Introduction

Education agencies thrust into the world of computer networks and electronic communications are often unprepared for the related security risks and are unaware of many of the strategies that can protect their system. The agency's technology officers or technical staff working directly with Internet or intranet (i.e., internal networks, as opposed to the outside world of the Internet) networks will most readily appreciate the technical aspects of security presented in this chapter. Nontechnical staff should find the broader discussion of security helpful in understanding the absolute necessity for and value of securing all facets of the agency's network. Security is a process that focuses on "CIA": confidentiality, integrity, and availability. The recommendations in this chapter are detailed and extensive. Education agencies must be prepared for every eventuality ranging from a careless employee walking away from a computer station that is logged onto a sensitive data site to a hacker trying to break into the agency's system to physical destruction of the network by a tornado, hurricane, or earthquake. An agency involved in maintaining a computer network, especially one with Internet access, should use the information in this chapter to identify and resolve system vulnerabilities and in so doing reduce the risk of liability. The security recommendations described in the chapter are solid, fundamental business practices that are, for the most part, not unique to the education sector. However, because education agencies are responsible for ensuring the physical safety of children in a stable environment that fosters learning, the obligation to extend security precautions to online computer information systems is especially strong.
In addition to student safety, other areas at potential risk include the confidentiality of student, staff, or financial data sent or received through the Internet; the integrity of intellectual property; and the investment in hardware, software, and other resources. When considering security precautions, education agencies in particular should take note that the greatest exposure to risk comes from within the organization. Internal agency employees perpetrate most network security violations. Malicious, or even unintentional, corruption of data, hardware, or software can be crippling to any enterprise. Illegal acquisition and disclosure of sensitive student information can harm a child and ultimately the school system. An agency should assess the legal and financial ramifications of failing to make a reasonable effort to secure the network and its many components. The following key areas for strategic planning organize the discussion of network security in this chapter. The following methods for securing each component of the network, whether a local or wide area network, are presented:
Security Assessment

The first question to ask is: what needs to be done to provide appropriate security for the agency's network? The total network is only as secure as its weakest link, and, as mentioned, most security breaches occur from people who work inside the agency itself. For this reason, the implementation of very simple security measures, many of which are free or are inexpensive, can provide significant protection for the total network. The first step is to perform a security assessment. If multiple agencies are connected to a larger intranet (a private network that provides users access within the agency and to the public Internet), the security assessment is ideally performed collaboratively. Common security strategies should be employed throughout this intranet and for all components of the network. In performing a security assessment, the agency should address each of the topics discussed in this chapter. In assessing the level of security, agency staff should
A security plan should be written under the auspices of the district technology director, but should involve other agency representatives. When developing the plan, the agency should consider the following issues:
Securing Hardware

Hardware security includes the physical protection of equipment (e.g., computers, printers, monitors, etc.) from both theft and damage. Different types of hardware require different types of protection. Servers and related equipment should be placed in a secure room with limited access. The room should have proper environmental conditioning and fire protection equipment (i.e., fire extinguishing systems should be used in areas where water cannot be used). While this may seem obvious, an asset (inventory) control system will assist with the agency's technology planning efforts. Without an asset control system, the agency will be unable to determine what hardware exists or where it is. This system is also important so that the agency can determine which computers, or other systems, need to be replaced as they become obsolete. Along with the obvious fact that proper security deters theft of property, effective hardware security bars unauthorized access to the server. Proper security prevents people from tampering with server settings, corrupting data, or gaining access to unauthorized programs and confidential information. Measures for securing hardware systems include the following:
Securing Operating Systems

The operating system (OS) is the underlying computer system on which application programs run. Choosing an OS is a critical decision that directly affects the security measures an agency must take. Some OSs are easy to use but less secure. Others are more complicated to maintain but when properly configured are virtually impenetrable. Whatever the choice, the system must be "hardened," or secured, by removing unneeded functions, restricting access, and tracking changes and processes. If, for example, a port (i.e., a doorway into a system) is left open unintentionally, it can become the door through which an intruder can enter the network. Conversely, if the system is secure, intruders will have a much more difficult time entering the system. Many OS options are available, from "UNIX-like" freeware (public domain software offered at no cost) to various Microsoft and Apple products, which vary in acquisition and maintenance costs. Acquisition cost does not necessarily indicate the power of any particular OS. The agency should ensure that the hardware and OS combination is robust enough for the intended purpose. The OS must have the ability to be configured to meet both the service and security requirements of the agency. The criteria for the OS selection should be based on the agency's needs assessment. The agency should take into account the resources necessary to support the OS. If the agency chooses to run a mixed environment (a combination of hardware and software utilizing more than one OS), it should be sure the support resources required to maintain this configuration are available. A mixed computing environment requires additional expertise and resources in order to maintain proper security. OS security consists of limiting access to network resources, such as centralized applications, files and directories, network printers, and other such components.
Personnel should have network access only for the specific tasks related to their work. An appropriate policy for OS security is a baseline denial of access to all components by all personnel, with explicit access privileges granted on a case-by-case basis. User login credentials identifying the role(s) and profile of the user should "describe" the user's access parameters to the OS. The extent of access to network resources granted to the user should be based on the individual's authorized role/profile. Different operating systems regulate user access in different ways; however, each provides similar functionality by assigning Read, Write, and Execute permissions on directories, files, network printers, etc., to groups of users or individual users as required. Some access-related security measures that should be implemented are as follows:
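The default-deny baseline described in this section can be checked mechanically. The following is an added example, not part of the original chapter: it assumes POSIX file permissions, and the directory names, file names and the grant table are constructed for illustration. It reports every Read, Write or Execute bit that goes beyond what was explicitly granted.

```python
import os
import stat
import tempfile

def letters(bits):
    """Turn a 3-bit permission triplet into a string such as 'rw'."""
    return "".join(ch for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit)

def audit_tree(root, group_grants):
    """List permission bits that exceed the default-deny baseline.

    group_grants maps a path relative to root to the permissions explicitly
    granted to its owning group; unlisted paths get no group access, and
    "other" users never get any access.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about access
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(st.st_mode)
            granted = group_grants.get(rel, "")
            extra = "".join(p for p in letters((mode >> 3) & 7) if p not in granted)
            if extra:
                findings.append((rel, "group has ungranted " + extra))
            if mode & 7:
                findings.append((rel, "other has " + letters(mode & 7)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data; every name and grant below is made up."""
    dirs = {"grades": 0o750, "payroll": 0o750}
    files = {"grades/2024.csv": 0o640, "payroll/march.csv": 0o664, "notes.txt": 0o600}
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    return {"grades": "rx", "grades/2024.csv": "r",
            "payroll": "rx", "payroll/march.csv": "r"}

def demo():
    with tempfile.TemporaryDirectory() as root:
        return audit_tree(root, build_sample_tree(root))
```

Only `payroll/march.csv` is reported: its group holds a write bit that was never granted, and it is readable by users outside the group.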
Securing Software (Applications)

As noted earlier, software programs are applications that run "on top" of the operating system. The most common applications are information systems, word processors, spreadsheets, e-mail programs, and web browsers. There are literally thousands of applications available. The purpose of this section is to provide education agencies with recommendations for securing software applications. Security in this area will limit (not eliminate) copyright infringements, assist in the proper licensing of software, and attempt to ensure that only authorized persons have access to software installation media. Software installation media should be stored in a centralized location with proper documentation of the number of licenses and number of installations. These media should be protected from harsh environmental conditions, such as excessive heat, moisture, and electrical and magnetic fields (EMF). All software media should be backed up regularly to ensure that no data are lost. Periodic backups stored in a secure off-site location will make it possible to recover quickly from a catastrophe on site. The agency should take into account regional peculiarities when storing backups off site. For example, in areas prone to earthquakes, media should not be stored in high-rise buildings; in areas prone to flooding, media should be stored in a facility away from the flood plain. Some recommendations for software security are as follows:
Securing the Network

The same security procedures in place for server hardware apply to equipment that supports the network, including switches, hubs, routers, firewalls, access points, cabling, etc. Network equipment should be installed in an environment with proper ventilation and power requirements and should be protected from unauthorized access. The agency should place the equipment in dedicated building spaces. Access should be limited to staff that have a key, combination lock, key card, or other security device. Some basic precautions for securing network equipment are as follows:
A fundamental action the agency can take toward maintaining a secure and reliable network is to hire a qualified individual to serve as the network administrator. Network administration is not a task for the average high school teacher/technology coordinator. Many agencies, however, cannot afford to hire an experienced network administrator for each school and often do rely on faculty for this position. If a teacher/coordinator is to be responsible for a school network, the agency must recognize training and professional development as priorities. Agency network policies and procedures should be clearly defined. These policies should be made readily available to anyone responsible for maintaining the network. Listed below are some items to consider for agencies managing their own networks. The responsibilities of a network administrator are, for the most part, very technical in nature. This reinforces the point that training is critical for anyone with the responsibility of running a network. Agencies should
Wireless Networks

Wireless communication is a rapidly evolving technology that is becoming increasingly prevalent in everyday life. The built-in security for wireless computer networks, however, is relatively weak. Technology coordinators need to pay particular attention to secure these networks properly, and the network administrator must keep up to date on emerging methods for securing wireless networks. Some security measures to consider when planning a wireless network are as follows:
If hackers are able to guess or crack the agency's WEP keys, they will not be able to access the remainder of the internal network because VPN and VLAN architecture with access lists will allow only authorized VPN clients to be routed to the network from a wireless VLAN segment. Hackers will be able to attack clients on the same subnet, however, and if one VPN connection is left up, it could be abused to access the rest of the internal network.

Network Reliability

Reliability of the network is a key to daily business operations and to an effective instructional program. Everyone in the school hears about the times a teacher has scheduled a web-dependent lesson only to be unable to access the network. It is imperative that "mission-critical" applications (e.g., financial systems, student information systems) always be available to those who depend on the systems. Network architecture designed for redundancy, with built-in backups for primary resources, minimizes the incidence of network downtime. When considering this issue, the agency should take into account the extent of redundancy needed. Where it is possible, consider redundancy in both LAN and wide area network (WAN) architectures during the design phase. The agency should select redundant service providers that use separate infrastructures. Some specific redundancies that can be built into the network apply to
Another measure to maximize network reliability is the implementation of intrusion detection systems. Intrusion detection systems are host-based or network-based software that monitors attempts to break into and gain access to the network. These systems watch data packets as they transit the network outside the firewall. They monitor attempted port scans, distributed denial of service (DDoS) attacks, and other intrusion attempts. Intrusion detection protocol should include the following tasks:
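To make the port-scan monitoring mentioned in this section concrete, here is an added example that is not part of the original chapter. It assumes a simple, constructed firewall log format with time-ordered lines and documentation-range addresses, and flags any source that touches many distinct destination ports within a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption): "<ISO time> <ALLOW|DENY> TCP src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2024-03-04T10:00:00 ALLOW TCP 198.51.100.20:40001 -> 192.0.2.10:443
2024-03-04T10:00:01 DENY TCP 203.0.113.7:51000 -> 192.0.2.10:21
2024-03-04T10:00:02 DENY TCP 203.0.113.7:51001 -> 192.0.2.10:22
2024-03-04T10:00:03 DENY TCP 203.0.113.7:51002 -> 192.0.2.10:23
2024-03-04T10:00:04 ALLOW TCP 198.51.100.20:40002 -> 192.0.2.10:443
2024-03-04T10:00:05 DENY TCP 203.0.113.7:51003 -> 192.0.2.10:25
2024-03-04T10:00:06 ALLOW TCP 203.0.113.7:51004 -> 192.0.2.10:80
2024-03-04T10:02:00 DENY TCP 198.51.100.99:42000 -> 192.0.2.10:22
2024-03-04T10:05:00 DENY TCP 198.51.100.99:42001 -> 192.0.2.10:23
2024-03-04T10:08:00 DENY TCP 198.51.100.99:42002 -> 192.0.2.10:25
2024-03-04T10:11:00 DENY TCP 198.51.100.99:42003 -> 192.0.2.10:80
2024-03-04T10:14:00 DENY TCP 198.51.100.99:42004 -> 192.0.2.10:443
truncated line without fields
""".splitlines()

def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Return ({source: time of first alert}, number of unparseable lines).

    A source is flagged once it has reached at least min_ports distinct
    (destination, port) pairs inside the sliding window.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> (timestamp, target) pairs in window
    alerts, skipped = {}, 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count malformed lines instead of silently dropping them
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, (m["dst"], int(m["dport"]))))
        while ts - q[0][0] > window:
            q.popleft()  # forget contacts older than the window
        if len({target for _, target in q}) >= min_ports:
            alerts.setdefault(m["src"], ts.isoformat())
    return alerts, skipped
```

With the default 60-second window only 203.0.113.7 is flagged; widening the window to 900 seconds also flags 198.51.100.99, whose probes are spaced minutes apart, so the window length is a tuning decision.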
Data Security

Data drive the engine of each educational organization. From payroll records to "data-driven decisions" about instructional programs to student information systems, human resources files, transportation information, and student portfolios, data integrity is critical. Keeping data secure is the primary mission of those in charge of technology. Protecting the agency's data by implementing robust architectures and comprehensive backup and recovery plans is extremely important. The agency must take every precaution to prevent unauthorized users from changing data, deliberately or inadvertently, by way of a "hole" in security procedures. Security holes can occur from outside through the web or internally from within the LAN. The following recommendations for maintaining data security are based on using Redundant Array of Independent Disks (RAID). This allows the same data to be stored in different places on multiple hard drives. When using RAID, the following steps should be taken:
Backing up Data

The reasons for backing up data are obvious. However, many agencies (both inside and outside the education community) do not take this task seriously until they lose data. When the payroll information cannot be found or when all the student information entered into the system during the day is lost, people will pay attention to backing up data. It is better to pay attention before a disaster strikes.

What is a network security policy?

A network security policy defines the rules that apply to all users accessing the network. It includes how they are given access, what they can do once they have access, and what will happen if they don't follow the rules.

Which of the following is an element of a network security policy that explains for what purposes network resources can be used?

Acceptable use policy: Explains for what purposes network resources can be used.
Authentication: Describes how users identify themselves to gain access to network resources. Logon names, password conventions, and authentication methods should be described.

Where should a NIDS be placed to protect the entire network?

Network intrusion detection system (NIDS) is an independent platform that examines network traffic patterns to identify intrusions for an entire network. It needs to be placed at a choke point where all traffic traverses. A good location for this is in the DMZ.

What has occurred when all routers in a network have accurate?

A state of convergence is achieved once all routing protocol-specific information has been distributed to all routers participating in the routing protocol process.