Back to School: Rethinking Security In Education


Ash Halford, Director of Systems Engineering at Juniper Networks Australia and New Zealand

Growing up in a world almost permanently connected, our children today are as much online as they are in the physical world. Yet, while permanent connectivity and interconnectedness present students with many opportunities, they also expose them to many threats online, some of which may bridge the gap and cross over into the physical world.

With the Notifiable Data Breach (NDB) scheme coming into effect in February 2018, non-government schools have little choice but to bring security to the forefront and ensure their privacy policies and procedures are compliant with the new NDB requirements. However, simply complying with the new regulation will not be enough to keep students, teachers and parents out of harm’s way; education and security must go hand-in-hand. In fact, when drawn upon in tandem, they work to improve each other.

As it happens, education plays a pivotal role both in unlocking the opportunities presented by the online world and in locking the door to threats and preventable risk. This symbiosis is something our industry, as well as the education sector, should pay more attention to. Let me explain.

Understanding the threat landscape
Consider an internet-facing parent portal, in which parents can view and modify their contact details and, by extension, those of their child. If these portals are not implemented in a secure fashion, it’s very easy to access the personal information, including the home address, of a given student. It’s not hard to imagine how the unauthorised access of such information could have security implications in the physical world. In fact, Victorian schools have recently been in hot water after two separate cases of hacking saw the illegal access of the schools’ online management systems. Used by schools to manage and streamline operations, the system allowed schools to manage permission forms for events, organise payment of fees and access student progress and semester reports. All of these functions involved sharing personal information.

At this stage, we have only just scratched the surface of external threats in this environment, but what about the insider threat?  Of course, we can consider obvious threats such as students attempting to access assignments or exams ahead of time, or even modifying their grades after the assessment. But what about more damaging scenarios whereby a student feels unfairly treated by a member of staff and hacks them as an act of retribution? Security devices can play a crucial role in preventing this kind of attack or, at a minimum, creating an evidence trail that could help confirm or deny a claim that the teacher was hacked. While this is a standard use case for security in education, there are much more powerful ways to bring security into the picture.

Security as an enabler for educational outcomes
Consider the student who, rather than paying attention during class, is browsing the internet or chatting with friends online. Not an uncommon scenario by any stretch of the imagination. As a result of this distraction, the student’s grades are seen to slip.  This is a perfect opportunity to leverage the visibility provided by security devices to enable educational outcomes.

To put it another way, security devices open the door to a discussion (with the student), based on proxy logs, about the appropriate use of the internet during class time and the measures that could be implemented to remove the distraction, allowing the student to turn their grades around.

The challenge here is to strike a balance between being too prohibitive and too permissive.  If we are too prohibitive, users will find a way to bypass security controls, and we will lose the opportunity to have these discussions with the students.  If we are too permissive, we run the risk of violating our duty of care to our students.  This is a fine line that educational institutions must walk when considering their security policies.

The application of user-aware and time-based URL filtering policies on the school’s proxy is one way to navigate this situation. Here’s how it could work. Unobtrusive technology exists today that generates logs, and records URLs and page categories based on user activity. Correlating this data with class time and a student’s grade trajectory, one can see if a student’s in-class browsing habits are having a negative impact on their grades. If this is the case, a time-based security policy can be applied to that student, or a group of students, to restrict their browsing during class time.
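The correlation described above, sketched as an added example that is not from the article or from any vendor's product. The log layout, category names, class periods, marks, user names and the 0.5 threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample data (not from the article): proxy log lines in an assumed
# "ISO-timestamp user category url" layout, class periods, and term marks.
PROXY_LOG = """\
2018-03-05T09:10:02 s.lee social https://chat.example/room
2018-03-05T09:12:40 s.lee social https://chat.example/room
2018-03-05T09:20:11 s.lee education https://lms.example/maths
2018-03-05T10:35:00 s.lee social https://chat.example/room
2018-03-05T09:15:30 j.kim education https://lms.example/maths
2018-03-05T09:18:09 j.kim games https://games.example/play
2018-03-05T09:25:44 j.kim education https://lms.example/quiz
2018-03-05T09:40:00 j.kim education https://lms.example/quiz
"""
CLASS_PERIODS = [(time(9, 0), time(10, 30)), (time(11, 0), time(12, 30))]
OFF_TASK = {"social", "games", "streaming"}
GRADES = {"s.lee": [78, 71, 63], "j.kim": [70, 72, 75]}  # oldest to newest

def in_class(ts):
    """True when the timestamp falls inside a timetabled class period."""
    return any(start <= ts.time() < end for start, end in CLASS_PERIODS)

def off_task_ratio(log_text):
    """Per user: share of in-class requests that fall in an off-task category."""
    counts = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their fields
        stamp, user, category, _url = parts
        if not in_class(datetime.fromisoformat(stamp)):
            continue  # breaks and after-school browsing are out of scope
        total, off = counts.get(user, (0, 0))
        counts[user] = (total + 1, off + (category in OFF_TASK))
    return {u: off / total for u, (total, off) in counts.items()}

def policy_candidates(log_text, threshold=0.5):
    """Users whose in-class off-task share is high AND whose marks are falling."""
    flagged = {}
    for user, ratio in off_task_ratio(log_text).items():
        marks = GRADES.get(user, [])
        declining = len(marks) >= 2 and marks[-1] < marks[0]
        if ratio >= threshold and declining:
            # Time-based rule: block these categories only during class periods.
            flagged[user] = {"block": sorted(OFF_TASK), "during": CLASS_PERIODS}
    return flagged
```

Requiring both signals keeps the restriction narrow: a student who browses off-task but whose marks are steady, or whose marks fall without off-task browsing, is not given a policy.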

However, where we start to see a nice symbiosis is when we start teaching security in schools. Too many people today believe that security gets in the way of innovation and development. If security is an afterthought, it can force the developer to go back and try to shoehorn security into their application at the 11th hour, introducing unnecessary delays and potential security loopholes. With coding taught as part of the ICT curriculum in many schools already, the foundations exist for teaching the next generation of software engineers to design with security in mind from the beginning, resulting in more secure applications being developed in a timelier manner.

Security breaches are now commonplace in the world of our children. This is a natural opportunity for our industry to introduce students to some of these security techniques as part of an ICT curriculum, in a controlled environment, and to take time to discuss the morals and ethics associated with penetration testing and hacking. In this way, we have a chance to steer students with an interest in hacking down the white hat path into a potential career in information security. We’re already seeing this approach yield impressive results. Earlier this year, Code Cadets at Canberra Grammar School discovered and responsibly disclosed a zero-day vulnerability in the ‘Capture the Flag’ (CTF) competition at the B-Sides security conference, before going on to win first prize.

It’s never too early to consider security, and what better time than in the classroom, when the mind is eager to learn and experiment?

