More Is More


No one solution can defend K-12 computer networks against the proliferation of digital threats. A multilayered strategy that addresses cyber safety on many fronts is a district's best hope.

More Is More WHAT DO K-12 SECURITY threats have in common with chilly temperatures? The best defense against them is layers.

"There is no one silver bullet," says Randy Abrams, director of technical education at ESET, a producer of anti-malware solutions. "The best security lies in layers of protection-- defense in depth."

Because of the sheer volume and variety of threats looming in cyberspace, no single security strategy can adequately safeguard school campuses and networks. Firewalls and filters alone won't keep online menaces at bay. Establishing well-drawn security policies isn't enough either. Nor is educating staff and students about the dangers in their midst.

But implemented together, they can form a multilayered security system that can reduce the risk posed by hackers, viruses, predators, phishers, and whatever else lies in wait in the virtual ether. And Abrams maintains, that's the only reasonable goal of a security strategy: not to eliminate risk, but to manage it-- to prepare for as many knowable threats as possible and take steps to preempt any damage they can do.

According to Abrams, in the effort to manage risk, no one layer of defense is more important than the other. He draws on the different components of car safety to make his point. "Is the steering wheel or the brakes more important?" he asks. "Does that mean the seat belt can be overlooked?"

There may be no most important layer, but there is a first one: An effective security plan begins with setting and enforcing a clear and precise acceptable use policy.

"Districts operate from a defensive position more often than an offensive position," explains Bob Kirby, senior director of K-12 education for CDW-G. Creating an AUP, Kirby says, is one of the few proactive moves a district can make. Amending that policy frequently to keep up with ever-emerging threats is critical. That's why some of the latest data from CDW-G's annual "School Safety Index" survey is disappointing, including this finding: Only 4 percent of districts update their AUP more than once a year. Moreover, one out of five districts updates its security policies only once every two or three years.

"In order for an AUP to be effective, it has to be treated as a living document," Kirby says. "Districts need to incorporate the latest trends and threats into their policies."

It's also important that the policy be comprehensive, leaving no potential security break unaccounted for.

The Value of Auditing

AN OFTEN OVERLOOKED component of network safety is in fact key to operating an effective security system, according to Randy Abrams, director of technical education at ESET, a provider of computer security software. Auditing your security system is critical, Abrams says, because IT personnel have to stay aware of what part of the district operation poses the biggest potential security breach.

"If a virus scanner screams, someone has to be there to hear it," he says. "You need to know when you are being attacked and where. If there is a particular place-- a site, a department, or even a single PC-- that experiences more detections, then there may be a targeted attack occurring, or perhaps just someone who needs a reminder about what policy is. "Auditing can alert an administrator to small problems before they become large problems. If you can catch an intruder before he gets too far, you can prevent the loss of critical data.

Auditing can alert an administrator to holes in their defenses as well. Audit logs can be useful for administrators who need to show management what the money they are spending is for. Audit logs can show what is being repelled, in addition to what gets in. Attempted attacks can be discovered so that defenses can be adjusted accordingly."

"There must be policies for anyone and everyone who has access to the network," says Linda Sharp, project director of Cyber Security for the Digital District, a plan launched by the Consortium for School Networking to help schools and school districts protect their data systems.

"Schools need to determine different levels of access and policies for students as well as educators and administrators. Are procedures in place to deal with security breaches from inside the district? Do you have procedures in place if there is a breach from outside the district? And what are the consequences for not following procedure? Schools can't wait to decide what to do in the middle of a crisis."

User Education

Of course, policy compliance is not possible if your people don't know the policy, which underscores the importance of integrating the next layer of defense, what Dwayne Alton, director of IT support for Lee County Public Schools in Fort Myers, FL, calls "probably the most overlooked aspect of maintaining a secure environment": educated users.

"Uninformed users are much bigger threats than K-12 administrators recognize," he says. Accordingly, Lee County has made user education one of its top priorities, developing an online security awareness training course that all district employees must complete and pass annually. The course requires them to master such security fundamentals as acceptable use policies, password procedures, malware basics, and data confidentiality.

"In order for an AUP to be effective, it has to be treated as a living document."

ESET's Abrams offers examples of the kind of trouble uninformed users can get into: "If the policy is not to tell anyone your password, then users need to know that when they receive a call from someone who says he is from the help desk and tells them to change their password to 'abcdefg,' it is the same thing as telling someone their password if they accept what someone else told them to make their password."

He notes that this isn't an issue unique to K-12. "A corporate user may not realize that using a hotel business center computer may leave a copy of a confidential document in the temporary files of the hotel's computer. This may be contrary to policy about confidential information."

Kirby at CDW-G says that holding a one-shot professional development workshop to familiarize staff with the district AUP is not sufficient. He believes policy reviews should be done on a regular basis and suggests posting the document on the district website, where it can be glimpsed at any time.

He cites the emerging threat of thumb drives, which he says "are quickly becoming the newest security headache for schools," as an example of the need for districts to constantly educate their faculty about new digital threats.

