Are School Networks as Safe as You Think?

The words "Internet security" mean different things to different people. Some people will tell you that a school’s network is secure if it keeps the students from accessing inappropriate material across the Internet. Others will tell you that most school and district networks aren’t secure because they do not have the proper safeguards to protect them from hackers referring to the possibility of students accessing information and outside hackers who are after the personal information about the students and staff.

The first issue, concerning content, has been addressed through the Children’s Internet Protection Act, which mandates the use of content filtering technology by schools and libraries. Several organizations have issued guidelines, and several companies have released software to help schools filter Web content, scan e-mail attachments and block attachments, and track network activity.

But what about the other security issues - making sure that the data in a school or district’s network is secure from hackers?

"Networks are very vulnerable for a lot of reasons," says Steve Miller, who serves on the national board of CoSN (Consortium for School Networking) and is executive director of Mass Networks Education Partnership, a nonprofit educational consulting group based in Boston. "One of the reasons is that the K-12 networks’ staff is typically under resourced, and they do not have the time to deal with this type of security because of conflicting demands."

Carol Woody, a senior member of the technical staff for the Software Engineering Institute (SEI), agrees. "Based on my understanding of how they developed, how they are supported and funding levels provided for technology support, I would define the vulnerability level of K-12 networks as high," she says. "Most networks were built as self-contained environments by teachers with good technical skills, many of whom are self-taught. Telecommunications and Internet linkages were added later to provide good communication capability." But, she continues, "The budget cycle is long and complex, without funding for extensive ad hoc support. Well-supported industries are struggling to keep up and losing the fight against attacks." She added that another factor that complicates matters is that all of the software on the market has some form of vulnerability, some of which have not yet been discovered.

The federal government is aware of the threat. The White House recently released a report on cybersecurity, but its references to schools deal almost completely with the concerns of higher education. Keith Kreuger, director of CoSN, says, "During these times when we are becoming even more concerned with national security, and after events like Columbine, it only makes sense to secure the information we have in the K-12 schools as well. It also makes sense to use these school networks in advantageous ways, like as response vehicles to get information to parents, law enforcement agencies and within districts and the schools themselves. Just think how a secure network of this sort could work during a national emergency."

Basic Security Issues
What about basic security, like virus protection, firewalls and so on?

Seventy percent of average Americans do not do virus maintenance on their own machines,” Kreuger says, adding that it is likely that there are a number of schools and districts that aren’t much better about using these protections.

Woody proves his point saying, "A recent survey by the National School Boards Foundation (NSBF) points out a high level of implementation of filtering software which is mandated by federal regulations, but much lesser consideration for firewalls, antivirus software, etc. - all of which involve expenditure of scarce technology resources and constant, on-going support."

That may be why there hasn’t been a lot done in this area, says Miller. "The technical staff would need to put a lot of attention into network security," he says. "In a typical school environment the staff works on a preventive basis, meaning that the primary part of their time goes into service for teachers and students. What time is left goes to infrastructure. Security is an added layer of responsibility that few of them can afford to devote the needed amount of time and resources."

"Part of it also depends on the size and sophistication of the school district," he adds. "Large districts have larger resources and larger staff. The rural and urban districts are struggling. You can see this played out from virus protection to firewalls and the updating of security patches."

All the Villians Don’t Have Handlebar Moustaches "We know from the healthcare industry that most of the risk from hackers come not from the general public, but from within the staff," says Kreuger. "In the area of school networks, the basic curiosity of school-aged children tends to make this even more of a challenge."

Woody says that before Internet access students were the largest risk for the closed networks. "Now they are just part of a large crowd through the Internet," she says. "SANS Institute, , estimates 2,000 to 3,000 scanning programs are running constantly looking for an ever-expanding volume of vulnerabilities to exploit. The growth of bulletin boards that share exploit information, and the development of easy to use tools, has reduced the knowledge level needed to launch very broad attacks."

But she sees the biggest challenge with school-age kids as being the limited ethics training that they receive. "They can easily copy CDs and videos illegally and plagiarize information with a couple of mouse clicks," she says, adding, "most students do not have a frame of reference for breaking into digital resources in the same manner as breaking into physical resources, such as a house. They don’t even realize they are doing something wrong. They are pushing the envelope, and they are trying to do things their friends cannot do. This technical prowess is rewarded by their peers and becomes a ‘right of passage’ into the gang."

"I would say that schools have a bigger challenge here as contributors to the technical education of students who may or may not be using that knowledge ethically," Woody says. "Computer science curriculum has been expanded to include technology use, but the realization that there is a need to include some education in ethics and close monitoring is not always there. Adult supervision in this area is very low. Most parents don't know what the kids are doing until the FBI shows up at the door," she adds.

Threats From the Outside
But students may not be the biggest problem, at least not in the future. Kreuger, Miller and Woody see the threat of identity theft as a problem that the nation’s school should be preparing to address.

"I think the big thing that will hit the schools comes from the demands for increased data collection and reporting mandated by No Child Left Behind," says Miller. "This legislation requires the compilation and storage of a lot of data about students and their families, and can be a treasure of important information for people who would mean ill."

He says that people who would hack into school and district networks could get personally identifying information about a large number of people. "If you wanted to pursue identity theft or just create operational havoc, this is the type of information you would need," he says.

Woody sees the problem as even more complex. "The issues here are two dimensional -- content, which is two fold, involving current and developing content plans, and connectivity," she says. She gives student grades as one example of current content, saying that there are some hackers who will offer to change grades for a fee. Another example is school-run programs that involve credit card information that she says can be mined and sold to criminal elements.

"Proposed content carries a much higher risk level for the future," Woody says. "School districts are building large databases of detail information to support the No Child Left Behind Act reporting requirements and equally if not larger repositories to address the trend for data-driven decision making. Without careful security considerations, these repositories, which contain very sensitive information about individual children and families, will be ideal for identity theft, which is a growing horror, and personal reprisal attacks on individuals and groups of individuals."

Woody says connectivity poses another valuable commodity. "Open networks can be hijacked to attack others, for example infection by the NIMDA worm allows the controller of the infected machine to launch denial of service attacks on any selected target -- protection against that worm required application of a patch and thousands of machines were compromised." She also says these open networks can be used to disguise identity, allowing ill-intentioned people to gain access or information normally out of their capability by disguising their identity.

Where Do We Begin?
How can schools protect themselves from these kinds of threats?

"The healthcare industry was forced to address this type of problem with the passing of HIPAA (Health Insurance Portability and Accountability Act), which deals with issues of confidentiality," says Kreuger. "We have not seen this kind of legislation yet at the K-12 level, but it is only a matter of time."

Woody says the financial industry has also been forced to deal with issues of privacy. "Schools are latecomers to the Internet environment and need to learn from the experiences of those that have been dealing with the problems for a long time. HIPAA and Gramm-Leach Bliley (for financial organizations) require a risk assessment," she says.

"It is impossible for any organization to keep up with all of the fixes and patches, and the existing Internet environment will not substantially change for many years to come as old equipment and software slowly cycle out of use. Risk management is the strategy that has been recognized nationally by the regulatory authorities, and school environments need to adopt that approach to survive,” says Woody. She acknowledges that most organizations haven’t discussed how to handle these issues. "Each organization needs to figure out what their level of risk is and then balance that against what control mechanisms they are willing to support," she says.

Woody is adapting a risk management methodology she teaches at the SEI for use in K-12. She says when the project is complete, the methodology should provide a process schools can use to look at the information on their networks, figure out what they want protected and develop the policies and procedures needed to begin that process.

"I don’t think the schools are currently in a crisis situation, but I think they could be there eventually as they continue to build their data bases, but there are a lot of groups they can learn from."

"Complicated and expensive," is the way Miller describes what is needed. "I don’t think anyone is prepared for it. Part of the problem is that everyone is looking for a simple fix, and the reality is that making things secure isn’t simple,” he says.“It involves a number of issues. The easy part is the technology, because that’s straightforward. The hard part is the development of policies, procedures for training and the building of a community of trust."

Kreuger says that adopting policies, procedures and penalties will only work if the procedures are followed, the policies enforced and those penalties are used when there is a violation.

"At some level, this all boils down to making the people who have access feel that it is their system, so they want to do what is right," says Miller. "“Without that feeling, no amount of technology or form of lockdown or punishment will work."

JERRY ENDERLE -- Enderle is managing editor of School Planning & Management magazine. He can be reached at [email protected]