Information Security in Education/Print version

From Wikibooks, open books for an open world
< Information Security in Education
Jump to navigation Jump to search


Information Security in Education

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Information_Security_in_Education

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.

Contents


School Hacking

Disclaimer[edit]

This page was not written to encourage hacking, but to show educators what type of control students can take over computers and how to identify these hacks.

Introduction[edit]

The term hack has several related meanings in the technology and computer science fields. It may refer to a clever or quick fix to a computer program problem, or to what may be perceived to be a clumsy or inelegant (but usually relatively quick) solution to a problem. The term is also used to refer to a modification of a program or device to give the user access to features that were otherwise unavailable.

thumb
Most networks start off with poor security. But over time, with patches, network security does increase. At this point, a hacker that has gotten use of a certain system may be lose their additional access for a while. But usual the hacker goes on to find new holes. There is only so much an admin can

disable on your computer before it becomes no use to anyone. [1]

To get access to a network, a hacker can use whatever programs are on a computer.. If you are a student then you will undoubtedly have programs that aid in study, such as Notepad, MS Word, PowerPoint and others. All these programs can be used to the hackers advantage. [1]

On this page of the book we will discuss how educational computers are hacked to take access of student files and data.

By knowing these hacks, administrators and teachers will be better able to spot when students are hacking into networks.

Microsoft Windows[edit]

WindowNT.png
With Microsoft Windows based computers, the first line of security is to lock out the control panels and the MS-DOS prompt. Most administrators stop MS-DOS prompt from working, because it's the best way to get administrative privileges.[2] Although these two items are locked down, by searching the internet you can find a number of hacks to get around many of these.

By opening up a Notepad document, it it is easy to make a .com and .bat file that can be used to run locked down parts of the machine. [1]

Novell[edit]

Novell NetWare software is a suite of software products developed and maintained by Novell, Inc. for computer systems management.

NetWare allows administrators to install software on, configure, put a hard-disk image on, inventory and remotely troubleshoot Windows-based workstations and laptops from a central location, through use of policy-driven automation.

As with most security software that is placed in schools, students will quickly find ways to get around the system.


For Netware there are a variety of hacks that can be found on the internet. A Google search for Novell Netware hacks shows 286,000 results. some of these hacks can be seen below.

Novell Windows NT Hacks[edit]

These hacks are referenced from Rahul Hacking

Gain C: Access[edit]

This operation has been canceled by the Administrator" / "You have insufficient rights to execute this command

  1. Open Internet Explorer
  2. Go File > Open then Browse...
  3. At this point you should be able to see the entire C: drive of the computer.

Gain Program Access on C:[edit]

If you know what files are on the C: drive based on the above hack you can then open most of the programs that are on the computer.

  1. Open Internet Explorer
  2. click Browse...
  3. Pick a useful file like "command.com"
  4. When you find the file, click ok and you will have a little box with the full pathname of the file.
  5. At this point you can either OK, Cancel or Browse... Do neither.
  6. Copy the pathname.
  7. Now open MS Word.
  8. Go to View
  9. Select Toolbars
  10. Chose Visual Basic. A toolbox will pop up.
  11. Click "Design Mode". A new toolbox should pop up
  12. Click the "Command Button" which just looks like a small rectangle.
  13. When the button pops up, double click it. You should be taken to a VB screen with the following in the middle:
    Private Sub CommandButton1_Click()
    End Sub
  14. Now type in...
    SHELL("C:\winnt\system32\command.com")
  15. hit F5 (Debug)your screen should read:
    Private Sub CommandButton1_Click()
    SHELL("C:\winnt\system32\command.com")
    End Sub
  16. If a minimized does not come up, try this:
    Private Sub CommandButton1_Click()
    a = SHELL("C:\winnt\system32\command.com",vbNormalFocus)
    End Sub
  17. Hit F5 again.


  • If this doesn't work there could be a number of things wrong:
    • If a screen came up

saying macros have been disabled

    • go back to your first Visual Basic toolbar
    • Click the button says "Security...".
    • Now select the option that says "Low".
    • Try again.
  • If it still doesn't work, read on.
    • If it says "Run-time error:'53'--- File not found" you are in trouble.
      • It means you either typed the pathname incorrectly
      • Or it means the file does not exist
  • If your computer is running win2k or xp you will have to slightly adjust your

pathname.

It is recommend you use command.com as apposed to cmd.exe. The main reason is that cmd.exe can be blocked off by your administrator, so as soon as you open it you will get something that says "CMD has been restricted by your administrator. Press any key to continue...". If this happens, cmd is useless. [1]

Using PowerPoint to run applications[edit]

  1. Create new PowerPoint Slide
  2. Insert Hyperlink
    1. The hyperlink should be pointed at the file you want to open
  3. View the slide
  4. click the hyperlink
  5. Your file or program should open.

Using Notepad run applications[edit]

  1. Open a Notepad
  2. Type:
    <a href="C:\winnt\system32\command.com">click</a>
  3. Go to File > Save as...
  4. type in "link.html" with the quotes
  5. Save the file in the drive you have access to. Sometimes also called My Documents.
  6. When you refresh the drive, you should be able to see an IE icon called "link.html"
  7. Double click it, then click the hyperlink.
  8. Your file or program should open.

Getting Access to invisible drives[edit]

Frequently CD, Floppy, or Flash Drives are locked down. To gain access to them

  1. In your private drive, try creating a shortcut to a:.
    1. This will almost definitely not work but is worth a try.
  2. Try going to File > Winzip > Zip to file. This may allow you to transfer files to your floppy.
    Lastly, we can use DOS. This usually works because it is hard to disable items in DOS effectively so there are a number of ways around it.
  3. In DOS type:
    C:\>a:
    A:\>dir
    Volume in A has no label
    Volume Serial Number is 0001-0AA0
    Directory of A:
    BO2k.zip 111,111 1/1/04
    Netbus.zip 111,111 1/1/04
    C:\>
    So now we can see what's on the disk. If you wanna run it you can type:
    A:\>Netbus.zip

However, a more efficient way of opening it would be to first copy it to your private drive. We do this by typing:

A:\>copy a:\*.zip h:

Getting Passwords[edit]

NOTE: This only works on poorly secured networks From a Dos Prompt type:

C:\>copy c:\winnt\*.pwl a:

This command copies all the .pwl (password) files that are stored in the Windows NT directory. You can now take the disk home and crack the password files in our own time at our own leisure.

Most reasonably secure or just new networks no longer store their passwords in .pwl files. In Windows 2000, there's a new thing called SAM (Security Accounts Manager). Which is harder to crack.


Advanced Novell Hacking[edit]

Advanced hacking of Novell is easy to find too. These involve using programs such as port scanners, keyloggers, Trojan horses and password crackers. For information on this you can go to Rahul Hacking or Google what you are trying to do.

References[edit]



Legal Issues

Introduction[edit]

In 2006 alone, approximately 161 billion gigabytes of digital content were created, stored, and shared around the world. This is equivalent to twelve stacks of books extending as high as the sun, or approximately six tons of books for every person on the earth (Gantz, 2008) [1] With the development of digital content occurring at these rates, educators need to think about digital media's impact not only on student learning but also the legal issues that are connected with it. The goal of this wikibook is to provide school administrators and educators an overview of some of the legal issues relating to technology in K-12 school systems. In particular, an overview of some of the most common laws as well as some case studies will be provided.


The Children’s Internet Protection Act (CIPA)[edit]

The Children’s Internet Protection Act, known as CIPA [2],is a federal law enacted by Congress. The law was enacted to address concerns about minors having access to and being exposed to offensive content over the Internet.


The Neighborhood Children’s Internet Protection Act (N–CIPA), Sec. 1732 of CIPA, imposes certain types of requirements on any K-12 school or library receiving funding from the E-rate[3]program. Specifically, N-CIPA requires that any public school or library receiving E-rate discounts to develop and enforce an Internet Safety Policy (ISP). The policy must address harmful or inappropriate online activities. In particular, schools and libraries must have the following in place in order to receive discounts offered by the E-rate program:


~Technology protection measures to block or filter Internet access to pictures that are obscene, child pornography, or harmful to minors.
~An education program informing minors about appropriate online behavior. This must include information on cyber bullying as well as information about interacting with other individuals on social networking sites and in chat rooms.
~A policy in place to monitor online activities of minors.
~A policy that addresses the following: access by minors to inappropriate matter on the Internet; the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; unauthorized access, including so-called “hacking,” and other unlawful activities by minors online; unauthorized disclosure, use, and dissemination of personal information regarding minors; and restricting minors’ access to materials harmful to them. This policy is commonly referred to as an Acceptable Use Policy (AUP).

Acceptable Use Policy (AUP)[edit]

An Acceptable Use Policy (AUP) is a written agreement signed by students, their guardians, and their teachers. An AUP typically identifies the types of tools students will use on the network, defines boundaries of behavior along with the consequences of violating those boundaries, and informs students and parents of the actions that could be taken by the administration in order to maintain the school's network.


If a school receives federal funding for their communication technology (see CIPA), then the school is required to develop an Internet Safety Policy (ISP), which is more commonly known as an AUP. Because AUP's tend to be approved by the school board, they are a legal binding document. More information about a district's AUP can be accessed on the school's Web site. General information on AUP's can be found at the Virginia Department of Education's Web site[4].


Privacy Rights[edit]

Privacy Concerns on a School's Network
Computer locked.jpg
Merriam-Webster[5] defines privacy as the quality or state of being apart from company or observation. Unfortunately, many experts in the field of Internet security will tell you that privacy over the Internet does not exist. For example, in Bruce Schneier's 2000 book, Secrets & Lies, he elaborates on how privacy is almost non-existent with the Internet and that erasing digital information is, if not impossible, then extremely difficult to do. Steve Rambam speaks to issue of privacy being non-existent in his presentation entitled Privacy is Dead-Get Over it![6] And CIPA clearly states that in order to protect children on the Internet, schools need to adopt a policy that monitors online activities of minors. In addition to this, most AUP's have a clause stating something similar to the following: "It is often necessary to access user accounts in order to perform routine maintenance and security tasks; Because of this, system administrators have the right to access user accounts, including stored information, in order to uphold this policy and to maintain the system."


Fortunately, although it appears pretty much any computer/Internet activity that is conducted in a public educational entity can be monitored, there are some laws that protect a person's privacy. The following federal laws are the most common ones referred to regarding privacy rights:
~Family Educational Rights and Privacy Act (FERPA) 20 USC 1232g (1974)[7]
~Protection of Pupil's Rights Amendments (PPRA) 20 USC 1232h (1978)[8]
~USA Patriot Act, P.L. 107-56 (October 26, 2001)[9]
~Privacy Act of 1974, 5 USC Part I, Ch. 5, Subch. 11, Sec. 552 [10]
~Health Insurance Portability and Accountability Act (HIPAA) [11]
~The Electronic Communications Privacy Act (ECPA)[12]
Most of these laws protect both students' and adults' privacy. However, The Patriot Act actually amends the Family Educational Rights and Privacy Act to allow educational institutions to disclose personal information to the Attorney General if the person is believed to be connected to a terroristic crime. More information on the Privacy Act can be accessed by clicking on the link above.


Privacy Concerns outside the School's Network
With the onset of social networking sites such as Facebook and MySpace, concerns arise as to how private one's personal life is, especially for educators. An example of this is seen in the case of Stacy Snyder vs. Millersville University[13]. Ms. Snyder was denied her teaching degree by the University due to a controversial picture that Ms. Snyder posted on her MySpace page. This case is one example of teachers posting questionable content on their personal sites. Many school districts are now warning teachers to be cautious about their online activities. Some districts have gone as to create policies to regulate the virtual lives of their employees. Whether or not this violates any privacy concerns or First Amendment Rights has yet to be determined.


Web Profiling & Search Engines
Web Profiling occurs when an organization monitors your movement on the Internet, collecting information on the sites you travel to, how long you stay on each page, and what you do on these sites. This information is then entered into a database to create a Web profile. This information can be utilized by marketing firms for advertising. Is this legal? Unfortunately, in most cases, the answer to this is yes. An interesting example of this pertains to search engines. When it comes to search engines, ALL information entered into a search engine is saved. And according to Andrew Brown[14], it is not just information entered in on the search engine that is saved; E-mails, mapquests, account information, etc. So as mentioned in the opening paragraph, most of what we do on the Internet is not private, and there appears at this time, no laws to truly protect one's privacy on the Internet.

Web Publishing Issues[edit]

Many schools have Web sites. Some schools post pictures of their students, students' accomplishments, school newsletters, and other samples of student work on their site. Some districts restrict publishing these documents on their sites. Personal student information that is posted on a school's Web site needs to be explained in a school policy manual such as the student manual policy, the AUP, or some other policy. And any information identifying a student on a school's Web page should not be done without the student and guardian's permission. Information about what one can publish on the school's Web site can be retrieved from a school administrator or technology coordinator in one's district[15].

Copyright Infringement and Plagiarism[edit]

With access to the Internet, both copyright infringement and plagiarism are common concerns that need to be addressed with all persons, including students and adults.


Copyright Infringement occurs when a person inappropriately reproduces a work that is copyright protected. An example of this is installing a single user software program onto multiple computers. Most work that is copyright protected will identify what may be considered appropriate use of that work. If it doesn't, it is best to either receive permission from the owner of the copyright or not use the work at all.[16]


Plagiarism involves stealing the work of someone else and passing it off as your own. [17]


Copyright infringement is illegal. Although plagiarism is technically not illegal, if it is addressed in a school's AUP, then it technocally is illegal at the local organization Since most AUP's outline information pertaining to copyright infringement and plagiarism, it is critical that both students and adults are aware of the legalities pertaining to both, as well as the consequences at both the school level and court level.


Technology, Education, and Copyright Harmonization (TEACH) Act[18]
Although copyright law generally treats digital and non-digital copyright-protected works in a similar manner,special digital uses, such as online distance learning and course management systems, have some exceptions applied to them. These exceptions are addressed in the TEACH Act.


Under the TEACH Act:
• Instructors may use a wider range of works in distance learning environments.
• Students may participate in distance learning sessions from virtually any location.
• Participants have more latitude when it comes to storing, copying and digitizing materials.

