Preface
Securing your school’s network can be a cost burden. Not securing your school’s network can be even more costly. Many threats exist for all users of the Internet, but schools inherently have certain risks that many businesses do not encounter. Schools must deal with rising information security concerns, but how? “Throwing money†at information security concerns is not an option that many schools have, nor does it often work. A better solution to implementing an information security project within your school may be the application of an approach known as the Security Systems Development Life Cycle (SecSDLC), coupled with free Open Source software designed with security in mind.
Introduction
Many experts consider the SecSDLC to be “the best approach for implementing an information security system in an organization with little or no formal security†(Whitman, 2003, p. 21). Unlike proprietary software, designers of Open Source software make its source code freely available so that programmers and hobbyists alike can examine the code for any security holes as well as make any changes to the software for their specific purposes. Open Source software is also typically free to download and use. Open Source technologies, when properly applied within the SecSDLC, can prove to be an effective and affordable information security tool.
The SecSDLC originates with the widely accepted Systems Development Life Cycle (SDLC), a conceptual model for general information systems projects. Like the SDLC, the SecSDLC is generally composed of six phases: investigation, analysis, logical design, physical design, implementation, and maintenance and change. The stages are part of a “waterfall model …in which each phase begins with the result and information gained from the previous phase†(Whitman, 2003, p. 21). The investigation phase inspects the current state of your school’s information security. The analysis phase consists of documenting your school’s information assets and associated threats, as well as legal requirements involving information security. The logical design phase develops your general information security plans while the physical design phase develops the particular technologies needed to implement the logical design. Implementation puts into practice what is decided in the physical design phase, and the maintenance and change phase includes long-term testing and modification of the security system through its lifetime (Whitman, 2003).
Investigation
The investigation phase of the SecSDLC serves as a starting place for any new information security-driven project. The first step of the investigation phase should be to closely examine current information security practices. You should be able to answer the following questions: Do you have an information security policy, and if so, what does it include? What types of hardware and software do you use for security purposes? Do you have virus protection for all workstations? What types of firewalls are in place to protect your school network from people with malicious intents? Are wireless networks used, and if so, are they encrypted? Are backups performed on all essential systems? Can students easily install software onto computers? What kind of physical security is in place? What monies, if any, are set aside solely for information security purposes? The answers to these and related questions should be documented for comparison purposes later in the SecSDLC.
Another key element of the investigation phase is to define management roles within the information security realm. Someone must be responsible for making information security decisions, and that person should have the backing of school administration such as the principal, superintendent, and/or school board. Whereas large companies often have a dedicated Chief Information Security Officer (CISO) to head information security, school districts rarely can afford this option. Charter schools and private schools are often at an even greater disadvantage at hiring information security-related personnel. K-12 school districts typically have an Information Services support team, whose head may assume responsibility for information security. Other school districts may have a Media and Technology department instead. Charter and private schools must rely on a computer teacher or other computer-savvy faculty or staff. Whoever is chosen to lead information security should be given support from school administration, as this will lead to better success rates for security practices.
Funding is yet another key element of the investigation phase. While Open Source alternatives can help lower software costs, hardware costs and manpower costs cannot be ignored. The implementation phase will help the school information security professional estimate costs, but budgetary matters should be planned ahead of time. Perhaps the project should start near the beginning of the fiscal year so more monies could be spent, or perhaps grants could be sought after to help finance the project’s cost. These kinds of decisions should be considered in the investigation phase.
Analysis
The analysis phase of the SecSDLC studies your information assets and likely threats to them. An asset is an “organizational resource†that has value, while a threat includes “an object, person, or other entity that represents a constant danger to an asset†(Whitman, 2003, p. 27, 43). The analysis phase is particularly important for K-12 schools to grasp because they have different assets and threats than many industries. The information asset people most often associate with schools is appropriate Internet content for students and teachers. This issue “has been addressed through the Children’s Internet Protection Act (CIPA), which mandates the use of content filtering technology by schools and libraries†receiving E-Rate discounts for Internet connectivity (Enderle, 2003, p. 38). CIPA requires schools to use a proxy-type filter which blocks content considered obscene, child pornography, and content considered harmful to minors.
Another concern particularly important to schools is privacy. One purpose of a recent piece of legislation, The No Child Left Behind Act of 2001 (NCLB) was to make individual schools and teachers more accountable for test results and to give more feedback to parents. Thus NCLB requires the compilation and storage of a lot of data about students and their families, and can be a treasure of important information for people who would mean ill. People who would hack into school and district networks could get personally identifying information about a large number of people (Enderle, 2003, p. 40).
