Information Security in Education/Administrator Awareness
Introduction
Target Audience
The primary target audience for this topic is K-12 administrators, although higher education administrators may glean some insight from the information presented here.
Threats to Schools
Conducting research on the role of K-12 administrators in dealing with their schools' information security will most likely yield very few, if any, results. The reason for the lack of information is most likely that most K-12 administrators simply do not view information security as a top priority. This is not surprising, since the job descriptions of K-12 administrators typically do not include monitoring computer network traffic for potential threats or security breaches. Furthermore, this type of training is usually not in the curriculum of principal certification programs. Although information security is neither a top priority for principals nor a part of their education, there are ways that principals can assist in securing their school's network.
In order for administrators to make informed decisions, it is necessary to know not only the problem but also its origin. In terms of information security, the origin of the problem(s) can be multifaceted. Most likely, though, the problem is people. According to Schneier (2004), "people often represent the weakest link in the security chain and are chronically responsible for the failure of the security system" (p. 255). [1] For the K-12 administrator, this means that the leading prevention for information security concerns is staff development. Although the term staff development typically refers to teacher training, in this case it refers to all staff (secretaries, custodians, aides, etc.) who have access to the school's network. School staff need to recognize that they play one of the most significant roles in information security.
Among the biggest threats that involve school personnel are social engineering threats. Social engineering is the act of manipulating people into divulging confidential information. [2] This type of threat can be used quite easily in a public school, since most public school employees, while cognizant of student confidentiality, are very willing to assist other school personnel in solving their problems. The main types of social engineering schemes are pretexting, phishing, baiting and quid pro quo. Each of these types of social engineering can cause major problems for schools.
Threats Defined
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and it is typically done over the telephone. It is more than a simple lie, as it most often involves some prior research or setup and the use of pieces of known information. In the case of a school, a call from someone pretending to be in the technology department would be an easy sell to most personnel, especially if at the time of the call the network was not functioning properly.
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business (in the case of a school, a fake e-mail from the technology department or administration) requesting "verification" of information and warning of some dire consequence if it is not provided. The fictitious e-mail could ask for passwords or for student or personnel information. A teacher could receive an e-mail from the "business manager" requesting updated banking information for direct deposit, or a social security number. Since school records and software are updated regularly, this type of e-mail from a fake business manager would probably not seem strange to an employee.
Baiting is an attack that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware-infected CD-ROM or USB flash drive in a location where it is sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. In either case, merely inserting the disk into a computer to see its contents would unknowingly install malware on that computer, likely giving the attacker unfettered access to the victim's PC and perhaps to the targeted school's internal computer network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted. In order for this attack to be successful at a school, the attacker would not need to go to much trouble. Any school employee would be subject to this type of attack, since the employee's goal would be to return the "lost" device to its owner, who would be assumed to be a student.
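Because the baiting attack above depends on inserted media auto-running, the first control a school's technology staff can check on each Windows PC is the AutoRun policy. The script below is an added example, not part of the original page; it uses the registry key and values Microsoft documents for disabling AutoRun (NoDriveTypeAutoRun = 0xFF, NoAutorun = 1) and assumes it is run locally on a Windows computer (the -Enforce switch name is the example's own).

```powershell
param([switch]$Enforce)   # run with -Enforce from an elevated prompt to apply the fix

# Microsoft-documented policy key and values for disabling AutoRun on all drive types.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Required  = @{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1 }

function Get-AutoRunPolicyState {
    # Returns one object per policy value with its current and required setting.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Required.Keys) {
        $current = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Required  = $Required[$name]
            Compliant = ($current -eq $Required[$name])
        }
    }
}

function Set-AutoRunDisabled {
    # Creates the policy key if it is missing and writes both DWORD values.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Required.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Required[$name] -Force | Out-Null
    }
}

$state = Get-AutoRunPolicyState
$state | Format-Table -AutoSize

if ($Enforce -and ($state | Where-Object { -not $_.Compliant })) {
    Set-AutoRunDisabled
    Write-Host 'AutoRun policy applied; re-run without -Enforce to verify.'
} elseif ($state.Compliant -notcontains $false) {
    Write-Host 'AutoRun is disabled for all drive types on this computer.'
} else {
    Write-Warning 'AutoRun is not fully disabled; re-run with -Enforce from an elevated prompt.'
}
```

On a domain-joined fleet the same two values are set centrally through the Group Policy setting "Turn off Autoplay" (Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies), so the script is most useful as a per-machine audit that the policy actually reached the classroom PCs.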
References
[1] Schneier, B. (2004). Secrets and Lies. Indianapolis, Indiana: Wiley Publishing, Inc.
[2] Wikipedia, "Social engineering (security)". http://en.wikipedia.org/wiki/Social_engineering_(security)