Security: Are Script Kiddies Hacking Your System?
In the time it takes you to read this article, your network will have been scanned by someone who means to manipulate, damage or outright destroy your school's data.
Your adversary may be out in the parking lot right now--a student sitting in a car with a laptop and wireless connection to your server, silently scanning thousands of files.
Or the attack may come from an apartment in a European city, where a bored ex-graduate in computer programming is watching reruns on TV, while in another room a computer running a virus program he wrote is relentlessly seeking targets.
Or in the tiny town of Edcouch, Texas, near the Rio Grande, a sixth grader who is supposed to be at home with the flu is crossing his fingers as he prepares to launch a program script he found in a chat room that promises to brown-out school networks in seconds.
"On average, 15 seconds after a new Web site appears on the Internet, it's been scanned by a hacker," says Jason Matlof, vice president of marketing and business development at Neoteris, a maker of computer security products. "There are people who do practically nothing else except look for chances to break into networks," he adds. "Some are 'script kiddies'--just inexperienced wannabe hackers following a program they found on the Internet. Others are criminals looking to steal credit card information. And a few are genuine cyberterrorists--enemies of the United States who try to disrupt government functions. In this last category of targets, schools can be easy pickings."
20,000 Attacks a Day
Probably nowhere else in the networked world is privacy as important as it is in schools. To protect a student's academic standing and health information, schools must comply with the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act, to say nothing of federal and state initiatives requiring schools to keep data on students secure for years, even decades.
And yet never have schools been faced with so many threats to student privacy, and to their deep cyberstructure of record-keeping, data storage and curriculum management.
The tip of the iceberg has already appeared on college campuses. The University of Arizona, for instance, averages 20,000 hits a day from people trying to find vulnerabilities in its network connecting more than 30,000 computers--the largest non-Defense Department system in southern Arizona. In July 2002, a University of Delaware student allegedly hacked into her school's database to change her grades from F's to A's. Yale accused Princeton last year of hacking into its online admission system. And at Oregon State University, a man hacked into the university's system and used stolen credit card numbers to wire money.
The problem has become so widespread that the University of Calgary is offering a course on virus writing, with an eye toward virus prevention. Titled "Computer Viruses and Malware," the course will require students to write and test their own viruses on a closed network to ensure that none of their creations spread beyond the classroom. Another program in rural Maine allows high school students who are performing poorly in academic subjects but have an aptitude for computers to hack test systems in a controlled environment. The intent of the Maine program is to foster awareness of computer security as a career choice and perhaps to turn some of these students into Maine-based computer security specialists.
It's just an indication of the lengths to which some educational institutions are going to beat back attacks on their systems. Others, of course, are fighting fire with fire and upgrading their technology defenses. (See "Strengthening the First Line of Defense," p. 60)
Off the 'Easy Pickings' List
At Somerset Area School District, a suburban district with 2,800 students located southeast of Pittsburgh, the administration took steps this past summer to remove itself from the "easy pickings" list.
As part of a $1.8 million IT renovation, which includes computers for teachers in every classroom, more than 400 new computers in the student labs, and numerous online curricula and administrative tools, the district realized the need for secure remote access to resources as more systems moved online.
"As we continue to migrate processes from paper-based systems to electronic forms," says Julio Velaquez, Somerset's director of IT, "our teachers and administrators now rely heavily on computer-based systems for everything from grading to curriculum development to accessing a variety of internal and other school related information available in our district intranet."
Working with Neoteris, Velaquez and his colleagues wove a security system that would not be compromised over compatibility issues with different client PCs or Internet service providers.
But with 99 percent of all public schools connected to the Internet, according to the National Center for Educational Statistics, how many are battened down like Somerset against attacks?
Still Wide Open
"In general, compared to business, schools are wide open," says Peter Reilly, director of Educational Technology for the Lower Hudson Regional Information Center, a nonprofit organization providing administrative and technology support to 62 districts in New York state. "Ask a superintendent how much of his or her budget is devoted to computer security, and the usual answer is, 'Nothing.' In terms of investing in computer security as an important line item, schools are just beginning to pay attention."
What makes schools vulnerable compared with businesses, says Reilly, is that businesses have firewalls in place against outside attacks. But in schools, the attackers are often already inside the defense perimeter.
"The people to worry about are inside the wall--kids," says Reilly. "Sometimes the breach in security is accidental, of course. A student clicks on a server and sees files he shouldn't have access to. But there's nothing accidental about a student sitting in the school parking lot on a Friday night using a laptop that the school has checked out to him to log on through a wi-fi network to unprotected servers inside the building."
Reilly attributes part of schools' defenselessness to a double standard.
"If a student breaks into the school at night and spray paints the lockers, that's burglary and vandalism. There's no question the school would take steps to prosecute and protect itself against further incidents. But if another student hacks into the system and does $4,000 worth of damage, the reaction is, 'Wow! That kid is so bright! Who would have thought it? Kids these days sure know a lot about computers.' Burglary is burglary and vandalism is vandalism. We should not send a mixed message about destructive behavior. For a number of years now, we've winked at hackers."
Have a Security Audit Done
Every administrator in a school environment, says Reilly, has an obligation to be knowledgeable about cyber security, including district-level administrators, such as superintendents, community directors and finance managers, as well as school-level administrators, such as principals, guidance counselors and librarians. "Safeguarding computers is not just for technology professionals," he adds.
"Take the teacher who allows a student to take attendance on a networked computer. If the student doesn't log off, the program stays open until the student stops by the computer lab later in the day and accesses it to his heart's content. Educate the teachers in security issues."
On the other hand, says Reilly, it's a big job, especially for small districts "cobbling together IT," to devote the amount of time necessary to maintain a safe system. "You may have a part-time teacher who's also the part-time IT director. Updating patches for the system and downloading new virus protections requires regular attention."
The best thing any district can do and invest in, Reilly says, is to have a "basic security audit done. Have someone come in from the outside, an expert, and check out your system. You'll find there are three to four easy things the school can do to address 80 to 90 percent of the problems you might face. I always tell IT coordinators, 'If I was in your school, I'd have an audit done that compares what you're doing to best practices. There's just no compromising.' "
Elements of School Security
Anti-virus software: Every computer and server in your network should be protected with anti-virus software. Virus updates come out monthly and are often included in the price of the original software purchase. Districts should take advantage of the latest downloads.
Firewall protection: A firewall is software or hardware designed to block hackers from accessing your computer network.
Data backup: Backing up system data and storing it off site is an integral part of any cyber security plan. Regular data backups protect schools in the event of hardware failure or accidental deletions. District administrators need to make sure that backup files are created at appropriate intervals and stored off site.
E-mail: Make it a rule that both students and adults should only open e-mail from people they know. If an e-mail address is unfamiliar, they should delete it without reading the message.
Passwords: Set up a district or school plan for proper password maintenance and security. Passwords should be meaningless, change every 90 days, and be available to select personnel only. Passwords should never be shared with students or kept in a location where students can access them (either on paper or electronically).
Charles Shields is a contributing editor.