Do You Have a Security Budget?
January, 2002
At a recent technology conference I asked an audience of
school leaders how many had budgets for technology security.
Not a single person raised a hand. The fact that we in
education have spent so little on security is frightening
when looked at in light of the incredibly sensitive information
on students and teachers that we keep in our student, financial,
and special education databases. It would be a disaster should
this information ever be compromised.

The disaster would take on even greater proportions if you,
as a school leader, were shown to have been negligent in your
security preparations. It is not only sensitive information
that is at risk but the large investments in classroom and
office technology that schools have made over the last decade.

How much should you budget for security and where should
you start? The best starting place is to audit your security
readiness. This audit is best done by an outside organization
with extensive security experience. The audit should point
out weaknesses and provide recommendations for improving your
security. The size of your security budget will depend on
the size of your district and how secure you want to be. The
"kicker" is that no matter how much you spend, you will not
eliminate all your security problems. Most experts will admit
that with the right amount of effort any system can be compromised.
The best you can hope for is to diminish the odds of a security
incident.

At the LHRIC we plan network security from three points of
view: Prevention, Recovery, and Forensics. Obviously, prevention
of security incidents is our main goal; however, if there
is an incident, we want to recover quickly and catch the bad
guys.

At a very high level, when we approach prevention, we look
at resources as either public or private. Resources that are
declared private are placed behind a firewall or in a DMZ
to keep them away from the millions of worldwide users of
the Internet. If a school has purchased and installed a firewall,
a key area to analyze is its configuration and maintenance.
Many busy school technicians don't keep up with the firewall's
software patches and/or new releases. Hackers look for these
unpatched holes and exploit them. The problem with firewalls
in the K-12 environment is that even if they do a reasonably
good job of keeping Internet hackers off your system, most
schools face their greatest threats from their own student
hackers who are behind the firewall.
Security policies and procedures are another component of
prevention that needs to be analyzed. Other than student acceptable
use policies, most schools have very little in the way of security
policy. Does the school require that passwords be changed
on a regular basis? Is there an employee acceptable use policy?
What is the escalation/notification procedure when there is
a breach of security? Does the district allow executable attachments?
Nimda, Melissa, Anna K., Goner and others used executable
attachments to infect networks around the world. Does the
district allow students to download files from the Internet?
The list goes on and on.

Most schools have virus protection but many do not update
their virus definitions automatically and become vulnerable
to the latest and greatest viruses being released on a daily
basis. Many schools do not lock down their desktops. This
gives students access to the key elements necessary to launch
a serious breach of security. The components of a solid prevention
plan go far beyond the obvious areas I have raised in this
article. A security audit would provide a much more thorough
analysis of the risks and provide a roadmap to mitigating
potential problems.

The second area that we consider for security planning is
recovery. It is surprising to me how many schools do not take
this area seriously. Many school leaders assume the information
on their key student and financial systems is being copied
to "back up" media on a daily basis. If anything ever happened
to the operational data on their file server's hard drive
it could be loaded back onto the system from the "back up"
copy. The truth is that many of these backups are not happening
daily/nightly. Many backups are rendered useless because they
freeze during the process. A good example of the problems
that can arise when you "assume" something is getting done
is when a hard drive failed on a nearby district's financial
system over the summer. The database was corrupted during
the failure. A new hard drive was installed and when the technician
attempted to load the backup he and the district business
official were surprised to find that the backups had stopped
when the Director of Technology, a ten-month employee, had
left for summer vacation. How sure are you that if your systems
failed, you could get yourself up and running quickly? Once again,
a security audit would delve much more deeply into the issues
involved in quick recovery.

Finally, we focus our planning on forensics. Stuff happens;
but when it does we want to catch and prosecute those who
did it. Forensics can range from configuring servers and routers
to keep logs of all activities, requiring user-specific logins,
to having procedures to follow and phone numbers to call when
there has been a security breach. A teacher at a local school
district was arrested for setting up a meeting with an underage
student at a mall. The teacher's school computer had a wealth
of evidence to support the charge. Because the district didn't
have a procedure in place to isolate the evidence, other teachers
used the computer before it was seized several weeks later
for evidence. Because they had used the computer after the
fact, the evidence it contained was tainted and not able to
be used in court. A security audit will provide recommendations
on how to improve your chances to identify the bad guys.

It is unfortunate that schools must divert precious resources
from children to areas such as security; but neglecting to
do so would be a huge miscalculation on the part of school
leaders. One does not want to gamble when it comes to keeping
our children's and their parents' private information safe.
The cost of ignoring security is too high.
