Catchy title- but statistically not accurate. I trust the people at Freakonomics a bit more than I trust my family screaming at the TV on Thanksgiving.
So is this post about statistically irrelevant phrases? No. It is, however, about offense vs defense.
I spent a few days last week working on a “Loss and Recovery” policy for one of the schools I am working with, and if you would like a copy of it, please email me directly: email@example.com .
The school seems to have been struggling for the last two or three years with students and teachers losing school owned and personal equipment. Everyone I spoke to originally said that it was not a real problem, but when I spoke to the person who manages the inventory, I found out that it was a problem.
As I wrote this policy I had to make a choice, and set my priorities. I firmly believe anyone with more than one priority, has no priorities, so I forced myself to choose: offense or defense.
This is the same decision I had to make a few months ago when redesigning the network. Did I want an offensive active monitoring solution or a defensive passive monitoring solution? In both cases I chose defense over offense.
In a defensive system, the goal is to protect the school’s assets, protect the assets actively connected to the school’s assets, and to record enough information to execute a focused offensive plan in the future. In an offensive system, the goal is to try and find potential threats coming from all clients, at all times, and to intervene as quickly as possible.
For example, in an offensive network if a student goes to a website and downloads inappropriate material- the school would have someone assigned to immediately block their network access and intervene. The student would be reprimanded, probably taken to see an administrator, and various punishments would be carried out. Systems that allow this level of control are expensive. They often require a school to employ a few people to manage them; or they require teachers to stop teaching and play police officer. Long term though, they are ineffective. When students feel they are being monitored, they stop using systems. They stop engaging. They start circumventing school resources by linking to 3G and 4G networks that no one can block.
Before you say, “Yes you can block 3G and 4G services I have seen hardware that does this!”- You need to know this is illegal in mosts parts of the world. The risk of blocking people from making contact during an emergency is always considered too high to allow 3G and 4G networks from being legally blocked.
Also remember, if you can offensively control students, you can do the same to teachers. Maybe teachers were told, “Hey don’t worry we are not watching what you are doing.” It would be more fair to tell them, “Hey we can watch what you are doing when we want to, we just are choosing not to, at least today, tomorrow it depends.” Ask yourself, are teachers who are being monitored doing the same quality of work as teachers who are not?
Offensive systems make administration seem easy, because all the bad things start happening in the shadows. The statistics flatten-out and everyone feels safe. They make teaching and learning worse, because these systems are usually setup to block first and ask questions later; or they run over the network and take-up huge amounts of bandwidth. They use the bandwidth to watch screens and control devices. The worst part is, most people running these systems have no special training. They have no guidelines for understanding privacy, or even how to detect a real threat. They may not even be aware of how much impact they are having on the network, since their priority is to be invasive.
Untrained people will also react quickly to false flags.When a school responds to a false flag, their response resources are tied-up and focused. This means if an event is happening that is significantly worse, the school will not be able to respond in time. Having a great response time is not significant if a pattern of events is occurring and the pattern is unseen.
I recently attended a meeting with 15 other schools. About 50% of them had offensive systems in place or had them in place. One school had spent $60,000 USD on hardware in less than a year, and since, had abandoned their offensive strategy. The 50% that were attempting to be offensive, had poor results, and were looking to either spend more money or hire more people.
The largest school in attendance had completly abandoned monitoring and simply moved resources to teaching and learning and servers. They said that it was impossible to maintain security and teaching and learning if the budget was not infinite. They chose teaching and learning and increased their server/network defense. This school went further, and stated that 3G and 4G devices made it possible for 3-4 kids to hotspot outside the network. Again – they found no point in fighting a losing battle when more than 80% of the students had the ability to be online without being on the school’s network.
In 2011-2012 I was in Hong Kong. At that time I met with 5 different schools, all with a variety of IT configurations and budgets. All of these schools, however, were delivering good education. That statement is based-on test scores and university placement, but I can also state the learning environments I saw were engaging and well supported. None of these schools had made an investment in offensive systems. All of them but one had the budget to execute any type of security plan, and yet, none chose this course of action. Why? Maybe because their schools were doing a good job at being a school and they didn’t want to impact teaching and learning? Just a question and a thought.
Ranting and Raving aside, here is how I see a defensive policy working at a school:
- The first step is to creating V-LANS for everything. Make sure the network is organized so that people can clearly see where people are when they are online.
- The next step is to pay close attention to user-groups, or organizational units. These can be easily audited by a normal non-IT person. Each group of students and teachers should be in a group. For example, year 6 students should all be in a year 6 group; and middle-school teachers should all be in a middle-school group. This allows rules to be applied to people who have commonalities. Often groups are neglected because no-one makes sure that each year IT updates and audits the users.
- Servers and network equipment need to be defended like NORAD. If no-one at the school has completed a Certified Ethical Hacking course, then someone should. The network and servers need to be attacked, exploited, and re-adjusted until the most common exploits are removed. This includes all printers, switches, and peripherals.
- All WiFi and LAN connections should require a username and password to sign-in. Everyday, people should have to sign-in when they connect. This creates a very transparent view of who is online, and where they are accessing the network from.
- Wifi networks should have a common community password on the SSID. This adds a layer of defense between the school and the outside.
- Users should be restricted to a fixed number of devices. This is a simple way to keep people from accessing accounts after stealing someone’s password.
- Password policies need to be real and enforced at least twice a year if not more. This means forcing people to change their passwords, and preventing them from using the same passwords all time. People who write down their passwords and leave them out in the open, should be spoken to in a firm and alarming manner :).
- An accurate map of the campus should display all access points using the access points IP address. An image file of a map can be overlaid with XML to allow for real-time updating of this data. Having a map of Wifi activity gives IT the ability to narrow down patterns and to hunt for lost devices still connected to the wifi.
- Usage reports should be ran weekly to look for trends among groups of users. This level of data collection requires some type of firewall or other access control system. These reports should be shared with the administration and any anomalies or potential risks should be highlighted.
- All AUPs need to include the phrase, “No Expectation of Privacy.” Make it clear that data is being collected and studied, and this data will be checked if anything is irregular. The data connects to the user or group, and only data that is alarming will be followed. In other words, we are not watching your screens or reading your emails, we are just watching you online activity.
In this environment technology can be used to protect resources, help people find things they have lost, and help identify trends in what people are using and needing for their teaching and learning. All of these things are positive, and most people in the community will appreciate the functionality. However, users will also be very aware that this type of network allows for a history of activity to be flagged as a threat or a violation. The system provides the tools needed to track locations as well as online interactions. Thus, allowing the school to narrow down the time, place, and population in any given scenario.
Most people do things in groups. Monitoring the group and trying understand the group’s goals is more important than apprehending a single student or teacher for breaking the rules.
My “Loss and Recovery” policy includes the defensive use of security cameras, and defensive methods for searching lockers and dorm rooms. It was hard not be aggressive and threatening when writing it, because I wanted to be aggressive. I wanted to be blunt and exercise the school’s right to protect property. Then I realized that being aggressive and blunt against a bunch of middle school kids looking to pull pranks all day really was not the best way to teach them about balancing private and public spaces and understanding the difficulties in managing personal and private property in an organization.
Students are not the enemy, unless you give them something to hate.