Threat Vector 10.16.25
Ep 89 | 10.16.25

Securing Pre-K-12: A Tech Leader's Perspective

Transcript

David Moulton: Welcome to "Threat Vector", the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.

Mohammed Saleh: Always try to turn a technical angle into a non-technical way, or explain a technical aspect in a non-technical way, and the buy-in becomes the easiest thing. But if you spin it in a way where they understand, you put it in a language where they understand, the buy-in becomes so much easier. [ Music ]

David Moulton: Today I'm speaking with Mohammed Saleh, Associate Chief Technology and Management Information Systems Officer at Patterson Public Schools. Mohammed is a seasoned technology leader with over a decade of experience in educational technology, cybersecurity, and strategic planning. His work focuses on securing school networks while ensuring accessibility for both students and educators. Today, we're going to talk about securing the K-12 education environment, a sector that faces increasingly frequent and damaging cyberattacks despite limited budgets and resources. We'll explore how Mohammed's team is creating a resilient digital infrastructure through innovative practices, smart policy design, and the strategic use of cloud-first tools. [ Music ] Mohammed, welcome to "Threat Vector". I've been really excited to have you here since we kicked off a couple of weeks ago talking about this episode.

Mohammed Saleh: Hey, David. Thank you for having me here today. I'm excited to be here.

David Moulton: Talk to me a little bit about your journey to cybersecurity leadership in public education.

Mohammed Saleh: Sure, so my career started out actually as an intern. When I was a high school student, I used to stop by my high school's technology office and ask for work. And through there, when I graduated as a senior, I was actually offered a full-time job as a technician. So really my career started in education as a technician, and from there I continued working in technology. I really loved working in education. It gave me a deep sense of purpose and understanding, and it's a very satisfying field to be in.

David Moulton: Mohammed, I sense that you're one of those folks that if you don't have a deep calling to something, it's not going to, you know, tickle your brain in the way that maybe education and security does. You get that sense of you're delivering something that matters into the world. So, you know, kudos for you for figuring out how to traverse that internship to a tremendous leadership position today.

Mohammed Saleh: Thank you. I appreciate that.

David Moulton: Can you talk to me about some of the most pressing cybersecurity threats that you currently face in that K-12 environment?

Mohammed Saleh: So, educational facilities are really no different than some of the enterprise organizations that are out there. And I've listened to a few episodes of your podcast, and it's really, it was kind of shocking and surprising where, you know, some of the folks are saying some of the things that I also was dealing with. And I realize that we're not alone in this journey and the threat actors are non-discriminate. They go after whoever is available, and so some of the main issues that we deal with obviously is ransomware. We also have insider threats. So here in Patterson, I have 46, 47 buildings that we have to manage. They're also community centers. We have folks who aren't affiliated with education coming in, trying to hook up to the wireless or plug their device into the network. We have threats from all around the world trying to gain access to our systems. A lot of the student information also is for folks that are under 18. So, our databases are gold mines for some of these threat actors trying to exfiltrate the data from some of our databases, knowing that that data is relatively clean. There's most likely no credit history or address or anything on file. So, our student data is probably one of the top things that we're always trying to protect, making sure that we have internal protections in place, and then also our outside providers are also being held to higher standards.

David Moulton: In our previous conversation, you'd mentioned implementing MFA and cybersecurity training following a business email compromise. Can you walk us through that incident and your response?

Mohammed Saleh: Sure. So that was a very humbling situation that I dealt with. It was also a great learning experience that I dealt with. About two years ago, we had a business email compromise where one of our staff member's email account was actually, it was compromised. That teacher's account had a threat actor in there. They emailed their payroll department for a direct deposit account change. And since our payroll department thought that it was coming from an internal email, it was safe, it was okay, it's legitimate. Technology is protecting us, we don't have to worry about it, that teacher is exactly who they are. And when payday came around, that money went to a completely random account that was not the teacher's bank account. And that's when we immediately got a phone call. We had our team put together and we started to investigate. We had our insurance department involved. A lot of the different things that we learned was proper logging, looking at the various items, what are the key things to look for there. And really, we took that disaster and we learned so much from it. So through that incident, our physical security director has a sign in his office and it says, "Never let a crisis go to waste". And that stuck with me when we had that opportunity there.

