Growing up in a world almost permanently connected, our children today are as much online as they are in the physical world. Yet, while permanent connectivity and interconnectedness presents students with many opportunities, it also exposes them to many threats online, some of which may bridge the gap and cross over into the physical world.
With the upcoming Notifiable Data Breach (NDB) scheme coming into effect in February 2018, non-government schools have little choice but to bring security to the forefront and ensure their privacy policies and procedures are compliant with the new NDB requirements. However, simply complying with the new regulation will not be enough to keep students, teachers and parents out of harm’s way; education and security must go hand-in-hand. In fact, when drawn upon in tandem, they work to improve each other.
As it happens, education plays a pivotal role in unlocking both the opportunities presented by the online world, while also locking the door to threats and preventable risk. This symbiosis is something our industry, as well as the education sector, should pay more attention to. Let me explain.
Understanding the threat landscape
At this stage, we have only just scratched the surface of external threats in this environment, but what about the insider threat? Of course, we can consider obvious threats such as students attempting to access assignments or exams ahead of time, or even modifying their grades after the assessment. But what about more damaging scenarios whereby a student feels unfairly treated by a member of staff and hacks them as an act of retribution? Security devices can play a crucial role in preventing this kind of attack or, at a minimum, creating an evidence trail that could help confirm or deny a claim that the teacher was hacked. While this is a standard use case for security in education, there are much more powerful ways to bring security into the picture.
Security as an enabler for educational outcomes
Consider the student who, rather than paying attention during class, is browsing the internet or chatting with friends online. Not an uncommon scenario by any stretch of the imagination. As a result of this distraction, the student’s grades are seen to slip. This is a perfect opportunity to leverage the visibility provided by security devices to enable educational outcomes.
To put it another way, security devices open the door to a discussion (with the student), based on proxy logs, about the appropriate use of the internet during class time and the measures that could be implemented to remove the distraction, allowing the student to turn their grades around.
The challenge here is to strike a balance between being too prohibitive and too permissive. If we are too prohibitive, users will find a way to bypass security controls, and we will lose the opportunity to have these discussions with the students. If we are too permissive, we run the risk of violating our duty of care to our students. This is a fine line that educational institutions must walk when considering their security policies.
The application of user-aware and time-based URL filtering policies on the school’s proxy is one way to navigate this situation. Here’s how it could work. Unobtrusive technology exists today that generates logs, and records URLs and page categories based on user activity. Correlating this data with class time and a student’s grade trajectory, one can see if a student’s in-class browsing habits are having a negative impact on their grades. If this is the case, a time-based security policy can be applied to that student, or a group of students, to restrict their browsing during class time.
However, where we start to see a nice symbiosis is when we start teaching security in schools. Too many people today believe that security gets in the way of innovation and development. If security is an after-thought, it can force the developer to go back and try and shoehorn security into their application at the 11th hour, introducing unnecessary delays and potential security loopholes. With coding taught as part of the ICT curriculum in many schools already, the foundations exist for teaching the next generation of software engineers to design with security in mind from the beginning, resulting in more secure applications being developed in a timelier manner.
Security breaches are now commonplace in the world of our children. This is a natural opportunity for our industry to introduce students to security techniques as part of an ICT curriculum, in a controlled environment, and to take time to discuss the morals and ethics associated with penetration testing and hacking. In this way, we have a chance to steer students with an interest in hacking down the white hat path into a potential career in information security. We’re already seeing this approach yield impressive results. Earlier this year, Code Cadets at Canberra Grammar School discovered and responsibly disclosed a zero-day vulnerability in the ‘Capture the Flag’ (CTF) competition at the B-Sides security conference- before going on to win first prize.
It’s never too early to consider security and what better time than in the classroom when the mind is eager to learn and experiment.