Risky Business

Maintaining the security of your IT systems has never been more important— or more of a headache. “Critical” Windows patches come almost weekly, worms and viruses run rampant and even Oracle, which CEO Larry Ellison once called “unbreakable” back in 2001, announced a record-breaking 44 vulnerabilities in September. Your resources are limited and there’s no way to bulletproof your entire IT infrastructure. So what’s a school technology leader to do?

The answer lies in the art and discipline of risk assessment. Experts will give you various definitions of what this entails, but put simply, risk assessment is triage— prioritizing which areas to protect and making sure you deal with the most critical problems first. The classic metric for assessing and prioritizing risk is to multiply the probability of occurrence of an undesirable event by the severity of consequence if it does occur (see the Assessing Risk sidebar). That may be fine for insurance purposes, where there’s an explicit set of hierarchical definitions of “severity,” but what does “severity” really mean in real-world terms? Every school system may need to develop its own particular categorization of relative severities, but the bottom line is that you need to be able to identify, quantify, analyze, and assess your most serious risks.

COMMON RISK FACTORS

First, let’s examine the nature of the risks. Greg Shipley, chief technology officer of Neohapsis, a Chicago-based security consultancy that’s performed numerous risk assessments for K–12 and higher educational institutions, identifies common high-level risks often underexplored by schools.

Unpatched Computers: By far the biggest risk commonly found in K–12 environments is unpatched computers, specifically Windows-based clients and servers. A recent SANS Institute report found that unpatched Windows computers connected to the Internet lasted an average of only 20 minutes before they were found and hacked, a stunning and worrisome statistic. The good news is that automatic patching systems in most modern operating systems, such as Mac OS X and Windows XP, can help mitigate this risk by automatically applying patches as soon as they are released. Ideally, controlled updating is best—this involves having a lab where patches can be applied and tested before widespread deployment— but uncontrolled or automatic updating is better than nothing.

Hostile Code: One tremendous new risk factor is the increasing prevalence of scripted worms, viruses, and Trojan horses. Script kits make them easy to create, and once unleashed, a worm often targets any and all hosts it can see. “Hostile code doesn’t care whether you’re a research facility, a Fortune 500 pharmaceutical firm, or a school,” notes Shipley. Having a strategy in place to combat the propagation of these robotic intruders is a must. This can include elements such as regular system patching, perimeter and internal firewalls, routerbased filtering, intrusion-detection systems, network traffic analysis, and log file monitoring, but at the very least, you need to have a clear action plan for what to do if and when you discover you’ve been hacked.

Illegal Outbound Traffic: Assessing risk doesn’t mean just focusing on preventing illicit access to IT assets and information. The Recording Industry Association of America lawsuits over illegal file sharing have made it clear that what comes out of your computing systems is just as important as what comes in. Students’ access and use of tools such as e-mail and chat at school fall into this category as well. At Fairfax County Public Schools, for example, a little-noticed computer used for A/V presentations in a school auditorium was hacked by students and turned into an open FTP server for illicit files. Alert staff noticed unusual activity and shut the server down before it became a serious problem.

Multiple Technologies: The Fairfax example points out some of the difficulties faced by K–12 managers when assessing potential risks. First, you’re dealing with a wide array of equipment dispersed throughout the school system, making regular maintenance, patching, and monitoring more difficult. This increases the potential for intrusion. In many districts, at least part of the existing equipment may have been purchased and installed ad hoc. Central IT may not even know it’s there, much less have full control over it. Performing a thorough IT infrastructure assessment and periodic equipment inventory is the first step to getting the chaos under control. Wireless LANs: It used to be that IT staff could at least track down where all of the network drops were by tracing wiring, but no more. Once a wireless access point is plugged into the network, networked clients and servers could be almost anywhere. Open access points allow anyone to tap into your wired network from a wireless laptop located anywhere in range, such as a car parked on the street outside your school. Unless you enable encryption on your wireless access points, anyone using basic sniffer programs can easily hijack your network, and watch all of your internal network traffic—including passwords and other sensitive data—fly across the ether.

MAKING SECURITY A LINE ITEM

The scenarios above provide particularly good Return On Investment arguments for allocating budget resources to conduct a thorough risk assessment and develop a solid security plan. If you don’t plan for it now, the cleanup costs for a major security-related event are likely to be astronomical. In addition, the unplanned costs of dealing with a federal investigation due to data access prohibited under the Family Educational Rights and Privacy Act (www.ed.gov/policy/gen/guid/fpco/ferpa/index.html) could be enormous.

