To filter or not to filter?

There is a debate out there and it has been going on for quite some time. The debate is whether schools should filter content on student devices. This is a bit more complicated than saying yes or no. For example is the school using a BYOD approach, should schools filter content at school level but not at home should schools monitor but not filter and it can go on and on and on.

I admit, I have flip-flopped on this issue more than once. Usually experience and reflection cause these changes of thoughts, but before we get into all of that let’s talk about what I mean when I say filter.

Continue reading “To filter or not to filter?”

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

simplepen
By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or networksecurity defenses by looking for vulnerabilities. These are usuallyweaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events.  If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some these do not always connect well to third party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test Definition
Subscription and Services Discovery Can your subscriptions and services be easily discovered?
Files Exposed to the Public Are there files publicly available that supposed to be private?
Calendars Exposed to the Public Is calendar data that should be private, private?
Staff and/or Student Email Harvesting Can your staff and/or student PII be used to create a database for phishing and spamming?
Portals and SIS Are your portals and SIS properly secured and difficult to brute force attack?
Websites and Social Media Are websites and social media properly secured; is the media being used legally and correctly?
Cloud Services Have cloud services been properly secured?
Third-Party Sharing Is anyone sharing your content and do they have permission?
FTP, SSH, and Telnet Are any of these protocols a threat to your school via publically accessible information?
Email Blacklist Is your email domain blacklisted?
Email Header Check Is there any data in your header that could be anonymous or lead to blacklisting?
Email Catch-All for Non Existent Emails Is your email set up to catch any email that does not exist and alert someone?
SMTP Relay Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf?
4xx and 5xx Error Check Do the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
HTML Forms Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com  .  I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.

 

 

 

 

Going Phishing with Finalsite

phishing

By Tony DePrato | Follow Me on LinkedIn

This video reviews a method to extract staff email and names from the popular Finalsite CMS used by K12 schools.

Disclaimer: This video is not documenting any known bugs or issues with Finalsite. This video is demonstrating how Personal Information can be harvested using options end-users select. Solutions to this problem are available by adjusting the options in any existing Finalsite implementation. Specific tools and process will not be fully revealed in the video. Anyone wishing to learn more must arrange for a private demonstration.

References:

https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-human-factor-2019.pdf

CyberSecurity Part 1: Social Engineering

Lock
Lock
Source: https://www.youtube.com/watch?v=JsVtHqICeKE

By Tony DePrato | Follow Me on LinkedIn

I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.

Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.

Social Engineering

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html

Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.

Having an open friendly campuses means exposing information systems to a variety of threats that exist outside the network controls.

Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.

Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.

It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.

Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.

Defending Against Social Engineering in a Friendly Manner

Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture a fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:

  1. Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
  2. Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and /or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.

    An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM.

    Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.

  3. Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.

    A common mistake schools make, is to use these network/electrical closets to store cleaning supplies.  Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.

    The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.

  4. Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.

    A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.

    Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.

  5. Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.

    Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices.

    Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.

    Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.

  6. Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.

    Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.

  7. Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
  8. Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consults will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free, time is the only factor.

I hope this posts stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.

I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at tonydeprato@gmail.com

 

Resources

 

  1. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)- https://www.youtube.com/watch?v=JsVtHqICeKE
  2. I’ll Let Myself In: Tactics of Physical Pen Testers- https://www.youtube.com/watch?v=rnmcRTnTNC8

  3. What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
  4. Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
  5. Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/

 

 

 

Scan Your School for Unsecured Public Documents

Screen Shot 2019-08-08 at 1.10.41 PM

By: Tony DePrato | Follow me on LinkedIn

How many documents do you have open to the public? When was the last time you checked to see what anyone with internet access could download from your school website, your PowerSchool or SIS public folder, or even your various cloud services?

Before you think I am wasting your time, here is a quick glimpse of a simple public search for budgets people have not secured:

Budget_Search

 

If the above animation is not clear, don’t worry. I will show you how to do it.

INURL and FileType

Google has some cool advanced search features. To scan your public files, the two I recommend are “inurl:” and “filetype:” .

For example when copying and pasting the following string into Google, inurl:saschina.org filetype:pdf , the results are all public PDF files that exist with any url that contains saschina.org.

Screen Shot 2019-08-08 at 1.20.38 PM

Keeping the url simple often yields more results. For example, using saschina would look at other domains. If you add the .org, then the search will be limited to the .org domain only.