Schools and school systems that keep records of students with disabilities and/or students who are Medicaid-eligible must be in compliance with the Individuals with Disabilities Education Act and the Health Insurance and Accountability Act of 1996 (US Department of Education, 2003). The wealth of personal information collected and stored by many schools entices malicious hackers as well as students. Most risks from hackers “come not from the general public, but with from within the staff. In the area of school networks, the basic curiosity of school-aged children tends to make this even more of a challenge†(Enderle, 2003, p. 39). Schools should follow state and federal legislation closely to ensure compliance with current laws. Another privacy consideration for schools is Web content. The Family Education Rights and Privacy Act (FERPA) “regulates the dissemination of student information… The posting of student work, photos, or other personally identifiable information on a Web site is one of the most obvious issues addressed by federal and state privacy laws†(US Department of Education, 2003, p. 14).
Schools should also investigate threats that plague all industries. If you concluded in the investigation phase that your school does not have adequate virus protection, then viruses are definitely a threat to your school’s network, as they can cause harm to computer systems and take effort to remove. Worms are another threat that plagues all industries. Worms are different from viruses in that they are self-replicating, and often spread by means other than executable files. As assets and their associated threats change so must be revision of security practices and policies.
Logical Design
The primary goal of the logical design phase of the SecSDLC is “to “design an information security program. The creation of an information security program begins with an information security blueprint†(Whitman, 2003, p. 192). An information security blueprint must include an information security policy. Information security policy is defined as the written rules that users of technology must observe, as it “provides rules for the protection of the information assets of the organization†(Whitman, 2003, p. 195). The person in charge of information security for your individual school or school district should develop a thorough information security policy that defines what network behavior is and is not allowed. The policy should also define what consequences will be enforced if policy is broken, with direction from school administration. Finally, the policy must be seen by all users of computer network technology, including faculty, staff, and students. All users should be forced to sign an acknowledgement of and agree to follow the information security policy, also known as acceptable use.
From the information gathered in the first two phases, you should have an idea of what security needs should be addressed. The logical design phase lays out in writing what should be done to address security needs. For example, if viruses pose a problem to machines on your school’s network, then virus protection should be specified as a solution to the problem. Install anti-virus software on all workstations and probably on the Email gateway as well. The Email gateway should probably disallow certain types of attachments that traditionally carry viruses. If hackers are a concern, then you must specify a firewall and/or network intrusion detection system and also replace Ethernet hubs with switches. Address the problem of worms by requiring workstations to update Operating System patches. Address physical security for school computer systems as well. What kinds of door locks need to be installed to the computer room, and who needs copies? If backups are inadequate, specify a backup system. Take measures to make sure students cannot bypass security controls. There should be some type of authentication scheme in place so that students must have a login and password to access any school computer system, and also prevent students from having administrator authority over any computer system. Because having an account for each student will be an administrative headache for all but the smallest schools, it may be wise to have a generic student account for all students, while having separate faculty and staff accounts that have more authority.
Physical Design
The physical design phase of the SecSDLC develops generic ideas from the local phase into a certain plan of action. It specifies which particular technologies to use to address information security concerns. One option for many technologies is to use Open Source programs instead of purchasing commercial software. While Open Source software is typically free, it often has other associated costs. Because most people are less familiar with Open Source software, it can take more time to configure. There is still hope for schools with little Open Source experience however. Many Open Source advocates, such as Linux User Groups, organize themselves in hopes of spreading Open Source software to as many people as possible. They are known to volunteer knowledge and time to K-12 schools. One of the most flexible Open Source tools for information security is GNU/Linux (Linux). Linux is by far the most popular Open Source operating system for PC architecture, and many vendors as distributors offer it. It is flexible in that it can serve as a basis for numerous functions: firewall, Email server, router, file server, and database server — just to name a few. It is easy to get lost with so many Linux distributions to choose from. Schools should look for a Linux distribution that is stable and secure. “Cutting edge†technology is not something many schools need. While there are various Linux distributions designed with stability and security in mind, the CentOS Linux distribution makes an excellent choice as a server / firewall operating system. CentOS is based on the commercial distribution RedHat Enterprise Linux (RHEL), and can be downloaded for free at The cAos Foundation. CentOS has a life span of five years, which includes free security patches for all applications. Since RHEL is Open Source, their source code is free even though their enterprise product is not. CentOS programmers can thus repackage RHEL into their own distribution. CentOS is only one of many excellent Linux distributions.
