Cyber security at the distriCt level: are you ready to prevent unlawful, unauthorized or simply misguided use of your technology?In California, a high-school junior hacks into his school district's computer network and copies students' Social Security numbers and other confidential information Noun 1. confidential information - an indication of potential opportunity; "he got a tip on the stock market"; "a good lead for a job" steer, tip, wind, hint, lead . District officials have no choice but to send letters to all families advising them to take measures to make preparations; to provide means. See also: measure to protect their children's records from possible fraud. In Ohio, a 13-year-old deletes student records from a school district's electronic reading program. School officials find themselves in trouble as well when it's revealed the district had failed to back up the files onto a separate server. And in Florida, two students steal a password from a teacher's computer, break into the school's server and start charging $5 to change other students' grades. These are real high-tech horror stories horror story Story intended to elicit a strong feeling of fear. Such tales are of ancient origin and form a substantial part of folk literature. They may feature supernatural elements such as ghosts, witches, or vampires or address more realistic psychological fears. , and while the culprits were all caught and punished, the damage was done--both in actual loss or abuse of school data and in damage to the reputations of the school districts and their leadership. Tempting Targets The latter point cannot be overstated o·ver·state tr.v. o·ver·stat·ed, o·ver·stat·ing, o·ver·states To state in exaggerated terms. See Synonyms at exaggerate. o . In an era of digital technologies, school districts find themselves on a cutting edge, one that slices both ways. Technological tools like the Internet, e-mail, networked computers and such have revolutionized the way children are taught and schools are run, but they also have created new management challenges and ethical issues that many school systems are only beginning to recognize and address. For example, a tech-savvy district these days has the ability to collect, analyze and disseminate dis·sem·i·nate v. dis·sem·i·nat·ed, dis·sem·i·nat·ing, dis·sem·i·nates v.tr. 1. To scatter widely, as in sowing seed. 2. reams of data on everything from neighborhood demographics The attributes of people in a particular geographic area. Used for marketing purposes, population, ethnic origins, religion, spoken language, income and age range are examples of demographic data. to individual student histories. That's useful stuff for administrators seeking to find the biggest bang for their budget or for a teacher trying to understand why a particular pupil isn't doing well academically. But what happens if that information gets into the wrong hands or is used for unlawful, unauthorized or simply misguided purposes? These are questions that keep some educators up late at night. The problem, according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. several authorities, is that these questions don't keep enough educators up late at night. "The only thing protecting most school districts right now is that they're not as tempting a target for electronic abuse and criminal acts as business," says Steven Miller, director of the Cyber Security for the Digital District, a project of the Consortium for School Networking, a national nonprofit organization Nonprofit Organization An association that is given tax-free status. Donations to a non-profit organization are often tax deductible as well. Notes: Examples of non-profit organizations are charities, hospitals and schools. that promotes the effective use of technology in K-12 education. "On a scale of zero to 10, with 10 being districts that have done a good job of protecting their networks and databases, I'd say the general score nationwide is close to zero, maybe 1 to be generous," Miller adds. "I'm not just talking about small districts, but most medium-sized ones too. School districts tend not to have specialized staff for information technology until they get very large or very wealthy. A middle-sized district might have a person or two. A small district might have a principal or other administrator handle IT as just another part of their job. "Unfortunately, the world has gotten messed up enough, and will stay messed up enough, that districts that don't deal with cyber security issues now or soon are eventually going to find themselves without a functioning system." Perhaps because he often deals with or hears about the most extreme abuses, Miller is more pessimistic pes·si·mism n. 1. A tendency to stress the negative or unfavorable or to take the gloomiest possible view: "We have seen too much defeatism, too much pessimism, too much of a negative approach" than others who say most school administrators at least know there's a problem, even if they don't know Don't know (DK, DKed) "Don't know the trade." A Street expression used whenever one party lacks knowledge of a trade or receives conflicting instructions from the other party. exactly how to resolve it. "I think cyber security awareness Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. is high (around the country)," says David Richards David Richards may refer to:
Those dangers and needs, though, are daunting daunt tr.v. daunt·ed, daunt·ing, daunts To abate the courage of; discourage. See Synonyms at dismay. [Middle English daunten, from Old French danter, from Latin and myriad. It's not just misguided students. They tend to be the least of a school district's cyber security worries. The really troubling threats are serious hackers, criminals and the ongoing, seemingly endless plague of electronic viruses and worms. In 2004, for example, the number of known computer viruses reportedly topped 100,000. It's estimated that at any moment, day and night, there are at least 2,000 programs on the Internet poking and probing for security holes in computer networks. Some are harmless, but others can cause damage costing in the thousands and millions of dollars. The typical virus attack, according to a recent International Customer Service Association survey, costs $11,000 and 11 person-days to repair. Perhaps more troubling are less visible abuses and unwanted intrusions into cyberspace Coined by William Gibson in his 1984 novel "Neuromancer," it is a futuristic computer network that people use by plugging their minds into it! The term now refers to the Internet or to the online or digital world in general. See Internet and virtual reality. Contrast with meatspace. . Spyware are subversive, invasive programs that burrow into unprotected computers, troll for data and send it to a third party. "Phishing Pronounced "fishing," it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords. Also known as "brand spoofing," an official-looking e-mail is sent to potential victims pretending to be from their ISP, bank or retail establishment. " is the often-criminal act of sending e-mails that falsely claim to offer something in return for personal data, such as credit card or bank account numbers. And then there's server hijacking hijacking Crime of seizing possession or control of a vehicle from another by force or threat of force. Although by the late 20th century hijacking most frequently involved the seizure of an airplane and its forcible diversion to destinations chosen by the air pirates, when , in which an outside party surreptitiously sur·rep·ti·tious adj. 1. Obtained, done, or made by clandestine or stealthy means. 2. Acting with or marked by stealth. See Synonyms at secret. and often remotely takes control of a server--a computer or device on a network that manages the network's resources, everything from files and printers to network traffic. Miller says he recently heard about a server hijacking case in Louisiana where a school district's server had been unknowingly usurped to disseminate pornography in China. Irresistible Force IRRESISTIBLE FORCE. This term is applied to such an interposition of human agency, as is, from its nature and power, absolutely uncontrollable; as the inroads of a hostile army. Story on Bailm. Sec. 25; Lois des Batim. pt. 2. c. 2, Sec. 1. It differs from inevitable accident; (q. v. Despite these kinds of problems, few districts have refrained from investing heavily in technology. Indeed, more than $7 billion will be spent this year alone in K-12 schools on new technology. According to a study by Quality Education Data, a market research firm in Denver, the typical school in 2005 will spend $53.72 per student on technology hardware--approximately 38 percent of the average total per-pupil technology expenditure. Most of this technology, as in the past, will be ramped into service very quickly, Miller says. Perhaps too quickly. "Technology has become indispensable to the business and administration systems of school districts," he says. "How many administrators now can imagine doing schedules, keeping track of buses or lunch programs without computers?" Julio Velasquez can't. Or rather, he shudders at the memory of those earlier paleo-technological days. The director of instructional technology There are two types of instructional technology: those with a systems approach, and those focusing on sensory technologies. The definition of instructional technology prepared by the Association for Educational Communications and Technology (AECT) Definitions and Terminology for the Somerset, Pa., Area School District, a 2,800-student suburban system southeast of Pittsburgh, Velasquez says it was only three years ago that his district could be described as a sort of digital Stonehenge. "We faced a situation in which our technology was completely obsolete," he says. "We had computers that were 15 years old. Some were ancient IBMs; others were Macs running on personal software. Office 95 was our most sophisticated program. Some of the networking structure we were using had been invented in the '80s or earlier. Very few computers in the district were linked to the Internet and some of those were connected directly with no firewall at all." Back then, Velasquez adds, computers were more