Once upon a time a security researcher working in K12 reported a vulnerability. The corporation informed the researcher that the vulnerability already had a patch available. The researcher realized that the patch had been around for at least 24 months but no one knew about the patch, therefore, everyone was exposed.
The researcher warned of other potential issues in the software but was dismissed. So the researcher spent more time evaluating and testing the software. The researcher discovered a new vulnerability and wrote a PoC to exfiltrate sensitive employee data. The researcher notified the corporation following the 90 day responsible disclosure model and the corporation took the information, created a patch and released said patch within the allotted time.
Unfortunately, the messaging was poor and stated that the software contained a vulnerability but only a recommendation to apply the patch. There were no further details. Frustrated, the researcher spent more time evaluating the software. Finding many issues, some just as severe as the previous exploits. This time, the researcher contacted many other School Districts and users of the software, he was able to get everyone to agree to the terms of the embargo, and in unison, submit the latest discoveries.
Under immense pressure the corporation eventually released a statement that because of the risks, the software should be removed from the public internet with further steps to harden and protect it.
The above story illustrates what the community has been exposed to time and time again. You can substitue many different vendor’s names or dates in the story. But it is one that many of us know and are familiar with.
OpsecEdu’s goal is to help change this narrative.
Continue to build a respectful and cohesive community for Edtech to collaborate, share security strategies and vulnerability discoveries, and collectively fully disclose vulnerabilities to vendors so that vendors are held accountable and Institutions can act in the interim.
Create a scoring system where vendors or their products are given a rating so that IT Directors and Managers can quantify said risk into their product purchases and implementations.
Build a framework to teach any Organization in Education how to assess and quantify risk in regard to InfoSec. Answering questions like “What is the value of my infrastructure and data to these types of bad actors (Nation States, Wholesalers, etc)? How likely am I to be hacked? How much budget should I divert to InfoSec and what is my ROI?”
Further the privacy conversation for our students. "How much data is too much and what 3rd parties are we giving it to? Do we really need to MiTM a service to monitor it? If we never delete user data, what risks are our organization and users exposed to?"