How To Prepare Your System From Student Hackers

1. Separate administrative and student computing

2. Secure passwords

Again, self-evident, but even if you don’t expire passwords regularly, you should at least check them for strength. As part of the implementation process of a new online student information system, Joanne Arvay, technology coordinator for the Scotch Plains-Fanwood School District in New Jersey, reinforces with administrators and supervisors the importance of using a secure password, one with a combination of letters (upper and lower case), numbers and a special character or two. “If a password is easy to remember,” Arvay says, “then it is generally easy to guess.” She also suggests staff members use mnemonics to help remember their passwords.

“Students watch like a hawk when teachers or counselors log into the system,” Arvay says. “They seem to be genetically programmed to acquire passwords.” She has chided teachers and administrators who want to use overly simple passwords, reminding them to be smarter than their students. “If a staff member feels that their password has been compromised, it’s vital that they change it immediately,” she adds.

3. Security-focused design

Mary Cullinane, Microsoft’s academic program manager at Philadelphia’s School of the Future project, has an ideal situation: starting from zero. “We boiled it down to the three A’s: administration, automation and authentication,” Cullinane says. “We use centralized console software to manage installation, updates and access. We have a single sign-on. Every teacher, administrator and student will have a smart card and a PIN. Everything they can do is determined by their profile.”

Arvay says it’s important for key backups and restore points to be stored offsite: If a server and its tape or disk backup are in the same room — or even in the same building — both are subject to loss by fire, water damage, vandalism or theft.

4. Top-down awareness

Chris Seiberling, manager of the technology audit and planning program at the Mass Networks Education Partnership, a technology-focused nonprofit organization in Allston, Mass., is blunt when asked where the responsibility lies. “The superintendent!” he exclaims.

Despite his technical chops, he’s quick to point out that human factors dictate the security of the school’s data, and that the agenda is set from the top. Many superintendents, despite advanced degrees and managerial training, have little appreciation for the quantity or sensitivity of the data under their purview.

“Schools have more data on kids than ever before,” Seiberling says. “The information ranges from family financial status for free meals eligibility to special needs and mental health.”

5. Lock down everything

Marnin Goldberg, computer support technician for New Jersey’s Lawrence Township public schools, is a strong believer in central control. “As long as you provide responsive service and the systems do everything the teachers and administrators need, they are willing to work with centralized control,” Goldberg says. The team he works with controls the drive image on all machines. In addition, the team takes the precaution of using Basic Input/Output System and Open Firmware passwords.

Moreover, teachers typically ask the students to reboot at the end of each period so the machine is clean for the next class.

6. Think like a kid

When testing new applications or security provisions, Goldberg does his best to think the way the students do. “What do I want to do?” he asks himself. “Run games? Upload a keylogger from a USB key or a floppy? IM my friends? Get admin access? Surf blocked sites?” With this mindset, he attacks the software from their point of view, and occasionally finds flaws that didn’t occur to him on the first pass.

An increasing number of schools have expanded their tech-ed curriculum to include Cisco maintenance and programming. “It doesn’t take long until the kids decide to attempt to break into the school’s routers,” Goldberg says. “So you’ve got to make sure that they’re locked down tight, with all updates and patches applied.”

7. Teach the teachers

Rob Stevens, priincipal consultant on Philadelphia’s School of the Future project, says it’s critical to include security as part of the teachers’ professional development time. “We believe in technology by example,” Stevens says. “If we can demonstrate safe computing practices with results that will engage the students and demonstrate how to replicate them, teachers will use them.”

Administrators at the Scotch Plains-Fanwood School District agree that securing their district’s information is everyone’s responsibility — not just the IT department’s. And yet technology coordinator Arvay says, “Sometimes it’s difficult to take time from staff training to address security issues.” She often has to rely on e-mail and one-to-one contact with staff to make them aware of threats.

8. Use professional programs

Homegrown attendance packages and standalone grade-book programs often don’t measure up to current security needs. They may have vulnerabilities based on the language in which they were developed and are often poorly documented. Many were never intended for multiuser use.

However, modern scheduling, grading and attendance software has excellent security and scales to multiple users. Backup is either inherent or tied in with normal server backup procedures.