David Moulton: That's a great sign.

Mohammed Saleh: Never let a crisis go to, I mean, by the time the investigation was done, we were beaten and exhausted and, you know, all of our brainpower was done. And I knew I can't just leave it here. Like, what are we going to do to make sure that this doesn't happen again? What steps should we take at least to slow this down or prevent this from ever happening again? And when I first arrived in Patterson, I wanted to enable MFA for our email accounts. I was like, I know cybersecurity, like, this is a low-hanging fruit. Why haven't we done this already? And, you know, you get immediate pushback, you know, saying, Oh, we've had email accounts for 10 years now and we haven't had MFA. We don't need MFA. It's fine. And then this happened. And so what I was able to do there was change the script from, We have to protect the district, and by doing that, we enable MFA. I changed the narrative to, I want to make sure a teacher never loses their paycheck again. And we can do that by enabling MFA. So, really just changing the narrative. The outcome was the same, but I changed the narrative as far as protecting the livelihood of the staff members and making sure that everyone gets paid, and really increasing our security to make sure that this doesn't happen again.

David Moulton: I really love how you jumped in with this idea of storytelling and making it real, as opposed to making it abstract and technical, right? Let's protect the district, turn on MFA. Let's make sure that a teacher never loses a paycheck again. And Mohammed, as you were talking about that, you were talking about the idea that ransomware is one of the things that comes in. You know, those students, they don't deserve to have the school shut down and lose their summer because they have to make up days. Education losses compound over time, all those types of things that you were saying that you were surprised other organizations have some of the same problems as you do. I actually think that you have harder problems than some of the other organizations. That's just my read on it, because a teacher who loses their paycheck in that moment is going, that's a devastating loss. It's very real. And then on top of that, they're stressed out about the fact that their pay hasn't shown up, but they still have to show up for the classroom and deliver for those students while dealing with this financial hit. So, I think that using narrative, using storytelling to allow those stakeholders that you have that may be resisted to go, Oh, I get it now, and I really want you to lead the charge on this, Mohammed. Fantastic. I just, you know, applaud your ability to figure out when to apply storytelling so that it resonates with folks.

Mohammed Saleh: Thank you. I appreciate that. I think that's really something that I've learned here in Patterson is changing culture is extremely difficult. And to change somebody's mind is one of the hardest things that you can do. And maybe just reframing something or changing the way you describe something can change somebody's outlook and perspective of how they're looking at the problem. And you immediately begin buy-in. And now we continue to push new cyber initiatives. And, you know, it always goes back to we want to make sure nobody loses their check. And they're like, Yeah, we got it.

David Moulton: Yeah.

Mohammed Saleh: We got it. What do you need?

David Moulton: Do you have other moments when you've seen a technological solution that you wanted to put in place or a security policy that you wanted to put into place, you knew that it wasn't going to land, but you reframed it so that it became not just palatable, but desirable for those stakeholders to support you on some of the initiatives in and around protecting the school, the school's networks, the educators, and maybe ultimately the students and community.

Mohammed Saleh: I try to do this with almost anything when it comes to especially the leadership piece. So, everyone's fighting for budgets. And this was on the last podcast episode was CISOs really meeting in the boardroom and saying their piece about how cybersecurity is important. And so really what I try to do is frame everything in a way that is a little bit more palatable for those non-technical folks. So annual penetration test, we never had a penetration test here. I needed my budget to be increased to make sure that we can sustain an annual penetration test. So, you know, I just clearly asked, Hey, do we get our boilers tested every year? And they're like, Yeah, of course, our insurance requires it. And I'm like, Okay, we need annual penetration tests. Like, we have to do this now.