When to Worry about Public Documents

First off, many documents are supposed to be public. Seeing documents in this type of search is normal and excepted. What is not usually expected are documents that contain:

  • Name associated with contact information
  • Medical information
  • Names of parents, donors, etc.
  • Special codes use to tell vendors/suppliers who has organizational authority to place orders
  • Bank information
  • Payment information
  • Usernames and Passwords
  • Etc

Documents with information similar to the above should be secured, unless required to be public for legal reasons.

I would suggest having document ID numbers in the footer that indicated a document should be public. This simple practice would allow everyone in the organization to report documents that should not be public.

The link below will take you to a page that will help you begin checking your online resources.

Want to Jump In and Start Scanning? Get Started Here

If you want more information on data security, privacy, and data auditing for your school, please contact me using the form below.

 

Controlling What Students Can Access

By: Tony DePrato | Follow me on Twitter @tdeprato

Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created set of goals to help keep the development of network security on track and within budget.

Physical Access

Physical access can be managed without a great deal of expense. The goals to reach for are:

  • We allow only the devices we have confirmed and labeled
  • We can control the number of concurrent devices a user is using on the network
  • We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
  • We can remove a user from network access, and restrict their devices, with minimal effort
  • We have processes and procedures to register devices; users can switch devices through these processes
  • Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person

These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.

Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.

 

Read More @ The International Educator

Understanding Ransomeware

 

 

 

 

 

 

 

 

                   By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomeware.

The ransomeware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. In order to obtain the key, money must be sent to the “owner” of the ransomeware. Usually this money is requested in the form of cryptocurrency, to make it difficult (if not impossible) to trace the payment.

Ransomeware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on-campus that technology needs to be friendly and open. Because of this cultural approach to planning technology many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel setup multistep authentication, that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay for resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from being a victim of ransomeware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times, and restrict certain types of technology from being used on-campus.

Read More @The International Educator

Stopping Entitlement & The Arbitrary Security

fist-pump-baby-lets

This is one of those posts that I may regret writing in a few months. It is more of a plan than a post, and a plan I intend to sell with significant confidence.

Starting in the fall, when students roll out of the bus and into the boarding school I work for, they are going to find that technology is simply not available (unless they are in the IB program which will be less than 80 students).

Students in years 6-10 are going to have to wait and to earn their technology. For some, for a few weeks, they will be taken back to into the past, where “always on” was only in science fiction movies, and only Michael Knight could use a smart watch.

Here is the plan to stop the initial entitlement of technology and access to the internet:

Years 9-10, and the IGCSE Program

These students are in a BYOD program. They will not have their devices activated on the network for at least two full weeks. During this time they have to settle into the board school routine. Their network activation and device privileges will be based on reports from their house masters, their joining of at least one sport and one club, and their completing of a one hour seminar on digital citizenship. During the seminar the AUP will be fully reviewed and signed by all of them.

Once all these steps are completed, they will have a weekend to activate their email, join the school LMS, post a reply confirming they are connected, use their cloud and share a file, and finally access a flipped classroom lesson set.

Unless all these steps are completed, week three will be technology free for them; but teachers will be allowed to start requiring technology. Weeks one and two are designated as technology free in all lessons, however, once week three begins some work will require the use of a laptop.

Years 6-7-8, Custom Bilingual Curriculum

Year 6-7 use school own devices. Year 8 is on BYOD, but their laptops are not allowed to be stored in their rooms. This is the introductory point to the BYOD program.

These students will not have their one-to-one devices for 4 weeks. I know, how can they live? How can they be people? How can they traverse the world without mindless games and WeChat?

These students will have to achieve points to get their devices. The campus will turn into one massive game board. Points can be earned by helping people, earning effort grades by the end of week 4, and completing a series tasks. This group also has to join a sport and club, have good dorm behaviour, attend a workshop to review the AUP, and eventually activate their email, cloud storage, etc.

Because the Year 6 students do use iPads, an additional task will face them during their first week of having the device. They will need to demonstrate competence in the APP CYCLE. That is what I call the insane series of apps needed to complete mundane tasks.

I am not pro-iPad, but I am working with a pro-iPad group so I have to make sure the devices are as effective as possible, yet, I like mocking them whenever possible :).

That summarises the removal of the device entitlement, the next part of this plan is eliminating arbitrary security. In a school tightly managing devices and internet access normally results in students waiting to get home to work on their own equipment.

In a boarding school there is no home to run to for technology freedom. Since the students need to feel at home, locking them down like a Denver Boot is not fair and does not help them develop responsible technology habits.

The plan is fairly straight forward. Students in years 8-11, who come out of week two with shining reviews from their house masters, will only be restricted via out network policies. Students who have poor reviews will have their BYOD machines bound to our hardware management system (this includes a firmware lock and removal of all boot options). This binding will be review at the beginning of semester 2, and if the student is doing well, the binding will be removed.

By all current estimates, this will be about 30-40 students by the end of the second month of school. That leaves around 320-330 students free to work and manage their own technology. This will not increase our staffing requirements, nor will it affect our budget.

This plan only impacts students who are negatively impacting their whole community. Students who are working in class, staying within normal teenage boundaries in the residences, and who are participating in the community will have freedom to be on their devices and use all the other technology resources the school offers.

As the new year approaches, the IT department is acquiring new devices which connect to laptops. These devices, all of them, require administrative rights to use. Without a BYOD program in place, we would not be able to effectively connect all the students to these resources without adding more people to the staff headcount. I prefer to spend money on resources, than security, whenever possible.

If anyone is interested in running a program like this, please comment. I need ideas for the year 6-8 group. I really want to build a game like atmosphere that has multiple paths to success. I would love it if a student could earn their device in a week instead of four weeks by beating the system.

Tony DePrato
www.tonydeprato.com

 

Offense Wins Games, Defense Wins Championships

Richard Dent, Chicago Bears Superbowl MVP

Catchy title- but statistically not accurate. I trust the people at Freakonomics a bit more than I trust my family screaming at the TV on Thanksgiving.

So is this post about statistically irrelevant phrases? No. It is, however, about offense vs defense.

I spent a few days last week working on a “Loss and Recovery” policy for one of the schools I am working with, and if you would like a copy of it, please email me directly: tony.deprato@gmail.com .

The school seems to have been struggling for the last two or three years with students and teachers losing school owned and personal equipment. Everyone I spoke to originally said that it was not a real problem, but when I spoke to the person who manages the inventory, I found out that it was a problem.

As I wrote this policy I had to make a choice, and set my priorities. I firmly believe anyone with more than one priority, has no priorities, so I forced myself to choose: offense or defense.

This is the same decision I had to make a few months ago when redesigning the network. Did I want an offensive active monitoring solution or a defensive passive monitoring solution? In both cases I chose defense over offense.

In a defensive system, the goal is to protect the school’s assets, protect the assets actively connected to the school’s assets, and to record enough information to execute a focused offensive plan in the future. In an offensive system, the goal is to try and find potential threats coming from all clients, at all times, and to intervene as quickly as possible.

For example, in an offensive network if a student goes to a website and downloads inappropriate material- the school would have someone assigned to immediately block their network access and intervene. The student would be reprimanded, probably taken to see an administrator, and various punishments would be carried out. Systems that allow this level of control are expensive. They often require a school to employ a few people to manage them; or they require teachers to stop teaching and play police officer. Long term though, they are ineffective. When students feel they are being monitored, they stop using systems. They stop engaging. They start circumventing school resources by linking to 3G and 4G networks that no one can block.

Before you say, “Yes you can block 3G and 4G services I have seen hardware that does this!”- You need to know this is illegal in mosts parts of the world. The risk of blocking people from making contact during an emergency is always considered too high to allow 3G and 4G networks from being legally blocked.

Also remember, if you can offensively control students, you can do the same to teachers. Maybe teachers were told, “Hey don’t worry we are not watching what you are doing.” It would be more fair to tell them, “Hey we can watch what you are doing when we want to, we just are choosing not to, at least today, tomorrow it depends.” Ask yourself, are teachers who are being monitored doing the same quality of work as teachers who are not?

Offensive systems make administration seem easy, because all the bad things start happening in the shadows. The statistics flatten-out and everyone feels safe. They make teaching and learning worse, because these systems are usually setup to block first and ask questions later; or they run over the network and take-up huge amounts of bandwidth. They use the bandwidth to watch screens and control devices. The worst part is, most people running these systems have no special training. They have no guidelines for understanding privacy, or even how to detect a real threat. They may not even be aware of how much impact they are having on the network, since their priority is to be invasive.

Untrained people will also react quickly to false flags.When a school responds to a false flag, their response resources are tied-up and focused. This means if an event is happening that is significantly worse, the school will not be able to respond in time. Having a great response time is not significant if a pattern of events is occurring and the pattern is unseen.

I recently attended a meeting with 15 other schools. About 50% of them had offensive systems in place or had them in place. One school had spent $60,000 USD on hardware in less than a year, and since, had abandoned their offensive strategy. The 50% that were attempting to be offensive, had poor results, and were looking to either spend more money or hire more people.

The largest school in attendance had completly abandoned monitoring and simply moved resources to teaching and learning and servers. They said that it was impossible to maintain security and teaching and learning if the budget was not infinite. They chose teaching and learning and increased their server/network defense. This school went further, and stated that 3G and 4G devices made it possible for 3-4 kids to hotspot outside the network. Again – they found no point in fighting a losing battle when more than 80% of the students had the ability to be online without being on the school’s network.

In 2011-2012 I was in Hong Kong. At that time I met with 5 different schools, all with a variety of IT configurations and budgets. All of these schools, however, were delivering good education. That statement is based-on test scores and university placement, but I can also state the learning environments I saw were engaging and well supported. None of these schools had made an investment in offensive systems. All of them but one had the budget to execute any type of security plan, and yet, none chose this course of action. Why? Maybe because their schools were doing a good job at being a school and they didn’t want to impact teaching and learning? Just a question and a thought.

Ranting and Raving aside, here is how I see a defensive policy working at a school:

  1. The first step is to creating V-LANS for everything. Make sure the network is organized so that people can clearly see where people are when they are online.
  2. The next step is to pay close attention to user-groups, or organizational units. These can be easily audited by a normal non-IT person. Each group of students and teachers should be in a group. For example, year 6 students should all be in a year 6 group; and middle-school teachers should all be in a middle-school group. This allows rules to be applied to people who have commonalities. Often groups are neglected because no-one makes sure that each year IT updates and audits the users.
  3. Servers and network equipment need to be defended like NORAD. If no-one at the school has completed a Certified Ethical Hacking course, then someone should. The network and servers need to be attacked, exploited, and re-adjusted until the most common exploits are removed. This includes all printers, switches, and peripherals.
  4. All WiFi and LAN connections should require a username and password to sign-in. Everyday, people should have to sign-in when they connect. This creates a very transparent view of who is online, and where they are accessing the network from.
  5. Wifi networks should have a common community password on the SSID. This adds a layer of defense between the school and the outside.
  6. Users should be restricted to a fixed number of devices. This is a simple way to keep people from accessing accounts after stealing someone’s password.
  7. Password policies need to be real and enforced at least twice a year if not more. This means forcing people to change their passwords, and preventing them from using the same passwords all time. People who write down their passwords and leave them out in the open, should be spoken to in a firm and alarming manner :). 
  8. An accurate map of the campus should display all access points using the access points IP address. An image file of a map can be overlaid with XML to allow for real-time updating of this data. Having a map of Wifi activity gives IT the ability to narrow down patterns and to hunt for lost devices still connected to the wifi.
  9. Usage reports should be ran weekly to look for trends among groups of users. This level of data collection requires some type of firewall or other access control system. These reports should be shared with the administration and any anomalies or potential risks should be highlighted.
  10. All AUPs need to include the phrase, “No Expectation of Privacy.” Make it clear that data is being collected and studied, and this data will be checked if anything is irregular. The data connects to the user or group, and only data that is alarming will be followed. In other words, we are not watching your screens or reading your emails, we are just watching you online activity. 

In this environment technology can be used to protect resources, help people find things they have lost, and help identify trends in what people are using and needing for their teaching and learning. All of these things are positive, and most people in the community will appreciate the functionality.  However, users will also be very aware that this type of network allows for a history of activity to be flagged as a threat or a violation. The system provides the tools needed to track locations as well as online interactions. Thus, allowing the school to narrow down the time, place, and population in any given scenario.

Most people do things in groups. Monitoring the group and trying understand the group’s goals is more important than apprehending a single student or teacher for breaking the rules.

My “Loss and Recovery” policy includes the defensive use of security cameras, and defensive methods for searching lockers and dorm rooms. It was hard not be aggressive and threatening when writing it, because I wanted to be aggressive. I wanted to be blunt and exercise the school’s right to protect property. Then I realized that being aggressive and blunt against a bunch of middle school kids looking to pull pranks all day really was not the best way to teach them about balancing private and public spaces and understanding the difficulties in managing personal and private property in an organization.

Students are not the enemy, unless you give them something to hate.

Tony DePrato

www.tonydeprato.com