School districts, by nature, run open environments where administrators, teachers and students share information, so setting rules and restrictions for the sake of IT security may not always be top of mind.
Matthew Frederickson, director of information technology at Council Rock School District in Newtown, Pa., says that when he came to work for the district several years ago, one of his first tasks was to educate the community on IT security issues.
“We had some near misses where students hacked in and got further into the network than they should have, so I started looking at security frameworks,” he explains.
Frederickson based the district’s security program on the 20 Critical Security Controls from the Center for Internet Security and the SANS Institute. The CIS Critical Security Controls cover everything from continuous vulnerability assessments and remediation to malware defenses, wireless access control and penetration tests.
Given that he had nine people, plus himself, to manage 13,000 users districtwide, Frederickson also needed to find automated security tools that integrated well.
“With such a small staff and so many users to manage, I simply couldn’t hire six more people to work on IT security,” he says.
Frederickson deployed Lancope StealthWatch to manage the network and Ziften for Lancope, an endpoint management tool that works well with StealthWatch.
StealthWatch monitors the network, making sure data flows across the switches properly, and it doubles as the district's network security monitoring tool.
“In an organization this size, it really made a difference that all I had to do was configure the switches and no longer had to worry about security,” Frederickson says. “StealthWatch notices performance bottlenecks and can determine if we are getting potentially harmful packets from countries such as China.”
Frederickson says StealthWatch dramatically reduces the time it takes his staff to detect and remediate malware.
“In the past, malware could have been in the network for up to two weeks before we discovered it,” he says. “Now it can be detected and remediated in minutes.”
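The flow-based triage the article attributes to StealthWatch (spotting unusually heavy traffic and flagging traffic to unexpected countries) can be illustrated with a small script. The following is an added example and is not code from the district or from Lancope; the flow record layout, the country allowlist, the 10x volume threshold and the sample records are all constructed assumptions, and the country code is assumed to come from a prior geolocation lookup.

```python
"""Flow-record triage: flag outbound flows whose destination country is
unexpected, or whose size is far above the sending host's own baseline.
Hypothetical example; record format and thresholds are assumptions, not
StealthWatch's internal logic."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str         # internal host that sent the traffic
    dst: str         # external peer
    country: str     # ISO country code of dst (assumed from a geo lookup)
    bytes_out: int   # bytes sent from src to dst in this flow


# Constructed allowlist: countries the district expects to exchange traffic with.
EXPECTED_COUNTRIES: Set[str] = {"US", "CA"}

# Constructed sample records: one classroom host makes three ordinary transfers
# and one very large transfer to an unexpected country; a second host is normal.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.1.15", "203.0.113.10", "US", 12_000),
    Flow("10.20.1.15", "203.0.113.11", "US", 9_500),
    Flow("10.20.1.15", "203.0.113.12", "US", 11_200),
    Flow("10.20.1.15", "198.51.100.7", "CN", 850_000),
    Flow("10.20.1.16", "203.0.113.10", "US", 8_000),
    Flow("10.20.1.16", "203.0.113.20", "CA", 7_600),
]


def build_baseline(flows: List[Flow]) -> Dict[str, float]:
    """Per-host typical flow size. The median is used rather than the mean so
    that a single huge transfer does not drag the host's own baseline up."""
    sizes: Dict[str, List[int]] = defaultdict(list)
    for flow in flows:
        sizes[flow.src].append(flow.bytes_out)
    return {host: median(values) for host, values in sizes.items()}


def triage(flows: List[Flow],
           expected: Set[str] = EXPECTED_COUNTRIES,
           volume_factor: int = 10) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) pairs for every flow that trips at least one rule:
    destination country outside the allowlist, or bytes_out more than
    volume_factor times the sending host's median flow size (assumed threshold)."""
    baseline = build_baseline(flows)
    findings: List[Tuple[Flow, List[str]]] = []
    for flow in flows:
        reasons: List[str] = []
        if flow.country not in expected:
            reasons.append(f"unexpected destination country {flow.country}")
        if flow.bytes_out > volume_factor * baseline[flow.src]:
            reasons.append(
                f"{flow.bytes_out} bytes exceeds {volume_factor}x host median "
                f"({baseline[flow.src]:.0f} bytes)")
        if reasons:
            findings.append((flow, reasons))
    return findings


if __name__ == "__main__":
    for flow, reasons in triage(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: " + "; ".join(reasons))
```

Run against the constructed records, only the 850,000-byte flow to 198.51.100.7 is reported, and it trips both rules. In practice the baseline would be built from a trailing window of historical flows rather than the batch being inspected, and a finding like this is a prompt for the endpoint team to look at the host, not a verdict on its own.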
On the endpoint front, Ziften maintains a small footprint on the district’s computers, feeding data about potential malware to a central dashboard, where Frederickson’s team manages and remediates events remotely.
Frederickson also runs Trend Micro anti-virus software, which he says picks up 80 percent of any issues on the network. He says most of the remaining 20 percent of malware is remediated manually. And on the rare occasion when malware gets too far into any one system, Frederickson says they just reimage the computer using Microsoft’s System Center Configuration Manager.
Based on Frederickson’s experiences improving security at Council Rock School District, here are five best practices to consider.
1. Identify what the district wants to protect
The district decided that its internal assets were most important, Frederickson says. These assets include the district’s student information system and all the confidential data associated with students, teachers and administrators.
2. Select a framework
Council Rock used the CIS Critical Controls outlined by the SANS Institute, which attracts the top security people in the industry, Frederickson says — especially hands-on security people who do vulnerability assessments and testing. The critical controls provided an outline that allowed the district to develop a coherent plan.
3. Run a gap analysis
Take a realistic look at the district’s security program today and chart a reasonable period of time in which the district can improve. Frederickson says Council Rock received insights into its network within four hours of switching on StealthWatch, and it expects that the district’s security posture will gradually improve over several months.
4. Develop a strategy
IT managers must understand that no network can be 100 percent safe, Frederickson says. With the tools Council Rock deployed, along with strong passwords, the district has tried to make hacking into its network difficult enough that hackers will decide to bypass the district. As part of the strategy, develop a three- to five-year replacement cycle so that when security technology and network infrastructure age, the refreshes are planned ahead of time and there's money in the budget for them.
5. Implement a plan
Set benchmarks, whether they are weekly, monthly or quarterly, and stick to them. The dashboards built into today’s security tools offer metrics that let districts know if incidents are decreasing, or if districts need to try a new set of tools. Council Rock’s approach was to start by selecting a framework, then monitor its DNS firewalls with StealthWatch and finally focus on endpoint management.
Above all, Frederickson counsels that improving a school district’s security program takes time. In Council Rock’s case, it took about two years before all the pieces were in place, the tools were running properly and the organization’s culture had shifted to an emphasis on security.
“It starts with a framework, and the right tools are important, but security is a mindset. It takes time before the staff is properly trained and security becomes part of the culture,” Frederickson says.