CoSN CTO Council Taking TCO to the Classroom 3D: Data-driven Decision Making CoSN's Annual K-12 School Networking Conference CoSN CoSN's Emerging Technologies Series CoSN Compendium Safeguarding the Wired Schoolhouse Accessible Technologies for All Students I am interested in becoming a member of CoSN Remove Me from the Secure District Listserv
Cyber Security for the Digital District Quarterly Newsletter
Brought to you by CoSN

Winter 2005



Contents

Welcome to Second Edition of CoSN's Cyber Security Newsletter

Given how dependent our schools have become on technology – for everything from running the payroll to keeping in touch with parents to maintaining student records to enriching the learning process -- high quality cyber security is now one of the foundations for effective leadership, efficient administration, and improved student learning outcomes. It is similar to the way that staying healthy and physically fit is one of the foundations for having the ability to perform well at your job.

CoSN's Cyber Security for the Digital District project provides tools and information to help K-12 policy-makers and technology leaders work together more effectively in order to improve their district's cyber security.

The key tools in this effort are our web site, our workshops, and this newsletter.

You can sign up to receive this free newsletter, and read previous issues, in the newsletter section of the web site: www.securedistrict.org/newsletter.html

Cyber Security Web Site a Success!

Additional Tools and Materials Available
www.securedistrict.org
Our media outreach announcing the availability on our web site of our new set of tools and materials has hit a responsive chord among the K-12 community. During the 9 months in 2004 before the media blitz, we were getting an average of 534 sessions on the website each month. After we updated the web and did our multi-pronged media blitz, the number of sessions increased to 2,302 in October and 2,262 in November!

Now, we are announcing a few additions to the web-accessible tool set. The Security Planning Grid (www.securedistrict.org/tech/Evaluation/SecPlanGridDetailView.html) is now an even more useful diagnostic and priority-setting tool. District reviewers had asked that we include something that would help them not only immediately see their current status and possible next steps, but also help them identify which of the many next steps were the most important. So now, as you look at the most detailed level of the Rubric and scan across each line item at the most detailed level, many of the lines now display a red X, indicating a priority action, somewhere along the continuum from "Basic" to "Developing" to "Adequate" to "Advanced."

To help you plan those next steps, we have also created a Security Planning Template which will also be very useful during budget negotiations. This downloadable, RTF-format file lists all the items in the Planning Grid allowing you to record your current status as well as indicate what actions, if any, you plan to take immediately, during the current school year, and at some point in the future.

But maybe nothing terrible has happened in your district, so its hard to get anyone interested in planning for Cyber Security. We have complied a list of "Cautionary Tales" – true stories that you don’t want to see written about you. (www.securedistrict.org/admin/stories.html) Show these around to your Administrative leaders and point out that despite all you've done so far, it is just good luck that none of this has hit home – yet!

Finally, we've included our first three Case Studies about three very different districts, which we describe in more detail below.

Send us news clips about the horror stories you run across! Contact Steve Miller at smiller@massnetworks.org or Chris Seiberling at cseiberling@massnetworks.org

Learning From Others: Case Studies Reveal Variety of Best Practices

There are a lot of wrong ways to deal with Cyber Security – the most common being not doing enough. But there are also a lot of right ways to deal with Cyber Security.

All the right ways share common traits. They all have leadership involvement and support in the creation and implementation of a security plan. They all include regular maintenance and patching/upgrading of system components. They all put as much emphasis on policy and procedure and user training as on technology. They all accept that problems are inevitable so they rigorously backup key data, install survival-level redundant components, have a stakeholder communication plan ready to go, and practice dealing with possible crises.

But the right ways also have many differences. The most important differences stem from the different educational philosophies of each district, from each district's level of technology use, and from the different resources available. For example, it is a best practice to conduct a full security audit – preferably by an independent group – as part of the planning process and to occasionally repeat the audit as conditions change in future years. Districts that have had such an audit have little doubt about its enormous value. However, in some districts the level of technology usage is too low and peripheral to justify the expense.

More fundamentally, some districts have a "central control culture" that supports a strategy of locking everything down and only allowing a small set of user actions, with a resulting low level of IT problems. Other districts espouse a more exploratory approach to student learning and an emphasis on teacher creativity which leads to a more flexible approach to security which must be backed up with greater emphasis on dealing with the problems that may slip through.

The only way to feel your way through these differences is to listen to real stories from different kinds of districts. That is the purpose of our Case Study Series. The first three in the series are now on our web site: www.securedistrict.org/tech/case.html. As the number of case studies grows we intend to analyze patterns and draw insights, which we will describe in future newsletters.

If you would like to have your district’s story included as a featured case study, please contact Steve Miller at smiller@massnetworks.org or Chris Seiberling at cseiberling@massnetworks.org

Cyber Security Workshops In Demand!

