1
Information Security for School Networks
J Scott Christianson, Kaleidoscope Consulting
2
J. Scott Christianson, Owner
MCP, MCP + Internet, MCSE, NACSE Senior Network Specialist,
Cisco CNA, Network +, Certified Videoconferencing Engineer, etc...
Kaleidoscope Consulting
3
In Your Packet*
• CD-ROM
– Software
– Documents (Whitepapers and Security Guides)
– Firewall Presentation (in .ppt format)
– The Internet-LAN Security Workshop by Consysco Solutions (in .ppt format)
– This presentation (with note pages)
• Handouts for this presentation
• Internet Security for Educational Institutions
• Internet Security Products and Services for Education
* Can also be downloaded from www.kaleidoscopeconsulting.com
4
Today’s Presentation
• Are you vulnerable? Are you being hacked?
• What are the threats to school networks?
• Ten essential security measures that every school should take.
• Resources for more information.
• Questions.
5
Student Hackers Pilfer Eighth-Grade Science Exam
• Hillsborough County, Fla., school officials are examining their test security after two eighth-grade honor students at a technology magnet middle school hacked into their science teacher’s computer, discovered the semester’s final exam, and sent it out over the internet to an unknown number of fellow students.
--from eSchool News Staff Reports
Could you have prevented this from happening on your network? Would you have detected it? Do your teachers know how to secure a file (with encryption or on a server)?
6
High School Students Charged
In Virginia, two high school students were charged with computer hacking. The students face maximum penalties of five years in prison and fines of $10,000 each.
The father of one of the students said he was surprised by the gravity of the felony charges: "These were just kids working on a computer. (My son) had no idea what he was doing was illegal."
Do your students know what your security policy is? And the consequences of breaking it? Do the parents of your students know what your security policy is?
7
Why are Security Incidents Increasing?
[Figure, from Cisco Systems: chart spanning 1980, 1990 and 2000 with two curves, "Sophistication of Hacker Tools" and "Technical Knowledge Required" (scale High to Low). Techniques labelled on the chart: Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Sweepers, Sniffers, Stealth Diagnostics, Packet Forging/Spoofing, DDOS.]
8
Are you being Hacked?
• Without a burglar alarm it is hard to know if you are being robbed until you notice something missing.
• Use an Intrusion Detection System (IDS) to detect hacking attempts and probes of your network.
• Many firewalls (personal and network) will act as an IDS for you. (Demo)
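As an added illustration of what an IDS looks for (not part of the original presentation), the Python sketch below reads firewall log lines and flags any source that is denied on many different ports within a short time, which is what a probe looks like in the log. The log format, addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up log format; addresses are documentation ranges.
SAMPLE_LOG = """\
2001-03-12T08:14:01 DENY TCP 203.0.113.7:4410 -> 192.0.2.10:21
2001-03-12T08:14:02 DENY TCP 203.0.113.7:4411 -> 192.0.2.10:23
2001-03-12T08:14:02 ALLOW TCP 198.51.100.20:1042 -> 192.0.2.10:80
2001-03-12T08:14:03 DENY TCP 203.0.113.7:4412 -> 192.0.2.10:25
2001-03-12T08:14:04 DENY TCP 203.0.113.7:4413 -> 192.0.2.10:79
2001-03-12T08:14:05 DENY TCP 203.0.113.7:4414 -> 192.0.2.10:111
-- log rotated --
2001-03-12T09:00:00 DENY TCP 198.51.100.33:2000 -> 192.0.2.10:21
2001-03-12T10:00:00 DENY TCP 198.51.100.33:2001 -> 192.0.2.10:23
2001-03-12T11:00:00 DENY TCP 198.51.100.33:2002 -> 192.0.2.10:25
"""

DENY_RE = re.compile(r"^(?P<ts>\S+) DENY (?:TCP|UDP) "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_denied(log_text):
    """Yield (time, src, dst, dport) for DENY lines; skip everything else."""
    for line in log_text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"],
                   m["dst"], int(m["dport"]))

def find_probes(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Map each source denied on >= min_ports distinct (host, port) targets
    inside one time window to the sorted ports it tried in that window."""
    denied = defaultdict(list)
    for ts, src, dst, dport in parse_denied(log_text):
        denied[src].append((ts, dst, dport))
    alerts = {}
    for src, events in denied.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            hits = events[start:end + 1]
            if len({(d, p) for _, d, p in hits}) >= min_ports:
                alerts[src] = sorted({p for _, _, p in hits})
                break
    return alerts

if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))
```

The slow source (one denied connection per hour) stays under the default window, which is why the threshold and window need tuning against your own traffic.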
9
Network Security Threats
Any Internet connection is vulnerable to:
• Unauthorized Access to the network.
• Denial of Service (DoS) attacks.
• Viruses.
• Capture of Private Data and Passwords.
• Offensive Content.
10
Ten Essential Security Measures That Every School Should Take
1. Develop a Security Policy. And let everyone know about it. Develop online warnings to inform users of the rules for accessing your network.
2. Use strong passwords. Choose passwords that are difficult or impossible to guess. Give different passwords to all accounts.
3. Make regular backups of critical data. Make sure that backups are made on a regular basis and that restoration is possible.
11
Ten Essential Security Measures That Every School Should Take
4. Use virus protection software. Install the software, check regularly for new virus signature updates, and scan all files periodically.
5. Use a firewall as a gatekeeper between your computer and the Internet. Firewalls can be hardware or software products.
6. Enable logging for all important systems. Logging is often turned off by default, making it impossible to tell what happened.
12
Ten Essential Security Measures That Every School Should Take
7. Do not open e-mail attachments from strangers. Be suspicious of any unexpected e-mail attachment from someone you do know.
8. Regularly download security patches from your software vendors. Visit www.windowsupdate.com and other update sites regularly. Don’t forget network devices (routers, hubs, etc).
9. Document your network and conduct vulnerability scans.
10. Educate your users and yourself. Security is a continual process.
13
More Resources
• SANS (www.sans.org)
• CERT (www.cert.org)
• CSI (www.goCSI.com)
• Lower Hudson Regional Information Center (www.LHRIC.org) [Top 22 School Security Risks, Top Internet and E-mail Risks.]
• CoSN (www.cosn.org)
14
Summary
• You can’t be totally secure, but there is a lot that you can do (relatively cheaply) to make your network more secure.
• Most attacks play on well-known vulnerabilities.
• Education is the key to a secure network.
• Security is a continual process.
15
Questions
16
Sample Configuration A
[Figure: Configuration A: Typical Network-based Firewall Installation. Elements shown: Internet, WAN, Firewall, DMZ Port, Web or Email Server, Student Computers, Teacher Computers, Administration Computers.]
17
Sample Configuration B
[Figure: Configuration B: Dual Network-based Firewalls. Elements shown: Internet, WAN, two Firewalls, DMZ Port, Web or Email Server, Student Computers, Teacher Computers, Administration Computers.]
18
Sample Configuration C
[Figure: Configuration C: Network Firewall and Host-based Firewalls for Teacher and Administrative Computers. Elements shown: Internet, WAN, Firewall, DMZ Port, Web or Email Server, Student Computers, Teacher Computers and Administration Computers, each of the latter with a Host-based Firewall/IDS.]
19
SANS Ten Worst Security Mistakes IT People Make
1. Connecting systems to the Internet before hardening them.
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found.
4. Using telnet and other unencrypted protocols for managing systems, routers, and firewalls.
5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated
20
SANS Ten Worst Security Mistakes IT People Make
6. Failing to implement or update virus detection software
7. Failing to educate users on what to look for and what to do when they see a potential security problem.
8. Failing to maintain and test backups.
9. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices.
10. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing.
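Mistake 9 can be checked mechanically. The following added example (not from SANS or the original presentation) audits a classic inetd.conf for enabled entries from that list. The sample file is constructed, and the mapping of the slide's names to inetd service names (shell, login and exec for the r-services, smtp for mail) is this example's assumption.

```python
# Constructed sample of a classic inetd.conf; paths and entries are illustrative.
SAMPLE_INETD_CONF = """\
# service sock proto wait user server args
ftp     stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd -l
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
shell   stream tcp nowait root /usr/sbin/in.rshd    in.rshd
login   stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
rstatd/1-3 dgram rpc/udp wait root /usr/sbin/rpc.rstatd rpc.rstatd
smtp    stream tcp nowait root /usr/sbin/sendmail   sendmail -bs
time    stream tcp nowait root internal
"""

# inetd service names for the slide's list: ftpd, telnetd, finger, mail, rservices.
RISKY = {
    "ftp": "ftpd: credentials and files sent unencrypted",
    "telnet": "telnetd: unencrypted remote login",
    "finger": "finger: discloses account information",
    "smtp": "mail: should run only on the designated mail server",
    "shell": "rservices (rsh): host-based trust, unencrypted",
    "login": "rservices (rlogin): host-based trust, unencrypted",
    "exec": "rservices (rexec): passwords sent unencrypted",
}

def audit_inetd(conf_text):
    """Return [(line_no, service, reason)] for enabled entries on the list."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop comments and disabled entries
        if len(fields) < 6:
            continue  # blank, commented out, or malformed line
        service, proto = fields[0], fields[2]
        if proto.startswith("rpc/"):
            findings.append((line_no, service, "rpc: RPC service started by inetd"))
        elif service in RISKY:
            findings.append((line_no, service, RISKY[service]))
    return findings

if __name__ == "__main__":
    for line_no, service, reason in audit_inetd(SAMPLE_INETD_CONF):
        print(f"line {line_no}: {service} is enabled ({reason})")
```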
21
SANS Five Worst Security Mistakes End Users Make
1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
2. Failing to install security patches-especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
3. Installing screen savers or games from unknown sources.
4. Not making and testing backups.
5. Using a modem while connected through a local area network.
22
SANS 7 Top Management Errors That Lead to Computer Security Vulnerabilities
7) Pretend the problem will go away if they ignore it.
6) Authorize reactive, short-term fixes so problems re-emerge rapidly.
5) Fail to realize how much money their information and organizational reputations are worth.
4) Rely primarily on a firewall.
3) Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.
2) Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
1) Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
http://www.sans.org/newlook/resources/errors.htm