“Most networks,” I remember reading (no source, sorry), “are built like a medieval castle. Once you get past the moat, the castle wall with archers and infantry armed with boiling pitch, you have relatively free access to the castle grounds.” This blog entry provides tips for various hot areas (e.g. data breaches, DOS attacks, password security, etc.). Given how easy it is to breach school district defenses, the guiding question is,
Top Security Tips for Educators*
So, here are my top security tips–with acknowledgements to Doretta Walker and David Jacobson–for fellow educators. The tips are divided into the following 5 categories:
- Preventing Data Breaches – These often involve unauthorized access to confidential/sensitive data and are usually preventable. Password security is also an important area to consider.
- Stopping Infiltration – These involve your computer or device being compromised through an email attachment of some sort, or a phishing attack that the end-user falls for (e.g. send me your username and password via a GoogleForm).
- Listening for Keywords (e.g. DOS/DDOS) – These attacks are launched from inside school districts by tech-savvy students, usually on testing days.
- Appropriate Use of Social Media – Students and, sometimes, staff post information online via social media that is inappropriate for school settings. If these posts result in a significant disruption to schooling, they are actionable.
- Protecting Your Finances – Some tips on how to protect your finances online (and off).
*Updated to reflect suggestions in the comments. Thank you!
1- Preventing Data Breaches
You can help your school district protect against data breaches–unauthorized access to student and staff confidential/sensitive data and/or personally identifiable information (PII)–by following these tips:
- Lock or log out of your computer when you leave it alone. Going to lunch? Going down the hall to the restroom? Make sure to secure your computer or device…don’t leave it logged in, even if you’re just on your web browser checking out the lunch menu.
- Never use work email for personal purchases and/or items. Aside from being “discoverable” in public records requests or legal proceedings (which you may not even know are happening), you should use a different email for finances. Move your financial management to another email system.
- Use 2-factor authentication for email and other services. “Two-factor authentication is a simple feature that asks for more than just your password. It requires both ‘something you know’ (like a password) and ‘something you have’ (like your phone)” (Source: LifeHacker). 2-factor works on sites like Google, LastPass, Apple, Facebook, Twitter, Dropbox, Evernote, Paypal, Steam, Microsoft, Yahoo (avoid them), Amazon, LinkedIn, and WordPress. This will help prevent unauthorized use of your account unless the attacker has your username, password AND your smartphone.
- Don’t read spam messages; delete them unopened. Most email providers (e.g. Gmail) have a way of marking messages as spam. And, sometimes, spam slips through the filters they’ve set up to catch unwanted email. That means it’s up to you. Some spam is obvious; other spam is more clever.
- Access confidential data on your work device ONLY. If you work from home, make sure that you encrypt confidential data on your mobile device (e.g. laptop) for travel (yes, even for that short trip from work to the grocery store to home). If you decrypt confidential data, make sure to shred (securely delete) it from your computer afterwards, because ordinary deleted files are easy to recover. Apple Macs come with “Secure Empty Trash,” and on Windows you can use the free File Shredder program.
- Do not put unencrypted confidential data on a USB flash drive or external hard drive or CD-ROM. This is the source of many a confidential data breach!
- Secure your smartphone and remove confidential/sensitive data from your personal mobile phone after each use. Lots of folks use their smartphones to access work details. Make sure you protect that by a) putting a passcode on your phone, or better yet, encrypting your phone’s storage with a password; b) shredding data on your Android phone (get the SSE app for free) or, if on iOS, using Readdle Documents (free) with a passcode and encryption, which adds another layer of protection. And, finally, AVOID saving confidential data on your smartphone from your email (and any emailed confidential data should be encrypted…see next tip).
- Encrypt ALL confidential data and personally identifiable information (PII) at rest and in transit. Assume that anyone can bypass district network security and that the computer on your desk–laptop, Chromebook, desktop–can be worked on as if someone were sitting in front of it. Want to send an email or store data in the cloud? Encrypt the files, and the message itself, if they deal with confidential data or PII. Read this blog entry for a one-stop, no-cost solution for schools. And, if you’re looking for an “enterprise solution,” forget about it.
- Use a password tool to generate uncrackable passwords, and change them periodically. There are many password managers: some, like 1Password and LastPass, are online, while others, like KeePass, store the database on your computer or device. You can always use a Secure Password Generator to come up with tough ones. This sure beats writing them on a post-it and sticking them to your computer or desk (I actually saw a desk covered in these).
- Avoid sharing confidential data or personally identifiable information with students and staff. That information can be used to create bank accounts, etc. This also includes leaving confidential data or PII on your desk at work or in your paper notebook in the car. Whether it’s digital or paper, you still have to pay for identity theft protection!
- Shred paper copies. It doesn’t matter if you are all digital if a paper copy ends up stolen from your desk, car or home. Shred paper as soon as possible.
- If it’s confidential or sensitive data, the web site you are connecting to should use https://. If it doesn’t, refuse to enter the information.
- Back up your data frequently. It’s obvious, but this is something you can easily do using tools like Dropbox and GoogleDrive. Encrypt your data first before backing it up. And, back it up to different places. Maybe you back it up to Dropbox on Mondays, Wednesdays, and Fridays. On Tuesdays and Thursdays, you back it up to Google Drive. If you don’t like the cloud, get a USB external drive…just make sure to encrypt your data, one file/folder at a time or a whole drive at a time. Just do it.
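What a “Secure Password Generator” from the password tip above is doing under the hood, as an added example (not the post’s own code or any particular generator’s): passwords and passphrases are drawn from the operating system’s cryptographic random source rather than `random`, and the entropy calculation shows why a six-word passphrase and a 16-character random password are both far beyond what a post-it-style password offers. The word list and the guess rate of 10 billion per second are constructed assumptions for illustration.

```python
import math
import secrets
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Uniform random password from the OS CSPRNG (secrets), never random.random().
    Rejection sampling until every class appears keeps the result uniform over
    the accepted set, which simple 'force one of each' schemes do not."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(wordlist, words: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen independently and uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(pool size)."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try the whole keyspace at an assumed offline guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


# Constructed toy word list; a real one (e.g. the EFF list) has about 7776 words.
SAMPLE_WORDS = ["apple", "river", "pencil", "orbit", "candle", "meadow",
                "saddle", "thunder", "violet", "window", "zebra", "marble"]

if __name__ == "__main__":
    print("password:   ", generate_password(16),
          f"({entropy_bits(len(ALPHABET), 16):.0f} bits)")
    print("passphrase: ", generate_passphrase(SAMPLE_WORDS),
          f"({entropy_bits(7776, 6):.0f} bits with a 7776-word list)")
    print("an 8-char lowercase password lasts about "
          f"{years_to_exhaust(entropy_bits(26, 8)) * 365 * 24 * 3600:.0f} seconds")
```

The entropy figures assume the attacker knows exactly how the password was generated; the only thing protecting it is the number of equally likely possibilities, which is why a memorable-looking pattern chosen by a human is worth much less than its length suggests.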
2- Stopping Infiltration
Help protect the school district against infiltrations caused by virus/malware attacks that could begin with your computer.
- Avoid using obsolete, insecure computer operating systems. If your school district is too cheap to upgrade the computers you use, then make sure you don’t do anything personal on them. File a written request citing the need for a secure operating system, and ask for a newer computer model with an up-to-date operating system (e.g. Windows 7, Mac OS 10.7 or greater).
- Be careful with email attachments. Don’t just automatically double-click on the attachment someone has sent you. First ask yourself, “Is it reasonable that this person sent me an email attachment? Is the email abrupt, or does it not make sense? Does the file attachment have an EXE extension, or does the filename not make sense?” If the answer to any of these questions is YES, stop and scan the file attachment with your antivirus/anti-malware program (e.g. AVG and Avast are two free ones).
- Avoid phishing attacks. Just this past weekend, I received an email from a lawyer that purported to be a GoogleDoc, but was a phishing scam (find out more).
- Make sure your home computer is protected from viruses and malware. Anti-virus/malware software is available at no cost for personal, home use. Your District should have an enterprise anti-virus/malware solution for your work equipment.
- Add a password or WiFi key to secure and encrypt your home wireless access. It’s so easy to “sniff data packets” these days (I tried it with free tools and was shocked how easy it was) that you need to prevent unauthorized access to your wireless (and, in some cases, this means upgrading your wireless router’s firmware).
- Avoid “dodgy” sources of software or apps. These days, you can get your software/apps from the approved creator/developer or from somewhere else. Most of us should stick to approved outlets for software, because “somewhere else” sources sometimes come with “bonus” malware.
3- Listening for Keywords that Signal an Attack
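The attachment questions in the tip above, turned into a check a mail gateway or help desk could run automatically, as an added example that is not code from the original post: the function flags executable extensions, “double” extensions such as invoice.pdf.exe, macro-enabled Office files, and attachment bodies whose first bytes do not match what the extension promises (a Windows executable always starts with the bytes “MZ”, a PDF with “%PDF-”). The extension lists, file names and byte strings below are constructed for illustration.

```python
import os
from typing import List, Tuple

# Extensions Windows will run directly (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                         ".hta", ".js", ".jse", ".vbs", ".wsf", ".ps1", ".jar"}
# Office formats that can carry macros; worth a human look rather than an outright block.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# First bytes a file with this extension should start with ("magic numbers").
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
}
PE_MAGIC = b"MZ"  # DOS/PE header of every Windows executable


def triage_attachment(filename: str, head: bytes) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'ok', reasons) for an attachment name and its first bytes."""
    reasons: List[str] = []
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]   # '.pdf' in 'invoice.pdf.exe'

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if inner_ext in EXPECTED_MAGIC:
            reasons.append(f"double extension: looks like {inner_ext} but is {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office document {ext}")
    mismatch = ext in EXPECTED_MAGIC and not any(head.startswith(m) for m in EXPECTED_MAGIC[ext])
    if mismatch:
        reasons.append(f"content does not match the {ext} signature")
    disguised = head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS
    if disguised:
        reasons.append("Windows executable header (MZ) under a non-executable name")

    if ext in EXECUTABLE_EXTENSIONS or mismatch or disguised:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "ok", reasons


if __name__ == "__main__":
    # Constructed sample attachments: (name, first bytes as they would be read from the file).
    samples = [
        ("lunch-menu.pdf", b"%PDF-1.7\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
        ("report.pdf", b"MZ\x90\x00\x03"),
        ("grades.docm", b"PK\x03\x04"),
    ]
    for fname, head in samples:
        verdict, why = triage_attachment(fname, head)
        print(f"{fname:18} {verdict:7} {'; '.join(why)}")
```

Reading the first bytes is cheap and catches the common trick of renaming a program to look like a document; it is a first filter, not a replacement for the antivirus scan the tip recommends, since a genuine PDF or Office file can itself carry an exploit.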
While this falls more into what your school district network folks can do, be aware that it’s important to listen to students when they use the acronyms of DOS or DDOS. Actively ask students what is going on and make sure they understand that hacking or attacking the school district network goes against digital citizenship lessons.
- Listen to your students…they may be planning a DOS/DDOS attack.
- Network staff need to take advantage of tools like Exinda and others to catch and stop an attack. You can “use an Exinda system to throw away malformed packets as well as recognize and then ignore large amounts of traffic emanating from one or multiple IP addresses towards another, as well as block all unnecessary ports.”
- Actively monitor students while they are using technology.
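A minimal version of the “recognize large amounts of traffic emanating from one or multiple IP addresses towards another” check quoted above, as an added example that is neither the post’s nor Exinda’s code: it runs a sliding-window counter over connection-log lines and raises one alert for a single source that floods, and one for a target that receives a flood from many distinct sources (the DDOS pattern). The log line format, the addresses and the thresholds are constructed assumptions; a real deployment would read the firewall’s own log format and tune the thresholds to normal campus traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than crashing the detector
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_floods(lines, window_seconds: int = 10, per_source_threshold: int = 50,
                per_target_threshold: int = 200, min_distinct_sources: int = 20
                ) -> List[Tuple[str, str, int]]:
    """Return (kind, address, count_when_first_exceeded) alerts, one per offender."""
    per_source = defaultdict(deque)   # src -> timestamps inside the window
    per_target = defaultdict(deque)   # dst -> (timestamp, src) inside the window
    alerts: List[Tuple[str, str, int]] = []
    already = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, _ = parsed

        q = per_source[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > per_source_threshold and ("src", src) not in already:
            already.add(("src", src))
            alerts.append(("single-source flood", src, len(q)))

        t = per_target[dst]
        t.append((ts, src))
        while (ts - t[0][0]).total_seconds() > window_seconds:
            t.popleft()
        distinct = len({s for _, s in t})
        if (len(t) > per_target_threshold and distinct >= min_distinct_sources
                and ("dst", dst) not in already):
            already.add(("dst", dst))
            alerts.append(("distributed flood", dst, len(t)))
    return alerts


def sample_log() -> List[str]:
    """Constructed log: a little normal traffic, one flooding host, then 30 hosts flooding together."""
    base = datetime(2015, 3, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} src=10.20.1.{i + 1} dst=10.0.0.5 dport=443"
             for i in range(5)]
    lines += [f"{(base + timedelta(seconds=20 + i / 10)).isoformat()} src=10.20.9.9 dst=10.0.0.5 dport=443"
              for i in range(60)]
    lines += [f"{(base + timedelta(seconds=60 + i / 30)).isoformat()} src=10.30.{i % 30 + 1}.7 dst=10.0.0.5 dport=443"
              for i in range(240)]
    return lines


if __name__ == "__main__":
    for kind, addr, count in find_floods(sample_log()):
        print(f"ALERT {kind}: {addr} ({count} connections in window)")
```

The per-target rule only fires when many distinct sources are involved, so a single busy server talking to one client is not mistaken for a DDOS; in practice the alert would feed a rate limit or block on the firewall, which is the “ignore” step in the quoted description.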
4- Appropriate Use of Social Media
It’s a simple rule–don’t share anything online that you would be ashamed to see in the evening news or, worse, have to answer for in a court of law. Some friendly reminders:
- Think before you post. Realize that anything you post online is public, so do NOT post any embarrassing photos, videos, or make crude remarks about family, staff, or students. Think before you post.
- Check privacy settings periodically. If you use Facebook (and who doesn’t?), check your privacy settings frequently.
- Conduct digital environmental scans to help school districts identify trouble-spots online. Check Instagram and other digital spaces (e.g. Yik Yak, Kik) students gather for appropriateness, and encourage digital citizenship. Cyber-bullying and other issues are problems that continue to arise.
- Notify campus authorities in a timely manner. If you encounter inappropriate content on a student’s device, let your campus administration know immediately. Do not make copies of pornographic photos or send them to your own device, since that would have legal repercussions for you.
5- Protecting Your Finances
In addition to the tips above, consider ALSO taking advantage of these financially-related tips:
- Add a password to your bank account. If you haven’t done this already, you need to. It will prevent just anyone from accessing your bank account.
- Buy an RFID Protected Wallet. Picking up my first pair of running shoes in 8 years at the store, I bought one of those wallets that protects against a scanner reading your RFID enabled credit card.
- Carry and use one credit card, rather than a debit/credit card, for most purchases. In the old days, I would use whatever card was handy…usually my debit/credit card that connected to my bank account. Now, I’m switching to using one credit card that I can better control and that won’t affect my finances.
The next step is to put together an infographic that captures the best tips. Here are some inspiring ones.
- Reducing Attack Surface with Endpoint Control
- Most Likely Network Security Challenges
- Safe Money Stolen
- Big Data Security
- Avoid a Weak Password
THE YEAR OF THE HACK
Every time I reflect on school district networks, I shudder about how easy it is to breach our defenses. Consider that businesses (e.g. Target) are getting hacked, social engineered, or taken down. In fact, some declared 2014 as the Year of the Hack:
This will be remembered as the year of the hack.
The tone was set in January as we learned details about the Target credit card breach, along with a Snapchat hack that revealed millions of user phone numbers. Now we’re witnessing hackers cripple Sony Pictures Entertainment, stopping the release of “The Interview.” CNET Update looks back at a year of cyberattacks, as well as a new Pew Research report on privacy. Source: CNet – 2014: The Year of the Hack