Attacks by external hackers on Sony and Target make big headlines, but in K12 the threats more often come from the inside.
Plaguing districts with increasing frequency are distributed denial of service (DDoS) attacks that, for pure mischief’s sake, saturate servers with so many external communications requests that they cannot respond to legitimate school traffic, such as teachers trying to access online grades or email.
Last year, two high school students shut down the network for the entire Community Unit School District 303 in Illinois for more than a month. The students learned from a gaming environment how to launch the attack with their smartphones.
Consolidated High School District 230, also in Illinois, got hit with several DDoS attacks last year during midterms. The disruption was shortlived, however, because the district has a software protocol that shifted the unwanted inbound traffic to a separate IP address. Intrusion detection software then alerted the IT staff, who shut down the attacks before they caused more disruption.
The district also has two data centers. In the event the first one becomes flooded with unwanted traffic, IT can switch all users to the second one.
“DDoS attacks are fairly new to districts, and the potential cost and changes to mitigate them are usually complex and/or expensive,” says John Connolly, chief technology officer at District 230. “Educational and private companies typically make the changes after they have been hit by these attacks. I anticipate that this will be standard security practice for school districts and private companies over the next one to two years.”
The district is considering software (a DDoS-mitigation solution) that would automatically shut down an attack without requiring the second step of manual intervention. The district hasn’t purchased the software yet because of the high cost; however, the price is dropping, says Connolly.
The following includes part of CoSN’s list of key security questions:
1. Network Operations Center Management and Security
*Does the provider perform regular penetration testing, vulnerability management and intrusion prevention?
*Are backups performed and tested regularly and stored off-site?
2. Data Storage and Data Access
*Where will the information be stored and how is data “at rest” (such as data in the data center) protected?
*How does the provider protect data in transit, such as SSL or hashing?
*Who has access to information stored or processed by the provider?
Data and Metadata Retention
*How does the provider ensure the proper management and disposal of data?
*How will the provider delete data?
3. Development and Change Management Process
*Does the provider follow standardized and documented procedures for coding, configuration management, patch installation?
*Are practices regularly audited?
4. Availability
*Does the provider offer a guaranteed service level?
*What is the provider’s protection against denial-of-service attacks?
5. Audits and Standards
*Does the provider provide the school system the ability to audit the security and privacy of records?
*Have the provider’s security operations been reviewed or audited by an outside group?
6. Test and Development Environments
*Will “live” student data be used in non-production (such as training) environments?
*Are these environments secure to the same standard as production data?
7. Data Breach, Incident Investigation and Response
*What happens if your online service provider has a data breach?
*Do you have the ability to perform security incident investigations or e-discovery? If not, will the provider assist you?
For a data security checklist, visit the U.S. Department of Education Privacy Technical Assistance Center.
And problems can be created unwittingly when administrators, teachers or staff members share passwords or store files on personal devices. Both can give unauthorized users access to district data. Bob Moore, director of CoSN’s Protecting Privacy in Connected Learning project, says these common mistakes can be prevented with best practices:
*Require passwords that are long and complex—and change them regularly.
*Let users access files only from a secure cloud; and bar them from downloading sensitive documents onto personal devices.
*Educate users about protecting login information.
To strengthen defenses, districts should frequently update and enforce data-access policies, says Donna Williamson, technology director at Mountain Brook Schools in Alabama.
After a “massive” review in 2013 and 2014 of who had access to what data, the district revised its rules. For example, teachers can now access only their students’ data; and principals can see data only for their own schools.
Also, a limited number of authorized people can access social security numbers and only after they have entered additional security protocols. Previously, a broader group of administrators could view the information.
Users need permission if they want wider access—such as when a teacher of an advanced class wants to review records of students being considered for the program. If the request is granted, access is provided for a limited time.
Mountain Brook Schools regularly reminds users to be on alert for email viruses, and not to install unapproved applications on devices that connect to district networks.
Districts also need to be aware that free learning apps can expose data to companies not vetted by the district, says Jim Peterson, technology director at Bloomington School District 87 in Illinois.
“All districts are struggling with managing free apps,” says Peterson, who’s also chief technology officer for the IlliniCloud, a state-managed cloud that provides state-of-the-art computing resources to 500 districts.
A more streamlined and secure level of access that is somewhat common in higher education and is starting to take root in K12 is identity and access management (IAM). At many districts, teachers are logging in and out of multiple online applications—such as the LMS, electronic grade book, and learning resources from third-party providers.
To manage the multiple logins, many users pick weak passwords and often store them where unauthorized users can find them. IAM technology lets users access online resources with a single sign-on that meets district security policies.
IAM also puts tighter controls in the hands of IT staff. For example, the software lets IT automate when accounts, resources and certain operations should be blocked—an important step sometimes overlooked by districts, says Jason Radford, a member of IlliniCloud’s systems/operations team.
For example, IT staff can set an end date—such as the last day of school—for the transmission of data from district users to an online learning vendor. Without IAM, someone must manually close each account for each user.
“Districts are burdened with keeping up with the velocity of how they are sharing data and who they are sharing it with,” says Radford. “Data governance and IAM help to address and enforce terms of use.”
Of course, not all attacks are caused by internal users. Sometimes, the best defense against external culprits lies with a cloud provider. Better security is one of many reasons a district might choose to host their data in a cloud.
“Tech companies typically have good disaster recovery and redundancy, while schools typically do not,” says Moore, of CoSN. “However, tech companies and service providers can quickly go out of business, and might be more interesting targets of hackers.”
Radford and Peterson say a consortium like IlliniCloud provides much stronger security than a district can afford on its own. “There were a lot of districts that had data centers in unsecure closets,” Peterson says. “We provide multimillion-dollar levels of security.”
One of the leading-edge security practices of IlliniCloud is software that enables “micro-segmentation.” With it, cloud staff can see every firewall and router on the network and each piece of data being transmitted.
The software also sets up defenses around individual segments of data, rather than relying only on defenses around the entire network. This limits damage to an isolated area should the cloud be hacked or hit with a virus.
It also limits exposure when data is being transferred to an external party, like a state agency. IT staff can send information to an external party without exposing the entire data pool.
When a district joins the IlliniCloud, the staff helps administrators determine who should have access to which data. For example, a district can indicate that test scores should be sent to a state agency while a roster of students can be sent to the provider of an online math curriculum.
“A district will have different access needs for their library system than their financials and student data,” says Radford. “The framework lets districts choose the access and security needs for different assets. But the default starts out at zero access, as if everything needs to be ultra-secure.”
Whether data and networks are in the hands of a cloud provider or a district, the network must be protected with firewalls, heavy encryption and intrusion prevention systems. Offensive measures include regular external security audits and penetration testing, and having disaster recovery tools in place, including server replication, and data backup and recovery.
“Security testing should be performed whenever any changes are made to the network perimeter to ensure that new vulnerabilities were not introduced as a result of the changes,” Moore says.
Finding the right software provider is crucial, says Williamson. Mountain Brook Schools hosts its SIS and finance software on-site but backs up the data to a cloud. She starts the selection process with vendors that have been vetted by the Alabama Education Technology Association. She also relies on a network of peers who alert districts to emerging viruses and to new information and options for protecting data and networks.
“Organized, illicit data gathering has become big business,” says Williamson. “We will have more threats, more breaks and more hacks. There are no isolated bubbles.”