Network security is one of the biggest concerns affecting schools and business now and, without being too dramatic, it is really serious.
For some time as individuals and businesses, many of us had assumed our digital stuff is safe and that the free Virus Checker we got when we bought our computer in 2005 is still doing its job. My question is, would we take the same blasé attitude to the security of our own homes?
The unfortunate fact is that there are dozens, if not hundreds of bad people constantly walking around your digital neighbourhood, at any given moment. There are literally factories of people who make it their job to exploit the vulnerabilities of your network through malicious techniques such as DDoS, phishing, and other orchestrated techniques of Cybercrime.
The following are some important considerations that you should make when thinking about your school’s network security, in a way that most of us can relate.
Your home address
Having an “unlisted” home address, in network terms, can make it harder to find and therefore harder to attack. The less public facing it is, the better. Keep in mind that this is different from things like your website, which are more than likely hosted somewhere completely different and have little or no direct connection to your network.
Making your network as unattractive or invisible as possible means there is a greater likelihood of a cybercriminal moving onto the network “next door”.
See Remote Connection Security
Like your house, it is impossible not to have different ways to get in and out but limiting these is good practice. A classic example is the way that your staff remotely connect to the school. Ensuring that these entrances are not publicly visible and require some robust ways of getting in, is a big step in making things secure. Although it can be unpopular, using multi-factor authentication (like all banks now require), can provide a layer of protection you can’t get with a single username and password. Additionally, having a secure tunnel that connects the remote user to the server, also makes things safer,
See Remote Connection Security, Multi-Factor Authentication
Keys to the doors
It is not uncommon for temporary access to be granted to individuals within a school to third parties to complete work that is relevant to their network product or service. However, this may be like handing over a set of master keys. Having an internal system to ensure that these “keys” are handed back or that the locks are changed on the door they used, is critical to ensure that an entry is not left open.
This is a perfect example of critical operational procedures that have a variety of fail-safes. Traditionally schools have been very trustworthy not only with the use of the physical facilities but with the network. As New Zealander’s we have often viewed ourselves as living in a safe place, but in terms of our global network footprint, traditional geographies are irrelevant – cybercriminals do not care if you are in New Zealand and certainly do not care you are a school.
See Review Administrative Rights, Account Lockout Policy
Types of locks
Having a lock that is robust and difficult to replicate is essential. Passphrases are now replacing complex passwords – these are often easier to remember and contain more characters, like teeth on a key. In the digital world too, it is also essential to change the locks regularly as people can test your locks out with you even knowing. Additionally, you can create settings in your network that allow accounts to locked out once they have been tried too many times. This is now standard practice across a variety of everyday services such as Spotify, Netflix, and Office 365.
See Password Complexity, Account Lockout Policy, Multi-Factor Authentication
Who is home?
When someone knocks at your door at home, the first instinct is to peek and see who it is. If you recognise them, you usually open the door, unconsciously checking to see how they look, if everything is OK and asking, “why are they here?”. If you do not know who they are, you might keep the door chain on, ask them how you can help or ignore them entirely while filming them through an outdoor camera.
Your network should do the same thing. If being approached digitally, it should use checks like certificates and credentials to ascertain that you are there for the right reasons. Think of asking for a badge number or a number you can ring to confirm the charity and person is real…
Finally, you should consider some User Education. It would be impossible to stop everyone knocking at the door, particularly when we require some people to visit. But just like we teach “stranger danger”, the people in our network need to understand their role in keeping things safe. Being able to do something like identifying a suspicious email or not downloading malicious items onto the network are ultimately responsibilities of the individual. User Education is a crucial part of this, particularly for those with less confidence. It is also something that should be done regularly, as again, things are continually changing and getting more sophisticated.
See User Education, Software and Firmware Updates
From a computer itself to the core network structure, regular monitoring and alert systems ensure that there is some process in letting you know when things are not right. It may happen in the background like a good anti-virus programme, firewalling, or backup monitoring, but it can also be something that can alert a person when required. Making sure this alarm system is correctly installed, monitored and not merely a series of “watch out” stickers on windows, may prevent anything happening at all. This is the ideal scenario – the crooks see the cameras and alarms systems and just walk on by.
See Monitoring, Review Administrative Rights
A single computer or server with either outdated or unsupported firmware and/or software can pose a significant risk to your network. Additionally, any other network-attached device may hold vulnerabilities. Ensuring that there is a regular process of keeping things up to date and supported is like checking the locks are not corroding or the windows are becoming loose.
See Software and Firmware Updates
This goes without saying. Just like your home and valuables, having good insurance sorted is a must. Many schools are covered up to $250,000 a claim under the Ministry of Education Risk Management Programme (http://www.lumley.co.nz/keepsafe/cyber-cover.html), but equally a number are supplementing this or choosing another provider of their own. Regardless, this warrants a regular review, as the changing landscape of the not only the nature of the attacks, but the complexity of recovery is immense.
See Backups – Onsite, Backups – Cloud, Backups – Physical. Cyber Insurance, Data Privacy
If any of these ring alarm bells and you would like to request a free New Era Security Checklist, request an audit, or talk some more – please get in touch