of an oddity odd·i·ty n. pl. odd·i·ties 1. One that is odd. 2. The state or quality of being odd; strangeness. oddity Noun pl -ties 1. than an effective tool. "Schools couldn't communicate effectively because most of the buildings weren't even cabled for computers. Typewriters were still the main way of creating documents. Information was shared by a secretary typing a bulletin, then faxing it to other buildings so that copies could be made for individuals." In 2002, the Somerset school board and administration decided to upgrade big time, launching a $1.8 million initiative that included computers for every teacher, more than 400 new computers in student labs, extensive rewiring and numerous online curricula and administration tools. Velasquez, who previously had worked in private industry, made sure that some of the money and effort went to cyber security. "I'd say our district compares favorably now to most businesses. Most of our services are done by computer now, and we have all of the virus and spare protections." Overreaction o·ver·re·act intr.v. o·ver·re·act·ed, o·ver·re·act·ing, o·ver·re·acts To react with unnecessary or inappropriate force, emotional display, or violence. Common In some ways, Somerset may be the exception to the rule, experts say. Most districts pay more attention to what technology can do in terms of educating students or running a district than in how to protect it. That may be natural and reasonable, but it's also problematic. "The biggest difficulty is staffing in the district," says Richards, the technology director in Rochester, Mich., a district with more than 14,300 students. "In order to be aggressive and pro-active, you really have to have resources, which includes having bodies available to handle problems. You need people who can monitor and respond to anything that gets through the filters and systems protections. "Whether it's inappropriate e-mails, websites, pop-ups, whatever. You're not going to be able to be as aggressive unless you have trained staff to handle the problem. A lot of districts don't and what happens is something happens and those districts panic. They simply shut down everything until the problem can be fixed. That's not really a good solution." Miller agrees, but says the urge to overreact o·ver·re·act v. To react with unnecessary or inappropriate force, emotional display, or violence. is common because most senior school administrators have little, if any, technical expertise. "People tend to feel overwhelmed o·ver·whelm tr.v. o·ver·whelmed, o·ver·whelm·ing, o·ver·whelms 1. To surge over and submerge; engulf: waves overwhelming the rocky shoreline. 2. a. because there's usually no easy answer. They're frustrated frus·trate tr.v. frus·trat·ed, frus·trat·ing, frus·trates 1. a. To prevent from accomplishing a purpose or fulfilling a desire; thwart: because good answers take ongoing, careful attention," he says. "Most superintendents probably wish someone else would deal with the whole subject." Miller adds. "The best superintendents understand that technology is now just one more thing on their plate, that they need to pull together a leadership team that can deal with it. The superintendent doesn't have to handle it directly, but he or she should have a team in place with the training and authority to not only deal with problems but try to prevent them." That's not to say, of course, that administrators should simply turn over the responsibility of cyber security to technical staff. "The last thing you want to do is tell a tech person that they're in charge and that you don't want anything bad to happen," Miller says. "Their instinct is going to be to lock things down. That might work in business, but it doesn't work in schools where the reason for existence is exploration, discovery, the free flow of information. Technology and security should be implemented in ways that follow a district's values and procedures." First Steps CoSN, in conjunction with Mass Networks Education Partnership in Allston, Mass., has produced the Cyber Security for a Digital District program (www. securedistrict.cosn.org). Among the features is a list of questions every administrator asks about cyber security, a security self-assessment checklist and eight questions every superintendent should direct toward his or her chief technology officer or director of information technology. They are: How are we doing so far? Do we have a security plan? Do we have adequate security and privacy policies in place? Are our network security procedures and tools up-to-date? Is our network perimeter secured against intrusion? Is our network physically secure? Have we made our users part of the solution? Are we prepared to survive a security crisis? Getting answers to those questions usually points the way to first or additional steps. One big step is doing a more thorough security self-assessment, but that's usually just a prelude to ordering an external security audit, says Bob Moore For the football player of the same name see Bob Moore (American football). Bob Loyce Moore (born November 30, 1932 in Nashville, Tennessee), is an American session musician, orchestra leader, and legendary bassist. , executive director of instructional technology services for the Blue Valley Unified School District The Blue Valley Unified School District (Kansas Unified School District 229) is one of the major school districts in the Kansas City Metropolitan Area. Located in east central and southeast Johnson County, Kansas covering 91 square miles of Overland Park, Kansas. in Overland Park Overland Park, city (1990 pop. 111,790), Johnson co., NE Kans., a residential suburb of Kansas City; inc. 1960. There is printing and publishing, and the manufacture of apparel, aircraft parts, cement, prepared foods, salt, chemicals, marine accessories, and signs. , Kan. "Audits are expensive," Moore says. "It's not something you can buy for a couple of hundred dollars, but the bottom line is the value of the assets you're trying to protect, not the cost of the audit." A good external security audit analyzes risks and identifies vulnerabilities in a district's computer system. Just as important, it suggests remedies. Among the aspects an audit should evaluate: security policies and processes, privacy policies, privacy data handling, security controls, technology infrastructure, physical site security, authentification systems, Internet vulnerability assessment A Department of Defense, command, or unit-level evaluation (assessment) to determine the vulnerability of a terrorist attack against an installation, unit, exercise, port, ship, residence, facility, or other site. , policies and controls for wireless deployment, and unauthorized access points. "We had a security assessment conducted," says Moore of his 20,000-student district. "I can't describe the results, of course, but out of it, we took a look at our priorities, what the different layers of security were, how people accessed information, who had access to what kinds of information and how to make that process work better." One simple but stunning realization, he and others say, is how often cyber security is breached not by determined hackers with ill intent, but by simple negligence or ignorance. "It can be as simple as not keeping up with software patches," Moore says. Other breaches can occur because not everyone who uses school computers is fully cognizant of the security rules and ethics. "I remember one incident where students loaded some software onto a computer while the teacher was out of the room," says Charles Garten, director of information support services support services Psychology Non-health care-related ancillary services–eg, transportation, financial aid, support groups, homemaker services, respite services, and other services for the 33,000-student Poway Unified School District Poway Unified School District is a school district located in Poway, California. The District operates 22 elementary schools (K-5), six middle schools (6-8), four comprehensive high schools (9-12), and one continuation high school. , north of San Diego San Diego (săn dēā`gō), city (1990 pop. 1,110,549), seat of San Diego co., S Calif., on San Diego Bay; inc. 1850. San Diego includes the unincorporated communities of La Jolla and Spring Valley. Coronado is across the bay. , Calif. "Teachers can be too trusting. They'll tell a kid a password or have them input grades. Two kids once got a copy key to a teacher's classroom and the password to the teacher's web page. They had other kids paying them money to change grades posted on the web page. "Unfortunately for them, they didn't realize they weren't getting into the real grade book program," says Garten. "When the quarter ended and report cards went home, the kids who had purchased better grades got their real grades. There were a lot of unhappy students and a lot of unhappy parents when the students told their parents what had happened." An Ethical Emphasis As for ethics, the basic rules are pretty simple, according to the Computer Ethics (philosophy) computer ethics - Ethics is the field of study that is concerned with questions of value, that is, judgments about what human behaviour is "good" or "bad". Ethical judgments are no different in the area of computing from those in any other area. Institute: Don't use computers to harm other people. Don't interfere with others' computer work. Don't snoop around without permission. Don't use a computer to steal or bear false witness. Don't use or copy software you haven't paid for. Think about the consequences of any program you write or use. "Some cyber security issues are more ethical in nature than legal, stuff like not using someone else's user name and password," says Moore of the Blue Valley Unified Schools in Overland Park, Kan. "Whether the subject is cyber security, copyright infringement Noun 1. copyright infringement - a violation of the rights secured by a copyright infringement of copyright plagiarisation, plagiarization, piracy, plagiarism - the act of plagiarizing; taking someone's words or ideas as if they were your own , fair use or something else, we incorporate ethics into virtually all technology training. We're always hitting that message, partly because of staff