policy and a data disposal policy. These two policies go hand in hand with a well-maintained data inventory: they inform how long the district can keep certain types of data and what steps or processes must be followed when the district disposes of data. Often there are additional laws, regulations, or policies that specify parameters the district must follow for the retention or disposal of certain records. The most common federal law districts need to comply with for data records retention and disposal is FERPA (the Family Educational Rights and Privacy Act).
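To make the inventory and the retention/disposal policies concrete, here is an added example (not code from the original post) that models one inventory entry with the fields listed above, restricts who may read or edit the inventory through a small ACL, and flags entries that are missing fields, have not been reviewed in the last year, or whose retention period has lapsed and are therefore due for disposal. The record values, role names, and the exact review cycle are assumptions made for the example.

```python
"""Data inventory review helper (added example, not from the original post).

Models the inventory fields the post lists (sensitivity, owner, retention,
handling, disposal), gates access to the inventory with an ACL, and flags
entries that need attention. All sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REQUIRED_FIELDS = ("name", "sensitivity", "owner", "retention_years",
                   "handling", "disposal")
REVIEW_CYCLE = timedelta(days=365)   # the post: review at least annually

# Hypothetical ACL for the inventory itself: which roles may read or edit it.
INVENTORY_ACL = {
    "read": {"data-governance", "technology-director", "auditor"},
    "write": {"data-governance"},
}


@dataclass
class DataRecord:
    name: str
    sensitivity: str        # e.g. "public", "internal", "restricted"
    owner: str              # accountable person or office
    retention_years: int    # how long the district may keep the data
    handling: str           # storage / transport requirements
    disposal: str           # what to do when retention ends
    collected: date         # when the data set was first ingested
    last_reviewed: date     # last time this entry was verified


def can_access(role, action):
    """ACL lookup: may this role perform 'read' or 'write' on the inventory?"""
    return role in INVENTORY_ACL.get(action, set())


def review_record(rec, today):
    """Return a list of findings for one inventory entry (empty = fine)."""
    findings = []
    for field_name in REQUIRED_FIELDS:
        if getattr(rec, field_name) in (None, ""):
            findings.append(f"missing {field_name}")
    if today - rec.last_reviewed > REVIEW_CYCLE:
        findings.append("review overdue")
    # Approximates a year as 365 days; good enough for a due-date reminder.
    retention_end = rec.collected + timedelta(days=365 * rec.retention_years)
    if retention_end <= today:
        findings.append(f"retention expired: dispose per {rec.disposal}")
    return findings


def review_inventory(records, today):
    """Map record name -> findings, only for records that have findings."""
    result = {}
    for rec in records:
        findings = review_record(rec, today)
        if findings:
            result[rec.name] = findings
    return result


# Constructed sample inventory for a fictional district.
SAMPLE_INVENTORY = [
    DataRecord("student-records", "restricted", "registrar", 7,
               "encrypted SIS only", "secure deletion",
               collected=date(2020, 9, 1), last_reviewed=date(2024, 5, 1)),
    DataRecord("lunch-applications", "restricted", "food-services", 3,
               "locked cabinet / encrypted share", "shred",
               collected=date(2021, 8, 15), last_reviewed=date(2023, 6, 1)),
    DataRecord("staff-directory", "internal", "", 5,
               "internal share", "secure deletion",
               collected=date(2024, 1, 10), last_reviewed=date(2024, 1, 10)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, date(2024, 9, 1)).items():
        print(name, "->", "; ".join(findings))
```

Run on the constructed sample with a review date of 2024-09-01, the checker reports nothing for the student records, flags the lunch applications as both overdue for review and past their three-year retention (so disposal per policy is due), and flags the staff directory for having no named owner.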

The second piece of our cybersecurity rhythm section is implementing and maintaining secure configurations for all devices and software. For devices, these configurations could be saved as a device image that is applied as the device is assigned to a user, as server hardening guides that are followed when a new server is added to the environment, or even as securely stored config files that are used to configure new network infrastructure before deployment. All of these methods are good to use as long as the configuration process is logged, documented, and secured. Additional hardware configurations to consider include automatic session locking, which forces the user to log back in after a set idle period (usually 15 minutes), and ensuring that the configured device sits behind a physical, virtual, or operating-system firewall. For software, configurations might include running the most up-to-date software and operating system versions and changing any default usernames or passwords that ship out of the box from the software publisher.
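As an added example (not code from the original post), the following script encodes the settings just described as a baseline and checks a few device configuration records against it: the idle session lock must be 15 minutes or less, the firewall must be enabled, the OS version must meet a minimum, and no factory-default account may remain. The baseline values, the minimum version string, the factory account name, and the device records are all constructed for the example; a real deployment would feed it the configuration exported by the management tool that applied the image.

```python
"""Secure-configuration baseline check (added example, not from the original post).

Compares device configuration records against a baseline built from the
settings the post names. Baseline values and device records are constructed.
"""

BASELINE = {
    "max_idle_lock_minutes": 15,             # the post: usually 15 minutes
    "firewall_required": True,
    "min_os_version": "10.0.19045",          # hypothetical minimum build
    "factory_default_accounts": {"admin"},   # hypothetical vendor default name
}


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_device(cfg, baseline=BASELINE):
    """Return a list of baseline deviations for one device config."""
    findings = []

    # Session lock: must exist and must not exceed the baseline idle period.
    lock = cfg.get("idle_lock_minutes")
    if lock is None:
        findings.append("session lock not configured")
    elif lock > baseline["max_idle_lock_minutes"]:
        findings.append(
            f"session lock {lock} min exceeds {baseline['max_idle_lock_minutes']} min")

    # Firewall: the device must sit behind an enabled firewall.
    if baseline["firewall_required"] and not cfg.get("firewall_enabled", False):
        findings.append("firewall disabled")

    # OS version: compare numerically, not as strings.
    if parse_version(cfg["os_version"]) < parse_version(baseline["min_os_version"]):
        findings.append(
            f"os {cfg['os_version']} below minimum {baseline['min_os_version']}")

    # Default accounts: any factory account still present is a finding.
    leftover = baseline["factory_default_accounts"] & set(cfg.get("local_accounts", []))
    if leftover:
        findings.append("factory default account present: " + ", ".join(sorted(leftover)))

    return findings


def audit(fleet, baseline=BASELINE):
    """Map device name -> findings for every device that drifts from baseline."""
    report = {}
    for name, cfg in fleet.items():
        findings = check_device(cfg, baseline)
        if findings:
            report[name] = findings
    return report


# Constructed sample fleet: one compliant device, two with drift.
SAMPLE_FLEET = {
    "lab-pc-01": {"idle_lock_minutes": 10, "firewall_enabled": True,
                  "os_version": "10.0.19045", "local_accounts": ["svc-deploy"]},
    "lab-pc-02": {"idle_lock_minutes": 30, "firewall_enabled": False,
                  "os_version": "10.0.19044", "local_accounts": ["admin", "svc-deploy"]},
    "teacher-lt-07": {"firewall_enabled": True,
                      "os_version": "10.0.22631", "local_accounts": []},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLEET).items():
        print(name, "->", "; ".join(findings))
```

Keeping the baseline as data rather than hard-coded conditions means the same checker can be re-run every time the image or hardening guide changes, and the report doubles as the documentation trail the paragraph above asks for.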

One of the best ways to ensure these software and hardware configurations are applied is through dedicated management tools such as SCCM (Microsoft’s System Center Configuration Manager) or similar tools like SolarWinds Patch Manager or ManageEngine’s Endpoint Central. These tools allow systems administrators to create custom images with prepackaged software to deploy on managed devices, to push software or application updates and patches through automated deployment, and even to connect to devices remotely to change specific device configurations when needed. Another option many districts leverage is to have a third-party company deploy, manage, and maintain these configuration managers on their networks. These third parties are called Managed Service Providers (MSPs) and offer a variety of services that can free up the district’s technology team to focus on other tasks and projects.

When I was still working as a technology coordinator in various schools, I would often see districts flying by the seat of their pants with no data inventories and no implemented configuration management. These districts often had an understaffed technology team that just couldn’t tackle these projects. Some even knew they needed to make this a priority and couldn’t climb out of the hole of endless tickets to work on the projects. Now, I can see that while these projects do take time and labor to implement and enforce, they cut the amount of time spent working on additional issues after implementation in half. The main reason for this is standardization. When a district can standardize technology across all grades, buildings, and classrooms through administrative measures like inventories or technical measures like configurations, the technology team’s efficiency can double its current rate.

If your district has not implemented data inventories or secure configuration management, now is the time to start planning how to tackle the problem. Don’t put it off any longer. Create a multi-step plan with all the needed processes laid out. Remember, attackers aren’t going to wait until your district is secure to attack. They attack when your district is the most vulnerable and your technology team has reached its limits. Don’t be another ransomware statistic – start the data inventory and configuration management process today.