K-12 Information Security: The Current State
Matt Rose - CERIAS Outreach
Overview
I. Context: Technology Integration & IT Nationwide
II. Information Security in Indiana K-12 Schools: Sample Security Assessments, Surveys
III. CERIAS K-12 Outreach Efforts
I. Context: Tech Integration
• 99% of US Schools are Connected
• More Kids use Internet at School than at Home
• Educational Technology is Integrated into Standards
I. Context: Tech Integration
• 94% - High-Speed Connections
• 23% - Wireless
• 7% - Handhelds (Student)
• 8% - Laptops (Student)
• 86% - Website
I. Context: Classrooms w/Internet Access*
[Chart: classrooms with Internet access; vertical axis 0 to 100, horizontal axis 1998 to 2002]
Source: * US DoE, 2003
I. Context: Distribution of Responsibility*
• Full-Time, Paid Tech. Coordinator/Director 38%
• District Staff 26%
• Teacher 18%
• Part-Time 11%
• Other 7%
Source: * US DoE, 2003
I. Context: CIPA Controls*
• 91% - Monitoring by Teachers
• 96% - Blocking/Filtering
• 82% - Parental AUP
• 77% - Student AUP
• 52% - Monitoring Software
• 41% - Honor Code
Source: * US DoE, 2003
I. Context: Standards*
• “Social, ethical, and human issues”
– Students understand the ethical, cultural, and societal issues related to technology.
– Students practice responsible use of technology systems, information, and software.
Source: * ISTE NETS, 2003
II. Information Security in Indiana Schools
• Sample Security Assessment
• Surveys:
– Technology Coordinators
– Teachers
– Students
II. Sample Security Assessments
Who: Infotex, Volunteer Indiana SCs, CERIAS, WVEC
What: 5 Complete Security Assessments
Why: Mainstream Data Sources Insufficient
Where: Available on CERIAS K-12 Website
II. S.A. Methodology
• External & Internal Penetration Testing Using Commonly Available Tools:
– NMAP, Nessus, LANGuard, SuperScan, L0phtcrack
• Data Rated on Risk, Effort to Fix
II. S.A. Results
• 2 of the 5 schools easily penetrated from Internet.
• Remaining 3 had vulnerabilities that would have caused irreparable damage to systems if they were exploited & thus were not attempted.
• Easily obtained FERPA protected information from 3 of the 5 schools from the Internet, & from all schools internally.
• CIPA measures could be easily circumvented in all schools using basic tools/techniques well w/in grasp of average student.
• Payroll & grade systems were relatively easily penetrated in 4 of 5 schools, although not fully due to their sensitive nature.
• Attacks & compromises were not detected by any school IT staff w/o intentional disclosure.
II. S.A. Results: Risk Severity Distribution
• Critical 80%
• High 10%
• Medium 7%
• Low 3%
II. S.A. Results: Risk Priority Distribution
• Critical 36%
• High 48%
• Medium 9%
• Low 7%
II. S.A. Overall Recommendations
General recommendations made to all five schools were relatively similar:
• Policies
• VPN for Wireless
• Patch Management
• Separate Administrative Networks
• CIPA Enforcement
• Proactive Security Controls
• Proactive Internal & External Assessments
• DMZs
II. Information Security Surveys
2002: Ethical & Safe Use: 488 Students Age 11 - 16
2003: Information Security: 43 Technology Coordinators
2003: Information Security: 68 Teachers
II. Key Findings: Middle School Survey
89% - Have Home Internet Access (80% Dialup)
31% - Have Parental Controls
51% - Have Formal Rules at Home
55% - Have Downloaded Music
45% - Think Downloading Music is Okay
33% - Have been Harassed while Online
56% - Have been Sent Inappropriate Material while Online
47% - Chat w/ Strangers
II. Key Findings: Tech Coordinator Survey
70% Have Policies in Place, but only 14% of Tech. Coordinators thought Teachers Knew Consequences
53% Thought Teachers have Violated Copyright Law
0% Thought Teachers Understood how FERPA Applies to Computer Use
II. Key Findings: Teacher Survey
19% Have Never Backed up Files
3% Use P2P Every Day
53% Could Identify a Strong Password
31% Have Never Changed their Password
96% At Least Partially Understood FERPA
69% Aware of Online Threats to Students (Exception: Harassment)
Goal 1: Community Awareness
• Information Security Newsletters
• PTO Presentation
• Self-Instructional Document
Goal 2: Standards & Curriculum Integration
• Middle School IS Packet
• K - 12 Lesson Plans
• Teacher Workshops
Goal 3: Increase Security of K-12 Systems
• Technology Coordinator Workshops
• Multimedia Self-Instruction for Teachers
• School of Technology Service-Learning Course
For More Information
• Poster Session
• www.cerias.purdue.edu/education/k-12/