Managing and maintaining e-security

Schools are now reliant upon the internet and broadband services for day-to-day operations and activities. These technologies bring a huge range of opportunities and benefits, offering new ways to support teaching and learning and streamline operational and administrative processes.
    
However, they also bring a range of risks if not managed and maintained appropriately, including the loss of sensitive, confidential personal data and potentially, where network services deteriorate or fail as a result of a security incident, reduced or lost capability to deliver timetabled events and scheduled teaching and learning.
    
Taking these potential risks into account, it is important that schools put appropriate mechanisms in place to maintain the integrity and availability of their network services and resources. CESG estimate that about 80 per cent of known attacks would be defeated by embedding basic e-security practices for people, processes and technology.

The threat landscape
School systems are threatened by a growing array of risks and dangers that require informed and effective mitigation to avoid the potential loss and damage that can result. In summary, threats can include malicious technical attacks, which can include external attempts to compromise systems through methods such as Distributed Denial of Service (DDoS) attacks, malware propagation (such as Trojan horses) or physical hacking attempts. Typically these attacks seek to gain access to school data and systems, to use school systems to mount further attacks on other systems, or use school systems for illegal or unauthorised purposes, leading to reputational damage.
    
Alternatively, accidental attacks can act as problematic risk. Issues can also arise that may not be malicious or deliberate (for example, attacks created as a result of programming errors, bugs in software or user entry), but can be equally problematic.
    
Internal attacks can include the introduction of infected devices or storage facilities (like USB flash drives) into networks, and malicious or accidental actions by users.
    
Social engineering risks typically result from exposure of an internal weakness, such as poor password use (or passwords being written down and left visible), or emails or websites designed to capture credentials from unsuspecting users (typically referred to as ‘phishing’). Many security experts believe that the biggest risk to any system continues to be an ignorant or careless user.
    
It is important to understand whether any particular security requirements have already been set out that certain types of E  organisation are expected to comply with. Where more than one ‘agency’ uses a single network and security infrastructure, it may be necessary to consider additional security undertakings. As an example, a school that also hosts a council, health or emergency service unit within their premises will need to consider the security requirements of each agency using the network. It is essential to segregate the traffic of each agency to maintain the security levels required.

Ten steps for managing e-security
The scale and scope of e-security issues and risks today necessitates a holistic approach that encompasses a range of technical measures alongside organisational policy approaches. CESG has set out ten related actions and measures to help schools implement, manage and maintain e-security effectively.
   
Firstly, via an information risk management regime. This involves recognising and taking ownership of and responsibility for e-security at a senior level and ensuring that all staff and pupils are aware of, understand and abide by all their obligations and responsibilities. Schools should establish and maintain via  regular review an e-security policy which sets out the approach for managing risks, issues and incidents. The e-security policy should inform the school’s acceptable use policy (AUP) for IT; this key document should set out everything that end users need to know in an accessible way.
   
The second related measure is secure configuration. This involves keeping an inventory of all school IT hardware and software and making sure that policies and procedures are in place to ensure all changes are authorised, documented and implemented appropriately. It also involves establishing processes for monitoring and the timely updating of systems as required; for example, when new versions of software (including operating systems, web browsers and plugins) are released, when security patches become available or when hardware or software goes ‘end of life’.
    
This is when suppliers end their support for outdated or superseded products and services, such as when Microsoft ended its support for Windows XP after 12 years in April 2014. Any security issues subsequently identified in unsupported products and services will not be rectified by suppliers, potentially creating security vulnerabilities if they are not replaced. Another aspect of securing IT configuration involves locking down hardware, operating systems and software to prevent access to facilities which could be used to compromise network security, either maliciously or accidentally. Inventories must include all school hardware and software, for example school-provided staff mobile phones need to be included and kept secure through locking and password policies.
   
The next measure is through network security. School, local authority and regional broadband networks provide access to the internet and other networks that could be the source of attacks, for example through the distribution of malware or distributed denial of service (DDoS) attacks. These are increasing in number and are becoming increasingly easy to initiate. It is important to remember that a security vulnerability or incident in one school could potentially impact on many other schools and organisations as well.
    
For example, a successful denial of service attack may flood a local authority or regional network with traffic, preventing all schools from using the network even though only one school has been targeted. Schools therefore not only have responsibilities in relation to their own users but to any other schools and institutions they share network services and infrastructure with. It is therefore essential to ensure the perimeter of the school’s network is policed appropriately.
    
Technical measures to assist here include firewalls, filtering of websites for malicious as well as inappropriate content, antivirus and malware checking, monitoring and establishing appropriate internal network security configurations. Wireless network security is an important consideration here too, to prevent access from unauthorised users and devices. Antivirus and other malware tools need to be updated regularly to keep pace with new and changing threats.

Another measure to consider is managing user privileges. This involves controlling what individual users can and cannot do on the network. User privileges need to be differentiated and set appropriately so that all users can access the facilities they E  require while minimising the potential for deliberate or accidental misuse of the network. Processes should be set up for creating, managing and deleting user accounts when they are no longer needed.
    
