When it comes to cybersecurity, school districts don’t present the content-rich targets that major corporations or government agencies might, but they also don’t have the same resources to protect themselves, says Jim Flanagan, chief learning service officer at the International Society for Technology in Education.
For example, he’s heard about several districts that fell victim to “ransomware” scams in which hackers hold a network or data hostage until they are paid off. “That’s a definite concern – breaches from individuals not being as guarded as they could,” Flanagan says.
Finding the right balance of network and server infrastructure security can be tricky, says Wayne Donjon, technology director at Desoto 73 School District in Shawnee, Kansas, which has four schools and slightly less than 3,000 students.
“The most secure thing would be to shut everything off and not offer the services,” he says. “But that doesn’t work. We’re making sure we have a data governance program. A lot of school districts probably don’t have these things hammered out.”
Phishing and spam campaigns are perhaps foremost on the mind of Emil Ahangarzadeh, coordinator of technology integration services at Santa Ana USD. “We get thousands of these,” he says. “We’re not Chase Manhattan. We’re not a military facility. But we have accounts. There is plenty of opportunity for identity theft. We have Social Security numbers.”
Flanagan suggests that districts consider moving their data and information to the online “cloud” rather than continuing to maintain their own servers, given the continuously updated expertise that’s necessary to prevent breaches. “They need trusted partners who are experts in cybersecurity and be renting that service vs. continually having to staff for the latest expertise,” he says.
Districts need to be on guard against inside jobs when it comes to preventing hackers from shutting down servers, particularly at certain sensitive times, Flanagan says. “A student can, for $50, or even free now, download denial-of-service protocols and shut down a district, just as a high-stakes test is about to happen, not coincidentally,” he says.
Schools and districts need to train faculty, staff and students to be appropriately suspicious and think critically when opening an email or attachment that looks unfamiliar, Flanagan says. “You need increasingly sophisticated network managers,” he says.
‘A Gargantuan Task’
To stay on top of these issues, Santa Ana will shortly be hiring a full-time security network analyst for its more than 60 schools with approximately 55,000 students, which will become especially important as it moves to one-to-one computing, where every student has a school-issued computer, Ahangarzadeh says.
“Monitoring all those devices on our network is going to be a gargantuan task,” he says. “It’s only going to get harder. We’re working closely with the Santa Ana police and all the local authorities to stay on top of what’s going on. We have an entire blog on information security. We take it seriously. The last thing we want is Santa Ana Unified School District on the front page of a newspaper saying we just lost 40,000 employees’ information, or worse, some kid just got hacked by a sexual predator.”
While people might not think of school districts as especially vulnerable to hackers, Ahangarzadeh says, they do present information-rich targets. “All I need to do is get a couple valid Social Security numbers, and I can make a pretty penny,” he says. “We’re a treasure trove. Websites on the ‘Dark Net’ will sell these products to the discerning buyer.”
The Santa Ana USD firewalls and content filters have done much to tighten the district’s networks, but Ahangarzadeh remains concerned about the vulnerability from on campus, where “it is pretty simple for somebody to walk onto a campus some place, with 60-some buildings, and physically plug into a jack and bypass the firewall system,” he says.
He’s even more concerned about phishing and spamming, and to that effect Santa Ana has launched a full cybersecurity education and awareness campaign in the 2015-16 school year called “Securing the Human.” This began with presentation to the principals and other top officials and has continued with an online voluntary course for anyone who wants to learn about cyber threats and the damage they can cause.
In April, the district launched an assessment component to that. “We’re phishing ourselves,” Ahangarzadeh says. “We’re designing full-on email campaign and socially engineering them to see who all is clicking on what.” The newly hired security analyst will run that program going forward, he says.
Santa Ana also has been running sophisticated software to determine which browser plug-ins are out of date and thus vulnerable to hackers. “Cyber criminals will take advantage,” he says. “This guy is using Explorer 5, which hasn’t passed muster for 10 years. They find the security vulnerabilities.”
Desoto 73 School District has been putting together as comprehensive a data governance program as it possibly can within its budget, while facing an upcoming review from the state auditor’s office, Donjon says. “It caused all of us to take a hard look at what we’re doing and to identify shortfalls,” he says. The technology office identified nearly 60 issues to resolve with its “limited” support staff. “We know we can’t fix everything overnight,” he says. “We’re trying to attack what we can when we can.”
The district faces challenges like retrofitting old buildings with new technology, which seldom produces ideal solutions, and a desire to shift away from using Social Security numbers in its system conflicting with the need for the Medicare program, for example, to be able to identify people that way, Donjon says.
“School districts are collecting and maintaining every sensitive piece of information about a family or individual – health, financial, legal, all of those things,” he says. “Every one of those things would be devastating to somebody in data breach. Trying to protect ourselves from something like that is kind of scary – and then we still have to keep a system that’s open enough for students and families to have access to, and for our staff to use as a system that works for them on a daily basis.”
A Layered Approach
The district uses a “layered approach” with firewalls, onsite and offsite filtering of user accounts to combat increasingly sophisticated threats coming from different directions, Donjon says. “There is no one product out there that would protect us from everything,” he says. And given Google and the cloud, with students receiving Google Apps for Education accounts this year and Chromebooks for 1,500 junior high and high school students next year, “Our cybersecurity cannot end when a student goes home on the bus,” he says. “It has to follow them wherever they are.”
In the Los Angeles Unified School District, the school’s police department has worked to break down silos and partner with local law enforcement as well as the FBI to monitor and evaluate cyber threats and determine whether and how to respond, says Steven K. Zipperman, LAUSD police chief.
“We have had various threats, as all school districts do throughout the nation,” he says. “We take a look at what’s happening in social media in general, in all the different platforms out there. We do have a unit that monitors social media sites, to get situational awareness of what’s happening that could affect us.”
The Hollister R-V School District in Hollister, Missouri, with four schools and approximately 1,500 students total, has approached cybersecurity with the philosophy that “you cannot legislate morality” and that given differing families’ viewpoints, “we keep everything as G-rated as you can,” says Sean Woods, assistant superintendent of district operations.
The district has made Facebook available on its network after school hours, which allows personnel to monitor students’ activity, Woods says. “If someone says, ‘I’m going to come shoot up the school,’ they’re going to type up words that are going to flash up on our server, and a counselor or school resource officer will meet with them the next morning and nip that in the bud,” he says.
Delicate information about personnel is housed in a third-party web-based program that’s fully data-encrypted, Woods says, and the district no longer collects Social Security numbers, giving every student a school ID number. “We’re trying to layer safety precautions,” he says. “As a public entity with limited funds, we’re probably more vulnerable than larger private-sector industries.”
Education about Social Media
The most progressive schools and districts are also accounting for the social and emotional components of the online world, Flanagan says. “Districts are taking this opportunity to help students learn about digital citizenship,” he says. “It forces us to address everything from bullying to what it means to be a good person: thoughtful, ethical and empathetic. We can’t just turn it off because it is ubiquitous and it is the world our kids are going to live in. They need to learn to manage it.
“We used to look at technology as something to overlay on education. Now we’re learning in a digital world. It’s the opposite. Unless you understand the elements of that you won’t be able to manage your life, manage your work and be an effective contributing citizen,” he adds. “A lot of that involves managing your own security – what it means to post something on Instagram.”
Santa Ana has put in place a system called Go Guardian, which monitors student activity in the school’s Google domain on email, chat and searches, in select schools where principals have for asked it. The program looks for words like “suicide” or those associated with sexual activity and creates a threat index, Ahangarzadeh says.
“We don’t use that against our kids, but we provide a threat index to principals,” he says. “Why does this kid have a threat level of 700? They’re searching for sex sites. They’re not able to access them, but the very fact that he is engaging in that kind of behavior is a potential danger to that child.” The district office monitors the system for those who opt into it and charge schools a certain fee, he adds.
The LAUSD unit that monitors social media watches how students communicate, and the district works to educate them on being responsible, Zipperman says. “It’s about making sure our kids are safe on social media,” he says. For example, with the scourge of “sexting,” he says, “Kids don’t understand where stuff ends up. We’re educating them with a new campaign called, ‘Now Matters Later.’”
Desoto 73 School District uses the Safe Mail product, which now works on Google Drive, to watch students’ activity for evidence of inappropriate materials, drug use, bullying, and possible suicides and self-harm, Donjon says. “It’s not just naughty words and pornography,” he says. “It’s students in crisis. … No parent wants their kids to be exposed to something that could harm them. And if they’re in trouble, the parent wants to know about it.”
School Messenger also contains a hotline for bullying and students in crisis, Donjon adds. “It allows students to send an anonymous text message or voicemail to someone at the school district whom we identify, who helps to monitor those things, so the student will know there is someone who can help them at any time,” he says.
Hollister R-V School District trains teachers through the iSafe system to keep students safe by watching for predators of various types, whether sexual abusers on the outside or bullies on the inside, Woods says. “It’s about how to spot when things are not right or not normal,” he says of the training. “Do we have kids bullying each other? Do we have kids threatening each other? Do we have kids threatening themselves?”
The school also provides social media education to students every year, as required by the federal government to participate in its eRate funding program for technology, Woods says. “If you’re a seventh grader, you’re going to do that for the next five years,” he says. “Is that enough [to guarantee students’ safety]? No, but it’s something.”