turnover, partly because you know that the message won't be received by everybody every time and partly because of liability. If something comes up, the district needs to be able to show that it had a deliberate campaign to teach and promote computer ethics." When it comes to cyber security, paranoia paranoia (pr'ənoi`ə), in psychology, a term denoting persistent, unalterable, systematized, logically reasoned delusions, or false beliefs, usually of persecution or grandeur. isn't necessarily a bad thing, said Garten in Poway. "Districts shouldn't necessarily trust their vendors," he says. They shouldn't assume that the company providing them with software or services is completely secure, even if they insist they are. We had a vendor whose software had a hole in it. A kid found the hole and got into our file servers. He didn't do anything malicious, just partitioned off one of the hard drives and was selling space on it to other students. We caught him completely by accident. "I guess you could say we were doing our job," Garten adds. "The kid really understood computers, but it was embarrassing." Marie Scigliano, director of educational technology for the 10,000-student Palo Alto Palo Alto, city, California Palo Alto (păl`ō ăl`tō), city (1990 pop. 55,900), Santa Clara co., W Calif.; inc. 1894. Although primarily residential, Palo Alto has aerospace, electronics, and advanced research industries. , Calif., Unified School District A unified school district is a school district which includes both primary school (kindergarten through middle school or junior high) and high school (grades 9-12). In Illinois, these districts are called unit school districts. , agrees. "Sometimes people have no clue about security. They talk about what they want to do, but security isn't given any consideration," she says. "For example, we have had the experience where vendors do demonstrations of their product using live data from other districts. When we've asked the vendor about this practice, it was not seen as a security risk nor were the districts aware of the use." A New World The more districts embrace and exploit the wonders of the digital age, the greater their vulnerability. A school district with little or no access to the World Wide Web, for example, doesn't have to worry about Internet-borne viruses. Something similar applies to wireless technologies, which allow greater freedom of use. Nearly 67 percent of school districts in one national study said they would be buying wireless laptops for student use this year, posing an entirely different security risk. "People really feel secure with a firewall," a hardware or software system that prevents unauthorized access to or from a private computer network, Garten says. "But if they use wireless technologies, that firewall can be jumped over. A firewall is not the ultimate protection. Then, there are the internal threats: disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see employees, kids with too much time in the library, whatever. The first line of defense is always going to be the teacher or staff member. You need to teach them how to effectively use the system and how to spot problems." All of this prevention takes money, and quite a lot of it. There is no typical or average cost, of course. It varies with the needs and expenses of a district, not to mention the degree of security desired or demanded. But one thing is universal: Cyber security costs are rising fast. "There's been a marked increase in the past few years," says Moore. "Some of it is attributable to greater awareness; some of it is because of issues and problems that didn't exist in the past. Five years ago, for example, spam E-mail that is not requested. Also known as "unsolicited commercial e-mail" (UCE), "unsolicited bulk e-mail" (UBE), "gray mail" and just plain "junk mail," the term is both a noun (the e-mail message) and a verb (to send it). was a moot point moot point n. 1) a legal question which no court has decided, so it is still debatable or unsettled. 2) an issue only of academic interest. (See: moot) . Now it's a big problem. (Eighty-eight percent of e-mail globally is unwanted, according to industry experts.) Five years ago, people didn't worry about spyware." Moore estimates his district's cyber security budget "is in the six figures for just hard, direct costs." That doesn't include the biggest expense: the people and time required to maintain the technology and fix any problems. "You really have to have some financial resources," says John Q. Porter, deputy superintendent Deputy Superintendent, or Deputy Superintendent of Police (DSP), was a rank used by police forces of the British Empire. In some territories it was called Deputy District Superintendent of Police (DDSP). of Montgomery County Public Schools Montgomery County Public Schools (MCPS) is a school district that serves Montgomery County, Maryland, USA. It is currently the largest county in Maryland serving over 137,000 students. in Rockville, Md. "You have to have access to the expertise that makes this technology work and meet its potential. For example, my district is big enough to have a chief security officer whose job it is to think about these issues, to work on planning, to look for best practices and policies. There's a group of us who focus a lot of time on this subject and yet, I'm not sure it's enough. We have 45,000 computers in the district; 180,000 users of all kinds. That's a lot of ground to cover." It's all expensive. A full-time cyber security officer, says Garten, the director of information support services at Poway, can demand a salary approaching $100,000 a year. External security audits, which should be done every 12 to 18 months, can exceed $50,000 for a month's work. Then there's the actual security software and services sold by numerous companies to protect district computers and systems. "Software manufacturers get a pretty nice penny for their products," says Richards, the technology administrator at Rochester Community Schools, "but it's not an option anymore to simply say, 'No thanks.' The programs are essential. A school district has to have some sort of system filter. Paying for it simply has to be built into the operations budget. It's a part of doing business." CoSN's Miller tells a story about a superintendent who boasts of getting a new, high-tech bike. But when asked how it operated, the superintendent admitted he'd never been on the thing. No time, he explained. "Cyber security is like that bike," says Miller. "You've got to get on it. Do the studies. Hire the staff. Make security a priority." "Most school administrators get depressed when talk turns to costs," Miller adds. "They say they don't have any available money. But the fact is, increasing security is going to cost something, though in many cases it won't cost as much as they fear and, in all cases, the cost will be much less than repairing the consequences." Inevitable Breakdowns Miller says all good cyber security programs in a school district should cover three basic elements: * Back-up systems. Any data that's important is backed up onsite in a different location. If it's really important, it's backed up offsite too. * Redundancy and more redundancy. This is particularly true of critical systems, such as those maintaining student records. Redundant systems don't necessarily have to be as robust as the main system, but they should be sufficient to allow school district business to go on while repairs are made. * Practice crises. Everybody needs to know what has to be done in a real emergency and that the emergency plans actually work. Pursue all three avenues to the letter, says Miller, and things still will go wrong. Hackers will continue to find ways to break in. Viruses will still infect infect /in·fect/ (in-fekt´) 1. to invade and produce infection in. 2. to transmit a pathogen or disease to. in·fect v. 1. . Programs and systems will fail. That's the nature of technology, sighs Miller. "It happens." RELATED ARTICLE: Basic tips on cyber security. The technology may be daunting--even akin to magic for some users--but effective cyber security starts with simple steps and caveats, say security experts. Here are 10 tips for anyone who relies upon computers from the National Cyber Security Alliance (www. staysafeonline.info), a Washington, D.C.-based public-private partnership Public-private partnership (PPP) describes a government service or private business venture which is funded and operated through a partnership of government and one or more private sector companies. These schemes are sometimes referred to as PPP or P3. of institutions and technology companies. * Use anti-virus software anti-virus software n → Antivirensoftware f . * Don't open e-mails or attachments from unknown sources. Be suspicious of any e-mail attachments A file that rides along with an e-mail message. The attached file can be of any type. E-mail programs make it easy to attach a file. For example, in Eudora, all you do is select Attach from the Message menu, browse through the folder hierarchy to find the file you want and then double that are unexpected, even if they come from a known source. * Protect your computer from Internet intruders. * Regularly download security updates and patches for operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. and other software. * Use hard-to-guess passwords. Mix upper case, lower case, numbers and other characters not easily found in the dictionary. Make sure your password is at least eight characters long. * Back-up your computer data on disks or CDs regularly. * Don't share access to your computer with strangers. Learn about file-sharing risks. * Disconnect disconnect - SCSI reconnect from the Internet when not in use. * Check your security on a regular basis. * Make sure all employees know what to do if a computer or system is believed to be infected in·fect tr.v. in·fect·ed, in·fect·ing, in·fects 1. To contaminate with a pathogenic microorganism or agent. 2. To communicate a pathogen or disease to. 3. To invade and produce infection in. or corrupted. Scott LaFee covers science and health at the San Diego Union-Tribune. E-mail: scott.lafee@uniontrib.com |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion