More Is More
No one solution can defend K-12 computer networks against the
proliferation of digital threats. A multilayered strategy that addresses
cyber safety on many fronts is a district's best hope.
WHAT DO K-12 SECURITY
threats have in common with chilly temperatures?
The best defense against
them is layers.
"There is no one silver bullet," says
Randy Abrams, director of technical education
at ESET, a producer of anti-malware
solutions. "The best security lies in layers
of protection-- defense in depth."
Because of the sheer volume and
variety of threats looming in cyberspace,
no single security strategy can adequately
safeguard school campuses and networks.
Firewalls and filters alone won't
keep online menaces at bay. Establishing
well-drawn security policies isn't enough
either. Nor is educating staff and students
about the dangers in their midst.
But implemented together, they can
form a multilayered security system that
can reduce the risk posed by hackers,
viruses, predators, phishers, and whatever
else lies in wait in the virtual ether. And
Abrams maintains, that's the only reasonable
goal of a security strategy: not
to eliminate risk, but to manage it-- to
prepare for as many knowable threats as
possible and take steps to preempt any
damage they can do.
According to Abrams, in the effort to
manage risk, no one layer of defense is
more important than the other. He draws
on the different components of car safety
to make his point. "Is the steering
wheel or the brakes more important?"
he asks. "Does that mean the seat belt
can be overlooked?"
There may be no most important layer,
but there is a first one: An effective security
plan begins with setting and enforcing
a clear and precise acceptable use policy.
"Districts operate from a defensive
position more often than an offensive
position," explains Bob Kirby, senior
director of K-12 education for CDW-G.
Creating an AUP, Kirby says, is one of the
few proactive moves a district can make.
Amending that policy frequently to keep
up with ever-emerging threats is critical.
That's why some of the latest data from
CDW-G's annual "School Safety Index"
survey is disappointing, including this
finding: Only 4 percent of districts
update their AUP more than once a year.
Moreover, one out of five districts
updates its security policies only once
every two or three years.
"In order for an AUP to be effective, it
has to be treated as a living document,"
Kirby says. "Districts need to incorporate
the latest trends and
threats into their
It's also important
that the policy be
leaving no potential
security break unaccounted
The Value of Auditing
AN OFTEN OVERLOOKED component of network safety is in fact key to operating
an effective security system, according to Randy Abrams, director of technical education
at ESET, a provider of computer security software. Auditing
your security system is critical, Abrams says, because IT personnel have to stay aware
of what part of the district operation poses the biggest potential security breach.
"If a virus scanner screams, someone has to be there to hear it," he says. "You
need to know when you are being attacked and where. If there is a particular place--
a site, a department, or even a single PC-- that experiences more detections, then
there may be a targeted attack occurring, or perhaps just someone who needs a
reminder about what policy is.
"Auditing can alert an administrator to small problems before they become large
problems. If you can catch an intruder before he gets too far, you can prevent the
loss of critical data.
Auditing can alert an administrator to holes in their defenses
as well. Audit logs can be useful for administrators who need to show management
what the money they are spending is for. Audit logs can show what is being repelled,
in addition to what gets in. Attempted attacks can be discovered so that defenses
can be adjusted accordingly."
"There must be
policies for anyone
and everyone who
has access to the
network," says Linda
Sharp, project director
of Cyber Security
for the Digital District,
a plan launched
by the Consortium
for School Networking
to help schools
and school districts
protect their data
"Schools need to determine different
levels of access and policies for students
as well as educators and administrators.
Are procedures in place to deal with
security breaches from inside the district?
Do you have procedures in place
if there is a breach from outside the
district? And what are the consequences
for not following procedure? Schools
can't wait to decide what to do in the
middle of a crisis."
Of course, policy compliance is not
possible if your people don't know the
policy, which underscores the importance
of integrating the next layer of
defense, what Dwayne Alton, director
of IT support for Lee County Public
Schools in Fort Myers, FL, calls "probably
the most overlooked aspect of
maintaining a secure environment":
"Uninformed users are much bigger
threats than K-12 administrators recognize,"
he says. Accordingly, Lee County
has made user education one of its top
priorities, developing an online security
awareness training course that all district
employees must complete and pass
annually. The course requires them to
master such security fundamentals
as acceptable use policies, password
procedures, malware basics, and data
"In order for an AUP to be effective, it has
to be treated as a living document."
ESET's Abrams offers examples of the
kind of trouble uninformed users can get
into: "If the policy is not to tell anyone
your password, then users need to know
that when they receive a call from someone
who says he is from the help desk
and tells them to change their password
to 'abcdefg,' it is the same thing as
telling someone their password if they
accept what someone else told them to
make their password."
He notes that this isn't an issue
unique to K-12. "A corporate user may
not realize that using a hotel business
center computer may leave a copy of a
confidential document in the temporary
files of the hotel's computer. This may
be contrary to policy about confidential
Kirby at CDW-G says that holding a
one-shot professional development workshop
to familiarize staff with the district
AUP is not sufficient. He believes policy
reviews should be done on a regular
basis and suggests posting the document
on the district website, where it can be
glimpsed at any time.
He cites the emerging threat of
thumb drives, which he says "are quickly
becoming the newest security headache
for schools," as an example of the need
for districts to constantly educate their
faculty about new digital threats.
"When loaded with software that captures
keystrokes," he says, "the thumb
drive can be slipped into a USB port
and instantly have the user names and
passwords-- the keys to the kingdom.
Because the thumb drives are so small,
and because USB ports are often not in
the user's direct line of sight, faculty and
staff need to learn to look for them if
they've been away from their computer
for any length of time."
GOING ON OFFENSE
Lee County's Alton
user training is
a key proactive
Sharp, like Abrams, uses a car safety
analogy to deliver her point: "It is our
responsibility to make sure the car is
safe, has inspections, is running
smoothly," she says. "But we have to
teach people to drive it safely or it doesn't
matter how safe the car is.
"Many security breaches actually happen
inside the network, and most are not
malicious. People must be educated on
the type of security that is in place, why it
is in place, how they can ensure compliance,
and what the consequences are if
they don't follow procedures."
Is the technology too good?
Educators often forget that user education
extends to the student level as well,
because of the capabilities of firewalls,
web filters, and anti-malware software,
which form a largely impassable layer of
protection. Abrams says filters and
antivirus technology provide "an essential
preventive ingredient" by simply
deflecting potential security threats
before they can do any damage. "Reducing
the number of shots on goal is always
a good thing," he says.
But it's a case of the technology being
too good, according to Alton, leading
teachers to think they can leave all the
work to the filter and virus protector without
bothering to familiarize themselves
as well as their students about the
threats that lurk online.
"It's common in all industries for end
users to feel they are protected by these
systems and not really feel personal
responsibility for being part of the security
solution," Alton says.
"In some cases, I think it is basically
because they are not educated as to
their part in maintaining security and
confidentiality. In other cases, I think
there's a sentiment that those things are
the organization's responsibility-- they
are there to do their job, not the job of
the IT department.
"In a perfect world, they would be right.
But the reality is that network
security is far too complex for
automated systems to protect
against everything. The systems
easily stop more than
99.9 percent of the common
threats. But that 0.1 percent
can still be significant."
User education can address
that 0.1 percent. But the
"School Safety Index" reports
that only 8 percent of districts
provide cyber safety training to
students, a number that can't
sit well with Sharp.
"We need to help students
understand the threats of
accessing sites that can damage
the network, expose them
to dangerous situations, and
impact others," she says.
need to educate students
about the reasons that filters
are in place, and why they are
limited in what they can
access. We need to address
the importance of keeping their personal
information private, what not to include
on their MySpace or Facebook pages,
why it is important to remember that
nothing on the internet is really private,
why not to share passwords, etc."
"Network security is far too complex for
automated systems to protect against everything. The
systems easily stop more than 99.9 percent of the common
threats. But that 0.1 percent can still be significant."
Sharp says it's an effort that requires
time. "This is not simply a one-time internet
safety class. There should be ongoing
age-appropriate instruction from the time
students are allowed online and continued
throughout their education."
Alton believes that underpinning the
many different layers of a K-12 security
plan is one critical strategy that unifies
all the others: centralization. Lee County
has 96 schools and is one of the fastestgrowing
districts in the state of Florida;
Alton says that pulling together IT
resources is part of a larger mission to
achieve some harmony in the way the
district functions. "We often speak of
being a school district instead of a district
of schools," he says.
Before the district centralized the control
of information technology, Alton says
that security management was extremely
difficult because there was no way for the
district to know whether one of its
schools was behaving in a way that posed
a potential safety threat.
"As schools purchased new products,
there was no evaluation for security implications.
Several products required ports
to be opened in our firewalls. It was very
difficult to determine if 'unusual' network
behavior was 'normal' for a given product.
Anti-malware management was difficult.
Data protection was handled on a schoolby-
school basis, which put our data at
risk. End users were not familiar with the district's acceptable use policy or security
Centralizing its security infrastructure
allowed Lee County to get its individual
schools all on the same page, and acting
by the same rules. "We centralized all
proxy, caching, filtering, and firewall systems
so that they are managed by our
central IT staff," Alton says. "We provided
the schools with managed anti-malware
systems that we can monitor from the
central IT office. School technical support
staff are granted the security privileges
only necessary to complete their jobs,
without having high-level administrative
privileges. This reduces risk of security
issues or accidental problems. We have
centralized our data backup functions so
that critical data at each school is replicated
to the district office, so we can
ensure that it is adequately protected."
Understanding a threat is out there is
what will eventually propel better school
security. Sharp says all K-12 security
strategies come back to the people they're
designed to protect. "Cyber crime is a
$100 billion industry," she says. "Schools
need to work hard to have a secure network.
We need to make sure that all members
of a school society understand that it
is vulnerable to attack and that the users
play a critical role in keeping it safe."
"I liken this to police protection," Alton
says. "People are conditioned to lock
their doors, be aware of their surroundings,
carry personal protection devices,
and use security alarms. The police can't
protect you from everything. Neither can
the IT department. Users, for the most
part, have not really reached that realization
yet, and I think that's across the
board with most organizations. I think
you'll see the evolution of end-user security
awareness over time. I think it will be
as commonplace as personal safety
within the next decade."
For more information on security
strategies, visit www.thejournal.com.
In the Browse by Topic menu,
click on Security/Privacy.
-Andy McDonough is a freelance writer based in Middletown, NJ.
This article originally appeared in the 10/01/2008 issue of THE Journal.