Yikes!

Have you noticed the change in reports regarding IT security breaches at school districts? One district had its domain name “blacklisted” (the Internet would not accept email using its email name) because district computers were taken over by someone in the Ukraine who was sending millions of fake emails per hour, overloading targeted servers. Another large school district paid $50,000 to get its database back from ransomware. And another large district had to take 25,000 Chromebooks out of students’ hands and reimage each hard drive, which took eight weeks while students went cold turkey. These are not stories, but actual reports. Maintaining IT security has become much more complex, and it will only get worse.

It used to be fairly simple. All computing devices connected only to the district network, never going outside that network. IT would “lock down” the image (no one could add programs, etc.) and funnel everything through a single access point. It resembled a castle with a moat and a drawbridge.

Now we have district devices going outside of the district and coming back, personal devices coming to the district, and sensors that are not computing devices, all connecting to the network wirelessly. Your “Unified Threat Management” system has to become much more sophisticated, with multiple strategies addressing multiple vulnerabilities.

Simply using a router, which only looks at the “header (address),” to protect your Internet access point is now inadequate. Your router needs to be more sophisticated, looking deeper into the actual data beyond the headers for malicious codeware; we call that a firewall. On top of that, we are required by federal law to filter for appropriate content to protect minors. So, now we have firewalls and web filters, both requiring separate real-time subscriptions to “white-hat security” sources that constantly update their databases about what to flag.

Now we must address all of those devices that connect out in the public space, return to the district, and connect to your secure network. Your firewall needs to have what is called an “endpoint monitoring” system that looks at the data coming from those mobile devices after they leave and come back.

Malicious codeware can hitch a ride on that mobile device and, when reconnected to your secure network, infect other devices on your network. So, the endpoint monitoring is doing the same thing as the firewall, but with mobile devices. That endpoint monitoring should also include some predictive analytics that monitor traffic within your network, recognizing patterns that suggest something malicious is on your “secure” network before it can truly embed itself on many devices.

The last vulnerability to be addressed relates to the protection of your wireless network connectivity. In addition to district and personal mobile devices, we now have “building Internet of Things (IoT)” devices, such as thermostats, occupancy sensors, LED lighting controllers, electrical power metering, geothermal systems, photovoltaic (solar) panels, access control, and video cameras, that are all connected to your secure network.

The Target credit card breach of a few years ago was carried out when hackers used the building automation system as a backdoor into the network. Unfortunately, in today’s world, any device or sensor needing connection to the wireless network represents a major vulnerability. Another system called “Identification and Authentication Management (IAM),” also known as Network Access Control or IEEE 802.1x, addresses that vulnerability.

Every device requiring network access has what is called a MAC (Media Access Control) address that is a universally recognized identifier unique to that device and that device only. The IAM is configured with all authorized devices by MAC address and identification of the owner, identified by your login name and password. The configuration then enables the network administrator to explicitly outline what resources on your network—again by the unique MAC address—your device can access.

Using your mobile phone versus your district-issued computer will change what you can access. If the system does not recognize the device or the user, it can be configured to allow access to the public Internet but nothing else. No one can use the MAC address of a sensor and log onto your network. A side benefit of this system is that you now have a one-password login function for all users.
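The access decision described in the two paragraphs above can be sketched as a small Python model. This is an added example, not code from the article or from any IAM product; the MAC addresses, the login `jdoe`, the resource names and the rule that sensors are identified by MAC alone and confined to building automation are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

GUEST = frozenset({"internet"})  # fallback: public Internet only

@dataclass(frozen=True)
class Device:
    owner: Optional[str]  # login the device is registered to; None for sensors
    kind: str             # "district", "personal" or "sensor"

# Constructed sample registry (locally administered MAC addresses).
REGISTRY = {
    "02:00:00:00:00:01": Device("jdoe", "district"),
    "02:00:00:00:00:02": Device("jdoe", "personal"),
    "02:00:00:00:00:10": Device(None, "sensor"),  # e.g. a thermostat
}

# Hypothetical resource names each device kind may reach.
POLICY = {
    "district": frozenset({"internet", "email", "student-records"}),
    "personal": frozenset({"internet", "email"}),
    "sensor": frozenset({"building-automation"}),
}

def normalize(mac: str) -> Optional[str]:
    """Return lower-case colon form so 02-00-.. and 0200.0000.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def decide(mac: str, user: Optional[str] = None) -> frozenset:
    """`user` is a login the directory has already verified, or None."""
    device = REGISTRY.get(normalize(mac) or "")
    if device is None:
        return GUEST                      # unrecognized device
    if device.kind == "sensor":
        # Sensors never log in: a user session on a sensor's MAC gets no
        # sensor access, and a sensor never gets user resources.
        return POLICY["sensor"] if user is None else GUEST
    if user is None or user != device.owner:
        return GUEST                      # unrecognized or mismatched user
    return POLICY[device.kind]
```

The same verified login yields different resource sets on the district laptop and on the personal phone, and every unrecognized combination falls back to Internet-only access.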

Your current state-of-the-art Unified Threat Management system should contain a firewall with endpoint monitoring and a real-time subscription, a content filter with real-time subscription, and an Identification and Authentication Management system. Unfortunately, they are not cheap, which is why we have so many reports of school district security breaches.

This article originally appeared in the School Planning & Management March 2018 issue of Spaces4Learning.

About the Author

Glenn Meeks is president of Meeks Educational Technology located in Cary, N.C. He can be reached at [email protected].
