Written by Jim Peterson , Bloomington School District , Bloomington, IL
Revised by Karen Eder
"Robbery is illegal, but people still find it prudent to lock doors and close windows in their homes; so too must we lock up our information systems. " SafeGuarding Your Technology, National Cooperative Education Statistics System (http://nces.ed.gov/pubs98/safetech/index.html )
Due to the number and complexity of the technologies in schools today, the issue of security has become a much more salient topic. As schools begin to network computers and peripherals to each other; neighbor classrooms, wide area networks and the Internet, the administration, teachers and students are increasingly aware of the need for security within their systems. This is due to the growing number of entry points in these connected classrooms. The focus of this paper is to delineate the entry points and provide common software and hardware security adaptations that assist in limiting access and maintenance of technology services. It will discuss the administration, development and implementations of policies required to maintain a secure network environment. Since the audience of this paper is mainly teachers and administrators, each relevant security subtopic is disussed. Those security issues that are normally handled by a network administrator or contracted entities are more thoroughly covered through links to relevant documents.
All schools should have a security component of their technology plans. There are several different levels of security that need to be defined. Each level has someone who is deemed responsible. Depending upon the school circumstances, the person responsible at each level may be the administration, teachers, and/or students.The security levels, list of possible responsible persons, and the issues of each level are discussed below.
Physical security is the most fundamental of all security levels because it deals with securing your technology equipment from damage or theft, protecting it against accidental power surges, and the like. The reponsiblility for physical security is in the hands of many - from the administrators who make plans to lock and secure the buildings, to the teachers who check that mouse balls are present at the beginning and end of each class, or even to the student who properly shuts off the computer at the end of the day.
This level of security is most often left out or a minimal part of technology plans, but is extremely important. Take for instance the case of a school district that is planning to put in an average of 6 computers in each classroom over the duration of 5 years. In year one, the first couple of network connections and computers and arrive in the classrooms and users begin storing their files on local drives and such. As the 3rd or 4th computers arrive later in the plan, the school starts noticing frequent power outages and data is lost because of the lack of proper uninterrupted power supplies (UPS) on the machines and network equipment. It is important to plan for the drain on current energy resources that these new technologies will inevitably render. This is the case in many older school buildings throughout the country, as they find the costs of adding computers are great in terms of the behind-the-scenes recources that need to be expanded to accomodate these new technologies.
Measures for Ensuring Physical Security
There are simple guidelines that staff and students can follow to provide physical security - many of them are acts of common sense, while others take planning and assigned budgets. But to ensure physical security, it is important to build a security component within the technology plan, assign responsibilities and enforce the security. Chapter 5: Protecting your Physical Security , of the SafeGuarding Your Technology a document created by the National Cooperative Education Statistics System, provides the most clear measures that schools should take in developing a physical security plan including:
This document also provides a detailed checklist on physical security and a variety of case scenarios.
Any teacher who has worked with students and computers lacking desktop security for an extended period of time, knows the day-to-day cleanup tasks are inevitable. Desktop Security refers to the ability of the computer user to change properties of the local machine's operating system and applications. Being able to control what files and settings a student is able to access and change on a shared computer is very important to maintaining a controlled environment. In K12 education, the most prevalant operating systems are Apple OS and Microsoft DOS/Windows9x/NT . Desktop security software is an addition to the operating system software which is set by an administrator to control varying levels of access depending upon the user. Desktop security can be maintained by a central administrator using networked-based desktop security software, or desktop security software may reside on the local machine and can be controlled by a teacher or other staff. An example of the most popular Macintosh-based network security package is the Apple's Network Administrator's Kit . It allows for a teacher, lab monitor, or whomever else is determined responsible to create varying levels of access to machine resources (ie. control panels, network applications, etc) from a central point. A more common solution is installing software packages that reside on the local machine and are administered by a teacher or lab monitor. Examples of such software packages include Smartstuff's Foolproof Software as well as several others listed in annotated website list . Theae are also applications that are useful for Windows users. An ever increasing central management solution for Windows desktop security works in conjunction with the user login and network operating systems like Novell and Microsoft Windows NT, which is more thoroughly covered in the next sections.
Desktop security is important in preventing technology misuse, in that it is the first line of defense for those who may be trying to use computers inappropriately. Desktop security packages often work with the local and network operating systems to limit access to network applications, allow for updates of virus software, and the like. They are also very easy to use and manage, allowing even the most novice of computer users to manage student permissions to technology resources. One of the major issues of concern in desktop security is the management of such. Many staff would prefer to manage their own desktop computers, while many central management technicians believe it is better to centrally locate the authority for the desktop security. Those on the central management side often argue for standardized measures and increased security, while those on the local management side argue for more autonomy of their local machines and quicker response times to fix problems. Many of todays networked-based desktop security packages are appealing to both concerns by letting one override the other, or the sharing of rights and permissions.
For those users who are interested in finding more information on software security, Chapter 7: Protecting your System: Software Security , of the SafeGuarding Your Technology document covers software security countermeasures, procedures for testing and backing up critical system software, the regulation of software aquisition and development, and a detailed software security checklist - all of which are valuable to network administrators and technology coordinators.
Refers to the access that the user has to connect to other machines, servers, and other network resources that are attached to the local machine. In this scenario, users at the workstation (computer) level are required to logon, or authenticate to a network server, using a username and password. Depending upon the users login, permissions and rights are granted to specific network resources (ie. printers, files, applications, etc). Logons and passwords are maintained by a central networking authority. Therefore, a central networking authority can assign rights to whomever should access student records and whomever should not. Typically, K12 users with Apple Macintosh or Windows workstations logon to servers that are running a network operating system. Novell's NetWare and Microsoft's Windows NT are the most common network operating systems, followed by a variety of Unix flavors. Persons responsible in maintaining security on network level operating systems most commonly include technology coordinators and network administrators. Due to the centralized management of this type of technology and the need for standardized security measures, building staff have limited access to manage network level operating systems.
Often, the username and password with which one logs onto the network, also provides users with a variety of services including access to electronic mailbox, and space on web servers. Since these services are often extended to the world via connections to the Internet, it is of high importance that all users maintain privacy with their individual passwords and change them on a regular basis. This will help protect from intruders from outside the school network. Additional examples of infringement on local networks include the use of sniffers , as described by David Stone. Sniffers can also be used to gain access to users passwords. But with the installation of switched networks and the Pretty Good Privacy (PGP) software encryption packages, this threat can be severely limited.
The goal of many schools that are spending thousands of dollars in networking equipment is to connect to the vast array of resources provided through the Internet. When a school connects to the Internet, it is not a one-way steet and the traffic that goes in and out of the school network is not always from trusted sources. Therefore, special equipment has been developed to help networks judge what computers and networks on the internet should be trusted and allowed to talk with the schools network. These devices are called routers and firewalls. Routers are devices that route Internet traffic to and from the Internet or other networks. Firewalls are devices that allow network administrators to limit traffic that it deems harmful. By instituting a properly configured and managed firewall on a school network that is connected to the Internet, schools are able to guard against unwarranted attacks on the integrity of its data, users and systems. Due to the complexity and importance of installing and configuring firewalls, this task is usually left to network administrators or contracted entitities.
Chapter 9: Protecting your System: Network Security , of the SafeGuarding Your Technology document provides a comprehensive discussion of network security and policy issues including:
Protect Networks from Outsiders
Protecting Transmissions Sent over the Internet
and a Network Security Checklist
One of the most common problems of network security is best illustrated by this short clip from the movie War Games (view the WindowsMedia stream version or download the Apple QuickTime file ). In this clip, the student takes advantage of the school password security flaw in which they write down their user password in an insecure area. The student enters the schools computer from home to change his grades using the school account. This fictitious example is not far from the truth and provides an example of how the school network is only as secure as the passwords of its users.
Comprehensive Technology Security
Safeguarding Your Technology: Practical Guidelines for Electronic Education Information Security
An extensive and detailed guide to education institution security. This downloadable document deals with risks, needs assessment, security policy development, and protection of physical, information software, user access, and network information securities. Highly recommended for teachers, technology coordinators, network administrators, and technology committee members.
Desktop Security Products
FoolProof Software http://www.smartstuff.com/
PowerOn Software http://www.poweronsw.com
Aladdin Systems http://www.aladdinsys.com/
Network Operating Systems
Microsoft Windows NT
Firewall and Router Security
Review of Firewalls and Internet Security
Developed 3/5/99. Last modified 5/2/99.