"When loaded with software that captures keystrokes," he says, "the thumb drive can be slipped into a USB port and instantly have the user names and passwords-- the keys to the kingdom. Because the thumb drives are so small, and because USB ports are often not in the user's direct line of sight, faculty and staff need to learn to look for them if they've been away from their computer for any length of time."

Dwayne Alton

Lee County's Alton
says user training is
a key proactive
security step.

Sharp, like Abrams, uses a car safety analogy to deliver her point: "It is our responsibility to make sure the car is safe, has inspections, is running smoothly," she says. "But we have to teach people to drive it safely or it doesn't matter how safe the car is.

"Many security breaches actually happen inside the network, and most are not malicious. People must be educated on the type of security that is in place, why it is in place, how they can ensure compliance, and what the consequences are if they don't follow procedures."

Is the technology too good?

Educators often forget that user education extends to the student level as well, because of the capabilities of firewalls, web filters, and anti-malware software, which form a largely impassable layer of protection. Abrams says filters and antivirus technology provide "an essential preventive ingredient" by simply deflecting potential security threats before they can do any damage. "Reducing the number of shots on goal is always a good thing," he says.

But it's a case of the technology being too good, according to Alton, leading teachers to think they can leave all the work to the filter and virus protector without bothering to familiarize themselves as well as their students about the threats that lurk online.

"It's common in all industries for end users to feel they are protected by these systems and not really feel personal responsibility for being part of the security solution," Alton says.

"In some cases, I think it is basically because they are not educated as to their part in maintaining security and confidentiality. In other cases, I think there's a sentiment that those things are the organization's responsibility-- they are there to do their job, not the job of the IT department.

"In a perfect world, they would be right. But the reality is that network security is far too complex for automated systems to protect against everything. The systems easily stop more than 99.9 percent of the common threats. But that 0.1 percent can still be significant."

User education can address that 0.1 percent. But the "School Safety Index" reports that only 8 percent of districts provide cyber safety training to students, a number that can't sit well with Sharp. "We need to help students understand the threats of accessing sites that can damage the network, expose them to dangerous situations, and impact others," she says.

"We need to educate students about the reasons that filters are in place, and why they are limited in what they can access. We need to address the importance of keeping their personal information private, what not to include on their MySpace or Facebook pages, why it is important to remember that nothing on the internet is really private, why not to share passwords, etc."

"Network security is far too complex for automated systems to protect against everything. The systems easily stop more than 99.9 percent of the common threats. But that 0.1 percent can still be significant."

Sharp says it's an effort that requires time. "This is not simply a one-time internet safety class. There should be ongoing age-appropriate instruction from the time students are allowed online and continued throughout their education."

Why Centralize

Alton believes that underpinning the many different layers of a K-12 security plan is one critical strategy that unifies all the others: centralization. Lee County has 96 schools and is one of the fastestgrowing districts in the state of Florida; Alton says that pulling together IT resources is part of a larger mission to achieve some harmony in the way the district functions. "We often speak of being a school district instead of a district of schools," he says.

Before the district centralized the control of information technology, Alton says that security management was extremely difficult because there was no way for the district to know whether one of its schools was behaving in a way that posed a potential safety threat.

"As schools purchased new products, there was no evaluation for security implications. Several products required ports to be opened in our firewalls. It was very difficult to determine if 'unusual' network behavior was 'normal' for a given product. Anti-malware management was difficult. Data protection was handled on a schoolby- school basis, which put our data at risk. End users were not familiar with the district's acceptable use policy or security best practices."

Centralizing its security infrastructure allowed Lee County to get its individual schools all on the same page, and acting by the same rules. "We centralized all proxy, caching, filtering, and firewall systems so that they are managed by our central IT staff," Alton says. "We provided the schools with managed anti-malware systems that we can monitor from the central IT office. School technical support staff are granted the security privileges only necessary to complete their jobs, without having high-level administrative privileges. This reduces risk of security issues or accidental problems. We have centralized our data backup functions so that critical data at each school is replicated to the district office, so we can ensure that it is adequately protected."

Building Awareness

Understanding a threat is out there is what will eventually propel better school security. Sharp says all K-12 security strategies come back to the people they're designed to protect. "Cyber crime is a $100 billion industry," she says. "Schools need to work hard to have a secure network. We need to make sure that all members of a school society understand that it is vulnerable to attack and that the users play a critical role in keeping it safe."

"I liken this to police protection," Alton says. "People are conditioned to lock their doors, be aware of their surroundings, carry personal protection devices, and use security alarms. The police can't protect you from everything. Neither can the IT department. Users, for the most part, have not really reached that realization yet, and I think that's across the board with most organizations. I think you'll see the evolution of end-user security awareness over time. I think it will be as commonplace as personal safety within the next decade."

For more information on security strategies, visit In the Browse by Topic menu, click on Security/Privacy.

-Andy McDonough is a freelance writer based in Middletown, NJ.

This article originally appeared in the 10/01/2008 issue of THE Journal.