Risk Management for Technology Exposures
National Charter Schools
Pete Reilly
[email protected]
http://edtechjourneys.pbwiki.com
Sponsored by NYSIR
Agenda
Student Security
Network/Data Security
FOIL/E-Discovery/Audits
Physical Security
CWG Survey Results
Audit Case Study
Security Vulnerability Survey
Employee Issues
Student Security
Cyberbullying
Student Safety
Web 2.0
The Facts About Online Sexual Abuse
Enforcement and Strategies
RSS Blogs
Employee Issues
Personal Use
Privacy
Improper Access
Harassment
Copyright
Teacher Web Sites
Teacher Links
Confidentiality
Advertising
Politics
Fundraising
Spyware
Bad & Getting Worse
Spam
External Hacks
Web 2.0
Denial of Service
Common Security Risks
Internal Hacks
Phishing
Trojan
Prevention
Forensics
Recovery
BOTs
WAN
Servers / Network
Desktops
Applications / Policies
Educational Forum
Disclosure and disclaimers
Educational Restrictions
Enforcement
District Strategies
Managing Internet Risks
The Facts About Internet Sexual Abuse
Firewalls
Servers & Network
Desktops
Applications / Policies
User Awareness
Managing Security Risks
Initial & Annual Security Audit
Open Meetings
FOIL & E-Document Policy
CIPA & E-Rate
Domain Names
FOIL & E-Discovery
E- Discovery
Comptrollers Audits
Software Audits
Security incidents are rising exponentially
128,678 incidents from July 1-December 31st, 2001
8,064 vulnerabilities reported – up from 1,090 in 2000
41% of companies experienced “critical attacks”
12.7% encountered 1 “emergency” and had to use recovery measures
Source: Washington Post, January 28, 2002
Tension between security and ease of use
Many/most serious security incidents are caused by your own students and disgruntled employees
Bad & Getting Worse
More data online than ever
More devices attaching to the network
More network complexity (ie. VOIP, wireless)
Security Incidents – 2007 Alone
ARIZONA - May 2007: Ninety-one substitute teacher names and Social Security numbers were stolen from a car
LOUISIANA - March 2007: Rosters containing Social Security numbers of 380 school employees were accessed by a search engine crawler
WEST VIRGINIA – June 2007: Computers containing the names and social security numbers of district employees were stolen
OREGON - January 2007: Students hacked into the school network and obtained confidential student and staff information
CONNECTICUT - August 2007: Computers containing the names and social security numbers of former students were stolen
According to the Privacy Rights Clearinghouse, www.privacyrights.org, more than 155 million records* have been stolen since 2005
*Includes Social Security numbers, account numbers, and driver's license numbers
[Chart: Vulnerabilities Exploited Faster, 2001-2005; y-axis in months / weeks / days. Avg. exploit in 2005: 5.8 days.]
[Chart: Threats Propagating Faster, 2003-2005; y-axis in hours / minutes / seconds. 2005: 90% of the hosts within 10 minutes.]
SPAM: 80% of Emails in 12/06
Botnet Launched DDOS on the Rise
Sources: CERT/CC, Symantec, NVD, OSVD
Pre-Nachi – ICMP/8 (Echo) 8/17 2200GMT
Watch Here . . .
Pre-Nachi – ICMP/8 (Echo) 8/17 2400GMT
Watch Here . . .
Pre-Nachi – ICMP/8 (Echo) 8/18 0100GMT
What?
Pre-Nachi – ICMP/8 (Echo) 8/18 0200GMT
What?!
Pre-Nachi – ICMP/8 (Echo) 8/18 0300GMT
What?!
Pre-Nachi – ICMP/8 (Echo) 8/18 0400GMT
What?!
Pre-Nachi – ICMP/8 (Echo) 8/18 0500GMT
Whoa?? Wow!!
Pre-Nachi – ICMP/8 (Echo) 8/18 0600GMT
Nachi Worm Lifecycle View
Nachi start: 8/18/03
Nachi begins decay: 1/1/04
Sasser Worm (04/04/04)
Patch (MS04-011): April 13
Exploit Code: April 21
Warning Spike: April 28
Sasser Worm: May 04
ZOTOB Worm (08/16/05)
Patch (MS05-039): August 09
Exploit Code: August 12
Warning Spike: August 15
Zotob Worm: August 16
IRC-MOCBOT Worm (08/14/06)
Patch (MS06-040): August 08
Exploit Code: August 10
Warning Spike: August 13
IRC-Mocbot Worm: August 14
Spyware
Three Shocking Statistics on Spyware!
1. 8 out of 10 PC’s are infected with some sort of Spyware, with an average of 24.4 spies per PC scanned.
2. Microsoft estimates that 50% of all PC crashes are due to spyware.
3. Dell reports that 20% of all technical support calls involve spyware.
Spyware
* Severe Threat – 15% of spyware threats send private information gathered from the end user currently logged on to the infected system: logging the user's keystrokes, logged-on user name, hash of administrator passwords, email addresses, contacts, instant messenger login and usage, and more.
* Moderate Threat – 25% of spyware sends information gathered from the victim's operating system, including the computer (host) name, domain name, logs of all processes running in memory, installed programs, security applications, client's internal IP address, OS version, the existence and versions of service packs and security updates, TCP ports the spyware is listening to, Computer Security Identifier (SID), default browser's homepage, browser plug-ins, etc.
* Minor Threat – 60% of spyware transmits gathered commercial-value information about the end user's browsing habits. This includes keywords used in search engines, browsing habits and ratings of frequently visited websites, shopping reports etc.
Spam
Spam = 40%-70% of all e-mail
Spam floods overloading servers and acting like DoS
IE Vulnerability For Sale
Web Attacker Toolkit – Order Page
Drive-by, While visiting Web sites
Innocent Free Games site
Exploits our desktop to install a Trojan
Case Study: Botnetwork
Hacker confirms price – “You wanna buy 0”
Typical Perimeter Network
[Diagram: Internet / Service Provider Backbone / Enterprise DMZ / Enterprise Intranet, with the following controls listed by zone: Firewalls, IDS, Anti-Virus, Anti-Spam, Worm Detection, Packet Filtering, LAN Filtering, Security Patching, Policy Enforcement, Incident Response, Network Management, Core Infrastructure Protection, Manual Blackhole (Customer Initiated), Manual Rate Limit (Customer Initiated). Enterprise Security Responsibility: Large Enterprise Investment (People, Capital, Software).]
Prevention - Firewalls
Intrusion Detection Software
5,000 port scans per day
Apply updates and patches immediately
Review Firewall policies annually
Hole opened for server install - not closed
Server decommissioned - hole not closed
Prevention - WAN
Periodic Network Traffic Analysis
BOTs
Music Sites & other improper uses
Configure your routers with access lists
Check hubs, switches and routers for web management modules and change default passwords
Use security on your wireless networks
Prevention - Servers
Server maintenance and security patches immediately
Nimda took advantage of known holes
Remove all generic and guest defaults after install
Web server hacked via generic login
Check for inactive web modules
They can be accessed and generic setups abused
Prevention - Network
Use Virtual Private Networks (VPNs)
Require specific logons
Lab aid giving generic logons so students could bypass filter
Pornography found on C: drive in teachers’ room
Periodic network and server scans
Consultant with website on school server
Secure remote access to network
Maintenance done by third parties
Prevention - Desktops
A: drive
Vulnerable to infected floppy disks, flash drives, and other non-authorized files and applications
C: drive
Vulnerable to configuration changes, and access to restricted resources (students hide Internet access)
FTP
Vulnerable to downloads of infected files or other non-authorized files and applications
Windows Explorer
Students see all network resources
Right Click
Students can cut, paste, and delete important files including system configuration
Prevention - Applications
Microsoft Office – “save as”
Can students see network drives?
Downloads of plugins and other software
Programming courses such as C++ and Visual Basic
Have access to basic network functions
.exe files
Slow Internet and/or network performance
Overwhelmed hard drives and network servers
Passwords
No policy on changing
Fewer passwords for ease of use purposes
“Shoulder surfing”, yellow stickies, etc.
Disks from home
Technical vulnerabilities
Copyright vulnerabilities
Prevention - Policies
Loading software locally
Technical issues – not in “Ghost image”
Printing and application support issues
Copyright issues
Accidentally “blow out” system
Docking home computers
Students running “cracking” programs and accessing SASI passwords
Keychain hard drives
Removal of access when someone leaves
E-mail, Calendar, network logon, etc.
Early notification of problems such as viruses
What process is in place to notify users of new viruses, etc.?
More than one person with key knowledge and access.
Network backdoors set up
Secret backups and password changes done before termination
18 months rebuilding system because of no documentation
Prevention – Policies
Log-off apps, log-off network
Students doing “high level” maintenance
May compromise security intentionally or unintentionally
Enforcement of Policies
If practice doesn’t follow policy then policies are not valid.
Forensics
Log files:
Intrusion detection logs
Firewall logs
Router logs
Server logs
Application logs
Forensics
Unique log-ins
Isolate systems
Notify authorities
Print screens (IM’ing, chat, e-mail, etc.)
Terror threat to local HS
Hard Drive recovery
Save to the network
Saving to the C: drive means no backups
Verify that backups are complete
Who is responsible? Who is their backup?
External backups vs internal
Proper tape rotation - off site storage
Off-site storage
Periodic backup check before an emergency
Do you have a “Hot Site”?
Recovery
Damaged servers & switches
RAID drives
UPS on all servers and switches
Maintenance 24x7x7 contracts or spares
Mirrored or backup servers
Routers, switches, hubs
Maintenance 24x7x7 contract or replacements
Recovery
Formalize a Hot Spot Partnership
Applications media archived
Escalation procedure to move to recovery quicker and to limit damages
Must notify if privacy is compromised
May need to isolate problem
May need to change passwords
Internal Hacks
60%-80% of hacks are internal - FBI
Bypassing the filter
- IP address (ping)
YouTube UK
Superintendent’s private files
Employee w Backdoor access
Internal Hacks
Anonymous surfing - Port 443
Inadvertent damage
Loading software from home
Deleting important configuration files
Attempting to help, wiping our systems
Denial of Service
In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection.
In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.
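The half-open connection attack described above is a TCP SYN flood, and its footprint on the victim is a pile-up of connections stuck in the SYN_RECV state. As an added example (not from the original deck), the script below parses netstat-style output (a constructed sample is embedded) and flags any listening port whose half-open count is both above a threshold and a large share of that port's connections; the sample addresses and the threshold values are assumptions.

```python
"""Half-open (SYN_RECV) connection monitor over netstat-style output.

Added example, not part of the original slide deck. It reads lines in the
layout of `netstat -ant` and flags listening ports that show the SYN-flood
symptom described above: many connections parked in SYN_RECV.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample (addresses are documentation ranges, not real hosts):
# one legitimate ESTABLISHED session on port 80 plus five half-open
# connections from sources that never complete the handshake.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.1:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.3:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.4:40004      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.5:40005      SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.11:52000        ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40009      SYN_RECV
"""


def parse_netstat(text: str) -> List[Tuple[str, str, str]]:
    """Return (local, foreign, state) for each TCP row; header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        rows.append((parts[3], parts[4], parts[5]))
    return rows


def half_open_by_port(rows: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count SYN_RECV entries per local port (the port being flooded)."""
    counts: Counter = Counter()
    for local, _foreign, state in rows:
        if state == "SYN_RECV":
            counts[local.rsplit(":", 1)[1]] += 1
    return dict(counts)


def flag_syn_flood(rows: List[Tuple[str, str, str]],
                   threshold: int = 5, ratio: float = 0.5) -> List[dict]:
    """Flag ports whose half-open count >= threshold and half-open share >= ratio.

    The ratio check keeps a busy but healthy service (many ESTABLISHED, a few
    SYN_RECV in flight) from being reported. Thresholds are assumed values;
    tune them to the host's normal backlog.
    """
    total: Counter = Counter()
    half_open: Counter = Counter()
    sources: Dict[str, set] = {}
    for local, foreign, state in rows:
        port = local.rsplit(":", 1)[1]
        total[port] += 1
        if state == "SYN_RECV":
            half_open[port] += 1
            sources.setdefault(port, set()).add(foreign.rsplit(":", 1)[0])
    alerts = []
    for port in sorted(total, key=int):
        syn = half_open[port]
        if syn >= threshold and syn / total[port] >= ratio:
            alerts.append({"port": port, "half_open": syn,
                           "total": total[port], "sources": len(sources[port])})
    return alerts


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("half-open per port:", half_open_by_port(rows))
    for alert in flag_syn_flood(rows):
        print("possible SYN flood on port %(port)s: %(half_open)d of %(total)d "
              "connections half-open from %(sources)d sources" % alert)
```

On a Linux host the same functions can be fed live `netstat -ant` output; enabling SYN cookies (`net.ipv4.tcp_syncookies=1`) is the usual kernel-side mitigation, since it stops the half-open table from being exhausted in the first place.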
BOT
Phishing
Trojan
Improper Access
Access to Obscene and Inappropriate Material from the School’s System
Inadvertent Access to Pornography
Julie Amero Story: 4 felony counts, firewall license expired, virus protection lapsed, no spyware defense, on an old Win98 system - obscene popup.
“It was an innocent search”
Domain name spoofs
Hate Sites … How to Build a Bomb...
Doom & Duke Nukem
What Is Web 2.0?
Refers to the most recent generation of web technologies and products including:
• Blogs
• Podcasts
• Wikis
• RSS Newsfeeds
• Social networking (MySpace, Friendster)
• Web applications with rich, interactive interfaces
User created content
Hey - 19,241,561
Hahaha - 34,181,513
Dance - 71,712,140
What Is RSS?
• RSS stands for Really Simple Syndication or RDF Site Summary. It is based on XML and is simple to learn.
• Used by blogs, websites, browsers and applications to deliver content to subscribers.
RSS in Plain English
Security Problems of RSS
• As an avenue for automated delivery of web-based content, it can be easily used as a delivery method for spam and phishing.
• Popularity of RSS syndication aggregators can make it easier to subvert feeds and redirect them from originators.
• But the biggest problem is the RSS enclosure capability, which is the feature of RSS which enables things like podcasting. Nothing in the specification limits this to MP3 files. It can also be used to deliver anything from Flash to executables. In most cases downloads happen automatically.
How To Secure RSS
• Verify accurate address of content delivery from your RSS feeds.
• Block downloads of executables and other high-risk content at the gateway
The Security Problems of Blogs
• As a complex web application, blogs have the same potential problems as most web applications, such as bugs and security holes which require patching, and susceptibility to classic web hacking techniques.
• However, interactivity of blogs provides some unique areas of attack, specifically in the typical ability for any reader to be able to comment within a blog. At the lowest level this makes blogs susceptible to spam but also opens up more dangerous exploits.
Example: The Storm Worm Variant
New Storm Worm Spreading Via Blog Posts
• A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs.
When infected systems visited blogs, the worm inserted script into the blog comments that linked to malware.
How To Secure Your Blogging Infrastructure
• Keep your blogging platform software fully patched and up-to-date
• Don’t allow unmoderated comments
• Configure blog to only allow straight text in blog comments
• Use software designed to block or limit what is known as “comment spam”. Examples of these include Bad Behaviour and Akismet
Cyberbullying Statistics
90% of MS students have had their feelings hurt online
42% have been bullied online
35% have been threatened online
21% have gotten threatening e-mail
53% have said something mean or hurtful online
58% have not told their parents about bullying incidents
Cyberbullying
Bully
At school
Poor relationship with teachers
Fear of physical retribution
Cyberbully
At home
Good relationship with teachers
Fear of loss of tech privileges
Further under the radar than bullying
Copyright Infringement
Everything on the Internet is protected by Copyright
If employer has the right & ability to supervise the actions of the employee & has a financial interest in exploitation… even if the employer didn’t know… he may be liable
SIA lawsuits, Record industry lawsuits
Copyright Infringement
Students cutting and pasting parts of Web pages onto their own
Improper use of student material
District Strategies
Supervise!
Educate staff, students, and parents
Develop a site limitation strategy
Develop a solid AUP
Keep policy decisions at the highest level
Establish an Educational Forum
Ensure that policy and practice are aligned
Ensure that AUP is signed - affirmative consent
You can allow limited “self-discovery”
If it is educational, access can’t be denied, restricted or suspended without due process.
Notice to student of alleged violation
Opportunity for student to respond to allegation
No denial of an account in advance of a hearing
Missouri suit
Arkansas suit
Ohio suit
Pennsylvania expulsion upheld
Court to school district: You can't stop a kid from creating a personal web site critical of your schools: Missouri school district becomes the latest to learn the hard way
From eSchool News staff and wire service reports
Sending a clear signal to educators everywhere, a federal judge ruled Dec. 28 that Woodland School District in Marble Hill, Mo., violated a high school student's free speech rights when it suspended him for posting a personal web page criticizing his school. The ruling makes clear that schools have no jurisdiction over what their students do in cyberspace, provided it's done on their own time and from their own computers.
U.S. District Court Judge Rodney Sippel issued a preliminary injunction that prohibits the district from using the suspension against student Brandon Beussink
in grade and attendance calculations. It also bars the district from punishing Beussink or restricting his ability to post his home page on the internet.
"Dislike or being upset by the content of a student's speech is not an acceptable
justification for limiting student speech," Sippel wrote in his opinion.
Newslines--Arkansas district settles lawsuit over student’s sexually explicit web page
eSchool News staff and wire service reports
Arkansas’ Valley View School District has settled a lawsuit involving a student’s internet site so it could begin the school year without the distractions of a court hearing, a school district attorney said Aug. 18.
Dan Bufford said the court case was causing too much disruption. “We were looking at sending six to eight teachers, seven to eight students, and three sets of parents from Jonesboro to Little Rock to testify,” Bufford said. “The distractions and the expense of that was just too
much.”
The American Civil Liberties Union sued the school district, contending the district wrongly suspended Justin Redman for 10 days. He was suspended for producing a web site that
mirrored the school’s official web site, but included sexually explicit photos and text, some of which
named other students and administrators.
John Burnett, the ACLU’s state legal director, said the settlement doesn’t mean the organization
agrees with the district’s actions. “Every school board and every school board attorney in the state is going to know about this case,” he said. “The schools are going to have to come to realization that, just as they cannot visit discipline on students for something they said at a
weekend party, they cannot do it because of something a student said on the world wide web.”
District must pay teacher-bashing student $30K: Court overturns suspension and upholds protection of student speech on the internet
Gregg W. Downey
A school district will pay $30,000 to one of its students who was suspended for making fun of his band teacher on the internet, according to the Associated
Press (AP). In return, the student will drop his half-a-million-dollar lawsuit against the district for the 10-day suspension, AP reported.
Superintendent Beverly Reep of the Westlake school district in suburban Cleveland was ordered in March by a federal judge to reinstate 16-year-old Sean O'Brien. O'Brien had been suspended for using his home computer to create a web site disparaging a band teacher.
The superintendent said the district suspended O'Brien for violating a policy forbidding students from showing disrespect to employees. A federal court told
the school district to stop trying to restrict O'Brien's right to free expression.
Pennsylvania judge: Expelling student for web site threats is OK
From eSchool News staff and wire service reports
A Lehigh Valley, Pa., school district did not violate a student’s constitutional right to free speech when it expelled him last year for allegedly threatening a teacher on his personal web site, a Northampton County Court judge ruled July 23.
Justin Swidler, now 15, was expelled in August 1998 after Bethlehem Area School District officials saw his web site, in which he allegedly asked for donations to hire a hit man to kill Nitschmann Middle School math teacher Kathleen Fulmer. Swidler’s family described the site as an attempt at satirical humor, not a terrorist threat.
The long-since-dismantled web site reportedly had a heading saying “Why She Should Die” above a sentence reading, “Take a look at the diagram and the
reasons I give, then give me $20 to help pay a hit man.”
Enforcement - Consistency
Schools have double standard for computer vandalism and crime
“It was just a joke.”
Nerd discipline
School yanks Internet access
Legal punishments
Incident policy
$10,000 damage award
The Evolution of 'Nerd Discipline'
As with most schools, our overall experience with computer technology,classroom applications, networks, and controlled internet access has been positive and
productive. There is, however, a small, smart, and venturesomesegment of our student population whose actions sometimes make it otherwise.
These are individuals who use school computers--occasionally in conjunction with computers at home--to test every rule, procedure, and established guideline ... and thus challenge
us to devise new and different ways of dealing fairly and effectively with a whole new category of "electronic" infractions. The infractions can range in severity from downloading
objectionable material to exchanging passwords, and from intentionally deleting student files to planting software devices designed to disable one or more targeted workstations, a whole
department, or the school's entire network.
Through constant monitoring and review of policies and rules, we can make every school's experience with computer technology as positive and productive as it can and should be.
Jeannine Clark is an assistant principal at Clarkstown High School North in New City, N.Y., and the school's building coordinator for the district's technology initiative.
School yanks student internet access By Rebecca Flowers
A school in Cloverdale, Calif., is being criticized for its decision to shut down student access to the internet after two local teens were accused of hacking Pentagon
computers. Some charge the school overreacted in issuing the internet ban, but school officials disagree.
The two students, sophomores at Cloverdale High School, have not been charged with any crimes, and investigators are certain the school's computer network was not used during any of the attacks. But the fear of sabotage or retaliation compelled school officials to close down access to the internet for all students at the school on March 5.
Although the FBI had not contacted the school, John Hudspeth, the boys' computer science teacher, disabled the hackers' network accounts and froze their personal directories.
"We had tried to limit the privileges of only the two hacking students, to allow the rest of the student body and faculty to enjoy continued online services," said Bill Cox, president of the board of education. "But either
other students were helping our hackers out of friendship or because they saw hacking as 'cool’ or our hackers had captured other account passwords and were using those accounts in direct violation of our
Acceptable Use Contract that all network users sign."
Threats of further retaliation in the Wired article coupled with attacks on one of the ISPs were enough to convince Cox that strong action was necessary. "Do we just wait around for our high school server to be trashed?" he said. School officials said the temporary suspension was needed to allow them to regroup and learn more about security. Cox also felt that the student body needed to think about the hacking issues in a more reasoned light.
Enforcement - Legal Charges
Some of the Legal Charges Against Students/Staff
1st Degree Computer Tampering - Felony
3rd Degree Computer Tampering - Felony
2nd Degree Aggravated Harassment - Misdemeanor
1st Degree Attempt to Distribute Indecent Material to Minors
Enforcement
Who do I call?
When should I escalate?
How do I secure the evidence?
How do I limit the damage?
Do I have to notify users of the breach?
What long term actions are needed?
Personal Use
“School computers, networks, and Internet access are provided to support the educational mission of the school. They are to be used primarily for school-related purposes. Incidental personal use must not interfere with the employee’s job performance, must not violate any of the rules contained in this policy or the student AUP, and must not damage the school’s hardware, software, or communications systems.”
• NSBA Legal Issues and Education Technology
Privacy
Parents & Public can access Web Logs
Exeter Schools
Indiana Superintendents
E-Mail and all electronic data is discoverable in litigation
Utah lawsuit
School Board’s e-communications may be in violation of state’s Sunshine Laws
South Carolina, Pennsylvania
Improper Access
Images from web pages are stored in cache and can be accessed from hard drive even without Internet access
Physics Teacher fired
Dean of Harvard Divinity School
Amero Tragedy
N.J. district sues teacher for allegedly viewing web porn
From eSchool News staff and wire service reports
The Bergenfield, N.J., board of education is suing a physics teacher to recoup wages it paid him while he allegedly viewed computer pornography during school hours.
The viewing took place in a school physics room and included times when students were in the room, school officials said.
According to the Associated Press, Alan Ross, who taught 11th- and 12th-grade chemistry, physics, and earth science before being suspended without pay last year, also has a tenure challenge pending. If Ross is found guilty, he would lose
tenure and the board would be allowed to fire him.
A report on computer-stored information viewed from Nov. 3 through Dec. 19, 1997 showed visits to about 2,900 sites, more than half of which were categorized as adult or personal. All of the online visits occurred during school time--and about 55 percent while students were present in the physics room, school officials said. No sites were visited on the three days Ross was absent during that period, they said.
Harassment
Off color and potentially offensive Internet jokes and e-mails circulating among staff may create a “hostile” environment
Teacher suspended
Harassment rules apply equally to electronic communications
Report abuse
Take immediate steps
Newslines--Judge upholds teacher’s suspension over sexually explicit eMail
eSchool News staff and wire service reports
A judge has upheld the three-week suspension without pay of a Scottsbluff, Neb., middle school teacher accused of repeatedly sending sexually explicit materials on the school district’s eMail system.
Gerald Schmeckpeper was suspended in December for insubordination when he disobeyed repeated requests to stop his eMail practice. The
school board upheld the suspension in January.
Schmeckpeper argued that he was told only to use caution when opening eMail. But District Judge Robert Hippe on July 13 said there was sufficient evidence to suspend Schmeckpeper. Schmeckpeper was receiving and sending eMail with crude jokes and cartoons and had several sexually explicit pictures stored electronically, Hippe said.
Copyright
LA Schools sued for $4.8 million in copyright abuse case
LA Schools settle copyright suit
Fair Use suit could influence what schools can publish on the web
Alleged software piracy could cost LA schools $4.8 million eSchool News Staff Reports
A coalition of software makers that includes Microsoft Corp. has targeted the Los Angeles Unified
School District (LAUSD), alleging its teachers and other employees have illegally copied software
programs.
The charges of piracy could cost the nation's second-largest school district (after New York City)
nearly $5 million over the next three years.
Under a proposed settlement, the district would pay $300,000 to the Business Software Alliance
(BSA), a trade group based in Washington State that was formed by Microsoft and other software
producers to protect their copyrights.
But the real cost of the settlement, which at press time was still subject to board approval, is the estimated $4.5 million the district would be forced to spend to replace the unlicensed software that allegedly has spread throughout its classrooms.
Newslines--LAUSD school board settles software piracy charge eSchool News Staff and Wire Reports
The Los Angeles Unified School District (LAUSD) will pay a computer trade group $300,000 to settle a lawsuit alleging that copyrighted computer programs were being unlawfully duplicated
for use in schools.
The settlement, approved Feb. 9 by the LAUSD school board, also requires the district to spend $1.5 million over the next three years on an eight-member team to find and eliminate any
unauthorized software and to train staff and students on district policy prohibiting the unlawful duplication of computer programs.
The Business Software Alliance, an organization formed by Microsoft Corp., Novell Inc., and other computer software companies, alleged that the West Valley Occupational Center in
Woodland Hills used unauthorized copies of numerous types of software, including Microsoft Word and Adobe Photoshop.
The group said it had found at least 1,399 copies of software that it contended were being used without authorization and asked for more than $562,000 in compensation.
LAUSD officials admitted no wrongdoing, but their legal counsel recommended settling to avoid an even more costly court battle.
Newspaper 'fair use' challenge could limit what schools and others post on the web: LA Times and Washington Post sue web site for
copyright infringement From eSchool News staff and wire reports
In a case with broad implications about what you can post on your schools' web sites, the Los Angeles Times and the Washington Post have filed a copyright-infringement lawsuit against the operator of a site that posts their stories without permission.
The lawsuit, filed Oct. 1 in a federal court in Los Angeles, accuses the Free Republic site of using hundreds of stories from the two newspapers, violating their copyrights and diverting
users and potential revenue from their own sites.
Rex Heinke, an attorney for the newspapers, said the Free Republic site has been posting the stories "on a very large scale for a very long time.” Reproducing the stories without the
publishers' consent is financially detrimental to the newspaper companies, Heinke said. The newspapers rely on hits to their own web sites to generate advertising sales, he said.
The Free Republic site, based in Fresno, Calif., posts the stories and allows users to write comments about them. The site's operator, Jim Robinson, said he has ignored warnings from the newspapers because the practice is protected by the First Amendment and the "fair use" doctrine of copyright law.
Teacher Web Sites
Sites created by teachers for their students that are not hosted on the school’s computer system may expose the teacher to risk.
Whenever possible, migrate the teacher’s site to the school system, where he/she is protected by the school’s AUP and computer use policies.
Teacher Assigned Links
“The links in this area will let you leave the school district site. The linked sites are not under the control of the district, and the district is not responsible for the contents of any linked site, or any changes or updates to such sites. The district is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of the site by the district.”
• NSBA Legal Issues in Education Technology
Confidentiality
The Family Education Rights and Privacy Act (FERPA) requires schools to have a policy that grants parents the rights to inspect and review the educational records of their children within 45 days of a request.
FERPA also requires a parent’s written consent before disclosing personally identifiable information about a student.
Advertising
School employees are often involved in outside businesses and they may find it tempting to advertise or solicit using the school’s e-mail.
Prohibition should include sending messages from home or other outside computer to school district e-mail users.
Politics
Any e-mail sent from the school computer system contains the school’s return address. It is the same as using the school’s letterhead. Accordingly, employees should be put on notice not to have their own opinions mistakenly attributed to the district.
Superintendent’s e-mail sparks state inquiry
Newslines--Middle school principal suspended for eMail violation eSchool News Staff and wire service reports
A Massachusetts middle school principal was suspended for 10 days because she sent an eMail message to her staff urging them to vote for a political candidate. Mary
A. Toomey, principal of the South Lawrence East School, might also have violated state ethics laws.
“As a result of the investigation, I determined that Mary Toomey exercised poor judgment,” said Lawrence Public Schools Superintendent Mae E. Gaskins.
Toomey eMailed the school’s staff soliciting their votes for Nancy J. Kennedy, who was running a sticker campaign for school committee. She sent the eMail the day
before the Oct. 5 primary election.
The eMail said Kennedy needed voters to place stickers printed with her name directly on the ballot. The stickers would be available at the school’s front office, according to the eMail message. Kennedy received the votes she needed and went on to win a spot on the committee. School committee spokeswoman Martha E. Previte said Toomey should have received a harsher punishment.
Fundraising
Schools may decide to permit fundraising with prior approval or they will prohibit it.
If they permit fundraising activity they must be careful not to discriminate and bar any speakers based on the message.
FOIL
Are e-mail, web logs, spreadsheets & word processing documents considered records under FOIL?
Web site logs
Policy directives
Correspondence and memos related to business
Work schedules and assignments
Agendas and minutes of meetings
Drafts of documents circulated for comment
Any document that initiates, authorizes or completes a business transaction
FOIL
Parents & Public can access Web Logs
Exeter Schools
Indiana Superintendents
E-Mail, IM, Voice Mail, etc. is discoverable in litigation
Utah lawsuit
FOIL
Administrators must plan for and design a filing structure that can adequately support operational needs and record keeping requirements.
You will have to retrieve everything - no matter where it is stored in mandatory Discovery.
If you keep everything it’s a problem
If you delete everything it’s a problem
Generally, records transmitted through e-mail and electronic systems will have the same retention periods as records in other formats.
Court: Schools must let parents view internet-use logs
From eSchool News staff and wire service reports
In a decision with broad implications for schools nationwide, a New Hampshire judge has ruled that the Exeter school district must make public copies of its
internet history logs so a father can check whether officials are doing enough to keep pupils away from the web’s seedy side.
James Knight, a father of four whose children attended district schools until recently, filed a lawsuit asking a judge to force the district to hand over its internet
logs after educators decided not to use filtering programs on computers children use.
The programs, which have been criticized for their accuracy, block access to objectionable internet sites. The district decided to use supervision and spot checks by teachers instead.
Superintendents’ use of school computers questioned From eSchool News staff and wire service reports
An investigation of computer records from 49 Indiana school districts by the Indianapolis Star has raised questions about what constitutes appropriate use of computers by administrators. In a Feb. 18 story, the Star reported that superintendents who are in charge of enforcing their districts’ web-surfing policies often violate their own rules. While many school internet policies
say web surfing should be for educational use only, some Indiana superintendents are shopping for cars, planning trips, and looking for other jobs on their district-issued computers,
the Star reported.
In fact, one superintendent’s internet records reportedly included two sites with pornographic material—an apparent violation of common school district internet policies, and one that cost
former Hamilton Southeastern Superintendent Robert Herrold his job in September. It was Herrold’s example that prompted the Star’s investigation.
The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites clearly were education pages. But 3,000 other sites—some of which also could have been viewed for educational purposes—ranged from the popular Amazon.com shopping site to more obscure sites.
DA eyes agency's failure to release school internet logs: Utah Education Network faces sanctions for overwriting data it was
ordered to disclose
Failure to hand over certain logs that track the wanderings of school computer users on the world wide web--including records showing attempts to visit sexually oriented or other banned sites--could result in a criminal investigation by a county district attorney in Utah. The target of the probe: the Utah Education Network (UEN), a public/private consortium that provides internet service to Utah's K-12 school districts.
In April, Michael Sims, an anti-censorship internet activist, filed for access to the school computer logs under Utah's sunshine law. He wanted to check what web
sites were being blocked by internet content filters used by Utah schools.
At first, UEN officials refused Sims' request, claiming they didn't own the logs. They said those records belonged to the individual school districts. Sims appealed that denial to the State Records Committee. At a hearing last month, the committee
agreed with Sims and ordered that the computer logs, purged of any confidential material, be released.
Electronic Discovery Overview
Pre-trial conference and preparation (what do you have?)
Produce electronic records, if requested
Cost allocation for producing records (Undue burden?)
Duty to Disclose
Preserve Evidence
In December 2006, civil procedure rules for discovery were updated to include more specific guidance on the production of electronic records.
Prevent document spoliation
Privilege / work product waiver
Sanctions and Safe Harbor
E-Discovery
Create an enforce an e-Document policy that minimizes the time Non-FOILable information is kept.
Create a litigation response that preserves data at the outset of litigation.
Educate employees on the need for a business approach to e-documents.
NSBA Legal Issues and Ed Tech
Duty to Disclose
• Define the environment and data controls
• Restrict data storage locations
  o Email & Voice mail
  o Shared folders and files
  o Database
• Data classification, handling and disposal policy
• Document Retention Schedules (especially email)
• User training
• Audit and assessment to validate controls
• Forensic Analysis capabilities
  o Internal discovery
  o Opposing counsel - "come and get it."
Preserve Evidence
• Records Management System
  o Enterprise wide
  o Litigation support only
• System controls
• Encryption
• Backup Records
• Notice to stop operations or restrict data disposal
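The e-Document policy, retention schedule and "notice to restrict data disposal" items above (E-Discovery, Duty to Disclose, Preserve Evidence) as one added example that is not the deck's or NSBA's code: a retention run that disposes of records whose schedule has expired, suspends disposal for anything under a litigation hold, and logs every decision so the deletions can later be shown to be routine. Record types, retention periods, custodians, the hold name and the sample records are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed retention schedule: days to keep each record type, None = permanent.
# Not any state's actual schedule; a district would load its own.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "email": 365,
    "policy_directive": None,
    "draft_for_comment": 90,
    "web_log": 180,
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    custodian: str


@dataclass
class RetentionEngine:
    today: date
    # hold_id -> predicate deciding whether a record is covered by that hold
    holds: Dict[str, Callable[[Record], bool]] = field(default_factory=dict)
    # (date, record_id, action, reason) for every disposal or hold-based retention
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def place_hold(self, hold_id: str, matches: Callable[[Record], bool]) -> None:
        """Litigation hold: suspends disposal of every record the predicate matches."""
        self.holds[hold_id] = matches

    def release_hold(self, hold_id: str) -> None:
        self.holds.pop(hold_id, None)

    def holds_on(self, rec: Record) -> List[str]:
        return [hold_id for hold_id, matches in self.holds.items() if matches(rec)]

    def schedule_expired(self, rec: Record) -> bool:
        if rec.record_type not in RETENTION_DAYS:
            return False          # no schedule yet: keep rather than guess
        days = RETENTION_DAYS[rec.record_type]
        if days is None:
            return False          # permanent record
        return rec.created + timedelta(days=days) <= self.today

    def run(self, records: List[Record]) -> Tuple[List[Record], List[Record]]:
        """Returns (kept, disposed); only expired, unheld records are disposed."""
        kept: List[Record] = []
        disposed: List[Record] = []
        for rec in records:
            if not self.schedule_expired(rec):
                kept.append(rec)
                continue
            active = self.holds_on(rec)
            if active:
                kept.append(rec)
                self.audit_log.append((self.today.isoformat(), rec.record_id,
                                       "retained", "hold " + ",".join(active)))
                continue
            disposed.append(rec)
            self.audit_log.append((self.today.isoformat(), rec.record_id,
                                   "disposed", "schedule expired"))
        return kept, disposed


def sample_records() -> List[Record]:
    """Constructed records covering each outcome (expired, current, permanent, unscheduled)."""
    return [
        Record("E-1", "email", date(2006, 3, 1), "board-clerk"),
        Record("E-2", "email", date(2007, 12, 20), "board-clerk"),
        Record("D-1", "draft_for_comment", date(2007, 9, 1), "principal"),
        Record("P-1", "policy_directive", date(1999, 6, 1), "superintendent"),
        Record("W-1", "web_log", date(2007, 5, 1), "network-admin"),
        Record("X-1", "voice_mail", date(2005, 1, 1), "principal"),
    ]


if __name__ == "__main__":
    engine = RetentionEngine(today=date(2008, 1, 15))
    # Hypothetical matter: everything held by the board clerk is frozen.
    engine.place_hold("smith-v-district", lambda r: r.custodian == "board-clerk")
    kept, disposed = engine.run(sample_records())
    for entry in engine.audit_log:
        print(entry)
```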
Open Meeting & Sunshine Laws
The use of e-mail and conferencing tools has raised questions.
If one Board member e-mails another about school board business, is that a violation of the state’s sunshine laws?
How about when board members use the telephone, e-mail, or faxes to poll one another about board business?
What about soliciting feedback from the public electronically?
Open Meetings Law
Electronic distribution of Board packets: OK
E-mail between members is considered a written memo and is discoverable.
Interaction via e-mail, bulletin board, chat, instant messaging, or video conference most likely constitutes a meeting and is in violation.
Open Meetings Law
Resource:
Robert Freeman
Committee on Open Government
www.dos.state.ny.us.coogwww.html
[email protected]
Board’s web feedback criticized Elizabeth B. Guerard, Assistant Editor
A Pennsylvania school board’s use of comments received over the internet has set off a controversy involving the state’s sunshine laws, which require
open access to public meetings.
When Central Bucks School District officials were faced with tough decisions that would uproot and place some 2,800 students in new schools, they solicited feedback from parents over the internet instead of using the
traditional, face-to-face format of a school board meeting.
Administrators at the Doylestown, Pa.-based district—the third largest in the state—say the process made it easy for them to see where the greatest
need for change was. But some parents who were unhappy with the proposed changes have questioned the validity of transferring the
democratic process online.
For one thing, the hundreds of electronic comments that were posted to the district’s web site were not made public. Barry Kaufmann, executive
director of Common Cause Pennsylvania, a state public interest lobby, said parents should be concerned that comments made online were not shared
with others in the community.
Private web forum snags school board eSchool News staff and wire service reports
Members of the Beaufort County (South Carolina) School Board and district Superintendent Herman Gaither have come under fire for using a private internet
bulletin board to discuss school district matters. The private electronic forum might constitute a violation of the state’s freedom of information laws, a South Carolina
media attorney says.
The issue raises questions about how existing laws meant to ensure the open exchange of public information should be applied to modern technologies such as
eMail and the internet.
Gaither said he set up the bulletin board so he could share information with board members on “sensitive or semiprivate information.” Only Gaither and board members had access to the site, which let them read and respond to internal
messages.
Jay Bender, the attorney for the South Carolina Press Association, said the state’s Freedom of Information Act prohibits public agencies from using technology to
conduct their business in private and that the bulletin board might violate the law.
Domain Names
Norwichschools.org vs Norwichschools.com
Purchase all available names
Maintain all school domain names rigorously
Porno site appears under school name
High cost of re-purchase
Legitimate third parties have put up school web sites that many parents believe is the “official” school site.
Irate e-mails that school didn’t respond
CIPA & E-Rate
Must certify that all users are protected from inappropriate materials
Must have public meeting
Must have AUP
Software Audits
LA Schools
RICs/Schools/BOCES
P.O.’s, Licenses, Hard drive snapshots
Data Monitoring
Q2a) Does your district monitor access to student records? N=381
Q2c) Does your district monitor student e-mail? N=381
Monitoring student e-mail, as well as who is accessing that data, is a first line of defense in keeping networks and students safe, yet:
• 56 percent of districts do not monitor student e-mail
• 16 percent do not keep track of who is accessing student information
Percentage of districts monitoring student e-mail
Percentage of districts monitoring access to student data
Network Access
39 percent of districts allow outside devices on the network, increasing the chance of introducing viruses and other malware to the network.
Q3) Does your district allow non-district owned devices to access the district’s network? N=381
“In the last year, we’ve prevented faculty and students from installing
software. We now remotely push out software because it can be very
dangerous when they do this on their own.”
User Authentication
Without proper authentication, districts may not become aware of holes or intrusions until it’s too late
11 percent of rural districts and 19 percent of western districts do not authenticate users
Tactic: Authentication limits the threat of malicious activity on the network. Consider
dual-factor authentication with password and revolving key for access to sensitive data
Q3) Does your district authenticate users to the network? N=381
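The "password and revolving key" tactic above, as an added example that is not part of the deck: the revolving key is an RFC 6238 time-based one-time code checked alongside a salted password hash, and each code is accepted only once so a captured code cannot be replayed within its window. The user name, password and shared secret (the RFC 4226/6238 test-vector key) are constructed; the one-window clock-drift tolerance is an assumption.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 30            # seconds per one-time-code window (RFC 6238 default)
PBKDF2_ROUNDS = 200_000   # slow hash so a stolen user table does not yield passwords


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time window."""
    return hotp(secret, unix_time // TIME_STEP, digits)


class SensitiveDataGate:
    """Password plus revolving key required for every access to sensitive data."""

    def __init__(self, drift_windows: int = 1):
        self.drift_windows = drift_windows   # assumption: tolerate +/- one window of skew
        self._users = {}                     # username -> enrolment record

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,              # highest code window already consumed
        }

    def authenticate(self, username: str, password: str, code: str, unix_time: int) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Burn the same hashing cost so unknown names are not detectable by timing.
            hash_password(password, b"\x00" * 16)
            return False
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return False
        base = unix_time // TIME_STEP
        for delta in range(-self.drift_windows, self.drift_windows + 1):
            counter = base + delta
            if counter <= rec["last_counter"]:
                continue                     # window already used: a replayed code is refused
            if hmac.compare_digest(hotp(rec["totp_secret"], counter), code):
                rec["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment using the RFC test-vector secret; the device would show
    # totp(secret, now) and the user types it with their password.
    secret = b"12345678901234567890"
    gate = SensitiveDataGate()
    gate.enroll("records-clerk", "correct horse battery", secret)
    now = 59
    print(gate.authenticate("records-clerk", "correct horse battery", totp(secret, now), now))
```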
• While acceptable use policies (AUP) are nearly universal (99 percent of districts report having one), 55 percent of districts update AUPs no more than once a year.
Tactics: AUPs should be treated as living documents, posted on district Web sites, and updated as often as necessary.
All users should sign an AUP before receiving access to district computers and networks.
Educate students and teachers throughout the year about online safety.
Q5b) How often is the AUP updated? N=381
Education
Network Protection
95 percent block or limit Web sites
89 percent place computers in view of adults
81 percent monitor student Web activity
38 percent maintain a closed district network
Q9b) Does your district do any of the following to protect students while they are online at school? N=381
Tactic: Many districts are turning to closed networks to limit access to only filtered content and
to monitor e-mail communication.
Districts can also evaluate Web sites on a regular basis to block them or make sites available,
protecting First Amendment rights.
Tactics
• Districts rely on filtering software as a primary defense method. More districts could benefit from using safety education as a tool to improve security.
Tactic: Filtering software is not a substitute for educating students,
parents and staff about the dangers of the Internet. Districts need to
engage the entire community in the IT security process.
Q10) What are some additional ways your district protects students while they are online? N=375
Network Protection
“I would say that we’re constantly looking for ways to improve. At a
minimum, [these new technologies] take a lot of management. What we’re looking for as technology evolves are
new ways to defend.”
IT Security Defenses
IT Breaches
• 9 percent of districts report at least one IT security breach in the last 12 months.
Q7) Have you experienced any breaches in IT security in the last 12 months?
Breaches by Metropolitan Area / Breaches by Enrollment
Urban and large districts are at greater risk
6 percent of districts say their networks are somewhat or very vulnerable to attack
Respondents say that a lack of funding and sufficient staff resources are the biggest barriers to improving district security.
Q11a) What are your district's main barriers to improving IT security?
What are the biggest barriers to security?
IT Barriers
IT Breaches & Barriers – Tool Users
23 percent of tool users reported an IT breach in the last twelve months
"Lack of budget" and "too few human resources" come out as top barriers to improving IT security, at 74 percent each
Q) Have you experienced any breaches in IT security in the last 12 months?
Q) What are your district's main barriers to improving IT security?
Campus Access
At 63 percent, security cameras are the preferred access control method among districts.
•Cameras, restricted entry and access cards are cited as having the most effective impact on physical security
•Retrofitting older buildings can be costly, hampering improvement efforts, forcing many schools to still use traditional locks and keys
Q19) Does your district currently use any of the following methods to monitor or control access to the buildings in your district? N=381
Q22) What changes implemented by your district have made a positive impact in physical security? N=381
Tactic: Most districts do not have real-time access to sex offender
registries. Districts can add another level of security by cross-checking
visitors with the registry before granting visitors access to
campuses.
Effective Security Tools
• During an emergency, real-time access and instant communication with local authorities improves response time and the ability to quickly address situations.
Only 35 percent of districts are connected to authorities
Is your district connected via the Internet to local authorities?
Tactic: Work with local fire departments and police to coordinate
emergency plans and communication.
Run regular mock drills to work out issues ahead of time.
Consider IP security cameras to give authorities an “inside view” of
schools.
Q24) Are the schools in your district connected via the Internet to local police and fire departments in case of emergencies? N=381
Local Authorities
Faculty Communication
• Districts rely heavily on traditional communication methods, like the phone and intercom, to reach faculty during emergencies.
Less than 3 percent of districts use cell phones as a tool
Weather-related Faculty Communication / Emergency-related Faculty Communication
Q25) In a weather emergency, during school hours, how does your district communicate with faculty? N=381
Parent Communication
• To reach parents during emergencies, districts use the phone far more than any other communication tool.
Weather-related Parent Communication
Q26) In a weather emergency, during school hours, how does your district communicate with parents? N=381
Emergency-related Parent Communication
Only 1 percent of districts report that they are considering emergency alert/notification systems that send e-mail and text messages to pre-selected groups
• 21 percent of districts report experiencing a physical security breach in the last 12 months; 50 percent of urban districts have had a breach.
Q23) Has your district experienced any breaches in physical security in the last 12 months? N=381
Physical Breaches
“Physical security has definitely been on our radar screen for a
while. Columbine was, I think, the catalyst that has really increased
security awareness.”
Respondents say a lack of budget, tools and staff are the biggest barriers to improving physical security.
Q11a) What are your district's main barriers to improving physical security? N=381
What are the biggest barriers to physical security?
Physical Barriers
“We’ve done a lot of planning and thinking and some practicing, and what
led to all that was our growth. We’re growing so fast that we’ve had to sit
down and really think about the issues we will have to face in the future.”