Cyber Security: A Survival Guide

Districts everywhere recognize that their growing mountain of information provides significant potential for improving educational outcomes and administrative efficiency-but also for mischief, disruption, and malice. So, how do we protect ourselves?

Heads nod when we suggest the increasing importance of careful information management, but given the broad spectrum of possible risks, how does anyone know where to start? Probably the biggest misconception is that cyber security is solely the responsibility of the district's technology point-person, who we'll call the chief technical officer. When things go wrong with anything connected to technology, the CTO will get the call, even if she or he has no way of identifying or solving the problem.

But, if the CTO can't be held accountable, who can? And how do we begin to understand what cyber security means to teachers, students, administrators, and parents?

The "High Stakes Test" that follows presents hypothetical examples culled from actual experiences of districts around the country. As a springboard to the body of our feature, we suggest you first test your security awareness in a team situation before turning the page for an in-depth analysis of the issues, challenges, and solutions. Good luck!

High Stakes Test: Risky Business

For each scenario below, identify the security risk and supply a worst-case result. Turn to page 34 for sample fallout mini-dramas.

1. The Secretary

At her desk, alone in the main office except for a familiar truant sitting in detention, the secretary mutters under her breath, "Password?" "Password?" She opens a desk drawer to look for a sticky note with the answer. A few minutes later, her attention is grabbed by scuffling in the hallway. She quickly closes the data entry screen and steps out to see two students pushing each other around. She tells them to join their friend in her office, but they manage to delay their entry, and hers, for a couple of minutes.

Talking points: Where's the risk and what's the fallout?

2. Vice Principal

The high school vice principal presents the school board with a money-saving plan to squeeze a few more minutes of instruction into the school day and save at least 180 clerical hours a year by automating attendance-taking with wireless handhelds (PDAs). The existing wireless network has until now provided only Internet access. The curriculum director chimes in, enthusiastically recommending the devices for scheduling, recording grades, and making records easily accessible at all times. The skeptical school board is grudgingly convinced, and the local media trumpets the cost-effective innovation.

Configuring the handhelds for encrypted connection to the wireless network proves difficult. The IT department asks to postpone deployment, but the vice principal is committed to starting the school year with the new technology.

The day before school starts, teachers receive two quick training sessions on their PDAs, and they are pleasantly surprised at how easy they are to use. With time short, the training concentrates on the basics of network connection and attendance taking, with a promise from the trainer for follow-up sessions on how to link to e-mail and scheduling tools.

Talking points: Where's the risk and what's the fallout?

3. The Network Administrator

At 5:30 in the morning, the high school network administrator gets a call from the chief custodian. "I think you'd better get in here quick. There's a flood in the server room."

A 10-year-old water heater located in a closet immediately above the server room had succumbed to age. Hot water leaked through to the room below, irrigating two old servers sitting on the floor, sparing only the new rack-mounted servers awaiting final configuration.

Talking points: Where's the risk and what's the fallout?

4. The Principal

In an attempt to revitalize instruction, the principal decides that a more technologically-intensive curriculum is needed. It's time to integrate the Internet into daily instruction. The IT director assures her that although the network is showing signs of age, it will continue to support current levels of use. But he adds that the Acceptable Use Policy could use an update.

The principal hires an Internet education guru to energize the teachers in three consecutive in-service training days before school begins. Invigorated, the teachers begin the year by assigning motivating Internet-based investigations. Classroom and lab computers schoolwide hum with activity, and students are engaged.

Talking points: Where's the risk and what's the fallout?

5. The Teacher

As summer winds down, a veteran teacher brings her home laptop to school to copy new lesson plans to the school server. Her kids had played computer games on her machine during a vacation, but except for a nearly-full hard drive, the laptop is working fine. She knows how to configure the laptop to connect to the network, and she logs in, figuring that a simple file transfer can do no harm.

Talking points: Where's the risk and what's the fallout?

6. The Superintendent

Andy Antinomy, a 10th-grade teacher struggling for control of his classroom, hotly returns an insult hurled at him by an impudent malcontent. That evening, in a public open-mike school board meeting, a parent complains that a pattern of verbal abuse shows that Antinomy is unfit or incompetent. The school board chair quickly shuts off public discussion, but the superintendent knows he's got a front-burner problem to deal with.

At home that evening, the superintendent fires off a message from his home e-mail account to the high school principal, describing the incident and urging an immediate response. "We know Andy Antinomy took time off a few years ago because of a mental breakdown. It's possible his problems are resurfacing," he writes. "I'd like you to personally take control of the situation. He can't be left alone in the classroom unless we're sure he won't 'lose it' again."

Talking points: Where's the risk and what's the fallout?

Risky Business Test: "Worst-Case" Answer Key

1. The secretary

Security risk: Unprotected password

Worst case: The truant, a frequent school skipper, has often observed the secretary's password ritual. As she leaves the office, he retrieves the sticky note from her drawer and returns to his seat, certain he can log in to the system from the computer lab and access his attendance records.

A couple of weeks later, authorities arrive with a subpoena for our truant's attendance records. The vice principal prints out the requested document, receives assurance of confidentiality, and hands it to the detectives.

An enterprising reporter calls late the same day, asking how this student could have been in school on a day when he'd simultaneously appeared on a convenience store surveillance video. The baffled administrator promises to get to the bottom of the problem.

Showdown: The local television station airs the contradictory information, giving the public the impression that school administrators are unsure of their own data and aren't keeping track of students.

Hours are lost while school leaders piece together what happened. Teacher records confirm the student's absence on the day in question. The secretary, looking for her sticky again, provides the mystery-solving clue.

A quick survey convinces school leaders that since several staff members keep passwords in plain view, the AUP should be faulted for not being explicit about safeguarding passwords. IT staff say that although they recently strengthened password rules, they're too short-staffed to provide support for staff who can't remember passwords, let alone play password police.

Pain points:

  • Public embarrassment
  • Loss of community confidence
  • Demoralized staff
  • Inaccurate records

Catalyst: The IT unit toughened password rules but failed to assist users in adopting the new requirements. The secretary knew that keeping her password in her desk drawer was against the rules, but she doubted the sticky would fall into the wrong hands.

Resolution: Strengthening passwords requires more than reconfiguring a network or application log-in setting. Support must be provided for missing passwords, or the sticky notes will covertly return, undermining security.

Providing a context for improved security through awareness training should precede technical implementation of new security measures.

Any new measures should not only be supported, but enforced with the full backing of building and district administrators.

Lessons learned: Rules worth enforcing must be clear and up-to-date. Users must understand how to follow the rules and why. Without a security awareness training program, voluntary participation will remain low.

  • Policy: Password rules must be clear. Experts differ widely on the best strategy, so pick one and stick to it.
  • People: Security training must include the context supplied by security awareness.
  • Technology: Deploy consistent standards for all applications.

2. The Vice Principal

Security risk: Encryption omission

Worst case: A few tech-savvy teachers take the trainer's hint and figure out how to access e-mail on the handhelds. For fun and practice, these early adopters send sassy messages back and forth to each other.

A student, observing the teachers' apparent delight with their new toys, brings in her own wireless handheld, captures the teachers' gossipy e-mail, and publishes the exchange on a Web site.

Showdown: The silliness of the teacher exchange causes only chuckles until the IT department figures out how the security breach occurred. The new system is shut down a week after deployment. Meanwhile, the local newspaper hears about the story and asks why the wireless network was not encrypted. The IT department forwards the question to the vice principal, attaching a copy of the original warning. The vice principal knows the superintendent will have to call the school board before the reporter does.

Pain points:

  • Loss of confidentiality — private communication among teachers is exposed
  • Professional embarrassment — instead of garnering accolades, the forward-thinking vice principal is viewed as hasty, and the tech staff, who responded to the situation with alacrity, is viewed as inept Catalyst: The lack of encryption enabled the unauthorized intrusion.

Resolution: The absence of standards reflects less the concern for security than the rapid changes in technology. Wireless security standards are changing rapidly. Experts touted the 802.11b standard with Wired Equivalent Privacy as a safe choice in June 2003. Two iterations and 17 months later (we're now up to 802.11i), industry gurus consider .11b porous (true) and old (not). Bottom line: wireless networks enable rapid, cost-effective innovation, but they still require due diligence.

Lessons learned: New technology projects should be deployed only after security implications, along with other district criteria, have been properly considered. The district should establish a common framework for implementing new technology that ensures alignment with district mission, standards, and resources.

  • Policy: Establish a framework for all technology-based projects that includes:Alignment with district goalsCompliance with security requirmentsTesting, training, and documentation
  • People: Involve targeted end users in planning, testing, and deployment.
  • Technology: Verify interoperability of new technology with existing systems before implementation.

3. Network Administrator

Security risk: No contingency plan

Worst case: The flood shorted server room circuits and uninterruptible power supply units, halting all computer-dependent administrative work and shutting down the school network, the telephone system, computer labs, and e-mail.

Showdown: With the prospect of the network being down for an unknown number of days, the network administrator realizes that the decision is out of his hands, since no contingency plan exists. He calls the principal, who calls the superintendent, who decides to cancel school for the day because all emergency contact information was stored on the soggy server.

Pain points:

  • Instructional and administrative downtime
  • No access to emergency contact or other essential information
  • No emergency plans or budget for equipment replacement or data restoration
  • Overtime expense eats hole in budget

The catalyst: Proximity of the water heater to the server room-or leaving the server on the floor-or lack of server redundancy-or insufficient contingency planning. Or all of the above.

Resolution: A Hobson's choice must be faced: provide network connectivity or focus on regaining access to data, vital to school administrative processes.

The network admin must articulate the options to the principal. After drying out the server room, he must either rebuild the old servers (to access data on the backup tapes) or leapfrog directly to the new servers (to provide Internet access and e-mail). The new system could be placed in service relatively quickly, but most users would struggle with the new, unfamiliar applications. Access to critical administrative data would still have to wait until the old servers are subsequently restored. On the other hand, if critical administrative processes are prioritized, all users will be forced to wait longer for Internet and e-mail access.

Lessons learned: Cyber security involves more than encryption and firewalls. Fire, floods, vandalism, and power failures can cause as much damage as a stolen password. In this story, the problem really began with the architect or space planner who, perhaps unknowingly, located the server in the room below the water heater. Although we've seen servers propped on cardboard boxes and wedged into closets, network administrators know that servers should not sit on the floor.

  • Policy: Crisis Management Plan must be updated when systems change.
  • People: Key participants in crisis management must train and practice regularly.
  • Technology: Emphasize reliability:Redundancy of key systemsSurvey of environmental and physical securityOffsite backups

4. The Principal

Security risk: Firewall vulnerability

Worst case: Almost immediately, connection times slow to a crawl, and students begin accessing 'wrong' sites. The teachers, alarmed at the inappropriate content and frustrated by the snail-like network, confront the principal with the problems.

Showdown: The curriculum project screeches to a halt: teachers sputter, students titter, parents fume. The principal huddles with her staff to discover the cause. Debate centers first on the outmoded AUP and less-than-optimal local area network. After a day of testing, the IT director determines that the firewall was unable to handle the increased traffic, explaining the slowdown, and its content filter needed an upgrade, which explained the inappropriate Web sites. Replacing and testing the firewall promises to delay a return to the principal's new project for several more days.

Pain points:

  • Parents express concern about the lack of Internet safety
  • The teachers harbor second thoughts, not confident that the technical problems will disappear
  • The principal is unsure if her political capital is exhausted

Catalyst: Even if the IT director failed to grasp the implications of the principal's plan, the firewall should have been properly patched along with all other network devices in the building. The outdated AUP clearly did not cause the problem, but given its dusty state, it had little value in preventing or resolving the situation.

Resolution: The embattled principal holds evening meetings with parents to restore confidence. After installing and testing a new firewall, the IT director joins a committee, including students and parents, that recommends updates to the AUP. The principal and curriculum coordinator take advantage of the brief hiatus to strengthen the learning objectives of the new project.

Lessons learned: Devils in the details converged to create the fiasco; routine patching of the firewall could well have precluded parent outrage by providing updated Internet content control. The principal could have convened a planning session with the curriculum director, tech director, and teachers to ensure success for the project.

  • Policy: A framework for new projects must involve participation of key contributors.
  • People: All new projects should involve the convening stakeholders invested in the project's success.
  • Technology: When new technology-based projects are tested, systems should be monitored to discover any undesirable impact on existing operations.Patch management and system maintenance must be verified on a scheduled basis.

5. Teacher

Security risk: Infecting the network

Worst case: The network administrator, taking advantage of a quiet day to tidy up the server room, receives notification from the network virus protection software that a worm, identified months ago, has suddenly appeared. A quick check indicates that the worm exploits a vulnerability that Microsoft fixed last April. Knowing that the firewall would keep the worm outside the network perimeter, the network admin guesses the worm was introduced to the network on the inside by a rogue computer. He locates it just before the teacher shuts down her laptop and heads back for one last beach weekend. The worm, meanwhile, has insinuated itself into unpatched computers on the network. No beach weekend for the network admin; he sends out a shutdown warning message and studies expert recommendations for eradicating the invader.

Showdown: A single, unpatched, unupdated laptop represents a real threat to a network unable to defend itself from inside the firewall.

Pain points:

  • Major district disruption and distraction
  • Overtime expense —IT staff supervise army of volunteers to clean every computer in the district

Catalyst: Insufficient network safeguards, inadequate policy, and inadequate user awareness converged to instigate the problem. In a district where network connections are difficult to control and where lack of standardization makes automated patching difficult, user collaboration in security practice is essential.

Resolution: After cleaning up the previously unpatched computers, the IT unit focuses on awareness, policy, and alternatives for staff or students wishing to transfer files to the school network. The teacher could have easily e-mailed the documents to herself or brought the files in on a USB memory device.

Lessons learned: In August 2003, hundreds of school districts across the country had to shut down their networks in the wake of the Blaster worm. In June 2004, unpatched computers transported the Korgo worm into networks around the world. If the school network is not configured to reject the rogue laptop, the responsibility for adhering to district policy falls to the end user.

Empowering users to collaborate on technology issues is almost always a good idea, but for districts that cannot afford to standardize all desktops and upgrade the network and network monitoring tools to automatically control old computers that connect to the network, such collaboration is essential.

District leaders must understand the limitations of the IT infrastructure and the user community when creating and approving policy to cover technology use.

  • Policy: All users must understand limitations on use of district technology and infrastructure.
  • People: Awareness of limitations, and the reason for them, is essential for compliance.
  • Technology: Security requires a layered approach — defense in depth:A good firewall doesn't mean you can skip patching all computersNetwork management software can stop unauthorized or non-compliant computers from accessing the network

6. The Superintendent

Security risk: Unencrypted e-mail

Worst case: Three days later, the superintendent takes a phone call from the teacher in question. "Are you labeling me as a mental misfit?" Andy wants to know. "Are you qualified to pass judgment on my health?" The superintendent holds his breath and then asks what prompted the teacher to make the call. The teacher explains that the superintendent's e-mail message was published on a blog frequented by students in the school.

Showdown: School districts profess adherence to a high level of confidentiality. But updating procedural and technological safeguards often lags behind the zeal of envelope-pushing hackers.

Pain points:

  • The release of confidential information by the superintendent is a buck that cannot be passed
  • A possibly-troubled teacher is humiliated, and the controversy provokes mistrust within the district and community
  • A terse memorandum forbidding electronic transmission of confidential information creates long-term uncertainty, even after safeguards have been updated
  • By publishing the confidential message, the hackers cast doubt on information security in general

Catalyst: Failure to encrypt e-mail and lack of policy on confidential communication (requiring the use of encrypted e-mail). The superintendent may have been told that his office e-mail was secure, but he failed to grasp that his home e-mail account might be configured differently.

Resolution: The IT department scrambles to configure the e-mail system to accommodate encrypted messages and hires a consultant to perform a security audit. The superintendent publicly apologizes for the security breach and privately handles the teacher's performance.

Lessons learned:

  • Policy: The need for confidentiality hasn't changed, but the strategies for ensuring confidentiality must evolve in response to vulnerabilities created by advances in technology.
  • People: No technological safeguard will stop a superintendent, or anyone else, from inadvertently creating a security problem by using alternative technology (home e-mail, for example). The only possible solution is awareness training that's mandatory for everyone.
  • Technology: Given staffing levels, training requirements, and system monitoring, the temptation to leave security configurations at minimal levels is understandable. But hidden in the decision to leave security configurations at the default level is an implicit policy.

Chris Seiberling is the manager of the technology audit and planning program for Mass Networks Education Partnership.

Stonger Passwords

"Using passwords as a defense mechanism to improve Windows security"
www.windowsecurity.com/articles/Passwords_Improve_Windows_Security_Part1.html

"Stupid Password Tricks"
www.securitypipeline.com/showArticle.jhtml?articleID=21800256

Awareness

"A Beginner's Guide to School Security" by Wesley A. Fryer
Sept 2003 Technology & Learning

"Secure Your Wireless Network" by Jane Bloomquist and Atif Musa
www.techlearning.com/article/13872

"Cutting the Cord: Wireless Computing Comes of Age" by Kristen Hammond and Judy Salpeter
www.cosn.org/resources/compendium/3.pdf

Intrusion Detection Software
www.intrusions.org/ids/products

Incident Handling Resources
www.intrusions.org/

Cyber Security Planning Protocol
securedistrict.cosn.org/tech/Planning/flowchart.html

Contingency Planning

Disaster Preparedness and Response
www.edfacilities.org/rl/disaster.cfm

NIST Contingency Planning Guide for Information Technology Systems
csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf

Security Product Vendors

3Com
www.3com.com

Cisco
www.cisco.com

Computer Associates International
www.ca.com

Enterasys
www.enterasys.com/solutions/education

Fortres
www.fortres.com/products/cleanslate.htm

F-secure
www.f-secure.com

GF
www.gfi.com/languard

Internet Security Systems
www.iss.net/publicsector/education.php

LANDesk Software
www.landesksoftware.com

McAfee
www.mcafeesecurity.com

MessageLabs
www.messagelabs.com

Microsoft
www.microsoft.com/security/default.mspx

Shavlik
www.shavlik.com

SonicWALL
www.sonicwall.com/industries/education.html

Sophos
www.sophos.com/products/sav

SurfControl
www.surfcontrol.com

Symantec
www.symantec.com

Trend Micro
www.trendmicro.com

Zone Labs
www.zonelabs.com

Feel free to reproduce this test and article for professional development purposes, but let us know. E-mail techlearning_editors@cmp.com