Product Focus

Fine-Tuning Internet Security

With the proliferation of web 2.0 applications and mobile devices, school internet security requires more than a simple firewall.

Designing internet security for schools used to be a bit like building a castle with a moat: A crude perimeter ke pt out Trojan horses and other threats. Safety could be maintained as long as the g atekeepers could define who was a friend and who was a foe . But because of the advent of web 2.0 applications that make information sharing and collaboration easier, K-12 schools now have an increased need for more complex, customized internet security solutions. Firewall and filtering tools must also be flexible enough to serve the varied needs of students, educators, and administrators.

"In the old days, [firewalls] were binary : allow or not allow," explains Brian Contos, director of global security strategy and risk management at McAfee, an internet security provider. "Now it's a lot more like clay than Legos."

Facebook is a good example of a tool that requires a more flexible approach to security.  Not only a website, Facebook is a conduit for hundreds of applications that range from games to networking for business and pleasure . It's also an access point for music and entertainment services.  Rather than block Facebook entirely, Contos says, schools may want to target specific apps that put a strain on network resources, degrade bandwidth, slow down e-mail delivery, and make the network vu lnerable to malware. 

Indeed, the social networking sites that are so popular with students provide rich pickings for cybercriminals . According to a recent report by internet security provider Symantec, one ingenious ruse in 2010 involved shortened URLs. Although these abbreviated URLs can link to legitimate, albeit long and complicated, web addresses, hackers posted millions of these shortened links in efforts to lure victims to websites for phishing and malware attacks .

Attackers leveraged the news-feed capabilities provided by popular social networking sites to mass-distribute the attacks, logging onto compromised accounts and posting shortened links to malicious websites, which spread the links to the victims' friends within minutes. Last year, 65 percent of malicious links in news feeds observed by Symantec used shortened URLs.

In many circumstances, to fight such threats, internet security vendors can analyze billions of files, e-mails, and malware products to categorize and determine their "reputation" in the cloud and quickly update their customers' firewalls and filters . However, they have another challenge when working with K-12 schools, which can have more intricate security needs.

School districts must protect their networks from being compromised by intrusions, malicious code, and spam e-mail. They can set stringent policies to block adult, gun-related, gambling, and drug-related content, and other web content deemed inappropriate. They can also keep out sites that slow traffic or propagate malicious content hidden in music and streaming videos. At the same time, they may also want to give some of their users the freedom to access and participate in wikis, YouTube, Facebook, Twitter, and other social networking and content-sharing sites.

Teachers are well aware of the frustrations of requiring access to certain teaching materials--via YouTube, for instance--that simply may be off limits to them because sites are blocked to the entire district. T
hat's why experts s uggest IT staffers seek out security solutions that allow them to set up policies for different groups --teachers, students, and administrators, among others-- with granular, rather than wholesale, restrictions even within those groups.

To help districts customize their web security solutions, vendors often offer a predefined list of blockable content and allow school administrators to select additional sites to block, depending on factors such as the age of the students and their familiarity with internet security threats. The youngest students, McAfee's Contos says, may not be cognizant of online threats and the dangers of giving out personal information online, requiring more protection than older students.

More Mobility, More Problems
The proliferation of mobile devices in schools has created a major security concern that will become even more serious in the future. IT administrators must contend with a multitude of personal devices, smartphones, and tablet computers, many of which can offer access to sensitive information such as grades and payroll information.

"Mobile devices are a natural extension of the campus network," says Gerhard Eschelbeck, chief technology officer at Webroot, an internet security provider. While the size and shape of the threat remains in the early stages, "the bad guys are working on it."

"How can organizations rein in devices they don't control?" asks Lenny Zeltser, who leads the security consulting team at Savvis, which provides managed computing and network infrastructure solutions. 

Mobile devices are vulnerable, Seltzer says, because mobile system architecture "hasn't benefited from being battlefield tested for years and years, which is the case with desktop operating systems," he explains. "When attackers focus on the mobile platform, they get a lot of bang for the buck."

Hackers have unleashed malware that can gain control over a phone and, for instance, charge users for calls they never made or SMS services they never used. The threats are becoming more sophisticated as social media spreads to phones and botnets take control and multiply through the users' entire contact lists.

Schools must make sure they have complete coverage on the gateway side, with filtering of inbound traffic, Eschelbeck says. They also should consider making security solutions that reside on the mobile devices mandatory.

At Lakeview Academy in Gainesville, GA, only high school students are allowed to bring iPads, smartphones, and other mobile tools to campus--and access to the internet must be through the device provider, and not the school's network. That policy may change if and when the school implements mobile security protection, says Connie White, the school's director of technology and media.

Additionally, schools can insist that their users password-protect their phones and remind them to evaluate mobile apps before downloading them, says Alicia diVittorio, director of marketing at Lookout, which provides mobile security and antivirus smartphone protection on Android, Black Berry, and Windows Mobile devices so far. Users should pay attention to who the app developer is, if there are many reviews, and if the reviews are good--to ensure they're not picking up a bogus app from a rogue developer.

Mobile device users also shouldn't log onto password-protected sites--say, the school's--while on public WiFi networks, where they may be vulnerable to eavesdropping sniffers that can read the data they send and receive. "It's not just about their own personal information, but the entire network's," diVittorio says.

Securing a mobile device presents different challenges than the well-established solutions for PCs. Phones have lower processing power and limited battery life, so the security apps must be small in size, and much of the heavy lifting resides in the cloud, diVittorio says.

Lookout's solution, available free and in a premium version for Android, offers features such as scanning every app for malware and spyware, backup, and restoration of data. If a device is lost or stolen, it can locate the phone, sound an alarm, and implement remote wipe and lock.

Keywords: technology in education, educational technology, K-12 technology, school technology, education information technology, internet security, web 2.0, firewall, filtering tools, social networks

A Combined Solution
To protect its network and its students, Lakeview Academy, a private K-12 school in Gainesville, GA, works closely with parents to fine-tune its filter . "We were quick to empower the parents and tell them, 'We still need you to be the parent, to keep the rules, because you know what's best for your child,'" says Connie White, Lakeview's director of technology and media.

Faculty and staff establish technology policies, but a student advisory team allows students to voice their concerns and feel their input matters, says White. The result was a policy that takes into account students' grade levels and whether they are accessing the internet from home or school.

"Web 2.0, that's where kids are. It's a communication tool that's powerful. They know it can be a distraction, but why not help them gain the ability to manage it?" White asks. "You can either ignore it, and not think it's happening, or hit it on the head and educate them."

In grades K to 5, teachers direct students to specific web content via online resources listed on the instructor's website or wiki that don't require students to search the internet themselves. Middle school students are issued laptops for use at home, and parents--who undergo internet safety training themselves--can decide whether to allow access to social media sites and how tightly they want to set the web filters.
Several social networking sites are available to all high school students on campus, but only  juniors and seniors have access to Facebook and YouTube.

Filters also can allow administrators to review and selectively grant access to normally forbidden websites if users can offer good explanations for why they need the information. "These tools have the flexibility to give teachers and administrators the ability to override blocked content," says Mike Maxwell, head of state, local, and education public sector issues at Symantec.

McAfee's Contos points out, "It's a question of customization. In the early days, a class researching breast cancer might have found some pages blocked as sexually explicit, but today, technology is more mature. A site can be easily opened up or easily denied."

White adds, "We will assist, if needed, if the child makes poor choices. We want children not only to develop 21st century skills, but give them the ability to make choices and grow into ethical people."