Automated user provisioning systems can provide a way to manage these risks including automatically deleting the accounts of users that have left the school, something which is often overlooked. Password management processes and policies can ensure both that passwords are strong (i.e. not easy to guess either manually or via a dictionary attack, for example requiring upper and lower case letters as well as numbers and/or symbols) and that they are changed regularly. Monitoring user activity is also important here; it is advisable to inform all users that their usage of the network may be monitored if this is the case. The key document for doing this is the school’s IT acceptable use policy (AUP). It is essential that all users are aware of and understand the school’s AUP which should be reviewed regularly and updated as necessary.

User education and awareness
All users need to understand their e-security obligations and responsibilities and user education and training are essential if this is to be achieved. As stated above, schools should develop a user security policy and embed this within their IT acceptable use policy (AUP). Training and induction processes should be available for all new users (staff and pupils); new threats emerge all the time so AUPs need to be reviewed and refreshed regularly.
    
Key aspects for end users include password policies, use of removable media/personal devices in school and remote access to school network facilities (for example, remote access for staff to the school management information system). All users should be made aware of and understand any disciplinary processes and sanctions for misuse in the event of malicious e-security incidents. Schools should ideally encourage a strong culture of e-security in order to keep the use of disciplinary procedures and sanctions to a minimum. The key here is ensuring that everyone understands e-security risks and their own responsibilities in relation to them.
   
Additionally, schools should be aware of incident management. The nature and range of issues and threats means all schools will experience an e-security incident at some point. Having plans and procedures in place in advance for logging, reporting on, monitoring and dealing with e-security incidents will help ensure that any damage is minimised, that services can return to normal as soon as possible and that lessons can be learned to prevent similar incidents from occurring again.
    
These lessons may need to be applied in a range of areas. For example, it may be necessary to update a firewall’s configuration after an incident. This may in turn lead to a review of configuration and patch management processes. Similarly, it might be necessary to update the school’s AUP, which then leads to a review and update of e-security awareness training for pupils and staff.

Moreover, malware prevention is an important consideration for schools to prioritise. Malware is any malicious code or content which could damage the confidentiality, integrity and availability of a school’s network and IT services. Malware can proliferate in many ways, for example via email attachments, social media, malicious websites or removable media such as USB flash drives.
    
Key ways to mitigate the risks from malware include antivirus and malware scanning, web filtering to block access to known malicious websites and also encouraging appropriate user behaviours in relation to aspects such as web browsing, accessing email and using removable media in school. Again, user education and training in relation to the school’s AUP for its IT services are key here.
   
On the other hand, monitoring systems, network traffic and user activity allows attacks and other e-security incidents to be detected quickly, allowing a rapid and effective response in keeping with defined incident management processes. It is also important to preserve event logs as potential evidence in dealing with an as yet undiscovered misdemeanour. It is important that key individuals are tasked with reviewing the outputs from monitoring systems and responding to alarms and alerts.
    
Reports, logs and alarms are all useless if no one is responsible for or has the time to look at or respond to them. Means for storing and accessing data from monitoring also need to be considered, as monitoring systems can rapidly generate large amounts of data. User activity monitoring processes need to be able to spot unauthorised, accidental or malicious usage and should be able to identify the user, the activity that prompted the alert and the information or service the user was attempting to access.

Final measures
It is important to control what can enter and leave the organisation via removable media and personal IT devices, especially as such devices become more widely available and used in schools. Key risks in relation to removable media include information leakage and theft and the potential for the introduction of malware into the school.
    
Protections in this areas include limiting what data can be stored on which type of media/device together with strategies for encrypting removable media and or secure remote access to centrally held data. Holding date centrally negates the need for multiple copies to be created and transferred via removable media.
   
Finally, schools must be attentive to and ready to manage home and mobile working. Pupils and staff need to be able to access school systems from home and elsewhere from a range of devices, in order to extend learning opportunities and support administrative functions. A key development in this area is ‘bring your own device’ (BYOD) where users wish to connect their own personal devices to school wireless networks.
    
Risks include the possible loss or theft of staff laptops and the potential for access to and leakage of sensitive information from devices with limited security features. User education is paramount in this area; technical strategies may include encrypting school‑owned devices to prevent unauthorised access and use. Schools should include consideration of remote and mobile working in their overall security policy, particularly in relation to securing teacher laptops that are used in school, at home and potentially other locations as well.
    
Another consideration is how to ensure security across multi-site schools that share a single network; whilst collaboration between such sites is important this must be implemented in such a way that does not compromise overall network security.

Conclusion
Regardless of whether they procure and manage their own broadband services or subscribe to services provided by a local authority or regional broadband consortium (RBC), all schools need to ensure they have an appropriate and up to date strategy in place to ensure the security and integrity of their networks and systems are maintained.
    
All schools should draw up a policy for how e-security is managed, maintained and reviewed in the light of new and emerging issues and risks. E-security is not something that can be ‘fixed’ on a one-off basis; the changing nature of the threat landscape means that e-security policies and strategies require regular review and update if they are to remain effective.

This guidance from the CESG was originally published by the Educational Network.

Further information
http://tinyurl.com/p9btw2z