Oct 31 2006

How To Prepare Your System From Student Hackers

Precociousness is the motivation that drives most student hackers, but some aim to intentionally wreak havoc on your network. Either way, protecting your school's data and systems from the nosy or malicious student is just as important as protecting it fr

Security is a journey, not a destination. The moment you sit back and pronounce that “everything is secure” is the moment you’re letting down your guard and inviting disaster. Also, every journey is different, determined by your district’s needs, legacy applications, hardware, funding, staffing levels and experience. To make your journey safe and enjoyable, we’ve gathered these useful travel tips:

1. Separate administrative and student computing

It seems obvious, but it’s not always easy to separate the school administration from the students. Some students are highly motivated to hack, and if they can see the back-office servers or applications, they’ll try to crack them. Even if the systems reside on the same physical network, they need to be partitioned. While partitioning should protect subsystems, school districts should keep student and administrative systems on physically separate networks.

2. Secure passwords

Again, self-evident, but even if you don’t expire passwords regularly, you should at least check them for strength. As part of the implementation process of a new online student information system, Joanne Arvay, technology coordinator for the Scotch Plains-Fanwood School District in New Jersey, reinforces with administrators and supervisors the importance of using a secure password, one with a combination of letters (upper and lower case), numbers and a special character or two. “If a password is easy to remember,” Arvay says, “then it is generally easy to guess.” She also suggests staff members use mnemonics to help remember their passwords.

“Students watch like a hawk when teachers or counselors log into the system,” Arvay says. “They seem to be genetically programmed to acquire passwords.” She has chided teachers and administrators who want to use overly simple passwords, reminding them to be smarter than their students. “If a staff member feels that their password has been compromised, it’s vital that they change it immediately,” she adds.

3. Security-focused design

Mary Cullinane, Microsoft’s academic program manager at Philadelphia’s School of the Future project, has an ideal situation: starting from zero. “We boiled it down to the three A’s: administration, automation and authentication,” Cullinane says. “We use centralized console software to manage installation, updates and access. We have a single sign-on. Every teacher, administrator and student will have a smart card and a PIN. Everything they can do is determined by their profile.”

Arvay says it’s important for key backups and restore points to be stored offsite: If a server and its tape or disk backup are in the same room — or even in the same building — both are subject to loss by fire, water damage, vandalism or theft.

4. Top-down awareness

Chris Seiberling, manager of the technology audit and planning program at the Mass Networks Education Partnership, a technology-focused nonprofit organization in Allston, Mass., is blunt when asked where the responsibility lies. “The superintendent!” he exclaims.

Despite his technical chops, he’s quick to point out that human factors dictate the security of the school’s data, and that the agenda is set from the top. Many superintendents, despite advanced degrees and managerial training, have little appreciation for the quantity or sensitivity of the data under their purview.

“Schools have more data on kids than ever before,” Seiberling says. “The information ranges from family financial status for free meals eligibility to special needs and mental health.”

5. Lock down everything

Marnin Goldberg, computer support technician for New Jersey’s Lawrence Township public schools, is a strong believer in central control. “As long as you provide responsive service and the systems do everything the teachers and administrators need, they are willing to work with centralized control,” Goldberg says. The team he works with controls the drive image on all machines. In addition, the team takes the precaution of using Basic Input/Output System and Open Firmware passwords.

Moreover, teachers typically ask the students to reboot at the end of each period so the machine is clean for the next class.

6. Think like a kid

When testing new applications or security provisions, Goldberg does his best to think the way the students do. “What do I want to do?” he asks himself. “Run games? Upload a keylogger from a USB key or a floppy? IM my friends? Get admin access? Surf blocked sites?” With this mindset, he attacks the software from their point of view, and occasionally finds flaws that didn’t occur to him on the first pass.

An increasing number of schools have expanded their tech-ed curriculum to include Cisco maintenance and programming. “It doesn’t take long until the kids decide to attempt to break into the school’s routers,” Goldberg says. “So you’ve got to make sure that they’re locked down tight, with all updates and patches applied.”

7. Teach the teachers

Rob Stevens, priincipal consultant on Philadelphia’s School of the Future project, says it’s critical to include security as part of the teachers’ professional development time. “We believe in technology by example,” Stevens says. “If we can demonstrate safe computing practices with results that will engage the students and demonstrate how to replicate them, teachers will use them.”

Administrators at the Scotch Plains-Fanwood School District agree that securing their district’s information is everyone’s responsibility — not just the IT department’s. And yet technology coordinator Arvay says, “Sometimes it’s difficult to take time from staff training to address security issues.” She often has to rely on e-mail and one-to-one contact with staff to make them aware of threats.

8. Use professional programs

Homegrown attendance packages and standalone grade-book programs often don’t measure up to current security needs. They may have vulnerabilities based on the language in which they were developed and are often poorly documented. Many were never intended for multiuser use.

However, modern scheduling, grading and attendance software has excellent security and scales to multiple users. Backup is either inherent or tied in with normal server backup procedures.

Bill Machrone is a New York-based technology journalist.


At one school that fell victim to a student break-in last year, the situation was fairly typical: an unguarded administrator’s machine, a poorly protected password and a student who installed a remote-control program and changed grades from home. According to the school’s IT director, who requested anonymity, the incident caused the district to toughen existing policies and create additional ones regarding the misuse of computers and data. However, the school district still suffers from a lack of a centralized means to protect its policies, the IT director told EdTech. One group controls the network sign-on, another controls the administration package, and yet another sets up machines and issues passwords in a given building.