I have written before about cloud security and file security. I was doing a simple pentesting job for a school recently and found a service they were using called Edlio.
I cannot say if Edlio has a security issue, or if what I found was simply based on clients not following procedures, or if all these schools marked their documents as public.
However, I can say it is generally bad practice for:
Personal information to be public and openly searchable
Budget information to be public and openly searchable (aside from summaries and annual reports)
Versions of documents, that are not the final version, to be public and openly searchable
Calendars and other data about large group events to be enabled without security
Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:
I then noticed that the documents seem to be organized by date, and mixed. Meaning, different schools appear to be storing documents in a “common” directory, and then their files are further organized.
Using a search based on the date, I was able to further sort documents from different schools:
Again, there is no evidence this is an issue with the Edlio service. These documents could be available due to schools simply not managing their permission options, or because the schools believed these documents needed to be public.
The takeaway here is that school senior leadership should be aware this information is public, how it can be searched, and there should be some minor threat assessment done to determine if these documents (and posting policies) are creating more risk than reward.
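One way a school could start the audit described above, shown as an added example that is not from the original post or from Edlio: it runs over the school's own export of published file paths and flags the four categories listed earlier, honouring the exception for budget summaries and annual reports. The date-based path layout, the file names and the keyword lists are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: paths as they might appear in a school's own export of
# published files. The date-based layout and every file name are assumptions.
PUBLISHED = [
    "/files/2019/03/14/board_budget_FY20_draft_v3.xlsx",
    "/files/2019/03/14/annual_report_2018.pdf",
    "/files/2019/04/02/grade7_student_roster_with_phones.csv",
    "/files/2019/04/02/spring_concert_calendar.ics",
    "/files/2019/04/02/lunch_menu_april.pdf",
    "/files/2019/05/20/budget_summary_2019.pdf",
]

# Keyword heuristics (assumptions) for the four categories the post lists.
RULES = {
    "personal_info": re.compile(r"roster|phone|address|contact|medical|iep", re.I),
    "budget_detail": re.compile(r"budget|payroll|salary|invoice", re.I),
    "non_final_version": re.compile(r"draft|(?<![a-z])v\d+|rev\d+|copy", re.I),
    "event_calendar": re.compile(r"calendar|schedule|\.ics$", re.I),
}
# The post exempts budget summaries and annual reports.
BUDGET_EXEMPT = re.compile(r"summary|annual[_ -]?report", re.I)
DATE_DIR = re.compile(r"/(\d{4})/(\d{2})/(\d{2})/([^/]+)$")

def audit(paths):
    """Return {date: [(filename, [categories])]} for files needing review."""
    findings = defaultdict(list)
    for path in paths:
        m = DATE_DIR.search(path)
        if not m:
            # Paths outside the dated layout are surfaced, not silently skipped.
            findings["undated"].append((path, ["unparsed_path"]))
            continue
        year, month, day, name = m.groups()
        hits = []
        for category, pattern in RULES.items():
            if not pattern.search(name):
                continue
            if category == "budget_detail" and BUDGET_EXEMPT.search(name):
                continue
            hits.append(category)
        if hits:
            findings[f"{year}-{month}-{day}"].append((name, hits))
    return dict(findings)

if __name__ == "__main__":
    for date, items in sorted(audit(PUBLISHED).items()):
        for name, hits in items:
            print(date, name, ", ".join(hits))
```

File names only hint at content, so each flagged item still needs a person to open it and decide whether it should stay public.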
If you want more information on how to do this type of testing and analysis, please email me: firstname.lastname@example.org
How many times have you seen it? You walk into an office or classroom, and a Post-it is proudly announcing a user’s password. Why? Because schools are trusting environments. Maybe the password is not for the computer, maybe it is for the teacher/staff WiFi. A WiFi network that has no other security aside from the password: TeacherWifi1.
Developing a solid OPSEC plan is not that difficult. A bit of common sense and creative thinking goes a long way. Let’s walk through some simple practices that will help improve a school’s operational security, and the school’s ability to react to problems.
Follow Normal Child Safety Practices All the Time and in all Departments
The basic child safety concepts are: keep students away from unverified adults and make sure adults are not alone with children (and if they are alone they are visible).
The standards seem to be prevalent in all child safety courses and certifications. Following these two standards, and applying them to a technology plan would yield the following rules:
Students are never allowed on the same network as teachers/staff/guests
Students share information through the cloud or monitored middle process (such as a Synology share that requires user login)
Students should not be allowed to peer share with teachers (e.g. no more AirDrop)
The guest network is limited and separated from everyone else
No access to the network etc. unless all users provide an ID or their devices are identified as approved devices
Office and Classroom Access Should Be Managed by Policy
The worst hacking scenarios I have personally experienced, and that resulted in child and family trauma, began with data being printed and left in unattended offices/classrooms.
Simple and reasonable practice can deter most people from crossing the privacy line. Here are some suggestions:
Laptops should be secured in a bag or other area when unattended; on the desk, lid open is bad practice
Documenting passwords should be discouraged
Desktops and other devices should be logged out when unattended; or secured with a password screensaver
Teams should split their lunches and breaks to ensure that the office/classroom always has someone present
Office/classroom hours should be posted so that everyone knows when the space is open for meetings or visitors
Desktop phones should have a security code to make calls off-campus
Students, parents, and others should have a demarcated area for meeting and working with staff and teachers; certain areas should remain off-limits
Printing from offices needs to terminate in a secure space; it should be difficult for an unauthorized person to make physical contact with an office printer
Walk Around and See What You Can Do
School administrators often conduct classroom walkthroughs and observations. This process is similar.
The leadership team needs to be scheduled to break in to areas on-campus. They should test closets, offices, doors, etc. Printers should be checked for abandoned documents, and those documents should be sampled. Did someone print and leave any confidential information? Any tests or assessments? When guests are in the building, how freely can they move beyond common areas before they are politely challenged?
The team should document what they find, and question why the access was possible. A formal review of all vulnerabilities is going to inform the necessary actions that need to be taken.
If there is a plan to work with an external contractor, having all this research is essential. Focusing on unrealistic threats and problems will not strengthen security or cybersecurity. A misaligned plan will waste resources, provide a false sense of security, and overall weaken any future response to a real threat.
I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.
Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.
Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.
Having an open, friendly campus means exposing information systems to a variety of threats that exist outside the network controls.
Allowing students, teachers, and staff to freely move around campus with few limitations or consequences creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.
Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.
It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.
Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.
Defending Against Social Engineering in a Friendly Manner
Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture of fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:
Let everyone know they are free to call security and report anyone or anything they see that seems “off.” This means not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and/or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.
An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, persons 1 and 3 choose to do lunch at 11:30 AM; on those days persons 2 and 4 choose to do lunch at 12:30 PM.
Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.
Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.
A common mistake schools make is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.
The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.
Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.
A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.
Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.
Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.
Teachers working in school cafes, libraries, etc. see and hear more than they would if they were isolated in offices.
Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.
Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.
Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.
Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.
Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consultants will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free; time is the only factor.
I hope this post stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.
I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at email@example.com
We’re not old, we’re seasoned! This is our fiftieth episode and we are pleased to be joined by Tony, Cara and Preston. Of course Omar and I will be there to kick off the festivities. Please subscribe to us on iTunes, download the episode below or listen to it right here on the blog!
This is our longest episode yet but man it is probably our best. We do have a little technical difficulty with our mics (odd as we’re IT people) but stick with it as we talk about a lot of very relevant topics, including Chema’s big night out. Be sure to subscribe to us on iTunes here.