Half-Day and Full-Day Cyber Security Workshops, and Keynote Presentations Now Available
Last month, the Cyber Security staff conducted a half-day workshop for CTOs in Wyoming. About 50 people attended from districts across the state. Participants praised the, "ideas and tools to help evaluate, and the encouragement we got to continue to improve, our security." There was especial interest in the Planning Grid and the Self-Assessment Checklist which is in a, "form even my superintendent can understand." People felt there was, "a good mix of presentation and interaction." One tech leader's final comments were, "I've known my district is weak in security, but I didn't know where or how to start – nor the time to research it. Thanks for such a superb guide and place to start!"

Are you a member of an organization that brings together superintendents and other district policy-makers? Or are you a member of an organization that brings together the people in charge of district technology – whether called the Chief Technology Officer, CIO, Technology Director, Assistant Superintendent, etc.?

Do you think your peers or members would be interested in learning more about how to deal with Cyber Security – either at the policy or the implementation levels?

The Cyber Security for the Digital District project has developed workshops suitable for either of these audiences. It can be delivered in a half-day (suitable for a time slot of 2.5 to 3 hours) or a full-day (suitable for a time slot of 4.5 to 6 hours).

The Cyber Security staff are also available for 30 to 60 minute keynote presentations.

If you are interested in hosting one of these events, please contact Steve Miller at smiller@massnetworks.org or Chris Seiberling at cseiberling@massnetworks.org

Security vs. Safety

When the Cyber Security staff talks with educators and the media, we often find that people do not distinguish between programs to improve student/staff cyber safety and planning needed to improve their IT system’s cyber security.

The two are not the same.

Safety is about individual conduct. Being safe includes never giving out personal information to an unknown person – either face-to-face or on-line – much less agreeing to meet with them in an unsupervised venue. Safety means knowing that nearly 90% of email today is spam, virus carriers, or a phishing attempt – which means all interactions with an organization should be done by using a browser to go directly to the organization's website rather than using an embedded link in an email. Safety means knowing how to deal with inappropriate material that slips into the network through the various filters or that is accidentally found on the web.

Security is about keeping the system functioning so that the schools remain operational, all the district’s resources remain intact, and all the users remain safe.

If safety comes from awareness and good behavior, security comes from proper administration of the overall system. Safety is an individual responsibility. Security is an organizational responsibility.

Of course, there is overlap. But even with something like passwords, teaching users to keep their passwords private is a safety issue, while establishing a good password update policy is a security concern. It's a bit like the difference between teaching students how to avoid going dangerously high on a playground swing and making sure that the chains holding the swing aren't about to break.

Safety is important. So is security!

10 Questions Superintendents Most Often Ask

Every wonder what Superintendent's say about IT issues when they're not around you? Do you assume that it's all unprintable? The Cyber Security project's staff talks to a lot of Superintendents and other education policy-makers. On our website we've posted some of the most frequent questions we get asked, and the answers we try to give.

www.securedistrict.org/admin/firststeps/tenquestions.html

What are the cyber security-related questions you think Superintendents' wonder about? What answers do you think they should be given? How can our answers be improved? Let us know what you think: send your thoughts to Steve Miller at smiller@massnetworks.org or Chris Seiberling at cseiberling@massnetworks.org.

Links to Recent Articles by Cyber Security Staff

Scholastic Administration (Dec/Jan 2005)
"Safe & Secure? Take these steps to gauge how fortified your networks really are." www.scholastic.com/administrator/decjan0405/articles.asp?article=bulletproof

Today's School (11-12/04)
"Cyber Security: Protecting Your Digital Data" By Steven E. Miller www.peterli.com/archive/ts/764.shtm

Technology & Learning (3/15/04)
"Network Monitoring: A 360-Degree Plan" By Steven E. Miller and Chris Seiberling www.techlearning.com/story/showArticle.jhtml?articleID=18311597

District Administration (2/04)
"Cyber Security: Why CoSN wants to help districts protect their technology assets" by Steven E. Miller www.districtadministration.com/page.cfm?p=636

Do you publish a newsletter or other regular publication? Would you be interested in getting periodic short pieces from the Cyber Security staff? Let us know: contact Steve Miller at smiller@massnetworks.org or Chris Seiberling at cseiberling@massnetworks.org

Security-Related Sessions at Upcoming CoSN Conference

The annual CoSN conference will be held in Washington, DC on Tuesday and Wednesday, March 22 and 23, 2005. It will be preceded by a Capital Hill "Advocacy Day for Education Technology" on March 21 and followed by an "International Symposium on Next Generation Online Educational Content" on March 24.

There are several security-related workshops and panel discussions at the conference.

T105: Panel - Crisis Management: Keeping Things Going When Everything Goes Wrong
Tuesday, March 22, 2005; 11:00 AM. to 12:00 Noon

W107: Panel - The Essentials of Leadership in the Ed Tech Field
Wednesday, March 23, 2005, 10:30 AM. to 11:30 AM.