WHERE TO START

Doing a full information inventory, followed by an assessment of which assets are most deserving of protection, is the logical first step for schools, says Shipley. This entails identifying your assets, classifying the risks to those assets, and finally, managing the risks which are found to be most severe.

Here’s a basic example. Your grade book system collects data on each student’s assessments and progress. That data, entered into password-protected computers in classrooms, is sent over a wired network to a student information system located on a server in your data center. Potential risks to the data involve passive access, such as unauthorized interception and viewing; improper active access, such as making changes to the data or deleting it; and denial-ofservice, where someone manages to knock out or subvert the application and/or the computers, servers, and networks it depends on, so that the system cannot be used. All of these risks should be assessed for likelihood, potential consequences, and any opportunities to mitigate the known risks.

One of the most valuable and basic tools which can be used in the course of a risk assessment is scenario planning, an exercise which can be as simple as asking, “What happens if?” For instance, “What happens if we lose the e-mail server? What happens if we have a worm outbreak? How much will that cost us?” Scenario-planning exercises can go a long way to helping you understand potential risks and their costs.

STAFF EXPERTISE KEY

A typical concern in risk assessment is the lack of in-house staff with experience in this area. The most important factor here is qualifying the person or persons who are going to spearhead the assessment. Have they done this before and do they have a deep understanding of both technology and business dynamics?

The benefits of in-house staff versus outsourcing a risk assessment is always a lively debate. Using external staff avoids political snafus, but the disadvantage is that outside staff may not understand your organization and business processes well enough within a limited time frame to uncover problems in a timely manner. On the other hand, it’s important to select someone who has conducted risk assessments before, who has current knowledge of best practices in this area and continues to use them, and who is an expert at the process and delivering results. Often the best solution is to construct a composite team, pairing the in-house expertise you do have with outside staff to fill in the holes where needed. Either way, however, oversight for the overall project ideally has to exist outside of IT, for the same reasons that you keep auditors and bookkeepers on opposite sides of the fence.

Finally, rather than doing a one-time assessment and then putting a technical Band-Aid on the biggest holes, schools will need to look at those problems which can be traced back to systemic failures of management or processes. “If you’re just trying to fix a few obvious pain points at a particular point in time, you’ll never catch up,” says Shipley. Put another way, if you concentrate on finding a good bailing bucket but ignore that fact that your boat has no bottom, you’re still going to sink. A good risk assessment should give you an accurate plan for keeping your IT ship afloat no matter what security storms come your way.

Richard Hoffman, former Web technologies coordinator for Fairfax County Public Schools in Virginia, is a technical architect based in New Hampshire and site editor of CMP Media’s Database Pipeline.

Risk Assessment Resources

Mine the latest data-driven decision making resources offered by our parent company, CMP Media.

• A sample risk matrix from security firm Neohapsis that details audit issues based on the impact on operations, finances, or reputation: www.techlearning.com/schoolcio
• General overview of how to perform a security audit in a K–12 setting: www.techlearning.com/story/showArticle.jhtml?articleID=17602668
• Cybersecurity strategies and tools including a district security self-assessment checklist and security rubric and planning grid (Disclosure: This is a CoSN initiative with media sponsorship from Technology & Learning): securedistrict.cosn.org

Assessing Risk

If “risk” equals “severity” times “probability,” how can you assess what “severity” means? Here, some basic guidelines.

In general, the most serious level of risk is always potential threat to life or health. Below that come lesser priorities such as illegal access to private or personal information, defacing of public sites and information, and interference with the operation of the school. Below these come such typically lesser priorities as improper use of excess capacity, as with a hacked server being used as a spam relay, or an employee using their Internet access for improper or unauthorized purposes.

Rather than a strict hierarchy, these categories can overlap. For instance, access to private information can lead to danger to life or health if, for example, private student information such as physical address gets into the hands of a pedophile. Defacing of a public Web site could be a health danger if someone hacks the school site to incorrectly indicate that schools are open during a blizzard. All of these levels need to be indexed to specific scenarios that correspond with your actual real-world operations and use of IT.

  • Danger to life or health
  • Illegal access to private personal information (potential danger to health and safety)
  • Defacing of public sites and information (can mean embarrassment and bad press; potentially physically dangerous in certain circumstances)
  • Interference with operation of school (hacks of payroll, scheduling, grade book systems, denial of service attacks)
  • Improper use of excess capacity

What kinds of security problems lead to the highest risk? That, too, will vary by circumstance and facilities, but here are some of the top risk factors experienced

by many school systems:

  • Unpatched computers, particularly Windows (can lead to items 3–5, below)
  • Wireless access
  • Inappropriate access to internal systems
  • Inappropriate incoming information
  • Inappropriate outgoing traffic