Computer Fraud and Abuse Act[edit]

The Computer Fraud and Abuse Act (CFAA)[19] is a law passed by the United States Congress that was designed to reduce cracking of computer systems. It involves instances when a person or persons who commit the following acts:
~Access a computer without authorization in order to obtain national security data
~Intentionally access a computer without authorization to obtain financial records, including consumer records from financial or consumer reporting agencies
~Obtain information from any department or agency of the United States
~Obtain information from any protected computer involving interstate or foreign communication
~Access without authorization a government computer and affect the use of the government's operation of the computer.
~Access a protected computer with the intent to defraud and there by obtaining anything of value.
~Cause the transmission of a program, information, code, or command that causes damage or intentionally accesses a computer without authorization, and as a result of such conduct, causes damage.
~Knowingly and with the intent to defraud,traffic a password or similar information through which a computer may be accessed without authorization.


References[edit]

Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc



Security Awareness

Introduction[edit]

Our rapidly increasing technology including a global network has allowed educators the opportunity to create, communicate and store information in incredible ways. Students have access to instant information. Classes can learn with peers who live on the other side of the globe. School systems can store and access information on students, staff and operational issues with ease.

In addition, many schools/districts are being rewarded grants that allow for the purchase of technology tools to which they otherwise would never have had financial access. Entire districts are being set up with laptops, LCD projectors, and other tech tools including staff training and mentoring for Classrooms for the Future grants. Here is a link that provides information on Classrooms for the Future


Unfortunately, with all of this wonderful technology available, there are several security concerns that arise. It is our duty as school staff members and parents to work together to keep our children safe while using these technology tools. Here is an incomplete list of security issues brought on by technology integration:

  1. Students/staff downloading unauthorized software with viruses
    Kids at computer.jpg
  2. Students, staff or outsiders hacking into confidential information
  3. Staff/students accessing, distributing, and/or downloading illegal material via the school network
  4. Hardware being stolen or damaged
  5. Students/staff using technology communication tools to bully/harass/intimidate/etc. others
  6. Denial of Service (DOS) attacks from outsiders or insiders
  7. Students/staff displaying or sharing passwords

Because of these issues listed above (and more) there is a need to train our staff and students in the area of security awareness. There are important steps for all members of an organization to take in order to keep our school community and network system safe. This wikibook page will attempt to provide security awareness training to both staff members and students of an education organization. Of course, this information is not comprehensive and school administrators need to be aware and proactive in the dissemination of this information. Please see the [Administrator Awareness] section of this wikibook for more information.

Teacher Information[edit]

Teachers have many safety issues to be concerned with when it comes to keeping their students safe. The rise of technology use in the classroom has developed its own set of safety issues. Unfortunately, many (if not most) teachers are not equipped or trained to prevent some basic safety precautions to take with their students when using technology.


Internet Safety[edit]

The Internet is widely used among teachers in classroom projects. Students use it for seeking information quite regularly. Unfortunately, school/district internet filters cannot possibly filter out everything that is bad for kids to see. Due to this problem, teachers are faced with educating their students in using the Internet safely. The Center for Innovation in Engineering and Science EducationCIESE has come up with a web page that is excellent for teaching students and teachers about Internet safety and safety software. TeacherVision is another great site, however it requires a subscription (there is a free trial.)

For your students[edit]

Here are some tips that teachers can use to make sure they are on the right path to keeping their students safe:

  1. Check to see if the school/district has an AUP (Acceptable Use Policy). Most schools/districts do have one.
  2. Read through this policy with your students in plain language that they can understand.
  3. Make sure that students and parents are aware of this policy by requiring them to sign and return the policy stating that they have read it. Your school administrator may have this procedure already in place.
  4. If you have a web page, do NOT post your students names on the page. Use a nickname (or pseudonym).
  5. Student work is great to post. Just make sure that you do NOT have student pictures posted without written consent of the parent/guardian.
  6. Make sure that any content posted on your class web page meets your school’s/district’s AUP requirements.
  7. When teaching lessons requiring internet use by students, provide students with links to reviewed kid-safe sites for that activity to limit searches that result in inappropriate content.
  8. ALWAYS be present when students go online for activities.
  9. DO NOT leave lesson plans for substitutes that require Internet/computer use.
  10. Insist that students do not share their passwords or write them down. Provide consequences for those who do to enforce this policy.
  11. Keep students’ passwords in a protected and secure place such as a personal electronic file which cannot be accessed by students.
  12. Keep computers facing the center of the classroom so that you can always see what is on the screen.
  13. Provide parents with information regarding assisting and monitoring Internet use by their child. A great site to give parents is the FBI’s Parent Guide to Internet Safety.
  14. The following link provides teachers with a great cyberbullying video that all students should watch: Comcast iSafe Video

For yourself[edit]

Here are some tips that teachers can use to keep themselves safe when using the internet:

  1. Familiarize yourself with the section in this wikibook entitled [Legal Issues].
  2. Familiarize yourself with ways that students can hack into a school network system. You can find information by visiting the section in this wikibook entitled [School Hacking].
  3. Make sure you read and understand your district’s/school’s AUP. If you don’t, ask your technology administrator to help explain it to you.
  4. Memorize your network passwords. NEVER assume that a student couldn’t find it somewhere that you think it’s hidden. DON’T leave your passwords around-like stuck to the side of your desk or on your monitor.
  5. Do not trust anyone, including other staff members, with your password.
  6. Log in only when there are no people near your computer.
  7. Do NOT give out personal information including passwords to ANYONE over the phone, even if they say they are with your school’s IT department. This is a good trick played by hackers.
  8. Log out and shut down your computer whenever you leave your room.
  9. Do NOT log in and allow a substitute, student or other staff member to use your computer unless you are right there with them the entire time.
  10. Have a school technician check your classroom computers for the history of websites surfed to make sure no inappropriate sites are being accessed especially if you share a classroom or have a substitute.

Hardware Security/Safety[edit]

Here are tips to help keep your electronic equipment in good condition and safe for students/yourself to use. The following site is also helpful for computer hardware safety and care: PC World Computer Care

  1. Keep all cords out of walkways/aisles. Overheads, LCDs, etc. are costly. Teachers tend to place them in the middle aisle of a classroom with cords easily stepped/tripped on. Take the time to unplug, roll up and store cords.
  2. Wipe down all electronic equipment with a slightly damp cloth every few weeks to keep it free from dust. Electronics tend to gather dust quickly and can damage parts. There are also several products that allow you to clean smudges off your computer screen without damaging it.
  3. Keep all electronics in a locked area/room. Do not give your key to unauthorized users (especially students).
  4. Make sure you monitor student use of any electronic device at all times.
  5. Do not plug electronics directly into a wall socket. A surge protector will go a long way in protecting electronic devices.
  6. Do not allow students to hook up any type of personal (non-school issued) electronic device to school devices.
  7. Do not allow anyone (students or staff) to eat or drink near electronic equipment, ESPECIALLY COMPUTERS!
  8. Do not allow students to download software, use personal jump/thumb drives or use any type of unauthorized disk in the computer without your direct supervision. Software may usually never be downloaded by anyone except the technology administrator in a school system. Check your AUP regarding this topic before you download anything on to a school issued computer.

Student Information[edit]

SafeKids.com is an effective site for finding out lots of information about technology safety for kids including cell phone safety, Internet safety and more. The following list includes some of the tips for safety that this website provides.

Safe at School[edit]

  1. Never give any passwords to anyone (even friends). That includes locker combinations, lunch passwords, Internet passwords, or your student ID number.
  2. Never keep anything expensive in your locker. Locks can be picked/hacked.
  3. Follow the rules of your school. Report any bad behavior to a school official. It’s the right thing to do.
  4. Treat school equipment with respect. It is there for you to use. Why ruin it?
  5. Report bullying. You wouldn’t want it to happen to you. It could happen to even the most popular person you know.
  6. Don’t give out personal information to other students.
  7. Don’t let other students borrow your cell phone, laptop, iPod, etc. They may not treat it like you would, even if they are your friend.
  8. Don't go on internet sites that are not pre-approved by your teacher.
  9. Let a teacher know if someone is cyberbullying you or on a site that you know is wrong or makes you uncomfortable.

Cell Phone Safety[edit]

  1. Don't let other people use your cell phone.
  2. If you can't have a cell phone on you at school, leave it at home. It could get stolen out of your locker.
  3. Talk with your parents about your texting plan and how much it costs or how many texts you can send per month. It can get very expensive for you and your parents.
  4. Don't text back to anyone that you don't recognize and trust.
  5. Some cell phones have GPS systems (locator system). Be careful that you don't give information out or communicate with someone that you don't know or trust. They could locate you.
  6. Do not try and download illegal material (like child pornography) from your cell. It is illegal and can be traced.
  7. Do not bully anyone using your phone and report anyone who may be bullying you (through texts, calling, or web applications)to the authorities or at least to your parents or a teacher.
  8. Do NOT EVER send pictures of yourself or anyone else to someone you don't know or trust.
  9. DO NOT EVER send nude pictures of yourself or others. Those pictures could be accessed forever and put on line for all to see.

Preventing Cyberbullying[edit]

You may want to view this Bullying Video. It is an iSafe video produced by Comcast and can be used as an example of how harmful bullying can be.

Preventing Sexting[edit]

Sexting is referred to as sending nude photos of yourself or others or sending pornographic material to others using your cell phone or other electronic devices. See the Sexting Tips section of SafeKids.com.

  1. It could be a form of bullying. Don't do it.
  2. It is against the law. You can get in big trouble.
  3. Your pictures could get sent to people you don't want them to. They could harass you or post them on other sites.

If you are sending nude photos to others:

  1. STOP. Explain your situation to your parents. They may be able to help you before others report you to the police.

If you are receiving nude photos of others:

  1. DO NOT forward them. It is illegal.
  2. Talk to your parents immediately about the situation.
  3. If a friend is sending them, talk to the friend about the trouble they could get in with the law. The law can track these kinds of things without anyone telling on you.

Preventing Grooming[edit]

Grooming is when people try to form a relationship with a child online or using texting. At first is seems like the adult is nice by saying flattering things to the child or teenager. The adult's goal is to have sex, possible rape and/or hurt the child/teenager. They try to build trust with the young person. Check out the How to Recognize Grooming section of SafeKids.com for some great examples of how these adult predators (pedophiles) try to trick kids and teenagers.

Here are a few safety tips to keep this from happening:

  1. Don't communicate with people you don't know whether it's online, texting, etc.
  2. Tell your parents if a strange person keeps trying to communicate with you.
  3. Someone might tell you that they are a kid/teenager when really they are not. Don't believe what strangers say.
  4. Don't agree to meet with anyone in person unless you are with your parents or guardians.
  5. The online predator might tell you that they have a modeling job, money or other attractive things for you. Don't believe it.
  6. Block messages from strangers, whether they seem like adults, teens or children.
  7. Let your parents know who you communicate with.

References[edit]

  1. http://www.edportal.ed.state.pa.us/portal/server.pt?open=512&objID=475&&level=1&css=L1&mode=2&in_hi_userid=2&cached=true
  2. http://en.wikibooks.org/wiki/Information_Security_in_Education/Administrator_Awareness
  3. http://www.k12science.org/internetsafety.html
  4. http://www.teachervision.fen.com/educational-technology/resource/6007.html
  5. http://web.archive.org/20040929085447/www.fbi.gov/publications/pguide/pguide.htm
  6. http://www.ikeepsafe.org/assets/videos/?vid=Comcast_Ikeepsafe
  7. http://en.wikibooks.org/wiki/Information_Security_in_Education/Legal_Issues
  8. http://en.wikibooks.org/wiki/Information_Security_in_Education/School_Hacking
  9. http://www.pcworld.com/article/14872/hardware_tips.html
  10. http://www.safekids.com/
  11. http://www.safekids.com/sexting-tips/
  12. http://www.safekids.com/how-to-recognize-grooming-2/



Administrator Awareness

The primary target audience for this topic are building level, K-12 administrators. Although K-12, central office, and higher education administrators are not the intended target audience, they may glean some insight from the information presented here.

Threats to Schools[edit]

Conducting research on the role of K-12 administrators in dealing with their schools’ information security will most likely yield very few, if any, results. The reason for the lack of information is most likely that most K-12 administrators simply do not view information security as a top priority. This is not surprising since the job descriptions of K-12 administrators typically do not including monitoring computer network traffic for potential threats or security breeches. Furthermore, this type of training is usually not in the curriculum of principal’s certification programs. Although information security is not a top priority to principals, nor a part of their education, there are ways that principal’s can assist in securing their school’s network.

In order for administrators to make informed decisions, it is necessary to know not only the problem, but its origin. In terms of information security, the origin of the problem(s) can be multifaceted. Most likely, though, the problem is people. According to Schneier (2004), “people often represent the weakest link in the security chain and are chronically responsible for the failure of the security system (p.255).” For the K-12 administrator, this means that the leading prevention for information security concerns is staff development. Although the term staff development typically refers to teacher training, in this case it refers to all staff (secretaries, custodians, aides, etc.) that has access to the schools network. School staff needs to recognize that they play one of the most significant roles in information security.

Among the biggest external threats that involve school personnel are social engineering threats. Social engineering is the act of manipulating people into divulging confidential information.This type of threat can be used quite easily in a public school since most public school employees, while cognizant of student confidentiality, are very willing to assist other school personnel in solving their problems. There are three main types of social engineer schemes pretexting, phishing, and baiting. Each of these types of social engineering can cause major problems for schools.

Threats Defined[edit]

External[edit]

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information. In the case of a school, a call from someone pretending to be in the technology department would be an easy sell to most personnel, especially if at the time of the call the network was not properly functioning.

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business, in the case of a school a fake email from the technology department or administration, requesting "verification" of information and warning of some dire consequence if it is not provided. The fictitious email could ask for passwords or student or personnel information. A teacher could receive an email from the “business manager” requesting updated banking information for direct deposit, or for a social security number. Since school records and software are updated regularly, this type email from a fake business manager would probably not seem strange to an employee.

Baiting is an attack that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware infected CD ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device. In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted school’s internal computer network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted. In order for this attack to be successful at school, the attacker would not need to go to much trouble. Any school employee would be subject to this type of attack since the goal would be to return the “lost” device to its owner, who would be assumed to be a student.

It should be mentioned, however, that social engineering attacks are not the only types of external attacks which could be committed against a school district. Password hacks, port scans, and other attacks are possible, but these would never be seen by a building administrator since (s)he is usually never involved in dealing with these attacks.

Internal[edit]

Internal attacks against a school's network are far more common than external attacks. Most often, internal attacks are committed by students. There are a variety of reasons that students attack their school's network. The most prevalent reason that students give for attacking their school's network is fun. They just want to see if they could do it, and they also want to see what will happen if they do. These students typically do not cause damage to the network. Students who have malicious intent, however, are capable of causing extensive damage to a school's network. On any given day, a student could easily use a Flash Drive, or other device as described above, to plant all types of viruses, malware, spyware, or other dangerous programs on a school's network. Some of these programs have the capabilities of wiping out an entire district's network let alone a single school. The same applies to disgruntled staff who have even more access and more network permissions.

What Administrators Can Do[edit]

There are several ways that administrators can help prevent their schools from being the target of information security attacks. The first step that administrators can take is to do what the title of this Wikibook suggests, be aware. Building level administrators go to work each day with a full plate of responsibilities. Dealing with technology issues is usually not at the top of an administrators "to do" list. This does not mean that they should be in the dark about technology issues. Knowing some of the terminology and taking a proactive role in prevention goes a long way. The same diligence that is given to physical security, should be given to network security.

As mentioned earlier, staff training is the key to prevention. It is absurd to think that staff training will prevent all attacks against a network. Much like the administration, staff need to be aware. Relying on a common sense approach is not enough. Most staff can turn a computer on and off, type a document or make a speadsheet, and surf the Internet. Most are not computer experts and lack the knowledge to see an impending attack or know that they are about to fall victim to a social engineering scam.

Using classroom management software such as Sychroneyes is also a step toward ensuring information security. This type of software allows teachers to view every students' computer screen simultaneously on their computer. The software also allows teachers to disable a student's computer remotely, send instant messages to them, and capture screenshots of what each student is doing. This software, while a very worthwhile tool, is not intended to be a substitute for the teacher. It is still vitally important that teachers circulate the room while the students are using the computers and educate their students on proper comuputer use and safety.

Lastly, a comprehensive student handbook, which includes consequences for computer misuse, and an Acceptable Use Policy (AUP) are essential. Both the student handbook and also the AUP must contain language which specifies how the district's computers and network may be used, who may use them, and when they may be used. As mentioned, the penalties for misuse should be clearly outlined.

References[edit]



Cryptography

Cryptography barnstar.png


What is cryptography?[edit]

A cipher is a way of representing a message by changing it according to some set pattern or method. The method must preserve the meaning to decrypt it meaning to change it back into its original form. Encryption is to write something in a cipher so that only those authorized to do so can decode it and read it. The study of encryption is called cryptography (Lehtinen, 2006).[1]

The basic idea behind cryptotography is as follows: The message, sent in plaintext, passes through a filter to encrypt it into ciphertext. The ciphertext then goes to the receiver who passes it through a related filter to decrypt it and obtain the plaintext (Schneier, 2004). [2]

Encryption has been around for centuries. However, at first is was thought of as something that only pertained to government. For example, in times of war, messages were encrypted in case the soldier carrying the message was captured. In today's modern age of computer, encryption is something that affects every computer user. Instead of physical interception of messages, encryption is used on electronic networks to protect messages against virtual intruders (Lehtinen, 2006). [1]

Cryptography stub.png

Early Ciphers[edit]


Transposition Cipher[edit]

The transposition cipher does not change the letters in a message, but only puts them in a different order.

Example[edit]

The message below is encrypted using transposition. Try to decrypt it: (Answer below)
YAOPRGYHTCPR

Caesar Cipher (rot-3 cipher)[edit]

This cipher takes each letter of the plaintext and replaces it with a letter three letters later in the alphabet. In the case of letters near the end, the alphabet is looped around back on itself, so Z would be replaced by C. (Schneier, 1996). [3]

Caesar3.svg

Example[edit]

The message below was encrypted using the Caesar Cipher. Try to decrypt it: (Answer below)
BHOORZ

Substitution Cipher[edit]

Instead of a preset rule to always substitute each letter with another letter according to a rule such as the Caesar cipher, with a substitution cipher, each time a character is shown, a certain other character is written. All 26 letters of the alphabet are used and there is no overlap. An example may be to send A to T, B to K and so on. Because each letter has a unique mapping onto the ciphertext, in mathematical terms, this particular cipher is called one-to-one. One of the simplest and oldest substitution cipher is to simply write the alphabet forward and then backwards underneath (Gardner, 1972): [4]

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

Example[edit]

The message below was encrypted using the above substitution cipher. Try to decrypt it: (Answer below)
HFNNVI EZXZGRLM
AlbertiDisk1.jpg

The Alberti Disk[edit]

The Alberti Disk is a simple wheel device which provides 26 different substitution cipher alphabets. From the picture to the right, note that the 26 inner letters are in alphabetical order, but that the letters on the outside of the circle are in random order. For two people to send messages encrypted with an Alberti disk, they must have identical wheels (Gardner, 1972). [4]

Example[edit]

The message below was encrypted using the Alberti disks to the right. Try to decrypt it: (Answer below)

PJLBLSKER


Enigma.jpg

Cyclic Cipher[edit]

With the cyclic cipher, a filter is applied to a filter where the master filter is time dependent and the lower filter time independent. There is a regular rule to transcribe one letter to another, such as a rotation. But, rather than a constant rotation, the lower filter which actually encrypts the message is changed each time by the higher level filter. This concept introduces the concept of a key, which is commonly used today. That is, in addition to the knowledge of the method used to decrypt the message (cyclic cipher,Caesar cipher, etc.) one must also know the key in order to successfully decrypt the message. One of the most famous uses of this type of cryptography was the Egnima machine developed in Germany during World War I (Lehtinen, 2006). [1]

Today's Encryption[edit]

Today we are dealing with computers and numbers rather that machines and letters, but today's encryption still proceeds by some of the age-old principals of substitution and transcription. Every encipherment, no matter how complex can be broken down into combinations of simple elements (Singh, 1999). [5]

Icon of two keys on a keyring.png

Keys[edit]

In addition to the knowledge of the algorithm being used, in order to decrypt a message, one must have knowledge of the encryption key(s).

ClockWiseSpiralPath.png

Example (Clockwise Spiral Path)[edit]

To the right is an illustration of an algorithm called a clockwise spiral path (Gardner, 1972) [4]. To decrypt a message using this algorithm, put the groups of letters in the message in the columns of the 4 X 5 matrix. Then follow the arrows to read the message.

EITR MYAD METH TGHU ENXS

Did it work? It should not. That was because you also needed to know the key and know how to use it. The key is FRANK. It represents the order of the columns. Simply translate FRANK into numbers which represent the alphabetical order that the letters in the key appear. Then place the columns in that order in the matrix (table).

Hint: FRANK translates to 25143. (That is A gets a 1, F gets a 2, K gets a 3, N gets a 4 and R gets a 5.) (Solution Below)

Secret Key[edit]

As is seen in the above example, in order to decrypt a message, one must have knowledge of the algorithm used as well as the key. In today's information age, messages are transmitted via networks. Therefore, it is important to keep the key secret from intruders. It should also be noted that all information stored on computers is stored as a series of 0s and 1s or binary. That means that even words are converted and stored as binary. Therefore, today's algorithms are mathematical. To make it harder for intruders to decrypt messages, the algorithms used should be one-way mathematical functions rather than two-way mathematical functions. This is because one-way functions are much harder to reverse (Singh, 1999). [5]

Examples[edit]

Arithmetic symbols2.svg

Two-Way Function (multiplication)

y = ab (a times b)
If y is 6 and a is 2, the function is easy to reverse to calculate that b is 3. (reversed using division)


One-Way Function (modular arithmetic)

y = a mod b
What is a if y = 4 and b = 3?
To answer this question, one must have a knowledge of modular arithmetic which is sometimes referred to as clock arithmetic (Gardner, 1972).[4] y represents the remainder of the division operation.
Example:
7 mod 4 = 3 because 7 divided by 4 = 1 with a remainder of 3
15 mod 2 = 1 because 15 divided by 2 = 7 with a remainder of 1
12 mod 5 = 2 because 12 divided by 5 = 2 with a remainder of 2
Therefore you can see that there can be several answers to the above question:
4 mod 3 = 1
10 mod 3 = 1
16 mod 3 = 1
31 mod 3 = 1

Using the concept of a a secret key, Bob and Alice exchange information. The information is not the key, but used in a one-way function to establish a key. Therefore, even if Eve intercepts the information, she still does not have access to their secret key.

Ombrellino-keys.svg

Public Keys[edit]

The encryption methods mentioned so far have been symmetric. That means that the unscrambling process is the opposite of the scrambling process. With symmetric encryption, the same key is used both to encrypt and decrypt a message. With asymmetric encryption, the encryption key and the decryption key are different. The decryption key, known as the private key, is used to decrypt a message. The encryption key, known as the public key, is used to encrypt a message. In addition, it is published so that it is available for everyone to see (Singh, 1999). [5]

Encryption Strength[edit]

The technique or rule selected for encryption is known as the encryption algorithm. Most encryption techniques use rather simple mathematical formulas using functions such as modular arithmetic, but applied to very large numbers and in conjunction with other functions. The type of encryption algorithm, the secrecy of the keys and a number of other characteristics together form what is referred to as the strength of the encrypted message (Lehtinen, 2006).[1]

Asymmetric cryptography - step 2.svg

Cryptography in Education[edit]

Currently, most schools use computers to store academic files as well as personal information about students and employees. Encryption can be an effective way to protect this information. Schools, in fact, are bound by several laws and regulations regarding the security of student information. Cryptography is core to this security (Schneier, 2004).[2]


FERPA[edit]

FERPAstands for the Family Educational Rights and Privacy Act of 1974. This federal law governs the privacy and handling of educational records. Under this law, non-directory information which includes such information as ethnicity, grade point average and test scores is considered private information. This information is not to be released to anyone without written consent from the student (FERPA, 1974). [6]

PPRA[edit]

PPRA stands for Protection of Pupil Rights Amendment. This amendment "seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals information concerning:

Political affiliations;
Mental and psychological problems potentially embarrassing to the student and his/her family;
Sex behavior and attitudes;
Illegal, anti-social, self-incriminating and demeaning behavior;
Critical appraisals of other individuals with whom respondents have close family relationships;
Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; or
Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program)." [7]

Therefore the confidentiality of student information is imperative.


Key-crypto-sideways.png

Answers to Ciphers[edit]

Transposition Cipher[edit]

CRYPTOGRAPHY

Caesar Cipher[edit]

YELLOW

Substitution Cipher[edit]

SUMMER VACATION

Alberti Disk[edit]

THIS IS FUN


ClockWiseSpiralPathSolution.png

Clockwise Spiral Path[edit]

MEET ME THURSDAY NIGHT


References[edit]

  1. a b c d Lehtinen, R., Russel, D. & Gangemi, G. (2006). Computer Security Basics. Sebastopol, CA: O'Reilly Media, Inc.
  2. a b Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc.
  3. Schneier, B. (1996). Applied Cryptography. New York, New York: John Wiley & Sons. Inc.
  4. a b c d Gardner, M. (1972). Codes, Ciphers and Secret Writing. New York: Dover Publications, Inc.
  5. a b c Singh, S. (1999). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. New York, New York: Random House, Inc.
  6. FERPA. (1974). Retrieved April 19, 2010 from https://sa.uab.edu/enrollmentservices/ferpa/
  7. PPRA. (2005). Retrieved April 19, 2010 from http://www2.ed.gov/policy/gen/guid/fpco/ppra/index.html



Security Regulations

1 ethan t.jpg


Introduction[edit]

Today's schools face numerous regulations, guidelines and protocols that must be met in order for the students, faculty and staff to safely utilize networked resources. Along with meeting these regulations in order to be in compliance, meeting these same regulations can also directly impact access to state and federal technology monies. Two significant laws and corresponding guidelines that schools must be in full compliance with at all times are the Children’s Internet Protection Act and The Family Educational Rights and Privacy Act. A third law, the Health Insurance Portability Accountability Act can also come into play in certain school settings.


Key Terms[edit]

A national and local Record is a compilation of records, files, documents, and other materials that contain information directly related to a student and maintained by educational agencies or institutions, or by individuals acting on behalf of the agencies."

Confidentiality refers to your obligation not to disclose or transmit information to unauthorized persons.

Privacy is a uniquely personal right that reflects an individual’s freedom from intrusion.

Security refers to technical procedures that ensure that only authorized and intended parties have access to data.

Disclosure includes permitting access to, revealing, releasing, transferring, disseminating, or otherwise communicating all or part of any individual record orally, in writing, or by electronic or any other means to any person or entity.

Protection Principle: Information users should use appropriate technical and managerial controls to protect the confidentiality and integrity of personal information. (1997). [1]

Regulations, Guidelines, Protocols[edit]

CIPA[edit]

"The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes certain types of requirements on any school or library that receives funding for Internet Access or internal connection from the E-rate program-a program that makes certain communications technology more affordable for eligible schools and libraries"(CIPA, 2001).[2] At the beginning of 2001, the Federal Communications Commission issued a set of rules that would be used by the FCC to implement CIPA in all E-rate funded schools and libraries. These rules required all funded schools and libraries to have an Internet Safety Policy that included technology protection measures that address such issues as the filtering and blocking of content by means of email, chat rooms or other means of electronic communications. The protection measured used must specifically block access to content or pictures that are deemed obscene, child pornography or harmful to minors. All schools must include this Internet safety policy (including these technology protection measures) in their application for funding. Prior to adopting this policy, schools are also required to "provide reasonable notice and hold at least one public hearing" (CIPA, 2001).[2] regarding this policy and plans to adopt it. The CIPA regulations do not affect the E-rate funding received by schools for such things as telecommunications or telephone service.


COPPA[edit]

The Children's Online Privacy Protection Act, effective April 21, 2000 regulates the collection of personal information about children under the age of 13 by websites accessed by children through a school Internet connection. According to COPPA, all website hosts must have a clearly stated privacy policy that states the requirement of parental permission before collecting personal information about a student.

"The Children's Online Privacy Protection Act and Rule apply to individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. The Act and Rule also cover other types of information -- for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms -- when they are tied to individually identifiable information"(COPPA, 2000).[3]

All website operators must post a notice of their information gathering processes on the home page of their website and a notice containing the same information must be given to parents prior to their signing of a consent form. Parental consent can be obtained by email for internal uses of personal information only. All external uses of this information require a signed consent form.

There are several exceptions to this policy. According to COPPA, "prior parental consent is not required when: an operator collects a child's or parent's email address to provide notice and seek consent; an operator collects an email address to respond to a one-time request from a child and then deletes it; an operator collects an email address to respond more than once to a specific request -- say, for a subscription to a newsletter. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication to a child; an operator collects a child's name or online contact information to protect the safety of a child who is participating on the site. In this case, the operator must notify the parent and give him or her the opportunity to prevent further use of the information; an operator collects a child's name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose"(COPPA, 2000).<refname="COPPA"/>

All new requests for personal information require a new signed consent form. Parents may choose to revoke their consent at any time and direct the operator to delete all previously collected information. The Federal Communications Commission may at any time "bring enforcement actions and impose civil penalties for violations of this rule"(COPPA, 2000).[3]


FERPA[edit]

"The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C 123g: 34 CFR Part 99) is a Federal Law that protects the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children's educational records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom rights have transferred are eligible students"(FERPA, 1974).[4] Under this law, parents and students have the right to: inspect and review the students educational records maintained by the school; request that the school correct records which they believe are incorrect or misleading; decide when and to whom their educational records are released.

Under the FERPA regulations, schools must have written permission from a parent or eligible student to release any information pertaining to the students academic records. Schools do however have the right to release these records without written consent to: school officials with a valid educational interest; schools to which a student is transferring; school officials for purposes of audits or evaluations; appropriate parties regarding financial aid to the student; accrediting organizations; organizations conducting studies on behalf of the school; to comply with judicial orders; state and local authorities or the juvenile justice system according the state law (FERPA, 1974).[4] Schools may also disclose, without the consent of the parent or eligible student, directory information related to students: name; address; telephone number; date and place of birth; honors and awards; dates of attendance (FERPA, 1974).[4]

Schools must inform a parent or eligible student of the plan to release this information prior to doing so in order to allow the parent or student a "reasonable amount of time to request that the school not disclose directory information about them" (FERPA, 1974).[4]


Palm IIIxe PDA.jpg

HIPAA[edit]

The Health Insurance Portability and Accountability Act governs how school health services may share student health information with other parts of the school community. In October, 2004, the acting regional director of the U.S. Department of Health and Human Services noted in a letter to his staff that these health records are actually considered part of a student’s educational records and therefore should be covered by the FERPA laws. As a result of this letter, there was confusion on the part of schools and school health services staff. In November 2008, a joint guide published by the United States Department of Health and Human Services and the United States Department of Education helped to clarify these apparent dual regulations and where they were to be applied. According to this guide entitled, "Joint Guide on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Records," These two departments joined forces in an attempt to clarify once and for all where each of these laws could be rightly applied in a K-12 school setting. What this guide stated was that, because student medical records are part of a student’s educational records, a school is not required to follow the guidelines identified under the HIPAA laws. They are mandated however; to follow all rules and regulations of the FERPA laws because these records are student educational records. Some exceptions to this approach would be adolescent mental health facilities that also provide an educational component and, private schools who do not directly receive educational technology funds.

The common denominator in all of these laws and corresponding regulations is the importance of a comprehensive Information Security Plan. This plan must address all potential threats that could keep the school from being in full compliance with these regulations; especially if they wish to seek federal technology monies such as those available through the E-rate program. All schools receiving federal funds through programs such as the E-rate program must provide an Information Security Plan (including an Acceptable Use Policy) as part of the application process.

Protecting Student Records[edit]

The protection of student data is a significant responsibility of a school or district administrator, as well as school medical staff. Access to a student’s educational records (including health information) should only be granted to the administrator, nurse, parent and student. Access by other parties is not permitted unless specific disclosure permission is granted by the minor students’ parents or student who is over 18 years of age and identified as the eligible student. While the restriction of access can be managed by keeping student records in a locked file cabinet and file room in the school administrative and medical offices, this same level of security can be more difficult to manage when these records are kept in an electronic format. As stated previously, there is confusion regarding which regulations apply when the student records in question are medical records. This lack of clarity can be further muddied when the school nursing staff comes from a contracted outside medical agency. In this and all situations pertaining to student medical records, it is advisable to comply with both the HIPAA and FERPA regulations.

Along with the need for strict security measures to protect student data transmitted over a school or district wired Ethernet network (through such means as encryption of data, network firewalls etc),there is also the need to protect information that may be transmitted over wireless devices as well. Any wireless device used by medical personnel in a school setting would fall under the standards identified by Lehtinen(2006)as TEMPEST.[5] Lehtinen defines TEMPEST as Telecommunications Electronics Material Protected from Emanating Spurious Transmissions and these standards apply to the electronic transmission devices utilized by those staff members who are transmitting HIPAA protected data. All electronic transmission equipment used in a HIPAA compliant setting must meet and be approved by these standards. Because of the level of suppression in these devices, they are often larger, heavier and more costly than those available to general consumers. In order for school and medical facilities to be HIPAA compliant, these devices must be used when transmitting student medical data.


As educational technology leaders in a school or district, it is our responsibility, in concert with school and district administrators and medical staff, to make sure that all technology utilized within the school network is CIPA, FERPA and HIPAA compliant. This level of compliance should be stated in the Information Security Plan and, appropriate repercussions for non-compliance on the part of school personnel should be clearly spelled out in the district or school policies and faculty and staff handbook. All school personnel must indicate that they have read and clearly understand these policies before they sign their Acceptable Use Policy contracts.


References[edit]

National Association of School Nurses. (2004). School Health Nurse’s Role in Education: Privacy Standards For Student Health Records. Retrieved from http://www.nasn.org/Default.aspx?tabid=277

Schneier, B. (2000). Secrets & Lies: Digital Security in a Networked World. Indianapolis, Indiana.: Wiley Publishing, Inc.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191 guidelines found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf

  1. National Center for Education Statistics, National Forum on Education Statistics. (1997). Protecting The Privacy of Student Records. Retrieved from http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=97527
  2. a b The Children's Internet Protection Act of 2001, Pub. L. 106-554 Sec. 1732. found at http://www.fcc.gov/cgb/consumerfacts/cipa.html
  3. a b The Childrens Online Privacy Protection Act of 2000. Found at http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm
  4. a b c d The Family Educational Rights and Privacy Act of 1974 20 U.S.C. § 1232g; 34 CFR Part 99. found at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
  5. Lehtinen, R., Russell, D. & Gangemi Sr., G. T. (2006). Computer Security Basics.



Authentication

Desktop computer clipart - Yellow theme.svg

“Passwords are often the first (and possibly only) defense against intrusion.” MacGregor (2002)[1]


Introduction[edit]

Many institutions and businesses invest large sums of money to create and ensure a secure computer system for all its stakeholders. Outlays of monies bring together hardware, software, policies, procedures, physical parameters, and training to construct a fortress of protection for its data, network, and, ultimately, its mission. Without the sense and assumption of a secure computer network, revenues would be lost, data compromised, and secrets unfolded.

But every system relies on identification and authentication of the user. The system would not have been built if not for the intention of users to access and use the system, whatever that system may offer to the users. Almost always is a user accessing the system from a remote area away from the system’s administrators. They need to have a way to identify each user and authenticate that the user’s digital identity matches the physical user sitting in front of the computer or server is mandatory. Add to this drama that the user is human. This very nature is what may bring down and create the weakest link in the strongest fortress. As Schneier (2000)[2] stated, "Think of security… as a chain. The security of the entire system is only as strong as the weakest link." That weakest link is many times the user of the system; unlike the human in the food chain, where man takes a prominent stand, in the access and security of computer networks, the human is many times the weak prey or entry point to what is secure with the assumption that the right users are identified and authenticated.

Crystal Project Password.png

Username/Password Combinations for Identification & Authentication[edit]

A common way to authenticate users is to assign each authorized user of a specific system a unique username/password combination. The username identifies the user and the password authenticates him; in other words, a human user proves his/her identity is true to the nonhuman system. A password is “a word, a phrase, or combination of miscellaneous characters that authenticates the identity of the user” (Granger, 2002)[3]. However, the only matter that is sure is that the username and password combination agrees with a username/password combination in the system’s database of valid and authorized users. If the user logs into the system remotely, the only element that the system is sure of is the combination entered matches a stored combination for a user of the system.

Rubens (2008)[4] emphasized that the Gartner research house reported 94% of businesses only require a username/password combination to log into their respective computer systems. That popularity and reliance illustrates a lot of commercial trust in the simple philosophy of identification and authentication of access. Passwords are a simpler and cheaper security measure compared to other security hardware and software. Passwords can protect users’ personal information such as private documents, financial data, identity data, or social security numbers. Passwords can also protect professional data, which could mean intellectual property, trade secrets, financial data, human resource records, or customer information. The access or loss of any of this data in the hands of the wrong party could be detrimental and disabling to the person, the profession, or the proprietor.

As Schneier (2008)[5] cautioned, “The problem with passwords is that they’re too easy to lose control of. People give them to other people. People write them down, and other people read them. People send them in email, and that email is intercepted. People use them to log into remote servers, and their communications are on. They’re easy to guess. And once that happens, the password no longer works as an authentication token because you can’t be sure of who is typing that password in” (240)[5].

The commonality in all of these passwords flukes is “people”—humans with that imperfect human nature that corporations trust their most valuable asset to in the security framework.

The popularity of username/password combinations reveals the reliance corporations and institutions have on people keeping their passwords private. Considering the unpredictable and imperfect human nature of people, the key to security with username/password combinations is educating and training the users to exercise a regimen that safeguards and secures accurate identification and authentication of the user.

Computer.png

How Can Passwords be Uncovered[edit]

Passwords can be found out by guessing or uncovering passwords to gain unauthorized access to computers or the information on those computers. This process is referred to as password cracking. Granger (2002)[3] stated the most popular ways people crack passwords are:

  • Using a word list or dictionary attack software
  • Using password crackers (one example is Packetstormor Top Ten Password Crackers)
  • Password sniffers – looking at data as it travels through a network or internet with the existence of vulnerabilities, and since passwords are only as strong as their human creators and users, people must be educated to practice habits to keep passwords strong, private, and secure.
  • Social engineering – human element where one person cons another to give up personal information such as usernames and passwords
  • Reckless password behavior by user

Securing Passwords with Secure Practices[edit]

Password.svg

Some secure password practices are built on commonsense where others take on a more systematic framework. Schneier (2009)[6] encourages the following password advice:

  • Most important advice? Use a password manager which is an application that keeps track of and manages a user’s passwords.
  • Change passwords frequently.
  • Do not reuse old passwords.
  • Have a scheduled date to change passwords. Password managers can assign expiration dates to passwords and send reminders when to change them.
  • Always keep passwords secret. Users should not document their passwords manually or digitally. Trust no one with a username/password combination.
  • Do not use passwords that consist of dictionary words, birthdays, common series such as sequential numbers or repeated characters.
  • Do not use the same username/password combination for more than one site.
  • Do not allow a computer to log on or boot up automatically or allow applications to have stored passwords where the user is logged in for a specified amount of time.
  • Do not log into user accounts on another person’s computer in case there is a key logger installed.
  • Do not access web sites that require a log in over wireless Internet connection unless the https protocol is used.
  • Do not log into an account via a link in an email in case it is a case of phishing. Enter the normal URL, Uniform Resource Locator, in the web browser to check the identity of the party asking for information.

Password Tips for BlackBerry Users[edit]

The BlackBerry devices have been touted to perform with the most secure mobile platform (Sacco, 2010)[7]. RIM, the company that manufactures Blackberry devices, has invested time and monies to equip their products with secure and strong infrastructure, software and security certificates. However, as Sacco (2010)[7] stated, this does not cover the security or lack thereof practiced by the Blackberry user. In the occurrence of a stolen or lost BlackBerry device, the security of the devince and data on the machine depends upon the security practice of the human owner of the phone.

Sacco (2010)[8] encouraged five guidelines, two of which deal with passwords, for mobile owners to use when safeguarding their BlackBerry and its information.


  • Enable password-protection on a BlackBerry, if the corporation has not done so before assigning the corporate phone in your possession and use:
  • Open Blackberry Options menu, scroll down to and click the word Password
  • Select Password field and then enable option with pop-up box
  • Click on Blackberry Escape key, save changes, and enter password (minimum of four characters for Blackberry phones)
  • Confirm new password by typing it again
  • Blackberry phone is now locked
  • Type password to unlock BlackBerry after password-protection has been enabled
  • Additional password security features are available on Blackberry phones such as:
  • Specify number of password attempts
  • Choose a security timeout period
  • Mandate use of password when downloading new applications
  • Use the Password Keeper application on Blackberry mobile devices which stores all user passwords by entering a password to open this application:
  • Open Password Keeper application on BlackBerry
  • Create a password to protect all your other passwords
  • Choose a password that is difficult to guess since this password safeguards all the user passwords
  • To enter and log each user password:
  • Click on Blackberry Menu key, choose New to log a password
  • Type information for Title, Username, Password, Website, Notes for each password to be saved
  • After all passwords have been saved, the user opens the Password Keeper app and enters the master password to access passwords stored on the device
  • Password Management Tips for iPad & iPhone[edit]

    Wagner (2010)[9] placed on top of his list of new applications available for iPads, the newest of the Apple computer devices, 1Password. This application, developed by Agile Web solutions, is password management software. This software is also available on iPhones.

    Without this specific application, an iPad owner may still password-protect applications by designating password entry prior to using applications (Brandon, 2010)[10].

    • This password protection can be activated on the iPad:
    • Settings > General > Restrictions
    • Press Enable Restrictions
    • Type a difficult to guess four-digit number password (never use birthdates, street address phone numbers, social security digits, or phone numbers.
    • Turn on restrictions for applications that the user would like protected
    • If the application needs a password to use it, such as iTunes, the user will have to type in two passwords (Password protection's password and specific application's password).

    Password Protection Feature in Firefox Web Browser[edit]

    Mozilla Firefox logo 2013.png

    Firefox, a web browser, provides the user with a password-protection feature call Master Password. When a user opens Firefox for the first time, the web browser prompts the user for a password. With the awareness of phishing, a fraudulent conspiracy to contrive a user’s sensitive information, unbeknown to the user, has made many people wary of pop-up windows asking for our passwords, usernames, etc. Horowitz (2010)[11] advises to use a [2] FreeOTFE or TrueCrypt container. These are open source encryption software programs that works on all platforms by creating a virtual encrypted disk to protect a user’s information.

    Facebook and Passwords[edit]

    Facebook.svg

    Facebook, a social networking site that to date has over 400 million users, provides their members quality and strong security information (“Statistics”, Facebook, 2010)[12]. What is beneficial of Facebook purporting secure measures and practices of their users is that many of this social network site’s users are young adults, which supports many of the same security guidelines concerning passwords students learn in high schools and colleges.

      Some of these guidelines include:
    • Use different passwords for different online websites
    • Be cautious of where a user enters his password. Pay attention to the URL of a website. Additionally, copy and paste that URL into a new web browser window to check the requester's digital source.
    • Do not share passwords with anyone; no one should ever ask for a password if the organization practices good security principles
    • Use difficult passwords that would be hard to guess; make sure a password is not contrived with obvious information about user.
    • Create passwords that have a combination of lower and uppercase alpha characters, numeric characters, and symbols (“Facebook Security”, Facebook, 2010)[13]

    Microsoft Online Safety Password Advice[edit]

    Microsoft logo (1987).svg

    Password strength is determined by a combination of different types of characters, the length of a password, and if it does not make a dictionary match (Microsoft, 2010)[14].


      Microsoft, one of the top the international computer technology corporations, offers users recommendations for creating strong passwords:
    • Use passwords with 14 characters or more
    • Use variety in characters (alpha, numeric, symbols)
    • Use the entire keyboarding; do not only use characters that are often utilized
    • Another key element is to create a password using the above guidelines, which a user can remember and not write down due to its difficulty.
    Microsoft)[14]. Microsoft offers the following advice to remember long passwords:
    What To Do: Suggestion: Example:
    1. Start with a sentence or two (about 10 words total).Think of something meaningful to you.Long and complex passwords are safest. I keep mine secret. (10 words)
    2. Turn your sentences into a row of letters.Use the first letter of each word.lacpasikms (10 characters)
    3. Add length with numbers.Put two numbers that are meaningful to you between the two sentences.lACpAsIKMs (10 characters)
    4. Add complexity.Make only the letters in the first half of the alphabet uppercase.lACpAs56IKMs (12 characters)
    5. Add length with punctuation.Put a punctuation mark at the beginning.?lACpAs56IKMs (13 characters)
    6. Add length with symbols.Put a symbol at the end.?lACpAs56IKMs" (14 characters)
    Microsoft Create a Strong Password that You Can Remember Table)[14].  
    

    After the user constructs a password with the above steps, the user can check the password’s strength and, thus, its safety, by using a Password Checker application offered by Microsoft[14]. It should be pointed out that the password examples users enter is not stored on this site maintained by Microsoft. Each password is checked on the person’s computer and not the Password Checker by Microsoft[14].

    After a user creates a strong password, the security of the data the password protects will not be ensured if the user does not put into practice and habit ways to keep that password safe and private.

    • Five tips Microsoft (2010)[14] advices to safeguard a strong password are:
    • Never provide a password to a request made digitally, by email or in pop-up windows.
    • Do not type in a personal password on a computer that is owned by another person or is a public use computer. Other computers can have key loggers installed to capture guest user passwords.
    • Never tell another person your password face-to-face or over the phone. Be cautious of social engineering; people who pose as professionals asking for your password to troubleshoot possible problems in your account (Schneier, 2000)[5].
    • Protect recorded passwords in a safe and secure place. Never store passwords on a computer that one owns.
    • Use more than one password on different web sites.

    Enabling Firmware Password Protection in MAC OS X[edit]

    Apple Computer Logo rainbow.svg

    Open firmware password protection is turned off by default, but provides password protection on MAC computers that have MAC OS X version 10.1 or later operating system installed. This software only allows a computer to be started from the volume that the user with the correct password designates as the startup volume. For the firmware password to work securely, there must be strong effort by the user to create a safe and strong password as a physical security measure (apple, 2010)[15].

    Full instructions and features of this password protection application can be found at the apple site.

    A list of firmware updates is available.

    Open Firmware Password 1.0.2 download is available.

    How to Protect Unattended Computer[edit]

    Crystal Project computer.png

    How does a user protect his computer after he logged on to his computer and walks away, that someone does not sit down to use his/her computer? One way is to set a screen saver password on a Windows or GNU/Linux PC or laptop.

      The directions to do this on Windows are:
    • Right-click the desktop > choose Properties > click on Screen Saver
    • Click on Password-protected > Change
    • Enter a secure password > click OK > click Apply > click OK

    The best way to keep a computer safe is to shut it down when one walks away from his/her computer.

    Better Password Practices[edit]

    Vista-password.png

    Granger (2002)[3] stated that the simplest security of all is in the control of the weakest link in the computer network, humans. If humans practice better, more private password habits, the infrastructure that is planned, constructed, and implemented has a better chance to be secured.

    • Granger proposed the following best practices for securing passwords:
    • Do not use proper nouns, dictionary words, or foreign words, either in its spelling order or typed backwards
    • Do not use personal information such as first, last, or middle names of self or family or friends, pets’ names, street address, phone number, or any other data that is uniquely the user’s information
    • Create a password that has length, width and depth. Length represents the number of characters used in a password. Granger (2002) recommended six to nine characters. Width pertains to the combination of different kinds of characters, meaning alpha, numeric, upper case, lower case, symbols. It is recommended to have at least one of the following types of characters:
    • upper case letters
    • lower case letters
    • numbers
    • special characters such as symbol and punctuation
    • alt characters such as µ, £, Æ
    • Depth in a password means to have a password that has meaning, but hard to guess. This can be done when the user thinks about phrases and mnemonics instead of words. One example of this can be found on the University of Michigan’s (2009)[16] Information and Technology Services web site:
    • Make a strong and memorable password by using the first letter of the words in a phrase, in combination with the other stated criteria. For example, "Four score and seven years ago our fathers brought forth" becomes 4S&7yaofb4th.
    • Use different passwords for different web sites
    • If able, find ways to add encryption or a one-time password capability to log-in passwords. The latter requires a user have a password generator, a password list, or a secure card.
    • Password generator
    • Switching to a Smart Card (password) directions
    • Encryption (PGP)
    • Never disclose passwords to any other party by email, phone, or face-to-face interaction.
    • Never write down a password. Commit it to memory. If one must write something down to remember a password, write a hint to the password, and not the password itself.
    • Change passwords at a regular interval. The more sensitive the information the password protects, the more often the frequency of change or shorter the interval
    • Do not let anyone watch or stand behind the user when typing a password

    Dr. Tim Tyson, an educational consultant and retired middle school principal, offers this advice in his Practical Practice blog: Spring Cleaning: Password Security and Organization.

    Teaching Students Better Password Practices[edit]

    Computer lab.jpg

    It is mandatory when teaching students about their responsibilities on the school network, in conjunction with the district's acceptable user policy, that we as educators teach and emphasize good password practices. This begins in the K12 level and continues into higher education. The following colleges and universities have specific password protocols, procedures, and education pages teaching students to practice better password guidelines.


    At the K12 level, teachers can teach better password practices to students as part of the curriculum and security measure of the district's Acceptable User Policy.


    Password Practices to Ponder
    Any password can be "cracked". Create a password that is hard to guess.

    Notice how easy it is to find out a password for entry. Whether it is a manual "trial and error" or a digital "trial and error", the best defense to data security is to follow best practices to create and safeguard a password.

    Media:Electronic_lock_yl88_operation.ogg

    References[edit]

    Computer Display.svg
    1. MacGregor, T. (2001, May 13) “Password Auditing and Password Filtering to Improve Network Security”. SANS Institute. Retrieved April 13, 2010 from http://rr.sans.org/authentic/improve.php
    2. Schneier, B. (2000). Secrets and lies: Digital security in a networked world. Indianapolis, ID: Wiley Publishing, Inc.
    3. a b c Granger, S. (2002, January 17). “The simplest security: A guide to better password practices”. Symantec Security. Retrieved April 9, 2010, from http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices Invalid <ref> tag; name "Granger" defined multiple times with different content Invalid <ref> tag; name "Granger" defined multiple times with different content
    4. Rubens, P. (June 2008). User authentication beyond the password. QuinStreet, Inc. Retrieved April 1, 2010 at http://www.enterprisenetworkingplanet.com/netsecur/article.php/3756206
    5. a b c Schneier, B. (2008). Schneier on security. Indianapolis, ID: Wiley Publishing, Inc. Invalid <ref> tag; name "Schneier" defined multiple times with different content Invalid <ref> tag; name "Schneier" defined multiple times with different content
    6. Scheier, B. (2009, August 10). Schneier on security [Msg 1]. Message posted to http://www.schneier.com/blog/archives/2009/08/password_advice.html
    7. a b Sacco, A. (2010, March 2). Five tips to keep your Blackberry safe. Computer World. Retrieved March 30, 2010 from, http://www.computerworld.com/s/article/print/9165238/Five_tips_to_keep_your_Blackberry_safe?taxonomyName=Security&taxonomyId=17 Invalid <ref> tag; name "Sacco" defined multiple times with different content
    8. Sacco, A. (2010, March 2). Five tips to keep your BlackBerry safe. Computer World. Retrieved March 30, 2010 from, http://www.computerworld.com/s/article/print/9165238/Five_tips_to_keep_your_Blackberry_safe?taxonomyName=Security&taxonomyId=17
    9. Wagner, M. (2010, March 23). Apple’s Ipad: Developers discuss their plans for apps. [Msg 1]. Computer World Blogs. Message posted to http://blogs.computerworld.com/15800/ipad_apps
    10. Brandon, J. (2010, April 9). 50 really useful iPad tips and tricks. Apple News. Retrieved April 11, 2010 at http://www.techradar.com/news/computing/apple/50-really-useful-ipad-tips-and-tricks-682306
    11. Horowitz, M. (2010, March 3). Trust no one and how it applies to Firefox passwords. [Msg 1]. Computer World Nlogs. Message posted to http://blogs.computerworld.com/15687/trust_no_one_and_how_it_applies_to_firefox_passwords
    12. “Statistics”. (2010). Facebook. Retrieved on April 13, 2010 from, http://www.facebook.com/press/info.php?statistics
    13. “Facebook Security”. (2010). Facebook. Retrieved on April 10, 2010 from, http://www.facebook.com/security?v=app_4949752878#!/security?v=app_7146470109
    14. a b c d e f Microsoft. (2010). Microsoft online safety and privacy education. Retrieved April 14, 2010 from, http://www.microsoft.com/protect/ Invalid <ref> tag; name "Microsoft" defined multiple times with different content Invalid <ref> tag; name "Microsoft" defined multiple times with different content Invalid <ref> tag; name "Microsoft" defined multiple times with different content
    15. Apple. (2010). “Setting up firmware password protection in MAC OS X”. Retrieved April 10, 2010 from http://support.apple.com/kb/HT1352
    16. Information and Technology Services. (2009, October). “ITSDocs: Choosing and changing a secure UMICH password”. University of Michigan. Retrieved April 16, 2010, from http://www.itd.umich.edu/itcsdocs/r1162/#protect

    Contact Writer: Mwiscount (talk) 12:52, 18 April 2010 (UTC)



    Professional Development

    Professional Development in Computer Security[edit]

    Introduction[edit]

    The administrators and users of a computer network represent the greatest vulnerability to the system (Lehtinen, Russell & Gangemi, 2006).[1]. One of the strongest defenses against compromised security is to train and inform the staff of an institution. This chapter will focus on why users pose a large threat; it will also expand on many topics that can be the focus of professional development. These topics include but are not limited to explaining an institution's Acceptable Use Policy (AUP) in plain English, explaining proper system access etiquette and the description of a phishing scam.

    The Weakest Link[edit]

    Figure 1

    The human factor in information security is known as the weakest link in computer security (Schneier, 2000) [2] Many security breaches occur as a social engineering attack. “In this type of attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems”(Schneier, 2000. pg. 266)[2]. An example of using social skills to attack a network might be for an attacker to send an e-mail to the employees of an institution telling them to clickhere.exe and receive a $10 coupon to a local coffee shop. The user will open the e-mail and download the attachment. At this time, a virus or a worm may be infecting their computer and since the user's computer is networked, the entire network may be infected in a matter of minutes. The link that was downloaded and caused an entire network to go down for hours or days may have been saved if the user was educated on how a virus comes to them from an external source.

    Like Figure 1, security is a chain, but if any of the links in that chain are broken, the entire system may be vulnerable (Schneier, 2000)[2] experts in the field believe that social engineering will always work because humans inherently want to trust. Humans will trust if they believe that the ‘attack’ is coming from one of their contacts or friends. A good example of this was the “ILOVEYOU worm of the 1990s cloaking itself in an e-mail from people the recipient knew” (Schneier, 2000, pg. 268)[2]. Future attackers will come up with new and creative ways of hiding viruses and worms. Scam artists will develop new ways of receiving personal information from people in the digital world. The key to protecting a system is to continually educate the users giving them up-to-date information.

    Training Topics[edit]

    Acceptable Use Policies In Plain English[edit]

    Before a staff member is asked to read and sign an institution's AUP, it is a good idea to share real-world examples with them. Professional development opportunities during the school year provide time for administrators or presenters to share incidents that may have occurred at neighboring educational institutions. This technique may allow staff members to understand where many of the policies originate from when creating the district's AUP.

    ScrabbleTMAUP.JPG
    Real-World Examples[edit]

    1. Middleton-Cross Plains teachers served suspensions for inappropriate emails [3]

    2. Teacher Fired for Inappropriate Behavior on MySpace Page [4]

    3. Teacher Placed On Leave For Inappropriate Behavior [5]

    4. Inappropriate school computer use contributed to the death of Phoebe Prince [6]

    5. This is not a newsflash: Teachers use social media too [7]

    6. Inappropriate Student-Teacher Relationships Online [8]

    7. Teacher Arrested for Inappropriate Texts, Touching [9]

    8. Broken Trust: Inappropriate student-teacher relationships [10]


    Some Acceptable Use Policies use vocabulary terms that can be confusing to users. The following section defines some confusing terms.

    Vocabulary[edit]

    1. Executable Files

    An executable file is any file that ends with the extension of '.exe'. When a user clicks on an 'exe' file, a built-in routine automatically executes code that can set several functions into motion. Exe files are used to install and run programs and routines (Kayne, 2010).[3] Executable files are particularly dangerous because a virus or a worm can infect your computer through this application.


    2. Virus

    A Computer Virus is a program that can copy itself and infect a computer without the permission or knowledge of the user. A Computer Virus has two major characteristics: the ability to replicate itself, and the ability to attach itself to another computer file. Every file or program that becomes infected can also act as a Virus itself, allowing it to spread to other files and computers (Antivirus Ware, 2010). [4]. Viruses behave in different ways. Some viruses stay active only when the application it is part of is running. Turn the computer off and the virus is inactive. Other viruses will operate every time you turn on your computer after infecting a system file or network.

    The following ways are suggestions to limit how viruses infect a computer (Myron, n.d.) [5]:

    -Load only software from original disks or CD's. Pirated or copied software is always a risk for a virus. (This is why your school district's network administrator might not allow you to load your own software).

    -Execute only programs of which you are familiar as to their origin. (Programs sent by email should always be suspicious).

    -Computer uploads and "system configuration" changes should always be performed by the person who is responsible for the computer. Password protection should be employed. (This is usually done by district professionals).

    -Check all shareware and free programs downloaded from on-line services with a virus checking program.

    -Purchase a virus program that runs as you boot or work your computer. Up-date it frequently. (Your school district takes care of this already).


    3. Other Types of Malware

    Examples: Worms, spyware and trojan horses.

    -A worm is an independent program that reproduces by copying itself from one computer to another, usually over a network (large concern for a school district). Like a virus, a worm worstens the damage it does by spreading quickly from one site to another. Unlike a virus, which attaches itself to a host program, a worm keeps its independence; it usually does not modify other programs (Lehtinen et al., 2006). [1].

    -Spyware can detect and report a user's activity of a computer and/or the internet (Lehtinen et al., 2006). [1]. Your school dsitrct most likely employs these programs to monitor the use of district equipment and the use of the internet. A specific type of spyware, called a keylogger can actually record the strokes of the keyboard that the user inputs. When in the wrong hands, a keylogger can capture sensitive information, including passwords.

    -Trojan horses are named due to its method of getting past computer defenses by pretending to be something useful (Lehtinen et al., 2006). [1]. When the computer lets the program in, it unleashes its malicious code.

    For more information, please refer to another chapter in this Wikibook, Malicious software

    System Access Etiquette[edit]

    Have you ever logged onto your district's computer and then walked away to do other things? If you answered yes, you may be putting your information and/or the network at risk. Once a computer is logged on, an unauthorized user does not have to go through the process of trying to guess a password. An unauthorized user may change a grade, write an e-mail posing as the authorized user, upload a malicious program, install spyware type software, or the unauthorized user may delete important information from the authorized user's account.

    Lehtinen et al. (2006). [1]. has some suggestions on how users can be the first defense to the network:

    -Protect your password and do not display it.

    -Create a healthy length for a password. (For more on this, please refer to another chapter of this Wikibook, Safeguarding passwords for today's technology.

    -Refrain from using a district account for personal use (social networking- Facebook, Twitter, MySpace, online shopping, personal communication, etc...)

    -Do not allow a user to use a computer you have already logged into.

    -Log out of applications when finished using them.

    -Log out of computer while not in the classroom.

    -Refrain from logging into more than one station.

    -Do not open any attachment with the file extension (.exe) because it is an executable file and may harm your computer or the entire network. Recall the definition of an executable file in the vocabulary section of this chapter.

    Phishing.JPG

    -Do not respond to any e-mails asking for sensitive information such as your password, phone number and/or address. For more on this, please refer to the phishing section in this chapter.

    -Report any suspicious e-mails, unauthorized changes of protected information, and monitor student use of system.

    Phishing[edit]

    A specific type of social engineering attack can occur digitally by the use of phishing. “Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization” (McDowell, 2004, para. 2) [6]. Some trustworthy organizations can include charity foundations, educational institutions, and/or health-related establishments. Users of a district's network need to be particularly aware of phishing scams. A phishing scam will most likely come to the user through e-mail. A sender might ask for sensitive information such as the recipient's username, password, phone number, address, etc. Users should NEVER give out this sensitive information. All phishing type e-mails need to be reported to your network administrator immediately because you may avoid the scam, but your colleagues may not.

    References[edit]

    1. a b c d e Lehtinen, R., Russell, D., and Gangemi, G.T. (2006). Computer security basics. Sebastopol, CA: O'Reilly Media, Inc.
    2. a b c d Schneier, B. (2000). Secrets and lies. Indianapolis, Indiana: Wiley Publishing, Inc.
    3. Kayne, R. (2010). What is an EXE file?. WiseGeeks. Retrieved from http://www.wisegeek.com/what-is-an-exe-file.htm
    4. Antivirus Ware. (2010). What is a computer virus? Antivirus Ware. Retrieved from http://www.antivirusware.com/articles/computer-virus.htm.
    5. Myron, H. (n.d.) What is a computer virus? Newton. Retrieved from http://www.newton.dep.anl.gov/teachers/compvir.htm
    6. McDowell, M. (2004). National Cyber Alert System. Retrieved from http://www.us-cert.gov/cas/tips/ST04-014.html



    Network Defenses

    Introduction[edit]

    Computers have not only transformed society overall but they have also enabled schools to run more smoothly. Large amounts of student and employee data can be managed efficiently, teacher work time is cut down since everything no longer has to be written out by hand and students have access to a multitudes of information. Unargueably, computers have made life easier. However, with this access comes risks. Wherever there are computers there are also criminals waiting to perform malicious acts. School districts need to be especially careful since there can be both internal and external threats to security. This chapter will offer educators an introduction to various network defenses.


    What are network defenses?[edit]

    Network defenses are actions that are taken to protect information, computer and networks from unauthorized activity. These defenses guard against disruption or denial of service, degradation or destruction. [1], Some examples of network defenses are firewalls, demilitarized zones (DMZ's), virtual private networks (VPN's), intrusion detection systems (IDS's), and vulnerability scanners.

    Firewalls[edit]

    What is a firewall?[edit]

    Firewall.png

    A firewall, according to Schneier (2000)[2] is a piece of software or hardware that keeps intruders out and allows only authorized users in to a network. They act as boundaries between private networks and the vast public network. (Schneier, 2004)[2] Before the term firewall was used in computer lingo it described a wall in a building that was designed to keep a fire from spreading from one area to another (How Stuff Works)[3], A firewall in a computer acts in much the same way as a firewall in a building. A firewall in a network ensures that if something bad happens in one part of the firewall, the computers on the other side of the firewall won't be affected. Intruders to a school network can cause problems in various ways. For example, they can gain access to personal information of staff and students that could lead to identity theft, steal password information, spread viruses, or gain access to stored personal documents.

    How does a firewall work?[edit]

    When a computer firewall is enabled, everything that goes in and out of the network is monitored. If information is flagged by the filters, it is not allowed through. For example, in a school district there may be hundreds of networked computers. In order to protect all of these computers from being directly accessible to anyone on the internet, firewalls are installed at every connection to the Internet. The IT department can then configure the firewall with a set of rules that determine what information is allowed in and out of the network. This allows greater security from hackers. Although school districts use firewalls and other security measures to protect their networks they cannot let all of this security give them a false sense of security. If anyone does get through these defenses,they can live on a network, doing whatever they want for as long as they want. Hackers can find vulnerabilities in networks and silently gather sensitive information or change a system and leave a back door so that he can come and go undetected whenever he wants. [IT Security][4], Because of this, school districts need to have other network defenses in place to safeguard their systems.

    What are Demilitarized Zones?[edit]

    DMZ network diagram 1 firewall.svg

    A Demilitarized Zone (DMZ) is a place on a network where public services would be placed. (Schneier)[2] Devices cannot direclty access the trusted network from an untrusted network so the DMZ acts as a "go between". For example, you would want to place devices like a web server in a DMZ so that people on the Internet can access the web server in the DMZ but not have access to the protected network. If the web server were to be compromised, this would limit the amount of information that an outside person has access to. The devices on the DMZ may have limited access to certain resources on your protected network such as a school district's student data base.

    Intrusion Detection Systems[edit]

    What is an Intrusion Detection System?[edit]

    Intrusion detection systems (IDS), according to Schneier (2000)[2] are network monitors. They are devices that have the ability to listen for traffic on a network that may be suspicious such as attacks that are taking place. IDS's alert the people who are monitoring the system of an attack usually while it is happening. These alerts can come in the form of an email, page, text or pop up window. The alerts will let the monitor know how critical the attack is and exaclty what kind of attack is happening. The IDS will also suggest some kind of action that can be taken in order to prevent or stop the attack. To be most effective, IDS devices should monitor traffic both on unprotected and protected networks. The traffic on the unprotected network should be monitored in order to listen for threats before they get to the protected network. IDS devices should also monitor the traffic on the protected network in order to listen for internal threats.

    How does an Intrusion Detection System work?[edit]

    The job of the IDS device is to listen to all the traffic on the network and look for certain patterns. It is used to perform the job that a firewall cannot do. When a hacker attempts to get into a secure network such as a school district's, a firewall blocks these attempts, however, they do not alert a network manager. Since access logs would need to be continuously checked, it could be a tedious job. This is where an IDS is beneficial. Any attempts that are made to get into a network will be logged by the firewall and the IDS will analyze this log. If there are a large number of request-reject entries, the IDS will notice this and alert the network manager. The manager can then see what is happening right after or even while the attacks are still happening [IDS][5], The network manager then has the ability to analyze the techniques being used, source of attacks, and methods used by the hacker [IDS][6],


    Virtual Private Networks[edit]

    What is a Virtual Private network?[edit]

    A Virtual Private Network (VPN), according to Schneier, (2000)[2] is simply a secure connection over a public network which allows users to communicate just as they would if they were in the same building.

    How does a Virtual Private network work?[edit]

    A Virtual Private Network (VPN) is a way of accessing resources such as printers, servers, and fileshares of a network to remote users. For example, teachers would be able to access the information on their school computer from home. This is done by creating a "tunnel" that is encrypted through an unprotected network. According to Schneier, (2000)[2] a VPN is like a hole in the firewall. A person with a VPN is allowed to tunnel through the firewall into the network. Both a home network and a school network could be considered protected networks. In order to get to the school network from home one needs to go through an unprotected network such as the Internet to access the data. It is important that this communication be encrypted to protect against hackers stealing protected information as it is being sent from the school district's network to a remote network. VPN's can also protect against wireless hijacking of data. Since wireless transmissions are able to be captured by anyone, VPN's can provide an additional level of security to protect against unauthorized viewing of the data.



    Vulnerability Scanners[edit]

    What is a Vulnerability Scanner?[edit]

    Vulnerability scanners are computer programs that assess all devices on a network for known weaknesses where potential hackers can find a way in. This software finds security holes and classifies the weaknesses into how critical the security hole is. Most vulnerability scanners will also explain how to correct the weakness.

    How does a Vulnerability Scanner work?[edit]

    A vulnerability scanner works by gathering information from the devices on the network by using a database of known vulnerabilities and then attempts to exploit each vulnerability that is discovered. The scanner will look for security holes in services running on the system or do a port scan to connect to a host that is listening for incoming connections. If the host is running an application that uses a certain port, the scanner will attempt to connect to that port and try to exploit the appliction running on the system.

    References[edit]

    1. http://www.thefreedictionary.com/computer+network+attack accessed April 17, 2010
    2. a b c d e f Schneier, B. (2000). Secrets and lies: Digital security in a networked world. Indianapolis, ID: Wiley Publishing, Inc. Invalid <ref> tag; name "Scheier" defined multiple times with different content Invalid <ref> tag; name "Scheier" defined multiple times with different content Invalid <ref> tag; name "Scheier" defined multiple times with different content Invalid <ref> tag; name "Scheier" defined multiple times with different content Invalid <ref> tag; name "Scheier" defined multiple times with different content
    3. http://www.howstuffworks.com/firewall.htm accessed April 17, 2010
    4. http://www.itsecurity.com/features/intrusion-detection-for-dummies-072906/ April 17, 2010
    5. http://www.skullbox.net/ids.php accessed April 18, 2010
    6. http://www.skullbox.net/ids.php accessed April 18, 2010



    Case Studies

    Case Studies[edit]

    When the average person thinks of network security within a school they often think of the student trying to hack into the system to change their grade, to see if they can take over their friend’s computer, or to put a prank up on the school website. In light of the current network dangers these may be some of least of the school system worries.


    All of the following cases are based upon real situations.
    As you read through each case ask yourself these questions:

    a) What should be the very first course of action?
    b) Should the public be informed about the situation? If so, how will their trust be regained?
    c) What steps should be taken to prevent similar attacks in the future?
    d) What are the ethical issues of this situation?
    e) How should students be dealt with if they were the people initiating the attack?

    Breached Passwords[edit]

    There are many ways for people to get passwords. What they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting it on your computer, making sure no one is looking when you are typing it in are all simple steps in password security. For password security tips see the page on Safeguarding passwords for today's technology.



    Hackers used brute force password cracking program to break into the district’s computers and initiated a batch of bogus transfers out of the school’s payroll account. The transfers were kept below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had almost 20 accomplices they had hired ]

    account. Two days later a school employee noticed the bogus payments. Unfortunately, unlike consumers who typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges, organizations and companies have roughly two business days to spot and dispute unauthorized activity. This is because school organizations that bank online fall under the Uniform Commercial Code. Due to this law, the district was able to get less than $20,000 of the transfers reversed.  
    
    Notice how easy it is to see what someone is typing

    Shoulder surfing[edit]

    A former student “shoulder surfed” (physically observed) the password of an employee while still in high school. After graduating, he used this information to get into the district’s student information system. From there, he gained access to a different district’s payroll data including birth dates, social security numbers, and bank account information of 5000 current and former employees. This information was then used for identity theft purposes including requesting and using credit cards, creating checks and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000 the district gave all of the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud.... answering employee questions, and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information."

    Key logger[edit]

    A group of students installed a keystroke-tracking program (this could also fall under malware or student hacking) on computers at their high school to grab the user names and passwords of about 10% of the students, teachers, parents, and administrators that use the system. The students then used this password information to access the system to change grades for themselves and others. They did not seem to do anything else to the system while they had access.

    Case Studies[edit]

    When the average person thinks of network security within a school they often think of the student trying to hack into the system to change their grade, to see if they can take over their friend’s computer, or to put a prank up on the school website. In light of the current network dangers these may be some of least of the school system worries.


    All of the following cases are based upon real situations.
    As you read through each case ask yourself these questions:

    a) What should be the very first course of action?
    b) Should the public be informed about the situation? If so, how will their trust be regained?
    c) What steps should be taken to prevent similar attacks in the future?
    d) What are the ethical issues of this situation?
    e) How should students be dealt with if they were the people initiating the attack?

    Breached Passwords[edit]

    There are many ways for people to get passwords. What they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting it on your computer, making sure no one is looking when you are typing it in are all simple steps in password security. For password security tips see the page on Safeguarding passwords for today's technology.