David Moulton: Yeah, you did. That's a sly dog move right there. I love it. No, when you're talking about this, I love how you connect the real world that we can see, feel, and touch, to the virtual world that sometimes feels abstract, is hidden from us, and yet can have just as a devastating effect. You know, the boilers go out, the schools are cold, there in New Jersey, you're not going to school. But if the systems go down, your network is, you know, compromised, you're not going to school. It's the same outcome, right? Like, the resiliency that you need transcends the real world to the virtual. And to be able to put it in terms of somebody to go like, Yeah, of course we test those boilers. Like, what are you even asking? And then you're like, Why were we testing the network? That's brilliant, Mohammed. Let me shift gears a little bit. I know that you've standardized around Chromebooks and a lot of SaaS tools to really reduce that attack surface. You know, can you talk about the impact of moving away from on-prem and devices that hold data, to moving everything into those cloud environments?

Mohammed Saleh: Sure, so we have about 30, 35,000 Chromebooks here in Patterson. We provide every student from pre-K to 12th grade with a Chromebook device and a Google email address or a Google login into Google Workspace and all the various collaboration tools. At that scale and scope, to try to do that with either a Mac, Linux, or Windows device becomes unsustainable. To have to worry about MDM, some type of endpoint protection, and then all the various management and tools, constant updates, all the different layers of security that you have to have, which is great for various environments or enterprise environments that can support that and give those resources to all of the individuals in their organization. But when you're talking about a scale of 30,000 active Chromebooks, you, we had to find a sustainable solution. I always talk about sustainable solutions. So first off, Chromebooks are a relatively budget device. We're able to buy a Chromebook, white glove, get it in the hands of a student for about $350, $400 each. That's really difficult with a Windows device, making sure that it can run all the various things that have to run. And so Google Workspace also has a built-in MDM. And now we have an MDM where we have a relatively cheap device. And since Chrome OS is an inherently secure operating system, we really don't have to worry about any type of endpoint protection. What, the pieces that we have to focus on, although they're different problems, are identity management, permissions, making sure the students have the right access, don't have too much access or teachers have too much access into the different things, that our roles are assigned properly. So we get to focus heavily on identity management and making sure that, you know, the right folks have the right access. Another piece that we're going to start working on over the next year is Chromebooks, generally you don't save to the device. It's all cloud-based. 
So now we're able to add protections right through Google Workspace and utilize the platform that we already have, that we're already paying licenses for. It's not an additional tool that we have to buy. And Google's done a really good job as far as adding their security center and a lot of the different tools to add DLP or context aware rules or various things in place to continue to secure those devices. So moving on to the other piece, when it comes to SaaS apps, in the past, schools generally would run, like, a complete hyperconverged or, you know, a ton of servers to run all these different apps or programs that they need to actually have a school run, whether it's a gradebook, a student information system, various databases or applications. And when I first started in Patterson, we had about 90 or so servers. We were able to scale that back to about 40, 50 servers. Any servers outside of that are really our sandbox or just some various IT tools that we might be playing with. And they're really not so critical. If we lose them today, no one is really worried about them. So, I'm almost able to reduce my footprint in half. And, really, that's relying more on the SaaS space. So now we shift the risk from us having to manage those servers, make sure they're updated, protections are in place, firewall, zero trust, whatever it is we're trying to do. We now can push that risk over to the vendor and now just have a really strong contract or hold that vendor accountable for making sure they have the protections in place. So instead of a technical control, it's now an administrative control. And then now we have legal contracts making sure that, you know, the folks are following the certain standards we want them to follow.

David Moulton: You know, I'm curious, you've got a huge age range with your students and likely a variety of technical capabilities across your faculty and, you know, some of the admin. How do you approach things like user authentication or access control with that type of population?

