Back to school security
As educational facilities return to the new normal, it is important to update cyber and physical security defences to protect learners in a new environment As educational institutions return to normal it is important to highlight some of the biggest security risks that the sector is facing. One of the biggest being cybersecurity, as a lot of work will continue to be communicated and completed online. A major priority for educational institutions is defending networks from intrusion and protecting the personal information of students, alumni and employees. Why do school administrators and educators need to know this? Because schools of all kinds – from primary through secondary and higher education — now have databases full of personal information about faculty, staff, and students. To cyber criminals, who are not fussy about whose data they steal, these repositories of personal data make an appealing target. An additional priority is meeting the auditing and reporting mandates for a potential patchwork of federal and state privacy laws. The key for educational institutions to meet all of these information security demands is to proactively implement security controls and best practices, rather than taking a reactive approach and responding to short-term requirements. With such a broad range of large, small, public and private institutions, there is no one solution that is right for everyone. There are certainly a range of information security products and services to help meet regulatory requirements and reduce the risk of a data breach. Educational institutions without a dedicated security operations center can rely on managed security monitoring & compliance services to provide the expertise to meet regulatory requirements and implement industry best practices. Here are our 5 security considerations that are key: Layered defences Do not expect one security product alone to protect you against every possible threat to your systems and data. Of course you want to make sure you have an anti-malware suite on all parts of your network (don’t forget smartphones, Android tablets, Linux servers, and Mac computers along with your Windows machines). But you should also have a firewall at the gateway to your school’s network and on all your individual machines –those you own, those owned by grants, and those owned by your students, faculty, and staff. Any important data, such as grades, finances, or personal information, should be encrypted both in storage (both on servers and workstations) and any time data leaves your machines, like via email or on devices like smartphones or USB sticks. Implement the principle of least privilege The principle of least privilege simply means that no person, machine, or system should have access to things they don’t strictly need. For instance: student financial data should be in a different part of the network, and completely cut off from people who don’t need to access it. And very few people, if any, should have administrator-level access rights on their own machines (some people are shocked at this suggestion, but that’s one way we manage our machines here at ESET – and if they must have admin rights, they shouldn’t be using that account except when they need to do admin tasks). Any time you can restrict access without disrupting people’s ability to do their jobs, you should. Update, update, update Applying updates and patches for all software is one of the most important things you can do to minimise the vulnerabilities criminals can use to silently get into your machines. When managing complex systems there may be a case for testing updates before rolling them out, but keep delays due to this process to a minimum. The bad guys are constantly probing for unpatched vulnerabilities. And don’t forget that it’s not just your operating systems and applications you need to keep patched; there are the helper apps that your browsers run, from Java to Flash to Acrobat and beyond. Indeed, the risks of not patching as quickly as possible probably far outweigh the benefits of testing. If an immediate system-wide rollout is not practical, at the very least initiate a rollout of patches immediately on a small set of representative machines, then expand to greater subsets as soon as practical until all machines under your control are patched. [Getting the machines you do not control patched is a wholly different problem; consider blocking logons to your networks (with appropriate notices beforehand and when actual blockage occurs) to any machines that have not been patched, at least for critical vulnerabilities. Passwords are not enough If you’re protecting lots of personally identifiable data, a password alone may not be enough. Consider implementing two-factor authentication or 2FA. This can be a biometric, like a fingerprint, or a one-time pass code that is provided to users via a small digital key card or fob. A more recent development is the use of smartphones to deliver one-time pass codes to users and these systems can be relatively inexpensive yet highly secure. Students who use social networks like Facebook and Twitter should already be familiar with the notion of 2FA, as those services use it to prevent unauthorised access. Make a clean break When employees leave and students move on, be sure to adjust their credentials accordingly. In many cases this will mean terminating their access to school systems. The use of “lingering” credentials that should have been revoked is one of the most common forms of “insider” abuse of systems. In addition, a review of authorised user accounts should be done at least once a year to weed out access that is no longer appropriate. Surveillance and security The safety of students and staff is vital for every school. The distinctive quality and flexibility of network cameras effectively reduce the threat of harassment and violence. Suitable for monitoring school playgrounds, hallways, gyms, lunch areas and classrooms, they ensure the safety of students and staff, and prevent damage to school property. With an increasing focus on everything from bullying, to medical emergencies and vandalism, campus security is more important than ever. Administrators understand that they’re not
Back to school security Read More »
