There's Bears in Them Thar Woods
by James Punderson
As submitted for publication in Inside Education December 2001

Talking about network security is roughly as much fun as talking about life insurance or income tax returns or watching your cousin’s vacation slides for the fourth time. And schools never had to worry about it very much. But now they do.  

You can try the ostrich act, as many schools are doing, and bury your head in the sand but the problem won’t go away. Thanks to the Internet, network security problems are getting worse, and they’re getting worse faster and faster. The woods are full of bears now.

Oh, for the Good Old days…

Schools have had networks for quite a few years. Security concerns were mostly limited to keeping students out of the grading program or keeping everyone (almost) out of the accounting system. Typically this was easy to accomplish; all that had to be done was to isolate the networks. For instance, the accounting system was only connected to a few offices mostly in the Board of Education building. So if unauthorized people were kept physically outside the office and away from the computer terminals, the system was secure (except from physical break-ins).

So We’re OK Then, Right? Wrong, Wrong, WRONG!

So what’s the problem? The biggest part of the problem is the incredible rate at which we raced to connect everyone in our school districts to the Internet. And the bottom line is that if everyone is connected to the Internet, then they are all connected to each other. PERIOD. I remember when the big Internet wiring jobs started, we would have schools say to us, “We want the business office hooked to the Internet and we want the students hooked up to the Internet BUT we absolutely don’t want them connected to each other. Bad news, folks, you can’t get there from here. I’d tell them that if they absolutely, positively wanted no connection between the networks then one of the networks could not be connected to the Internet. I’d hasten to explain that there are many things that can be done to safeguard the connection but there is still a connection. Invariably they went ahead and connected all the networks to the Internet. The lure of browsing and e-mail was just too hard to resist.

But even after connecting, many schools continue to focus almost exclusively on the danger from within; the fear of students changing their grades, reading confidential files and just plain messing up their computers. But there’s a much bigger danger these days, the danger of malicious attacks from outside the school building. Folks, there are nasty, evil people out there who will wreck things if given half a chance.

Extremely few school districts employ anyone with more than a tiny understanding of Internet security problems. Their computer people may be experts at keeping the kids from installing games on their computers or getting into the grading system from the classrooms but that’s a whole different skill set. Unfortunately not too many districts hire knowledgeable outside security consultants to fill in this skill gap. The sad part is they don’t even know they have an exposure.. There’s an astonishing level of complacency about this, at least in our experience.

Bad News: You’ll Never be Safe From the Pros

Face it, if the FBI, CIA, NSA and Pentagon web sites can get hacked then so can your network, no matter who you hire to work on them and no matter how diligently they work. That’s the bad news. Does that mean you shouldn’t do anything? No, it’s just like the physical security of your building. Any sufficiently determined person with specific knowledge, adequate resources (lock picks, dynamite, bulldozers, etc.) and plain old perseverance will find a way to break into your building but that doesn’t mean you shouldn’t lock the doors.

Good News: You can be Pretty Darn Safe From the Script Kiddies

The good news for schools is that pro level hackers are highly unlikely to be the least bit interested in anything you have on your school network, and they will gain no glory or fame from breaking into it. But there are others. Also known in the business as ankle-biters, packet monkeys (and other derogatory terms), “script kiddies” are usually relatively unskilled but bored, mischievous and/or malicious teenagers. If someone else has created the Internet equivalent of a lock pick or pry bar, they will run all over (using computerized scanning programs) and check all your network “doors” and “windows” for openings they can try to break into using their new toys.

Just as the locks you put on your real doors will keep out most potential intruders, so too the network “locks” will keep out the script kiddies. By definition, they exploit only “known” vulnerabilities. So if you, or someone working for or contracted by you, will ensure that your system is swiftly protected against “known” vulnerabilities as they become ‘known”, then you will have protected yourself about as well as can be practically done without exorbitant expense. Did you catch that word “swiftly” in there? That wasn’t filler; you really need to act quickly if you want to prevent damage.

Time is of the Essence

The security war is a fast-paced arms race between the hackers and the hardware and software industry. You can get away with never upgrading the news on your web site or even with keeping your old Word Perfect 4.1 with it’s blue screen and white text but you cannot get away without someone paying constant attention to the security arrangements protecting your school network from outside intruders. Just this last week for example, there were over 20,000 unsuccessful “Nimda” (Admin spelled backwards—a particularly fast spreading combination virus and worm) attacks on our own corporate network.

This year alone over 40 different security fixes have been released for the popular Microsoft Internet Information Server. What happens if they don’t get installed? It’s the electronic equivalent of leaving the back door to your house unlocked. Every day’s delay is another round of Russian roulette. A lousy game and I don’t recommend it. Plan to have someone whose responsibility it is to update your “locks” as often as holes in your defenses are discovered by the computer industry.

Better News: You Don’t Have to Lose Everything Anyway

But even though you can’t totally ensure that hackers will be kept out of your network, there is one, simple-to-understand thing you can do to keep from suffering a catastrophic loss. You can make sure that backups are made daily of all your critical and changeable data and weekly ones of everything else. After all, if your data has been totally destroyed, a good set of backups is your only hope to retrieve it. That way, even if a high-level hacker breaks into your system, you can quickly fix it with nothing but a temporary loss of function and a few hours of data. But, and this is a BIG but, while most everyone in the world with a network knows they should be doing backups daily, only a little teeny, tiny percentage of them actually do it. (The ones that do backups usually don’t make sure the backup process actually worked by testing to see if they can restore files selected at random.)

What Else You Can Do

Even if your network people tell you there’s nothing to worry about, it would be prudent to periodically get a second opinion. There are numerous consultants and sites on the Internet devoted to security. Having your site checked for security issues is not particularly expensive and certainly not when you compare it to the loss of critical data and public embarrassment, which often results from hacking attacks. 

For example, a rather large district near here (not a client of ours) was hacked. They said they weren’t going to put up their web site again till they were sure it was safe. But the very same security hole we saw before they were hacked was still there after the security “upgrade. Get an expert, not a BS artist or a wannabe. Ask for references. Call the references.

Don’t be a poster Child for What Not to Do

Don’t let yourself become the horrible example that all your neighboring districts learn from. “Did you hear what happened to so-and-so; their whole network was vandalized and their school board is all wound up about it. I guess we better check into our defenses before it happens to us.” Avoid the rush. Check it out now. And next week. And the week after that. Repeat forever.

What is Your Final Answer?

What happens if you don’t do anything about this? If you’re very, very lucky, when they break in they will only look around. If not they could destroy data or, even worse, make subtle changes so that you don’t find out until much later that you have a big problem.

As Clint Eastwood said in the 1971 movie “Dirty Harry” “You've got to ask yourself one question:  ‘Do I feel lucky?’” Well, do you?