Mohammed Saleh: So, access control for the adults, teachers, staff members, it's the same level of an enterprise that you would think of. We have MFA enabled for email. We have different security restrictions in place, password length, complexity. After that business email compromise, these are all the things that we turned up to 11, at least comparative for this organization. We really were like, Look, we got burned once. Let's make sure it doesn't happen again. So, and then for our IT teams, again, we have MFA all up and down all the different systems. So that's a little bit different. And we've been enforcing MFA on any applications or SaaS apps that have it available. We've really been trying to implement that. Now for the student piece, we're actually in the middle of the project right now. We're, we have some automation in place to create the account. But as far as putting them in the right groups, the right roles, setting passwords, that's a project that we're working on right now. And so what we're doing is we're splitting it up into three different groups. We have our high school kids, 9 through 12. We have our middle school folks. And then we have our elementary, K to 5 or K to 3. And so our high school students, we try to prepare them for the real world. We try to give them practices that they really should be doing at home as well. So we have 8 or 10-character passwords, uppercase, lowercase, and a number. It has to be unique, no passphrases, can't be your name, it can't be your email. So it's as close as we can get to making sure that they're prepared for the real world. If the students have MFA, we do allow them to set up MFA. I know this becomes an equity issue. Not everyone has a cellphone or some other form that we can do MFA. For our middle school students, again, 8 to 10-character password, a little bit of complexity, you know, one uppercase, one number. And then for our younger students, the passwords are simple. 
But what we've been able to do is through the identity and access management platform, we can create QR codes. And we can enable their Chromebooks to turn on their camera at the login screen. And they're able to scan their QR code. And that is their identity. So the teacher can really assist with the student logging in. You ask a fifth grader to remember their username and a 12-character password, it might be a little bit difficult. You know, they're still trying to remember what they had for breakfast or what they plan on doing for the rest of the day. So we had to come up with an easy solution for them to be able to sign in. Now, to tie all that in for the students, how do we do MFA equitably, right? MFA is a second form that they can verify who they are. MFA is something you have, something you know, something you are. So I, with the Identity and Access Management Platform, as we go through the year, something that we'll be implementing, although it's not exactly that follows the best practices of MFA, it is a second form to authenticate. And one thing that we can do is when they go to sign in, we can put up a few pictures of let's just say sports balls, basketball, football, soccer ball, tennis ball. And during the initial sign up, they can select what's your favorite sport. And they can click on it. And that's their second form of signing in. So, after we finish a lot of the automations for the account creation and enrolls and permissions, we'll be implementing that MFA for our students and making sure that we have something in place. Is it the best thing? No, but it is an acceptable level of risk to have something rather than nothing.

David Moulton: Yeah, I like that. It actually makes it simple for a kid to be able to come in and participate in their security in a way that's not impossible for them and disruptive to, you know, a faculty member, a teacher trying to provide a lesson or provide some education, and instead becomes an extension of the IT, you know, support, trying to get folks logged in there in the classroom. [ Music ] What role does cybersecurity awareness play in your strategy for maybe both staff and your student population?

Mohammed Saleh: So, I actually have two separate things. There's cybersecurity awareness for me to continue to remember that I'm talking to non-technical folks and gain strategies. So, I actually helped lead a nonprofit called the New Jersey Association of School Technology Officials. And these are leaders from all various school districts. And we come together and have roundtables. And I'm able to share ideas and different concepts that really help put together these ideas for raising awareness. What are some of the best practices you're doing in your school? What are some of the practices you're doing in your school? And then I'm able to take it and put it together for my own school. So that's a really helpful group that I think helps me put together a robust security awareness. And I think, you know, as far as our awareness, we've been doing simulated phishing campaigns. That's a big one. When I first started here in Patterson, we started phishing simulations and then folks got really mad at me, and we tried to make it a little bit fun and we had a 10% phish click rate. And again, going back to that business email compromise, we mandated cybersecurity training. And I'm able, through exact data metrics, show that that training is working because, actually, our last school year, '24-'25 school year, our phish click rate went down to 4%.

