Page 23 - The EDGE BTS 2024

your account and keeping the district information safe, too.'"

Robles cautioned: "Don't give users too much power."

As a way to achieve a more secure method of authentication, he discussed password-less authentication. "It eliminates user interaction during authentication," Robles said. "It can restrict login only from an employee work station. It is resistant to phishing and interception. It uses device-specific authentication, making AITM attacks impractical."

Although password-less authentication is on the rise, less than 5% of organizations use it because they feel sufficiently safe – they don't believe they are bait for phishing.

"That's not true," Robles said. "Speak to your employees how phishing can affect them in their own personal life – make it personal."

Regarding business email authentication, AASBO members were told that this is when threat actors impersonate a business to trick individuals or organizations into transferring money, services or sensitive information.

"Imagine you receive an email from your boss requesting an urgent wire transfer or maybe 15 gift cards for $100 each," Robles said. "The email looks legitimate, but it's actually someone posing as your boss using an illegitimate email address. Without the proper authentication, it makes its way through."

Gerardo noted that we're living at a time when we are no longer shocked when a corporation is affected, but he advised, "If you have not adopted the mindset of when it's going to happen to you, you are narrowing that down to when it's going to hit you."

Why is education such an attractive target? "It's because we're low hanging fruit," Gerardo said. "We lack resources, we lack training. Our adversaries know that. In almost every breach, the source comes from an email."

Gerardo said school districts can prevent someone from imitating your email address and you can send your email securely.

"Take steps like updating your email records, so your email system can verify the sender's authenticity," he said. "If the email fails these checks, it's flagged or rejected, preventing potential fraud and protecting your organization from financial and data loss."

He cited various email configurations to consider. For example:

SPF (Sender Policy Framework) prevents email spoofing by allowing domain owners to specify authorized mail servers, validated through DNS records. It tells the recipient server that an SPF record is in place.

"There are many free resources on the internet to make sure your SPF is working," Gerardo said.

DKIM (DomainKeys Identified Mail) ensures email integrity and authenticity by allowing senders to sign emails with a cryptographic signature, verified using the sender's public key published in the Domain Name System (DNS).

DMARC (Domain-based Message Authentication, Reporting and Conformance) specifies how to
                                                                                            CONTINUED ON PAGE 24
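To make the SPF and DMARC records described above concrete, here is an added example (not from the article or from the speakers) that evaluates a sending server's IP against a domain's SPF record and reads the policy a domain publishes in DMARC. The DNS TXT records are constructed and the zone example.test is a placeholder; the evaluator is simplified (ip4/ip6, include: and all only, no a/mx/redirect or macros).

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; example.test is a placeholder zone.
DNS_TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.test -all"],
    "mail.example.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None (absent or ambiguous)."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_spf(domain, sender_ip, depth=0):
    """Simplified SPF evaluator: ip4/ip6, include: and 'all' only (no a/mx/redirect/macros).
    Returns pass, fail, softfail, neutral, none or permerror for the connecting IP."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms such as include: at 10
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if name == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return result
    return "neutral"  # nothing matched and no 'all' term present

def dmarc_policy(domain):
    """Parse _dmarc.<domain> and return the requested policy tag (p=), or None if absent."""
    for rec in DNS_TXT.get("_dmarc." + domain, []):
        tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None
```

A mail from 192.0.2.1 claiming example.test gets "fail" and, with p=reject, the receiver is told to drop it; the same mail arriving from the included relay 198.51.100.10 passes.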