Yikes!

Have you noticed the change in reports regarding IT security breaches at school districts? One district had its domain name “blacklisted” (the Internet would not accept email using its email name) because district computers were taken over by someone in Ukraine who was sending millions of fake emails per hour, overloading targeted servers. Another large school district paid $50,000 to get its database back from ransomware. And another large district had to take 25,000 Chromebooks out of students’ hands and reimage each hard drive, which took eight weeks while students went cold turkey. These are not stories, but actual reports. Maintaining IT security has become much more complex, and it will only get worse.

It used to be fairly simple. All computing devices connected only to the district network, never going outside that network. IT would “lock down” the image (no one could add programs, etc.) and funnel everything through a single access point. It resembled a castle with a moat and a drawbridge.

Now we have district devices going outside of the district and coming back, personal devices coming to the district, and sensors that are not computing devices, all connecting to the network wirelessly. Your “Unified Threat Management” system has to become much more sophisticated, with multiple strategies addressing multiple vulnerabilities.

Simply using a router, which only looks at the “header (address),” to protect your Internet access point is now inadequate. Your router needs to be more sophisticated, looking deeper into the actual data beyond the headers for malicious codeware; we call that a firewall. On top of that, we are required by federal law to filter for appropriate content to protect minors. So, now we have firewalls and web filters, both requiring separate real-time subscriptions to “white-hat security” sources that constantly update their databases about what to flag.

Now we must address all of those devices that connect out in the public space, return to the district, and connect to your secure network. Your firewall needs to have what is called an “endpoint monitoring” system that looks at the data coming from those mobile devices after they leave and come back.

Malicious codeware can hitch a ride on that mobile device and, when reconnected to your secure network, infect other devices on your network. So, the endpoint monitoring is doing the same thing as the firewall, but with mobile devices. That endpoint monitoring should also include some predictive analytics that monitor traffic within your network, recognizing patterns that suggest something malicious is on your “secure” network before it can truly embed itself on many devices.

The last vulnerability to be addressed relates to the protection of your wireless network connectivity. In addition to district and personal mobile devices, we now have “building Internet of Things (IoT)” devices, such as thermostats, occupancy sensors, LED lighting controllers, electrical power metering, geothermal systems, photovoltaic (solar) panels, access control, and video cameras, that are all connected to your secure network.

The Target credit card breach of a few years ago was carried out when hackers used the building automation system as a backdoor into the network. Unfortunately, in today’s world, any device or sensor needing connection to the wireless network represents a major vulnerability. Another system called “Identification and Authentication Management (IAM),” also known as Network Access Control or IEEE 802.1x, addresses that vulnerability.

Every device requiring network access has what is called a MAC (Media Access Control) address that is a universally recognized identifier unique to that device and that device only. The IAM is configured with all authorized devices by MAC address and identification of the owner, identified by your login name and password. The configuration then enables the network administrator to explicitly outline what resources on your network—again by the unique MAC address—your device can access.

Using your mobile phone versus your district-issued computer will change what you can access. If the system does not recognize the device or the user, it can be configured to allow access to the public Internet but nothing else. No one can use the MAC address of a sensor and log onto your network. A side benefit of this system is that you now have a one-password login function for all users.
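The access decision described above can be sketched in a few lines of Python. This is an added example, not part of the original article or any vendor's product; the registry entries, resource group names, and function names are all constructed assumptions.

```python
import re

# Constructed sample registry: MAC -> (device class, owner login; None for sensors).
REGISTRY = {
    "00:11:22:33:44:55": ("district_laptop", "jdoe"),
    "66:77:88:99:aa:bb": ("personal_phone", "jdoe"),
    "02:00:00:00:00:10": ("building_sensor", None),
}

# Hypothetical resource groups each device class may reach.
ACCESS = {
    "district_laptop": {"internet", "student_records", "file_shares"},
    "personal_phone": {"internet", "email"},
    "building_sensor": {"building_automation"},
}
GUEST = {"internet"}  # unknown device or user: public Internet only


def normalize_mac(mac):
    """Accept 00-11-22-..., 0011.2233.4455 or 00:11:22:... and return aa:bb:cc form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide(mac, user=None, authenticated=False):
    """Return the set of resource groups this connection may reach."""
    entry = REGISTRY.get(normalize_mac(mac))
    if entry is None:
        return GUEST  # unrecognized device
    device_class, owner = entry
    if owner is None:
        # Sensor: a user login presented on a sensor's MAC address is refused.
        return set() if user else ACCESS[device_class]
    if not authenticated or user != owner:
        return GUEST  # recognized device, unrecognized user
    return ACCESS[device_class]
```

The same user gets different resources from the laptop and the phone, and a login attempt on the sensor's address gets nothing.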

Your current state-of-the-art Unified Threat Management system should contain a firewall with endpoint monitoring and a real-time subscription, a content filter with real-time subscription, and an Identification and Authentication Management system. Unfortunately, they are not cheap, which is why we have so many reports of school district security breaches.

This article originally appeared in the School Planning & Management March 2018 issue of Spaces4Learning.

About the Author

Glenn Meeks is president of Meeks Educational Technology located in Cary, N.C. He can be reached at [email protected].
