Information Security in Education/Case Studies

=Case Studies= When the average person thinks of network security within a school they often think of the student trying to hack into the system to change their grade, to see if they can take over their friend’s computer, or to put a prank up on the school website. In light of the current network dangers these may be some of least of the school system worries.

All of the following cases are based upon real situations. As you read through each case ask yourself these questions:
 * a) What should be the very first course of action?
 * b) Should the public be informed about the situation? If so, how will their trust be regained?
 * c) What steps should be taken to prevent similar attacks in the future?
 * d) What are the ethical issues of this situation?
 * e) How should students be dealt with if they were the people initiating the attack?

Breached Passwords
There are many ways for people to get passwords. What they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting it on your computer, making sure no one is looking when you are typing it in are all simple steps in password security. For password security tips see the page on Safeguarding passwords for today's technology.

Brute force
Hackers used brute force password cracking program to break into the district’s computers and initiated a batch of bogus transfers out of the school’s payroll account. The transfers were kept below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had almost 20 accomplices they had hired through work at home job scams. Over $100,000 was successfully removed from the account. Two days later a school employee noticed the bogus payments. Unfortunately, unlike consumers who typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges, organizations and companies have roughly two business days to spot and dispute unauthorized activity. This is because school organizations that bank online fall under the Uniform Commercial Code. Due to this law, the district was able to get less than $20,000 of the transfers reversed.



Shoulder surfing
A former student “shoulder surfed” (physically observed) the password of an employee while still in high school. After graduating, he used this information to get into the district’s student information system. From there, he gained access to a different district’s payroll data including birth dates, social security numbers, and bank account information of 5000 current and former employees. This information was then used for identity theft purposes including requesting and using credit cards, creating checks and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000 the district gave all of the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud.... answering employee questions, and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information."

Key logger
A group of students installed a keystroke-tracking program (this could also fall under malware or student hacking) on computers at their high school to grab the user names and passwords of about 10% of the students, teachers, parents, and administrators that use the system. The students then used this password information to access the system to change grades for themselves and others. They did not seem to do anything else to the system while they had access.

Malware
Programs can be installed into a computer with dangerous consequences. See the page on malicious software for a more indepth description of these types of programs

Malware
A school computer containing no confidential information was hooked to the network containing the personal information of over 15,000 students. This computer was breached with malware designed to steal sensitive data. Names, addresses, phone numbers, dates of birth and Social Security numbers were all part of the database that was potentially exposed to this malware. It is uncertain if any of this information was actually accessed, but the malware was found to have been on the breached computer for approximately five years.

Botnet
A school network administrator was contacted concerning spam e-mail and other attacks emanating from the district system. When the administrator looked into the problem, it was discovered several computers had been infected with a botnet. Several of the district computer’s operating systems had been commandeered and were being used by the person controlling the botnet for illicit activities.

Lost Flash Drive
A school employee was using a flash drive to transfer personal information of 6000 employees for job related purposes. The information included names, addresses, phone numbers, dates of birth and Social Security numbers. This flash drive went missing. There is currently no evidence that the sensitive information has been accessed or used inappropriately.

Stolen & Returned Mobile Storage Device
A mobile storage device was stolen and retrieved in a matter of three hours. The thief was apprehended. The device contained names and Social Security numbers for approximately 1600 individuals in a welfare reform program. A computer expert could not determine if the information on the data storage device had been copied off it. There is currently no evidence that the sensitive information has been accessed or used inappropriately.

Stolen Laptop
A district business office laptop was stolen. The laptop contained sensitive employee and student data. The laptop was password protected and contained data in a format that would not be easily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.

Protecting the School’s Investment
The district has decided to initiate a one-to-one initiative. Each child from middle school through high school will be issued an internet and wireless enabled laptop for use both in and outside of school. Since this is a significant investment of tax dollars, the school board would like a system put into place for theft protection. The system administrator installs a program for remote access of each computer with the capability to track the IP address and take a picture of the current user. If a computer is reported as missing the system will be activated and the information can be used to recover the computer. There is no mention of this software to the students or parents. If a thief was aware of this software they may be able to disable it, defeating its purpose. Only two district employees have the capability to activate this system.

A student was called into the office by the assistant principal and accused of wrong-doing. The proof supplied included a picture of the student taken by his school issued laptop’s webcam after school hours in the privacy of his home.

a) Is this type of system appropriate for use on a school computer? b) Should students be made aware of this type of system being installed on the computer? c) How can the school ensure this system is used correctly? d) What other methods could be used for theft protection and prevention?

FTP installed
A member of a school association installed a file transfer program onto a server without permission, inadvertently exposing the names, birth dates and Social Security numbers of thousands of associated members around the country. The program was installed and had the information exposed for almost a year before it was discovered.

Wrong information uploaded
An assessment specialist who handled testing data accidentally uploaded personal information including names, Social Security numbers, birth dates and test scores of the district’s 17,000 students to a Web site for an unrelated school study.

Student Hacking
Approximately 67 percent of teens admit to "having tried, on at least one occasion, to hack into friends' instant messaging or social network accounts" (Masters, 2009) Students need to be taught proper ethical behavior when it comes to the internet and computer usage.

Grade "Fixing"
A group of high school students managed to infiltrate the school district's records management system. Once in they changed grades for students who paid them to accomplish this task. The students said in addition to the money, they did it for kicks, to prove they could do it.

Moving files
A high school student taking a networking class hacked into an administrator's user file. Once in, he changed student's passwords, remotely shut down computers, and created and copied folders in an assistant principal's file. He just wanted to see what he could get away with and didn't do any real damage despite his capability to do so.

Looking around
A third grade student used the teacher's password to gain access to the instructor's portion of the blackboard online learning environment. Once in, he changed some student's passwords and some of the homework assigned.

Senior Project
A 15 year old student used three hacking programs to gain access to the district records management system in 200 milliseconds. Once in, he lowered his grades, since he couldn't raise them, he already had 4.0. He then wrote a three page paper on how to improve the security of the system. Finally, he proceeded to help the district to improve the security of the network in general.

Links
Here are some links to sites to find more real life, school network security breach stories:  scmagazine Slashdot.org net-security.org New York Times Washington Post WKRN

Here are the links to read the stories these cases were based upon: