Convergence: The New Security Priority

By the beginning of June of 2008, a California high school student knew that he was failing a couple of courses and doing poorly in others. The student didn’t want to count himself out of college. So he broke into the school’s information system, pulled up his grades and gave himself an A in all of his courses. He also improved the grades of a dozen of his friends.

This student was also a thief. Since he couldn’t hack into the school’s computers from computers located outside of the school, he stole a master key to unlock an exterior door of the school as well as the door to the server room, where he hacked into the grading system. In case he wanted to do some more hacking, he installed a spyware program that enabled him to ransack the school’s records from a remote computer.

This story illustrates a new security priority for K-12 schools: the convergence or coming together of physical and IT (sometimes called logical) security. Simply put, if you don’t lock the doors securely, the best IT or logical security system in the world won’t be able to keep all of the hackers out. Someone will get in.

Conversely, if you don’t protect the logical systems securely, the best physical security system of locks and cameras won’t keep hackers out. Again, someone will find a way in.

In the Californian student’s case, the physical security system and the logical security system both broke down.

“Today’s students are very sophisticated,” says Nick Stricker, vice president of security services with Chicago-based ESPO Systems, an outsourcing technology firm with a security specialty. “I’ve seen students set up encrypted tunnels from school computers or servers to their home computers.”

Because the tunnel is encrypted, firewalls and other IT security applications can’t see the activity and so can’t stop it.

Paul Timm, president of Chicago-based consultant RETA Security Inc., agrees that students are becoming ever more sophisticated technology users — even those with relatively benign goals. “My 11-year-old daughter figured out how to use an iPod Touch to connect to the Internet,” he says. “Then she downloaded an app that sends text messages for free.”

Malicious students have also set up bots, or robot systems on school systems, continues Timm. Like the high school student’s spyware, robot systems can be managed from computers located elsewhere.

Smart, malicious hackers don’t just hack systems; they make it possible for others to do the same. The Internet contains numerous Websites created by able hackers for wannabe hackers. Those sites contain applications that kids — or anyone interested in committing high-tech vandalism or other advanced technology crimes — can download and use to mount an attack on a computer network. Such hacker tools come complete with instructions for the uninitiated.

Convergence became important in the commercial world a decade or more ago as hackers and thieves developed sophisticated digital skills. Today, high-tech students, as well as high-tech thieves, have begun to victimize K-12 schools.

Last December, for example, the Duanesburg Central School District in New York discovered that cyber thieves had stolen $3 million from its local bank account. The FBI and the New York State Police are investigating; at this writing, the district had recovered about $2.5 million. About $500,000 was still missing. Cyber thieves don’t have to break through locked doors. They can steal money by finding digital paths into bank accounts.

Then too, if criminal hackers and student hackers want to get into a school or a school district administrative building, they can hack into the network and attack the access control systems to open the doors, while turning off the surveillance cameras to hide video evidence of their presence.

Securing Networks and Doors
Defending against criminal and student hackers today requires policies and strategies, not unlike those used to secure against burglars with crowbars in the old days. The only real difference is that security measures must now encompass both physical and logical arenas.

To begin with policies, the federal government already requires school districts that receive E-Rate funds — federal money that helps pay for computers and other communications technologies — to set policies that deal with some of these cyber issues. In 2001, for instance, the Federal Communications Commission (FCC) issued regulations implementing the Children’s Internet Protection Act (CIPA), a federal law designed to control student access to certain Internet content over K-12 school and library computers.

Under those regulations, schools and libraries receiving E-rate funding must adopt and enforce polices to block or filter Internet access to materials deemed harmful to minors by computers used by minors. The policy must require monitoring online activities of minors and provide for the safety and security of minors using e-mail, chat rooms and other computer communications tools.

More to the point of convergence, CIPA policy must prohibit unauthorized access or hacking and other unlawful activities by minors.

Schools and libraries must certify that these policies are in force in order to remain qualified to receive E-rate funding.

Even if a school district doesn’t rely on E-rate money, it can still take a cue from the federal regulations when developing security policies for your school today.

Physical security policies pursue goals similar to these logical security policies. They aim to protect students from predators while also prohibiting students and others from gaining unauthorized access to school facilities.

Traditional security strategy creates layers of security. If an attacker gets through one layer, say a fence, another layer, perhaps a locked door, takes over. A converged security strategy does the same thing but includes layers of logical security as well as physical security.

The first layer will discourage a percentage of possible attackers. Of those that get through the first layer, another percentage will be discouraged by the second. Still others won’t be able to penetrate the second layer. Those that do get through encounter yet another layer, eliminating more and so on. Only the most skilled attackers will be able to get through all of the layers. But those folks may decide not to try, concluding that the overall effort will require so much time as to risk detection.

Physical security layers might consist of patrolling security officers, doors locked with card access control systems and monitored by video surveillance cameras equipped with motion detection. Both the card access system and the video surveillance system could be set to alarm if someone attempts to break through either layer.

Such a physical security system would have required the California high school student to go to a lot more trouble than stealing a master key to break into his high school’s server room. He would have had to sneak past the security officers, defeat the card access system and trick the video cameras into not seeing him

Even if he had gotten past the officers and used a stolen access card capable of opening the school door and the server room door, and disabled the cameras, logical security systems forming additional layers of security, adding more time and the possibility detection to the process of breaking in, might have stopped him or deterred him.

Logical Security
Logical security begins with a network-based gateway (NBG), today’s term for what used to be called a firewall. “A gateway sniffs out tampering and blocks it,” says Timm.

That’s what makes passwords and password validation important. The Californian student would not have a password connected to permission to access files containing student grades. The gateway would have refused access to someone trying to open information about a student without a valid password.

But suppose the student had stolen a password from someone with the authority to look at those files? Another logical layer, encryption perhaps, would take over and prevent access.

According to Stricker, encryption ranks as one of the most powerful logical security layers available. “Encryption uses algorithms or complex mathematical formulas to encode sensitive information and make it inaccessible to unauthorized users,” he says.

Bobbing and Weaving
Perhaps because so many physical security professionals come from the ranks of law enforcement, they have always more or less understood how important it is to stay current with the methods used by those trying to defeat physical security systems.

Industry observers say, however, that logical security professionals come more often from an IT background where they have learned from experience how few people understand the technological systems they manage.

That isn’t true of digital criminals and vandals, though. Hacker’s and cyber criminals do understand the technology. Moreover, it is in the nature of digital malefactors to find and respond to new challenges. Create a new way to keep hackers out of a system, and hackers will find a new way to get in.

As IT vandals and criminals bob and weave and seek out new ways to defeat IT security — and now physical security — systems, IT security professionals have to bob and weave right with them, trying to stay one step ahead of the next attacker’s idea.