Is Your Network Safe?
Why educators should care about cybersecurity — and what they should do about it.
by Cheryl S. Williams and Keith R. Krueger
Assume that you are the superintendent of the Above-Average School District. Today in the news you spy a devastating story about a neighboring school district whose education network was attacked by hackers. Confidential information was breached, and the district’s data warehouse, e-mail communications, and Web site are all down. You think about how increasingly dependent your own district has grown on its educational network. You wonder, How do I know that our educational network is safe from cyber attacks? Now assume that you are the district technology leader—the chief technology officer (CTO)—and you have just been told the superintendent wants to talk to you about cybersecurity. You enter his office and he grimly shows you the press clips he is reading. He turns to you and asks, “Is our network safe?”How do you respond?
Most educators have little experience or expertise in cybersecurity. Yet, it is one of the most pressing vulnerabilities in today’s society. But beyond simply being aware of this vulnerability, educational leaders must ask themselves: What is an effective strategy for managing cybersecurity concerns? Whom do you trust to give you the best information? What should you do first? To answer these questions, administrators need to think more strategically about the vulnerability of educational networks to cybersecurity threats.
A Critical Partnership
Ensuring security in your school district’s information systems is both a set of processes and a frame of mind that recognizes cybersecurity as the attentive day-to-day management of network systems in tandem with active involvement of committed users on the system. Your district’s most powerful network security tool is its users, whether administrative staff, teachers, or students. To the extent that a network truly serves the needs of educators, a district’s invested ownership depends on a healthy partnership between you, the technology leader, and your supportive colleagues. Users of an educational network can serve as your eyes and ears for the system, as well as alert you to policies and practices that have the potential to impair their use of its resources. This type of systemic approach to network and information security is particularly important for ensuring student safety, protecting student and staff privacy, supporting a district’s teaching and learning mission, and maintaining strong community support and trust. Enthusiastic support for the district IT system from students, teachers, and administrators also guarantees that an active learning community is built and maintained, and that student recordkeeping and reporting are timely and accurate.
At-Risk Educational Networks
School districts can be especially vulnerable to IT security breaches because many districts have developed systems in an ad hoc fashion over time, with mixed environments that are harder to manage and secure. What’s more, many district IT departments are understaffed and poorly trained. Added to these two realities is the increased use of school network systems for both administrative recordkeeping and reporting, and teaching and learning activities. If not thoughtfully managed, the increase in appropriate and long-advocated uses of network systems has, in fact, the potential to augment the security risks. Finally, current trends in IT system development add to the security risk. These trends (all of which increase ease of access for users) include always-on broadband, Wi-Fi and other wireless network options, outsourcing data management, peer-to-peer (P2P) file sharing, and the growing number and types of portabledevices used by teachers and students.
8 QUESTIONS A SUPERINTENDENT SHOULD ASK THE CHIEF TECHNOLOGY OFFICER
1. How are we doing so far?
2. Do we have a security plan?
3. Do we have adequate security and privacy policies in place?
4. Are our network security procedures and tools up-to-date?
5. Is our network perimeter secured against intrusion?
6. Is our network physically secure?
7. Have we made our users part of the solution?
8. Are we prepared to survive a security crisis?
(Detailed follow-up questions are available at: http://www.securedistrict.org/admin/firststeps/eightquestions.html.)
Providing strong, visible leadership that forcefully articulates the importance of IT security while balancing the access needs of students, teachers, and community members is the important role of the district superintendent. Also useful are the “first steps” for superintendentsand policymakers that are listed at http://www.securedistrict.org/admin/firststeps.html.
With all this in mind, an effective technology leader can take concrete steps to ensure that day-to-day management and user engagement is deliberate, attentive, and user-focused, so that security is maintained and potential risks are identified before a breach occurs. The Consortium for School Networking (CoSN) has developed a Web site on cybersecurity (http://www.securedistrict.org) that offers tools and approaches to make certain the network is safe and operating in accordance with all of a district’s needs. What follows is a sample of what you and your district will find on the site to support your educators in understanding the challenges of cybersecurity and the possible strategies to undertake.
Tips for Increasing Network & Information Security
- Keep stakeholders—teachers, students, school board members, parents, and district administrators—informed about the issues related to IT security. Download Cyber Security for the Digital District: An Introductory Slide Show (http://www.securedistrict.org/Downloads/cyber_security_intro.ppt) to kick off your meetings with stakeholders, and structure the conversation for maximum audience participation.
- Conduct a comprehensive district security assessment that sets a baseline for future planning. The District Security Self-Assessment Checklist (http://www.securedistrict.org/assessment/checklist.cfm) can provide guidance on the kinds of questions you should be asking.
- Keep the big-picture planning goal and process in mind as you implement your detailed security planning activities. Use the Security Planning Protocol flowchart (http://www.securedistrict.org/tech/Planning/flowchart.html) to help you visualize and prioritize your planning and implementation activities.
- Document all organizational requirements and activities necessary to guarantee successful security measures and ongoing district and stakeholder support. The comprehensive Security Rubric and Planning Grid: Overview (http://www.securedistrict.org/tech/Evaluation/SecPlanGrid-SummaryView.html) helps educators plan and execute this systemwide activity.
Learn From These Schools
Uncover your vulnerabilities by discovering what other districts have experienced with IT security, and then tailor your individual and district plans to build on those lessons learned. The district case studies below, as well as others on the CoSN Web site (http://www.securedistrict.org/tech/case.html), provide the kind of background that is indispensable for a technology leader.
TIPS FOR TEACHERS AS THE INSTRUCTIONAL LEADER in your classroom, you should be familiar with your district’s acceptable-use policies and security procedures. The need to protect your private password and stay on top of student use of IT resources is a responsibility only you can fulfill. While the secure district Web site is designed for use by your district’s CTO, superintendent, and school board, you need to know the basics to keep your students and classrooms safe.
Ayer Public Schools (MA). Ayer is a small, middle-class community located about 30 miles outside of Boston that serves 1,400 K-12 students in two buildings—one elementary and one combination middle/high school. The district has 200 staff members, 118 of whom are teachers. Two T1 lines come into the district, up from one the previous year, and every classroom has a phone and computer. The overall annual budget for IT is approximately $300,000 and supports three full-time staff: a system administrator, an administrative technology support specialist, and a technical support assistant. Brian McDermott is CTO of Ayer Public Schools, and also serves as the district’s business manager.
Ayer’s business operations and communications are heavily computerized, with data entry used for ordering supplies, keeping track of lunch orders, and running the accounting system. Administrators send electronic announcements, and teachers are constantly e-mailing. Teaching and learning activities include widespread student use of word processing and conducting research on the Web. Students are taking online courses and participating in collaborative online activities with students in other districts. Still, many teachers remain hesitant to use the system more because the district hasn’t solved all the maintenance issues, and there is increased concern about student access to unacceptable or dangerous information.
Ayer started using technology districtwide in the late 1990s and hired its first technology staff person at that time. In attempting to get a system operating quickly, the district made some bad decisions, including choosing an ISP that sent fragmented packets and a low-bid firewall provider that was unable to handle the district requirements. This resulted in the Web site and mail server residing outside of the firewall.
In response to these early missteps, the district upgraded its firewall service to include the Web site and mail server; hired a system administrator whose technical expertise could anticipate and respond to such issues; and upgraded the network configuration to require user passwords for access. The district is constantly balancing security with functionality, but, overall, has been forced to strictly limit user functionality in order to maintain the level of security it’s comfortable with. Currently, students have no district e-mail accounts and no wireless access, and filters block most incoming and outgoing P2P, IM, and AOL activities. Furthermore, the district has used this strategy to block unacceptable use of the system by students.
As a small district, Ayer is constantly trying to manage resources, safety, and districtwide functionality, but generally the district has discovered that it pays to hire a staff with technical expertise; to standardize equipment, operating systems, and software across the district; and to use outside vendors to maintain firewalls when the human resource requirements exceed the district’s staff capacity.
Poway Unified School District (CA). In contrast to Ayer Public Schools, Poway USD is a large district in Southern California with 34,000 students, 5,000 staff members, 34 building sites, and more than 8,000 computers. All schools in the district have a local area network (LAN) and are tied together by a wide area network (WAN). Each school also has at least two drops with Internet access, phones, and cable TV in every classroom. The district currently has 20 people on its technical support staff, while information services has 11 staff members, including clerks and administrative assistants.
As it has trained its attention on IT security issues, Poway has faced three major problems that taught the district valuable lessons. First, as a result of teachers sharing personal passwords with students, on two occasions students tapped into confidential information which they posted on external Web sites. While the breaches were fixed, significant staff time was necessary to find the source and work with authorities to mitigate damage. District leaders publicized these incidents, which helped spread the lesson about the risks of sharing passwords, and an acceptable-use policy was instituted that requires all teachers using the system to agree to the policy as a condition of employment in the district.
Second, the presence of viruses downed the district’s system for as long as two weeks, necessitating round-the-clock staff work to clean up the situation. New protection plans and products were evaluated, and the one selected has proved capable of being able to stop viruses at their introduction. However, this is a reality that must be constantly monitored.
A third attack came from hackers, two of whom were successful in entering the system. One challenged the district to find him, and he was ultimately sentenced to jail and forced to pay Poway for the cost of catching him. The second took advantage of a hole in some software programs to get on a server and sell space on that server to his friends. It was the experience with the two hackers that led the district to conduct a security audit.
Poway created a Security Committee that includes supervisors of the Tech Support and Data Systems, as well as a staffer from the user-training program. The district recognized that it didn’t have written policies or set procedures for keeping up with IT issues, and that it needed to install new tools to monitor servers as its technology got more sophisticated with increased wireless access points. The security audit has served not only to help the district identify points of weakness, but also to report to board members and other stakeholders on the need for investing in increasing levels of IT security.
A key lesson gained from Poway’s experiences is the need to take IT security seriously and work to build widespread recognition of the importance of acceptable-use policies that are constantly being updated and shared broadly throughout the district. As students and staff become more enthusiastic technology users, the security issues expand. The district has assigned a chief security officer to oversee the implementing of adequate security measures, as well as to ensure that end users are able to access the information and resources they need to provide rich teaching and learning activities for students.
Cheryl S. Williams is VP of education for the Corporation for Public Broadcasting. Keith R. Krueger is CEO of the Consortium for School Networking.
This article originally appeared in the 11/01/2005 issue of THE Journal.