David Moulton: I've got to say, that's unusually amazing. Some of the orgs that I've been a part of, you know, getting to 12% within an enterprise was considered about the best you could do. You're at 10 with a highlight of 4. Something's working there. That's fantastic.

Mohammed Saleh: Maybe because it's mandatory. The first year we made it voluntary and I think, you know, I only had, like, 200 people do the training and I was like, This is not good. But once we made it mandatory, I mean, we saw improvement, immediate improvement. And we initially started with the basic phishing emails that, you know, you're really able to tell it's a phishing email. And now we're starting to increase the complexity. We're also starting to tie in a lot of the annual holidays or various things into our phishing campaigns. So Christmas season comes up, you know, whether are the fake Amazon or USPS, tax season comes up, those fake IRS emails that go out there, cybersecurity awareness. So, I think just starting to send information to our users has really raised that awareness. Now, I also, anytime that I go and speak or do a training in front of anyone, I always try to tie in some type of cybersecurity in there, and I generally try to do it with a little bit of a sense of humor. And one of my favorite videos that I generally show during our new teacher orientation is a video from Jimmy Fallon. I think it's about eight years old and he goes to the streets of LA and he just starts asking random people what their passwords are. And people start to tell them, because they feel special, right? There's a camera, it's a Jimmy Fallon, and they put a microphone in front of them, and they're like, Hey, what's your password? Oh, it's my grandmother's name. You know, What's your grandmother's name? Oh, it's, you know, Granny. So that's your password? Yeah, it is. It's like, Why would you say that, right? And so, but I tied that in, that humor, with like, This is not what to do. Don't do this. This is a bad idea. These people are trying to make you feel special.

David Moulton: So let's talk about AI and deepfakes and how those impact your environment. You know, how are you preparing your school to deal with these new and emerging threats like deepfake technology or AI tools that give somebody incredible capabilities beyond what they've, you know, maybe trained on or should be expected to have at their fingertips.

Mohammed Saleh: So again, I have a, of my organization are non-technical folks, so I really have to think and consider, How do I portray this message in a non-technical way without scaring everyone? Because some folks do get scared, and then they go in their corner, and you never, you know, you never see improvement from them. And it generally goes back to, first off, that sense of humor. Last week, we had our Superintendents Institute, which is a group of all the leaders throughout the organization. It's about 300, 400 folks, all the principals, vice principals, supervisors from all throughout the organization. And I, during my time slot, I tried to show people that AI deepfakes are a real thing. And I'm not sure if you saw that video of the bunnies jumping on a trampoline. And so, you know, I tried to turn it into like a little bit of a humor where I pulled up the video and I asked folks, Is this real or is this AI? And, you know, I was actually generally surprised that half the room thought it was real and the other half thought it was AI. I was pleasantly surprised that at least half the room was, maybe they saw already because it went kind of viral. But they were like, Yeah, that's AI. And then I was able to show, you know, a news clip that analyzed the video and how it's deepfake and start to really just spread that awareness in the staff of like, Hey, these are the things that are out there. I, myself, I'm trying to keep up with it, but it changes every day of the week. So, I don't know what next week is going to look like. This is what today looks like. Next week, maybe it's an even better bunny trampoline video. But think before you act. Consider all of the various variables that might be coming up to whatever it is you're watching or seeing, and have that vigilant mindset. Again, if it's too good to be true, or if it's out of standard procedure, or if something just feels off, pick up a phone, call somebody on a known number, ask for help. 
We're here to help. Don't think that everything you see online is real.

David Moulton: You know, I've been trying to tell that message to people for decades, that just because you saw it on the Internet doesn't make it real. And, man, deepfakes certainly aren't helping. Mohammed, you spoke at the Superintendent's Institute this summer. What were some of your key messages?

Mohammed Saleh: We had that institute last week. I always try to go through a lot of the wins that we did at the Technology Department. I always have to tie in cybersecurity, passwords, making sure you have strong passwords, enabling MFA. And I always share that the things that I'm sharing with you folks, you should take at home as well. I know it may seem annoying. Yes, you do have to type in a code when you're trying to sign into your account, but you should be doing that at home, too. So this year I shared with them three of the low-hanging fruit that you should do here and at home is strong passwords, MFA, and making sure your device is updated. If you have an iPhone that hasn't been updated in three years, take the hour, put the phone to the side, and update it. And so we force updates on all of our devices after we've verified the update. You should be doing that same thing at home. We mandate MFA and strong passwords. You should be doing the same thing at home on all of your accounts, not just, you know, your bank account, but whether it's your Facebook or anything along those lines. I also try to share with them as public employees, our emails are subject to OPRA. So that means don't do anything personal on your account because somebody can request those emails, and they can read. So, if you have your Amazon or your Facebook tied to your work account, that's a really bad idea. And then we started to implement a phishing alert button inside of Outlook. Now we have a phish click button built into our platform. So right as soon as they see that email, they can click the phish click. They can try to categorize it, whether it's spam or phishing. And we get an alert when that happens. Our system processes the email and then determines whether it's a high risk, low risk, and if it's a high risk, it will automatically go through our environment and start to pull those emails from everyone else's inbox. 
So, it's really starting to build automation around our operation, which makes things a lot more efficient for us and easier for us. In the past, we would have to, you know, first get the email. Somebody would have to tell us, Hey, this is spam. And then we would have to search, find the emails, pull it from everyone's mailbox. Like, that's stopping whatever you're doing, whatever you're working on, whatever, you know, project you're trying to implement, to deal with this emergency. And then communicate that and then go back to your project. It can really be a time waster. So building that automation was huge. And then again, AI was a big thing, letting the staff members know, you know, Google has, we run both Outlook and Google, and Google has, at least for the education license, I'm not sure if they've done this for the enterprise license, they have data protections in place and then also enabled Gemini and NotebookLM for all of our accounts. So, I gave them a quick sneak peek, just to let the folks know that, Hey, you know, inside of all of these other AI tools, make sure you're anonymizing your data. We do have platforms that give us data on students, and I know a lot of these administrators try to do analysis or look at data in different angles, and AI is really good at doing that. And so I let them know if you're going to put it inside of any other generic AI model, you either have to remove all the PII or anonymize it, or you can use Gemini with your Patterson Schools account, and the data protections are built in automatically. So that's a couple of the key items that I shared with them this year.

David Moulton: Mohammed, I like to ask every guest, What's the most important thing they should take away from today's conversation?

Mohammed Saleh: I understand that cybersecurity can feel like the sky is always falling. There's never enough money. There's never enough resources out there. And especially when it comes to educational facilities, every department is trying to get a piece of the pie and every department is important. Because we're all trying to do the same thing, is have efficiently run school that teaches kids. But there are a number of free resources out there that you can leverage and use to make sure that you are securing your environment. There are things that you can do to secure your environment that don't cost anything. They're already built into your platforms. And then also knowledge is just making sure that you're setting up your systems, you're setting up systems to monitor those systems, and make sure that you're following the best practices, whether it's NIST or whatever platform you want to, or framework you want to follow, set that up. It doesn't take money, it takes time and effort. And if you put time and effort into securing your systems, you have a far better security baseline than a lot of the other schools that are out there or other organizations that are out there, and hopefully become such a deterrence that those threat actors decide to look somewhere else. [ Music ]

David Moulton: Mohammed, thanks for this awesome conversation today. You know, I really appreciate what you do specifically. I think that securing kids and an educational environment has got to be one of those things that's personally satisfying but is hugely, hugely important.

Mohammed Saleh: Thank you, David. It was a pleasure being here today. I'm always excited to share our stories here and glad to be here. [ Music ]

David Moulton: That's it for today. If you've liked what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and your feedback really do help me understand what you want to hear about. If you want to contact me about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Original music and mix by Elliott Peltzman. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now. [ Music ]