    Brute force[edit]

    Hackers used brute force password cracking program to break into the district’s computers and initiated a batch of bogus transfers out of the school’s payroll account. The transfers were kept below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had almost 20 accomplices they had hired through work at home job scams. Over $100,000 was successfully removed from the account. Two days later a school employee noticed the bogus payments. Unfortunately, unlike consumers who typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges, organizations and companies have roughly two business days to spot and dispute unauthorized activity. This is because school organizations that bank online fall under the Uniform Commercial Code. Due to this law, the district was able to get less than $20,000 of the transfers reversed.

    Notice how easy it is to see what someone is typing

    Shoulder surfing[edit]

    A former student “shoulder surfed” (physically observed) the password of an employee while still in high school. After graduating, he used this information to get into the district’s student information system. From there, he gained access to a different district’s payroll data including birth dates, social security numbers, and bank account information of 5000 current and former employees. This information was then used for identity theft purposes including requesting and using credit cards, creating checks and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000 the district gave all of the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud.... answering employee questions, and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information."

    Key logger[edit]

    A group of students installed a keystroke-tracking program (this could also fall under malware or student hacking) on computers at their high school to grab the user names and passwords of about 10% of the students, teachers, parents, and administrators that use the system. The students then used this password information to access the system to change grades for themselves and others. They did not seem to do anything else to the system while they had access.

    Malware[edit]

    Programs can be installed into a computer with dangerous consequences. See the page on malicious software for a more indepth description of these types of programs
    malware can infect your computer

    Malware[edit]

    A school computer containing no confidential information was hooked to the network containing the personal information of over 15,000 students. This computer was breached with malware designed to steal sensitive data. Names, addresses, phone numbers, dates of birth and Social Security numbers were all part of the database that was potentially exposed to this malware. It is uncertain if any of this information was actually accessed, but the malware was found to have been on the breached computer for approximately five years.

    Botnet[edit]

    A school network administrator was contacted concerning spam e-mail and other attacks emanating from the district system. When the administrator looked into the problem, it was discovered several computers had been infected with a botnet. Several of the district computer’s operating systems had been commandeered and were being used by the person controlling the botnet for illicit activities.

    kmxkh [oykdn'lay

    Stolen or lost equipment[edit]

    Flash Drive

    Lost Flash Drive[edit]

    A school employee was using a flash drive to transfer personal information of 6000 employees for job related purposes. The information included names, addresses, phone numbers, dates of birth and Social Security numbers. This flash drive went missing. There is currently no evidence that the sensitive information has been accessed or used inappropriately.


    Stolen & Returned Mobile Storage Device[edit]

    A mobile storage device was stolen and retrieved in a matter of three hours. The thief was apprehended. The device contained names and Social Security numbers for approximately 1600 individuals in a welfare reform program. A computer expert could not determine if the information on the data storage device had been copied off it. There is currently no evidence that the sensitive information has been accessed or used inappropriately.


    Stolen Laptop[edit]

    A district business office laptop was stolen. The laptop contained sensitive employee and student data. The laptop was password protected and contained data in a format that would not be easily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.


    Protecting the School’s Investment[edit]

    Crystal128-laptop.svg
    The district has decided to initiate a one-to-one initiative. Each child from middle school through high school will be issued an internet and wireless enabled laptop for use both in and outside of school. Since this is a significant investment of tax dollars, the school board would like a system put into place for theft protection. The system administrator installs a program for remote access of each computer with the capability to track the IP address and take a picture of the current user. If a computer is reported as missing the system will be activated and the information can be used to recover the computer. There is no mention of this software to the students or parents. If a thief was aware of this software they may be able to disable it, defeating its purpose. Only two district employees have the capability to activate this system. A student was called into the office by the assistant principal and accused of wrong-doing. The proof supplied included a picture of the student taken by his school issued laptop’s webcam after school hours in the privacy of his home.

    a) Is this type of system appropriate for use on a school computer?
    b) Should students be made aware of this type of system being installed on the computer?
    c) How can the school ensure this system is used correctly?
    d) What other methods could be used for theft protection and prevention?

    Information Posted to the Web[edit]

    FTP installed[edit]

    A member of a school association installed a file transfer program onto a server without permission, inadvertently exposing the names, birth dates and Social Security numbers of thousands of associated members around the country. The program was installed and had the information exposed for almost a year before it was discovered.

    Wrong information uploaded[edit]

    An assessment specialist who handled testing data accidentally uploaded personal information including names, Social Security numbers, birth dates and test scores of the district’s 17,000 students to a Web site for an unrelated school study.


    Student Hacking[edit]

    Approximately 67 percent of teens admit to "having tried, on at least one occasion, to hack into friends' instant messaging or social network accounts" (Masters, 2009) [1] Students need to be taught proper ethical behavior when it comes to the internet and computer usage.

    Grade "Fixing"[edit]

    A group of high school students managed to infiltrate the school district's records management system. Once in they changed grades for students who paid them to accomplish this task. The students said in addition to the money, they did it for kicks, to prove they could do it.
    Child & Computer, Hacking has become child's play

    Moving files[edit]

    A high school student taking a networking class hacked into an administrator's user file. Once in, he changed student's passwords, remotely shut down computers, and created and copied folders in an assistant principal's file. He just wanted to see what he could get away with and didn't do any real damage despite his capability to do so.

    Looking around[edit]

    A third grade student used the teacher's password to gain access to the instructor's portion of the blackboard online learning environment. Once in, he changed some student's passwords and some of the homework assigned.

    Senior Project[edit]

    A 15 year old student used three hacking programs to gain access to the district records management system in 200 milliseconds. Once in, he lowered his grades, since he couldn't raise them, he already had 4.0. He then wrote a three page paper on how to improve the security of the system. Finally, he proceeded to help the district to improve the security of the network in general.

    References[edit]

    1. Masters, G. (2009, May 15). Study: majority of adolescents online have tried hacking. SC Magazine for IT security professionals, Retrieved from http://www.scmagazineus.com/study-majority-of-adolescents-online-have-tried-hacking/article/136926/

    Links[edit]

    Here are some links to sites to find more real life, school network security breach stories: [11]
    scmagazine
    Slashdot.org
    net-security.org
    New York Times
    Washington Post
    WKRN

    Here are the links to read the stories these cases were based upon: [12]
    [13]
    [14]
    [15]
    [16]
    [17]
    [18]
    [19]
    [20]
    [21]
    [22]
    [23]
    [24]
    [25]
    [26]
    [27]
    [28]
    [29]
    [30]
    [31]

    Stolen or lost equipment[edit]

    Flash Drive

    Lost Flash Drive[edit]

    A school employee was using a flash drive to transfer personal information of 6000 employees for job related purposes. The information included names, addresses, phone numbers, dates of birth and Social Security numbers. This flash drive went missing. There is currently no evidence that the sensitive information has been accessed or used inappropriately.


    Stolen & Returned Mobile Storage Device[edit]

    A mobile storage device was stolen and retrieved in a matter of three hours. The thief was apprehended. The device contained names and Social Security numbers for approximately 1600 individuals in a welfare reform program. A computer expert could not determine if the information on the data storage device had been copied off it. There is currently no evidence that the sensitive information has been accessed or used inappropriately.


    Stolen Laptop[edit]

    A district business office laptop was stolen. The laptop contained sensitive employee and student data. The laptop was password protected and contained data in a format that would not be easily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.


    Protecting the School’s Investment[edit]

    Crystal128-laptop.svg
    The district has decided to initiate a one-to-one initiative. Each child from middle school through high school will be issued an internet and wireless enabled laptop for use both in and outside of school. Since this is a significant investment of tax dollars, the school board would like a system put into place for theft protection. The system administrator installs a program for remote access of each computer with the capability to track the IP address and take a picture of the current user. If a computer is reported as missing the system will be activated and the information can be used to recover the computer. There is no mention of this software to the students or parents. If a thief was aware of this software they may be able to disable it, defeating its purpose. Only two district employees have the capability to activate this system. A student was called into the office by the assistant principal and accused of wrong-doing. The proof supplied included a picture of the student taken by his school issued laptop’s webcam after school hours in the privacy of his home.

    a) Is this type of system appropriate for use on a school computer?
    b) Should students be made aware of this type of system being installed on the computer?
    c) How can the school ensure this system is used correctly?
    d) What other methods could be used for theft protection and prevention?

    Information Posted to the Web[edit]

    FTP installed[edit]

    A member of a school association installed a file transfer program onto a server without permission, inadvertently exposing the names, birth dates and Social Security numbers of thousands of associated members around the country. The program was installed and had the information exposed for almost a year before it was discovered.

    Wrong information uploaded[edit]

    An assessment specialist who handled testing data accidentally uploaded personal information including names, Social Security numbers, birth dates and test scores of the district’s 17,000 students to a Web site for an unrelated school study.


    sadasdasdasdss

    References[edit]

    Links[edit]

    Here are some links to sites to find more real life, school network security breach stories: [32]
    scmagazine
    Slashdot.org
    net-security.org
    New York Times
    Washington Post
    WKRN

    Here are the links to read the stories these cases were based upon: [33]
    [34]
    [35]
    [36]
    [37]
    [38]
    [39]
    [40]
    [41]
    [42]
    [43]
    [44]
    [45]
    [46]
    [47]
    [48]
    [49]
    [50]
    [51]
    [52]



    Security Policies for Mobile Devices

    Security Policies for Mobile Devices


    Introduction[edit]

    Target Audience This information is intended for K-12 administrators. In addition, it may be helpful to faculty, central administration and parents.

    In today's society, almost everyone has some type of mobile device. Mobile devices consist of but are not limited to cell phones, personal digital assistants (PDAs), smartphones, iPods, Palms, game consoles, and handheld computers. The Pew Internet Project (2009) [1] showed seventy-nine percent of fifteen year olds owned cell phones in 2009. In addition, eighty-two percent of sixteen year olds and eighty-three percent of seventeen year olds owned cell phones.

    Mobile devices have become a part of everyday life for this generation. Cell phones complement the short-burst, casual, multitasking style of today's "Digital Native" learners (Prensky, 2005). [2] Digital natives were born into technology. Technology has always played an important role in their lives. They use technology for entertainment, communication and collaboration in social settings. As we progress into the 21st century, educators need to recognize this emphasis on technology. This page will address the risks and benefits of using mobile devices in the K-12 setting. If your district or institution is planning to use mobile devices, you may find the AUP suggestions and sample policies useful to begin this process.

    The Benefits of Mobile Devices in Education[edit]

    There are many reasons why a district or institution might want to use mobile devices in the classroom. As stated above in the introduction, most students own a mobile device. Although they are not allowed in most schools throughout the country, studies show that up to 90% of students still possess these devices throughout the school day [3].

    Shortages are seen in technology staffing and most districts are unable to supply every student with a laptop. Ironically, most of these students are carrying mobile devices in their pockets that have the same capabilities as a laptop. If students were able to use these devices within the educational setting, districts would save a great deal of money. Laptops and iPods cost money, of course, but so do textbooks; some can run a couple hundred dollars each. And because there is so much free educational material online, high-tech can sometimes mean low-cost (Martin,R. & Brouwer, C., 2009) [4]. Textbooks purchases are costly and books become outdated within a few years. Some districts are claiming textbook free zones and replacing these purchases with laptops and iPods. Access to the Internet and World Wide Web (WWW) assure immediate updates and free the district of textbook bias.


    Students can download a number of applications (apps) on their mobile devices. Companies like Apple [5] offer educational apps that can be used in the classroom to enrich instruction. Apple is currently researching the educational benefits of these mobile devices in the K-12 environment. They are using iWork, iPads, and iPods to see the effects on student achievement. So far, their data has shown significant results in favor of the use of mobile devices in the classroom.

    Mobile devices are the "swiss army knife" of tech tools. Students can:

    ~take pictures.
    ~make videos.
    ~listen to music during down time.
    ~collaborate with peers and educators through texting and phone calls.
    ~access the internet.
    ~record lectures.
    ~create podcasts.
    ~listen to podcasts/lectures so there will be more classtime for educational activities.
    ~download educational applications.
    ~access notes when absent through texting and podcasts.
    ~improve bilingual skills through podcasts.
    ~use a calculator.
    ~type documents in Word.
    ~download videos and notes.
    ~improve typing skills.
    ~enhance the learning experience.
    ~have lessons differentiated to assure success.


    As these tools improve, this list will grow. It will be up to the educator to effectively integrate these tools into the curriculum to make learning meaningful.

    The Risks Involved[edit]

    It is important to identify risks that can be involved when a district decides to incorporate mobile devices in the learning environment. The greatest risk is not the tool itself but the person using the tool. Schneier (2004)[6] states people often represent the weakest link in the security chain and we are chronically responsible for the failure of security systems. As districts plan this transformation to include mobile devices in their curriculum, they must consider the human factor. When technology tools are, used the vulnerabilities to systems security increases. Instructional practices within the classroom should stress proper uses of the devices to limit risks to the network.

    The human factor can attribute to the following risks within the classroom:

    ~Cheating can occur. Students can text or record answers for classmates. Students can also hide files and formulas within the device and access the material during assessments.
    ~Students can record teachers during class. Teachers may feel violated if students try to use the recording against the teacher.
    ~Students can arrange drug deals using the devices.
    ~Students can makes threats with the devices.
    ~Students can set up fights, record fights or cyberbully using the devices [7].
    ~Mobile devices can make disruptive noises in the classroom.
    ~Mobile devices are used to "pass notes" during class time.
    ~Students can take inappropriate pictures and videos with the devices.
    ~Researchers are unsure of the long term physical effects of cell phone use.
    ~In an emergency situation, cell phone use by students can overload the communication system.

    The Consequences of Misuse[edit]

    Consequences of misuse of mobile devices can range from confiscation of the device to 90 lashes in front of the student's peers [8] http://www.cnn.com/video/#/video/us/2010/01/21/cafferty.saudi.girl.cnn?iref=allsearch. Some districts have adopted an "out of sight, out of mind" general rule. If administrators can't visibly see the device, it is not confiscated. If the device is confiscated, most districts will only turn over the device if a parent or guardian of the child comes to pick it up.

    It is not uncommon to turn on the news and hear about a story that involves a mobile device. Some of these cases end up in our judicial system. When mobile devices are used in crimes, there is hard eveidence of the incident. Once a statement, picture, or movie is added to the web, it remains on the web even if one tries to delete it.


    There are always consequences for behaviors that are unacceptable [9]. The district's acceptable use policy (AUP) can address the consequences for these behaviors. If district's plan to use mobile devices in the classrooms to enhance learning, they must plan on educating faculty, staff and students on the appropriate and inappropriate uses of the devices.

