Oct 31 2006

Foiling Student Hackers

Outside threats to computers and networks are just one aspect of the IT security challenge facing schools today. There are also threats posed by a school's tech-savvy students.

Melissa Solomon

HACKING INTO HIS HIGH SCHOOL network was child’s play for Reid Ellison. The question was what to do once he got in. Since the straight-A student couldn’t raise his grade-point average any higher, he bumped it down from a 4.0 to a 1.9.

As part of a technology security project a few years ago, Ellison got permission from his principal at Anzar High School in San Juan Bautista, Calif., to hack into the faculty-only section of the network. Ellison downloaded easily available software from the Web and used it to launch a brute-force attack. In less than a second, he was in.

“I think they were a little shocked that I was able to do it in such a short amount of time,” recalls Ellison, who is currently a freshman at Columbia University in New York City. “It was a wake-up call.”

Anzar High School was very lucky. Many school officials around the country have learned the hard way that technology security is not just about protecting their networks from outside threats. It also involves keeping mischievous or malicious students from accessing parts of the network where they shouldn’t be. In fact, it was a student grade-changing scandal at a nearby high school that gave Ellison the idea for his project, which earned him an A, by the way.

“We’ve got hundreds of kids who are smart, and they’ve got all this teen angst and motivation to push the envelope,” says Mike Annab, director of technology at Valley Christian Schools in San Jose, Calif. “Once they’re on the inside, that’s a huge hurdle. You have to treat them like—I hate to say it—hackers in training.”

Schools face an especially volatile mix of ingredients when it comes to keeping their networks secure: tight school budgets, faculty members who downplay the importance of information security and rebellious students who are often more tech-literate than their teachers.

At the same time, schools strive to provide students with access to the latest technology and teach them to excel at using it.

“We want students to be tech-savvy,” Annab says. “We absolutely do. We just want them to flex their intellectual muscles in a positive way. We teach students that if you really want to be creative, then construct, don’t destruct.”

Late-Night Intrusions

About a year ago, the intrusion detection system (IDS) logs at the Gary and Jerri-Ann Jacobs High Tech High School in San Diego turned up some suspicious activity: It appeared that a teacher had logged onto the software used to track student grades after midnight on a Tuesday.

When questioned, the teacher confirmed the IT team’s suspicion that a student had used the teacher’s name and password to hack into the network. The teacher then helped IT determine who might be responsible. The IT team rechecked the IDS logs, which showed that the network was accessed from a suspected student’s personal notebook computer. He was expelled.
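
The kind of log review that surfaced the High Tech High intrusion, sketched as an added example (not code from the article or the school): flag grade-software logins that fall outside school hours or come from a device the staff account does not normally use. The log format, account names, device names and school hours are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample of grade-software login events (not real logs).
# Assumed line format: ISO timestamp, staff account, source device name.
SAMPLE_LOG = """\
2006-10-16T08:12:44 jsmith STAFF-LAB-014
2006-10-16T15:47:02 mlee STAFF-OFFICE-003
2006-10-17T00:23:51 jsmith STUDENT-NB-8821
2006-10-21T10:05:10 mlee STAFF-OFFICE-003
2006-10-23T07:58:30 jsmith STAFF-LAB-014
"""

# Assumption: inventory of devices each staff account normally uses.
KNOWN_DEVICES = {
    "jsmith": {"STAFF-LAB-014"},
    "mlee": {"STAFF-OFFICE-003"},
}
SCHOOL_OPEN, SCHOOL_CLOSE = time(6, 30), time(18, 0)  # assumed school hours


def parse_line(line):
    """Split one log line into (datetime, account, device)."""
    stamp, account, device = line.split()
    return datetime.fromisoformat(stamp), account, device


def review_logins(log_text):
    """Return (line, reasons) for every login that merits a follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, device = parse_line(line)
        reasons = []
        if when.weekday() >= 5:  # Saturday or Sunday
            reasons.append("weekend")
        elif not (SCHOOL_OPEN <= when.time() <= SCHOOL_CLOSE):
            reasons.append("off-hours")
        # An account unknown to the inventory has no trusted devices at all.
        if device not in KNOWN_DEVICES.get(account, set()):
            reasons.append("unrecognized-device")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in review_logins(SAMPLE_LOG):
        print(f"{', '.join(reasons):32} {line}")
```

A flagged entry is a prompt to ask the account owner, as the IT team did with the teacher, not proof of misuse on its own.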

Thwarting student hackers is a significant portion of the security job, according to Tim Garton, director of information technology at High Tech High. “I think about it on a daily basis,” he says. “But I can’t do it all myself. You really have to get the teachers involved so they can watch out for suspicious activity.”

At each year’s orientation, Garton warns staff of the dangers of walking away from computers without logging off and of typing passwords in front of students. Garton also uses software that accepts only passwords that have complex combinations of letters, numbers and characters.

“It takes only one weak password,” Garton points out. “If the students get hold of it, then it’s all over.”

Many security measures can be expensive, but the most-effective tools—restricting network access and requiring strong passwords—don’t cost a thing, Ellison notes.

While Ellison hacked into Anzar High School’s network with high-tech tools, he also demonstrated the role social relationships play in security. Since his freshman year in high school, Ellison had been one of several student volunteers who repaired computers at the school, so the staff and faculty trusted him. He explains that this unmonitored access gave him the opportunity to install a keystroke monitor—tiny hardware that connects the keyboard to the computer and records keystrokes—on a faculty computer.

“I took [the keystroke monitor] off after one day, and it had the password on it,” Ellison recalls.

A Never-Ending Job

Continuous education for the entire staff and faculty should be a critical element of every school’s security program, advises Brandon Alt, the information security manager at Duval County Public Schools in Jacksonville, Fla. “Your users can be your best layer of defense,” he says. “If you’re looking for a technological silver bullet, there’s nothing. It comes down to education and being proactive.”

With Duval’s 158 schools and nearly 129,000 students, Alt is always busy keeping the schools’ network secure. In his work, he employs an arsenal of tools, including firewalls, encryption and IDS, and is in the midst of installing a vulnerability and mitigation management program.

“It’s continuous improvement,” Alt explains. “We’ll never reach 100 percent. That’s not possible with security. But we’ll get as close as we can.”

Alt uses the ISO 17799 standard as a guideline in developing the school district’s security program. This ISO specification details best practices in 10 areas of information security, including business continuity management and system access control.

Due to limited funding, Alt can’t implement everything he’d like to, but he strengthens the schools’ equipment with tight security procedures. “There are tons of toys,” he says, “but it really does come down to the people.”

Alt advises schools to develop a security policy that anticipates risks and spells out disaster recovery plans for different threats. The policy should establish a security team plus a separate incident-response team that includes staff members who have a variety of perspectives and skills. The team members should have authority to proactively defend the network with a set of preapproved procedures, he says.

At Valley Christian Schools, control is a key factor in the IT security program. Annab uses content-filtering software to block certain Web sites and file types. He prohibits both students and teachers from downloading software onto school computers, and he sets time limitations on machines and bans their use at night and on weekends.

Annab established even tighter security policies in common areas with a lot of student traffic, such as computer labs and the library. He also keeps tight audit trails to track the use of equipment and the network.

As an added precaution, Annab shows teachers how to check their computers for potential security problems and encourages the teachers to check them periodically. That kind of attention can help cut down on hacking tools like the keystroke monitor that Ellison installed for his school project.

“Unless you create a culture of security, you’ve missed one of the biggest opportunities to secure your organization,” Annab points out. “It’s an ongoing thing. I’ve been doing it for years, and I think folks are really starting to get it.”

Melissa Solomon is a New York-based freelance writer who specializes in technology.

Hackers, Keep Out!

Here are 10 tips for thwarting student hackers:

1. Separate or isolate staff networks from those available to students.

2. Train staff to use strong passwords and keep them secure.

3. Teach students cyberethics and explain the consequences of hacking.

4. Keep up to date on software upgrades and security patches.

5. Restrict student access to faculty and staff computers, networks and offices.

6. Use intrusion detection software and monitor logs for suspicious behavior.

7. Review network and security programs to ensure they’re up to date.

8. Test the school network by trying to infiltrate it with new hacking techniques.

9. Use strong authentication and encryption on wireless networks.

10. Have teachers keep hard copies of grades and periodically compare them with those on the network.

Better Safe (and Secure) Than Sorry

In the 1983 movie War Games, it took a wunderkind to break into a network. No more.

Thanks to the widespread availability of hacker networks and shareware, even students who are not very tech-savvy can find ways to get inside.

“It’s not like it was years ago, when you actually had to know what you were doing,” says Brandon Alt, information security manager at Duval County Public Schools in Jacksonville, Fla. “Now anyone can go out and get [hacking tools].”

Ever-evolving technology also makes it harder for schools to keep their computers secure. For instance, “Perry,” a New York state high school student who asked not to be identified, says that “wireless makes networks much less secure.”

Set up correctly, wireless networks can be as secure as their wired counterparts. However, because wireless is a relatively new technology, some schools neglect basic security protocols, such as strong authentication and encryption.

A network intrusion detection system goes a long way toward keeping a network secure, says Tim Garton, director of IT at Gary and Jerri-Ann Jacobs High Tech High School in San Diego. Garton also recommends an ongoing software patch-management program so that students can’t manipulate known flaws in commercial software.

Such precautions also serve as a deterrent. Students see hacking into school networks as a game, states Perry, who says he’s never done it. They hack because they can. “Even though it’s a real crime, kids don’t see it that way,” he explains.

As information technology plays an increasingly large role in education and the workplace, it’s up to schools to teach students cyberethics so they realize the consequences of their actions.

In fact, several public and private programs teach high school and college students hacking techniques and encourage them to use their skills in protecting business and government from malicious attackers.

At Valley Christian Schools in San Jose, Calif., the student acceptable-use policy spells out technology rules right alongside those about fighting and cheating. It even cites state and federal statutes that give teeth to the district’s zero-tolerance technology policies.

“One of the things we really need to make clear is that the government takes these cybercrimes very seriously,” says Mike Annab, the schools’ director of technology.

At the same time, it’s up to schools to remove temptation, Duval’s Alt adds. That requires schools to establish a strong security program—one that focuses on educating faculty and staff and fixes network vulnerabilities before students can exploit them.

“Then next year, you do it all over again,” Alt concludes.