W305: Workshop - Be Prepared for Cyber Related Risks - Build a Reduction Plan*
Wednesday, March 23, 2005; 2:15 PM. to 5:00 PM. - There is no fee to attend this event, but space is limited and pre-registration is required. To register for this event, select the appropriate box under "Conference Session Registration (Optional)" when completing the online registration form.

On-line registration for the CoSN conference is available at www.k12schoolnetworking.org

Other Training Opportunities: SANS Institute – Intrusion Detection in Depth

The SANS Institute (www.sans.org) is offering one of its GIAC security certification courses to members of the EDU community. The price of the 6 day seminar is $500/person. The normal cost of the seminar is $2895/person.

The emphasis of this track is on increasing students understanding of the workings of TCP/IP, methods of network traffic analysis, and the Snort network intrusion detection system. This is a fast-paced track most appropriate for people who are or who will become intrusion detection analysts. (See: www.sans.org/conference/tcpip_quiz.php in order to fully view the topics that will be discussed). The challenging, hands-on exercises are specially designed to be valuable for all experience levels.

What:
Intrusion Detection, In-Depth (SANS GIAC Track 3)

When:
3/6/05-3/12/05

Where:
Virginia Tech, Blacksburg, VA

Cost:
$500/person includes course materials

Eligibility:
Any faculty or staff from an accredited EDU institution: higher ed, community college, K-12

Register:
www.conted.vt.edu/isect/

Expert Advice: Switching to High Bandwidth Network Requires Rethinking Perimeter Defense

By Michelle Araujo, Product Manager, Symantec Corporation

Increasing bandwidth is a solution to many problems. So many districts are now installing high bandwidth connections to the Internet from each of their schools. However, while doing this district leaders also need to rethink their perimeter defenses.

The Braxton County Public School District in West Virginia is comprised of nine schools and serves the educational needs of nearly 3,000 students. Recently, the district began rolling out high bandwidth connections. However, Sterling Beane, technology director at Braxton County Public Schools, began noticing a corresponding rise in viruses and unauthorized network access.

Part of the problem was that all nine schools were still behind a single firewall and on the same subnet. Once inside this single virtual fence, malicious code was free to make its way from school to school.

Beane began considering possible solutions. He looked at firewall products from one vendor, antivirus from another, and so on. But the district simply could not afford to purchase so many individual solutions and Beane couldn’t devote the time to manage and support such a wide array of products.

Beane's solution was to install a single, multi-purpose appliance which includes antivirus, full-inspection firewall, intrusion prevention, and intrusion detection, content filtering, and virtual private networking (VPN) technology at each of the district's nine schools, and manage all of them from a centralized console. The appliances securely seal each school off from the other, providing each school defense in-depth while also containing attacks and malicious code. Bean's appliance works by pulling apart every incoming and outgoing network packet just once to put it through a series of checks before passing it along.

Since the installation, Beane says viruses are no longer popping up and being quarantined because they simply don't make it past the appliance, hackers are detected just as they begin jiggling the virtual network doorknobs, and even abnormal activity inside the network is visible at a glance.

About CoSN's Cyber Security for the Digital District Initiative

Education technology is becoming an increasingly essential tool for instruction, learning, data informed decision making, and administration. Young people and their guardians are beginning to hear a consistent message about how to protect their personal safety. But individual safety also depends on system security. Therefore, the Cyber Security program helps education leaders keep school networks, the attached equipment, and the users secure from attack.

The project's goal is to provide tools to help both policy makers (such as the district Superintendent) and technology leaders (the district's chief technology officer) have a constructive dialog that leads to effective action concerning:

  • their district's level of Cyber Security preparedness and vulnerability (including an ability to compare themselves against both their peers and "best practice");

  • what needs to be done to improve their status and how to prioritize their "to do" list;

  • how to prepare themselves to ensure operational continuity when a problem inevitably slips through.

Some of the tools already available on the web site (www.securedistrict.org) include:

  • Security Protocol Flowchart – an overview of the Security Planning and Implementation process

  • Eight Questions a Superintendent Should Ask the Chief Technology Officer – to encourage a productive conversation

  • Cyber Security: An Introductory Slide Show – for public presentation

  • Self-Assessment Checklist – computes a "current security status core"

  • Cyber Security Planning Grid – provides a detailed rubric that identifies current situation and help prioritize next steps.

Thanks to Our Sponsors

This project would not exist without the support of our sponsors. Founding Platinum Level Sponsors include:

SonicWall

SurfControl

Symantec

United States Department of Education

Northwest Education Regional Laboratory
(in association with the Northwest Technology Consortium)

Founding Gold Level Sponsors include:

BellSouth Foundation

Enterasys

Microsoft

Sun Microsystems

Our Media Sponsor is:

Technology and Learning Magazine

Partnering with CoSN on the implementation of the initiative is:

Mass Networks Education Partnership


Disclaimer Text