Once you have decided on a distribution, then you can focus on the particular security task at hand. Firewalls will undoubtedly play a role in your security plan. Linux has an excellent stateful firewall, Netfilter, built into its kernel. Stateful firewalls “perform packet filtering… (and) can restrict incoming packets by denying access to packets that are response to internal requests†(Whitman, 2003, p. 278). Netfilter will allow you to logically segment your network into an external network, an internal network, and a DMZ. The external network includes the Internet and should be considered insecure by your firewall. The DMZ will be where Web and Email servers are placed, while workstations belong in the internal network. This logical separation keeps outsiders from gaining access to your internal network, even when they visit your Web site or send you Email. While Netfilter will prove beneficial in keeping data protected from hackers, it will not help with CIPA compliance. Squid and SquidGuard are both free Open Source packages that will run on Linux. Squid is a web proxy, while SquidGuard is a plugin for Squid that contains among other things an updated blacklist for pornography Web sites. Squid and SquidGuard are very fast and efficient and would make an excellent choice for your school’s content filtering needs.
Many people think of Open Source software only as a benefit of the Linux Operating System, but it can be also prove to be beneficial to existing and new Windows and Macintosh OS X workstations. Some authentication methods can prove to be expensive. Luckily Samba, another free Open Source package, can serve as a Windows domain controller. Samba also allows folders in Linux to be shared to Windows clients. This is useful since it is sometimes unfeasible to backup every Windows workstation. Important documents can thus be stored on the Linux Samba server.
You can accomplish remote backups on key Windows and Macintosh workstations through Rsync, another Open Source program designed for remotely synchronizing computers. Written for Linux and other UNIX-like operating systems, it can be used in Windows when paired with Cygwin, an Open Source utility for Windows that allows Linux programs to run. Handle intrusion detection through Snort, a free Open Source intrusion detection system. Most viruses come as Email attachments. Mailfilter, when paired with Clam Antivirus, scans all Email attachments for viruses directly on your Email server, as well as automatically updates its virus definitions every hour. Both of these applications are free Open Source. Clam Antivirus also works directly on Macintosh OS X clients and a free version of its software for Windows, ClamWin. ClamWin can be installed on all of your Windows workstations, and supports automatic virus definition downloads. While these Open Source technologies may take time to implement, their cost and effectiveness should be worth your efforts.
Implementation
The implementation phase of the SecSDLC carries out the plans designed in earlier phases. This happens through a project plan, a written plan that “delivers instructions to the individuals who are executing the implementation phase. These instructions focus on the security control changes needed to the hardware, software, procedures, data, and people that make up the organization’s information systems†(Whitman, 2003, p. 393). In school systems with a technology department, the project plan is important to make sure everyone involved in the implementation is aware of his or her duties. It is also important to create milestones, or “specific point(s) in the project plan when a task and its action steps are complete†(Whitman, 2003, p. 396). You will determine costs in the investigation phase, followed by implementing the task recommended in the physical design phase.
Maintenance and Change
The maintenance and change phase of the SecSDLC is the last phase and will continue throughout the security project’s lifetime. Penetration and vulnerability testing should be an ongoing project to test for new vulnerabilities. Nmap and Nessus are free Open Source utilities useful in this stage. Nmap is a port scanner that detects open TCP and UDP ports, while Nessus reports vulnerabilities for any network services running on your computers. Your school will undoubtedly install new technologies, and those technologies will bring more risks. Flaws will be found in existing technologies as well, causing more vulnerabilities. User accounts will have to be created and deleted as personnel changes occur each year. By keeping a close eye on security, hopefully your information security program will stand for several years.
Conclusion
The task of implementing an information security project for your K-12 school can seem to be a daunting task. It is, however, a task that must be completed. By applying the SecSDLC and Open Source technologies, any school should be able to afford good information security. It is up to education technology leaders to make sure that information security concerns are met at our nation’s schools.
References
Enderle, J. (2003). Are school networks as safe as we think? School Planning and Management, 42(4), 38-41.
U.S. Department of Education. National Center for Educational Statistics. National Forum on Education Statistics. (2003) Weaving a Secure Web Around Education: A Guide to Technology Standards and Security, NCES 2003-381. Washington, DC.
Whitman, M., Mattord, H. (2003). Principles of Information Security. Boston, MA: Thomson Learning, Inc.
Email: Joe Meador