    Writing an AUP addressing Mobile Devices[edit]

    An acceptable use policy (AUP) is a document that explains what actions are acceptable when using certain tools within an institution or organization. A user must agree to follow this policy in order to be provided with access to a network or to the Internet. It is common practice for many businesses and educational facilities to require that employees or students sign an acceptable use policy before being granted a network ID [10]


    Writing an AUP can be a challenging endeavor. The best way to approach this task is to form an AUP committee. Members of the committee should represent the various stakeholders such as administrators, technology coordinators, tech support, educators, curriculum developers, school board members, parents and possibly students. You want to be sure to write the most effective policy using a number of views. For instance, the curriculum developers will be concentrating on technology integration and the tech coordinators will be thinking about security issues. Your district will have a greater chance of covering possible obstacles when a combination of experts are on the committee.

    Security policies determine what countermeasures to use. How should your district deal with security? Will user names and passwords be sufficient? Will users be able to use their own mobile devices or will the school provide devices? Should the district address the faculty and staff in the policy? What would be considered inappropriate use of the device? Who will be able to access the Internet and WWW from the devices? Will students be allowed to upload data to the devices? If there's no policy, there's no basis for consistently answering these questions (Schneier, 2004)[11].

    Sample AUP Policies[edit]

    When developing an AUP for your district, you may want to visit your state's website for assistance. The Pennsylvania Department of Education [12] and the Virginia Department of Education [13] can be very helpful. The National Educational Technology Plan (NTEP) [14] is another great resource to guide your AUP writing. NTEP stresses the use of technology tools to enhance and enrich the learning environment. This plan concentrates on anytime, anywhere learning through the use of 21st century skills and tools. The goals of this plan are to increase college attendance and decrease the digital divide among our U.S. students.

    Here are a few links that will assist you as you develop an AUP specifically for mobile devices.

    ~School AUP 2.0 [15] http://landmark-project.com/aup20/pmwiki.php?n=Main.CellPhonePolicies
    ~ICT AUP for cell phones [16] http://www.shambles.net/pages/learning/ict/ictaup/
    ~AUP 2 point 0 wiki [17] http://roxannnys.pbworks.com/AUP-2-point-0
    ~iPod user agreements [18] http://web.archive.org/20091027054419/ieducationappsreview.ning.com/forum/topics/user-agreement-for-ipod-touch


    As your district steps into this new realm of 21st century tools, you must keep in mind that the policy you develop is never enough. Security is a people issue (Deubel, P., 2007) [19]. You need to educate the administrators, teachers, staff, and students in order to have a successful outcome. Make sure your policy addresses all users including faculty, staff and administration. Modeling proper use of the tools will improve the desired results.

    Additional Resources[edit]

    42 [53] This is a short video that addresses the small audience our students write for in their entire K-12 experience.

    ABC News [54]

    Blog Policy [55]

    CBS- Cell Phone Ban [56]

    Cell Phone Projects [57]

    Classrooms for the Future [58]

    Computer World- iPods [59]

    Consortium for School Networking [60]

    COSN 2007 Compendium [61]

    Crunch Gear [62]

    iPods [www.nytimes.com/2007/10/09/education/09ipod.html]

    Pennsylvania Department of Education [63]

    Public Relations Toolkit [64]

    Virginia Department of Education [65]

    References within Text[edit]

    1. http://www.pewinternet.org/Reports/2010/Social-Media-and-Young-Adults/Part-2/1-Cell-phones.aspx?r=1
    2. http://www.innovateonline.info/pdf/vol1_issue5/What_Can_You_Learn_from_a_Cell_Phone__Almost_Anything!.pdf
    3. http://www.pewinternet.org/~/media/Files/Reports/2009/PIP%20Teens%20and%20Mobile%20Phones%20Data%20Memo.pdf
    4. http://abcnews.go.com/Technology/ipods-laptops-replacing-school-textbooks/story?id=8563292
    5. http://www.apple.com/education/why-apple/
    6. Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc
    7. http://www.desertdispatch.com/news/school-471-cell-phone.html
    8. http://www.cnn.com/video/#/video/us/2010/01/21/cafferty.saudi.girl.cnn?iref=allsearch
    9. http://spreadsheets.google.com/pub?key=pXA5Sk606oPICUuLoE_QjQA
    10. http://whatis.techtarget.com/definition/0,,sid9_gci213795,00.html
    11. Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc
    12. http://www.education.state.pa.us/portal/server.pt/community/pennsylvania_department_of_education/7237
    13. http://www.virginia.gov/cmsportal3/portalsearch.html?cx=006541648125353085856%3Apxkar5vs7ki&cof=FORID%3A11&safe=active&q=aup#947
    14. http://www.ed.gov/technology/netp-2010
    15. http://landmark-project.com/aup20/pmwiki.php?n=Main.CellPhonePolicies
    16. http://www.shambles.net/pages/learning/ict/ictaup/
    17. http://roxannnys.pbworks.com/AUP-2-point-0
    18. http://web.archive.org/20091027054419/ieducationappsreview.ning.com/forum/topics/user-agreement-for-ipod-touch
    19. http://thejournal.com/Articles/2007/04/02/Data-Security-in-K12-School-Districts.aspx?Page=1



    Malicious Software

    Introduction[edit]

    Malware logo.png

    The specific Malicious Software detailed within this page can come in the form of attacks on a single computer or computer network attacks. Malicious Software can be responsible for damage and reduced computer security on both the individual and network levels. A basic understanding of Malicious Software can be helpful in recognizing the threats that you may encounter in the digital age.

    The topic of Malicious Software is broad and technical. This page will focus on the questions of "What is it?" and "What does it do?" for each topic.

    Malicious Software[edit]

    Malicious Software is also commonly referred to as Malware. According to Bruce Schneier, "Malicious Software includes computer viruses, worms, and trojan horses" (Schneier, 2004).[1] Other experts include spyware, dishonest adware, crimeware, rootkits, and other unwanted software. Bots and botnets will also be presented as they have also become a more common threat to computer security.

    What is it? Malicious Software or malware is software designed to infiltrate a computer system without the owner's informed consent.

    What does it do? Depending on the variety of malware, "it can hijack your browser, redirect your search attempts, serve up nasty pop-up ads, track what web sites you visit, and generally screw things up"[2]. The bottom line is malware can cost you or your organization time, money, resources, privacy, and security.

    Computer Viruses[edit]

    Attack tree virus.png

    What is it? A Computer virus "is a program that can infect other programs by modeling them to include a possibly evolved copy of itself. It can spread throughout a computer system or network. Every program that gets infected may also act as a virus and thus the infection grows" (Thompson, 1984). [3]

    What does it do? "A properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages".[4] Viruses can cause any number of symptoms ranging from slowing down the computer to ultimately crashing it.

    Viruses have been around since virtually computers have been in existence, dating back to 1949. The term virus dates back to 1984 and is credited to Kenneth Thompson. The term computer virus is often used synonymously for all forms of malware, although each form of malware discussed on this page has a different function. Here is a great link to explore the history of viruses.

    Worms[edit]

    What is it? Computer worms are independent programs that copy themselves and reproduce at a rapid pace, usually over a computer network. "The programs on individual computers are described as the segments of worms. The segments in a worm remain in communication with each other, should one segment fail, the remaining pieces must find another free computer, initialize it, and add it to the worm. As segments(computers) join and then leave the program, the worm itself seems to move through the network"(Schoch, J., & Hupp, J., 1982).[5]

    What does it do? It is similar to a computer virus because it magnifies the damage it does by spreading rapidly, and can include malicious instructions that cause damage or annoyance. "Unlike a virus, which attaches itself to a host program, a worm keeps its independence and usually doesn't modify other programs"(Lehtinen, 2006).[6] Worms can infect your email, delete computer files, lock you out of your computer, and even steal your information.

    Here is an interesting link to a 60 Minutes investigation that explains what computer worms are and chronicles the spread of the Conficker worm in March of 2009.

    Trojan Horses[edit]

    Troi.jpg

    What is it? A Trojan horse (computing) is a code fragment that hides inside a program and performs a disguised function.[6] It takes its name from the classical mythology tale of the hollow wooden horse made by Odysseus wherein soldiers hid and then launched their attack during the Trojan War.

    What does it do? A Trojan horse hides inside a independent program that performs a useful task. Along with that function, it performs some other unauthorized operation. "Once a Trojan horse is activated, it can access files, folders, or your entire system. Commonly, Trojans create a "backdoor”, which can be used to send your personal information to another location".[7]Some Trojans may open up the possibility of someone accessing your machine, while others may monitor your Internet connection and grab your email addresses and access passwords. One common and annoying function is the annoying unwanted pop-up messages that seemingly arise from nowhere.

    Here is a six minute YouTube video that explains most of what you might want to know about Trojans.

    Spyware[edit]

    What is it? Spyware refers to programs that use your Internet connection to send information from your personal computer to some other computer, normally without your knowledge or permission.

    What does it do? On the Internet (where it is sometimes called a spybot or tracking software), "spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties."[8]"Different strains of spyware perform different functions. Some might also hijack your browser to take you to an unexpected site, cause your computer to dial expensive 900 numbers, replace the Home page setting in your browser with another site, or serve you personal ads, even when you're offline."[9]

    Adware[edit]

    What is it? Adware is short for Advertising Supported software. The legal type of adware is a way for shareware authors to make money from a product, other than by selling it to the users. But since this page is about Malicious Software, dishonest adware is what is explained more fully. Dishonest adware is an aggressive form of unwanted software that evolved from legal adware. Adware then began exhibiting spyware and malware characteristics. Dishonest adware writers began to design their programs so that they would reinstall automatically if removed, sometimes using different file names. As Adware has matured it has become smarter. Historically, as fast as the clean-up experts have worked out how to fight malware, those behind it have fought back with new tricks.

    What does it do? It generates advertisements such as pop-up windows or hotlinks on Web pages that are not part of a page's code. "Adware may add links to your favorites and your desktop. It can hijack your home page and search engine, create tool bars that appear out of nowhere, and generate unwanted pop-up windows."[10]

    Here is another short YouTube video that does a nice job of simply explaining the differences between adware and spyware.

    Crimeware[edit]

    What is it? Crimeware is any software tool used in cybercrime. Crimeware is software that is:

    • used in the commission of the criminal act
    • not generally regarded as a desirable software or hardware application
    • not involuntarily enabling the crime

    Like cybercrime itself, the term crimeware covers a wide range of different malicious, or potentially malicious software.[11]

    What does it do? Because the definition above states just about any software could be used in a manner that would deem is crimeware, examples of how a software program can be used as crimeware follows. For example, child predators often use various IM clients to converse with their intended victims. Another example would be FTP sites are sometimes set up to facilitate the distribution of pirated software.

    Rootkits[edit]

    What is it? Rootkits are mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.[12]A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network.

    What does it do? Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.[13]

    Bots & Botnets[edit]

    Botnet.svg

    What are bots and botnets? A bot is a is a type of malware which allows an attacker to gain complete control over the affected computer. Computers that are infected with a 'bot' are generally referred to as 'zombies'. There are literally tens of thousands of computers on the Internet which are infected with some type of 'bot' and don't even realize it. [14] A botnet is the network of computers that have been infected by a particular bot software. The term "botnet" is short for "robot network".

    What does a botnet do? Computers that have been caught up in a botnet have been effectively taken over, and can be used to perform almost any task by the person or persons who control the botnet. Botnets are controlled by criminals whose motives include selling products, operating financial scams and crippling websites through coordinated attacks.[15]

    An interesting fact is that while it is possible for Mac or Linux systems to become victim to botnets, the vast majority of botnets are Windows PC based.[16]

    Lastly, here is a YouTube video that explains the bot and botnet tale.

    Cited Sources[edit]

    1. Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc.
    2. "Malware: what it is and how to prevent it". http://arstechnica.com/security/news/2004/11/malware.ars. Retrieved 2010-04-18. 
    3. Thompson, K. (1984) "Reflections on Trusting Trust," Communications of the ACM, Volume 27
    4. "How Computer Viruses Work". http://www.howstuffworks.com/virus.htm/. Retrieved 2010-04-18. 
    5. Schoch, J., & Hupp, J., (2006). “The Worm Programs-Early Experience with a Distributed Computation,” Communication of the ACM, Volume 25.
    6. a b Lehtinen, R., Russel, D. & Gangemi, G. (2006). Computer Security Basics. Sebastopol, CA: O'Reilly Media, Inc.
    7. "What is a Trojan Horse". http://www.wisegeek.com/what-is-a-trojan-horse.htm. Retrieved 2010-04-18. 
    8. "What is spyware". http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214518,00.html. Retrieved 2010-04-18. 
    9. "What is spyware". http://www.wisegeek.com/what-is-spyware.htm. Retrieved 2010-04-18. 
    10. "Adware and Bad Things it Does". http://www.microsoft.com/windows/ie/community/columns/adware.mspx. Retrieved 2010-04-18. 
    11. "What is crimeware?". http://www.symantec.com/norton/cybercrime/crimeware.jsp/. Retrieved 2010-04-18. 
    12. "What is Rootkit. How to remove it.". http://forums.techarena.in/guides-tutorials/1000985.htm. Retrieved 2010-04-18. 
    13. "Antivirus, antispyware management". http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci547279,00.html. Retrieved 2010-04-18. 
    14. "What is a bot?". http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm. Retrieved 2010-04-18. 
    15. "Warning, Danger: Botnets!". http://askbobrankin.com/what_is_a_botnet.html. Retrieved 2010-04-18. 
    16. "What is a bot anyway?". http://www.itworld.com/security/74656/what-botnet-anyway. Retrieved 2010-04-18. 

    Additional Information[edit]

    1. http://en.wikipedia.org/wiki/Malware

    2. http://en.wikipedia.org/wiki/Computer_virus

    3. http://en.wikipedia.org/wiki/Computer_worm

    4. http://en.wikipedia.org/wiki/Trojan_horse_(computing)

    5. http://en.wikipedia.org/wiki/Spyware

    6. http://en.wikipedia.org/wiki/Adware

    7. http://en.wikipedia.org/wiki/Crimeware

    8. http://en.wikipedia.org/wiki/Rootkit

    9. http://en.wikipedia.org/wiki/Botnet

    10. http://computer.howstuffworks.com/virus2.htm

    11. http://news.cnet.com/60-minutes-whats-next-for-the-conficker-worm/

    12. http://www.youtube.com/watch?v=ssckV79mNLs