Information Security in Education/Administrator Awareness
The primary target audience for this topic are building level, K-12 administrators. Although K-12, central office, and higher education administrators are not the intended target audience, they may glean some insight from the information presented here.
Threats to Schools
Conducting research on the role of K-12 administrators in dealing with their schools’ information security will most likely yield very few, if any, results. The reason for the lack of information is most likely that most K-12 administrators simply do not view information security as a top priority. This is not surprising since the job descriptions of K-12 administrators typically do not including monitoring computer network traffic for potential threats or security breeches. Furthermore, this type of training is usually not in the curriculum of principal’s certification programs. Although information security is not a top priority to principals, nor a part of their education, there are ways that principal’s can assist in securing their school’s network.
In order for administrators to make informed decisions, it is necessary to know not only the problem, but its origin. In terms of information security, the origin of the problem(s) can be multifaceted. Most likely, though, the problem is people. According to Schneier (2004), “people often represent the weakest link in the security chain and are chronically responsible for the failure of the security system (p.255).” For the K-12 administrator, this means that the leading prevention for information security concerns is staff development. Although the term staff development typically refers to teacher training, in this case it refers to all staff (secretaries, custodians, aides, etc.) that has access to the schools network. School staff needs to recognize that they play one of the most significant roles in information security.
Among the biggest external threats that involve school personnel are social engineering threats. Social engineering is the act of manipulating people into divulging confidential information.This type of threat can be used quite easily in a public school since most public school employees, while cognizant of student confidentiality, are very willing to assist other school personnel in solving their problems. There are three main types of social engineer schemes pretexting, phishing, and baiting. Each of these types of social engineering can cause major problems for schools.
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information. In the case of a school, a call from someone pretending to be in the technology department would be an easy sell to most personnel, especially if at the time of the call the network was not properly functioning.
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business, in the case of a school a fake email from the technology department or administration, requesting "verification" of information and warning of some dire consequence if it is not provided. The fictitious email could ask for passwords or student or personnel information. A teacher could receive an email from the “business manager” requesting updated banking information for direct deposit, or for a social security number. Since school records and software are updated regularly, this type email from a fake business manager would probably not seem strange to an employee.
Baiting is an attack that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware infected CD ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device. In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted school’s internal computer network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted. In order for this attack to be successful at school, the attacker would not need to go to much trouble. Any school employee would be subject to this type of attack since the goal would be to return the “lost” device to its owner, who would be assumed to be a student.
It should be mentioned, however, that social engineering attacks are not the only types of external attacks which could be committed against a school district. Password hacks, port scans, and other attacks are possible, but these would never be seen by a building administrator since (s)he is usually never involved in dealing with these attacks.
Internal attacks against a school's network are far more common than external attacks. Most often, internal attacks are committed by students. There are a variety of reasons that students attack their school's network. The most prevalent reason that students give for attacking their school's network is fun. They just want to see if they could do it, and they also want to see what will happen if they do. These students typically do not cause damage to the network. Students who have malicious intent, however, are capable of causing extensive damage to a school's network. On any given day, a student could easily use a Flash Drive, or other device as described above, to plant all types of viruses, malware, spyware, or other dangerous programs on a school's network. Some of these programs have the capabilities of wiping out an entire district's network let alone a single school. The same applies to disgruntled staff who have even more access and more network permissions.
What Administrators Can Do
There are several ways that administrators can help prevent their schools from being the target of information security attacks. The first step that administrators can take is to do what the title of this Wikibook suggests, be aware. Building level administrators go to work each day with a full plate of responsibilities. Dealing with technology issues is usually not at the top of an administrators "to do" list. This does not mean that they should be in the dark about technology issues. Knowing some of the terminology and taking a proactive role in prevention goes a long way. The same diligence that is given to physical security, should be given to network security.
As mentioned earlier, staff training is the key to prevention. It is absurd to think that staff training will prevent all attacks against a network. Much like the administration, staff need to be aware. Relying on a common sense approach is not enough. Most staff can turn a computer on and off, type a document or make a spreadsheet, and surf the Internet. Most are not computer experts and lack the knowledge to see an impending attack or know that they are about to fall victim to a social engineering scam.
Using classroom management software such as Sychroneyes is also a step toward ensuring information security. This type of software allows teachers to view every students' computer screen simultaneously on their computer. The software also allows teachers to disable a student's computer remotely, send instant messages to them, and capture screenshots of what each student is doing. This software, while a very worthwhile tool, is not intended to be a substitute for the teacher. It is still vitally important that teachers circulate the room while the students are using the computers and educate their students on proper computer use and safety.
Lastly, a comprehensive student handbook, which includes consequences for computer misuse, and an Acceptable Use Policy (AUP) are essential. Both the student handbook and also the AUP must contain language which specifies how the district's computers and network may be used, who may use them, and when they may be used. As mentioned, the penalties for misuse should be clearly outlined.
- Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc