Information Security in Education/Professional Development
Professional Development in Computer Security
Introduction
The administrators and users of a computer network represent the greatest vulnerability to the system (Lehtinen, Russell & Gangemi, 2006) [1]. One of the strongest defenses against compromised security is to train and inform the staff of an institution. This chapter will focus on why users pose a large threat; it will also expand on many topics that can be the focus of professional development. These topics include, but are not limited to, explaining an institution's Acceptable Use Policy (AUP) in plain English, explaining proper system access etiquette, and describing a phishing scam.
The Weakest Link
The human factor in information security is known as the weakest link in computer security (Schneier, 2000) [2]. Many security breaches occur as a social engineering attack. “In this type of attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems” (Schneier, 2000, pg. 266) [2]. An example of using social skills to attack a network might be for an attacker to send an e-mail to the employees of an institution telling them to click on clickhere.exe and receive a $10 coupon to a local coffee shop. The user opens the e-mail and downloads the attachment. At this time, a virus or a worm may be infecting their computer, and since the user's computer is networked, the entire network may be infected in a matter of minutes. The downloaded attachment that brought an entire network down for hours or days might have been avoided if the user had been educated on how a virus arrives from an external source.
As Figure 1 illustrates, security is a chain: if any of the links in that chain are broken, the entire system may be vulnerable (Schneier, 2000) [2]. Experts in the field believe that social engineering will always work because humans inherently want to trust. Humans will trust if they believe that the ‘attack’ is coming from one of their contacts or friends. A good example of this was the “ILOVEYOU worm of the 1990s cloaking itself in an e-mail from people the recipient knew” (Schneier, 2000, pg. 268) [2]. Future attackers will come up with new and creative ways of hiding viruses and worms. Scam artists will develop new ways of obtaining personal information from people in the digital world. The key to protecting a system is to continually educate the users, giving them up-to-date information.
Training Topics
Acceptable Use Policies in Plain English
Before a staff member is asked to read and sign an institution's AUP, it is a good idea to share real-world examples with them. Professional development opportunities during the school year provide time for administrators or presenters to share incidents that may have occurred at neighboring educational institutions. This technique may help staff members understand where many of the policies originate when the district's AUP is created.
Real-World Examples
1. Middleton-Cross Plains teachers served suspensions for inappropriate emails [1]
2. Teacher Fired for Inappropriate Behavior on MySpace Page [2]
3. Teacher Placed On Leave For Inappropriate Behavior [3]
4. Inappropriate school computer use contributed to the death of Phoebe Prince [4]
5. This is not a newsflash: Teachers use social media too [5]
6. Inappropriate Student-Teacher Relationships Online [6]
7. Teacher Arrested for Inappropriate Texts, Touching [7]
8. Broken Trust: Inappropriate student-teacher relationships [8]
Some Acceptable Use Policies use vocabulary terms that can be confusing to users. The following section defines some confusing terms.
Vocabulary
1. Executable Files
An executable file is any file that ends with the extension '.exe'. When a user clicks on an 'exe' file, a built-in routine automatically executes code that can set several functions into motion. Exe files are used to install and run programs and routines (Kayne, 2010) [3]. Executable files are particularly dangerous because a virus or a worm can infect your computer through such a file.
2. Virus
A computer virus is a program that can copy itself and infect a computer without the permission or knowledge of the user. A computer virus has two major characteristics: the ability to replicate itself, and the ability to attach itself to another computer file. Every file or program that becomes infected can also act as a virus itself, allowing it to spread to other files and computers (Antivirus Ware, 2010) [4]. Viruses behave in different ways. Some viruses stay active only while the application they are part of is running; turn the computer off and the virus is inactive. Other viruses will operate every time you turn on your computer after infecting a system file or network.
The following ways are suggestions to limit how viruses infect a computer (Myron, n.d.) [5]:
-Load only software from original disks or CDs. Pirated or copied software is always a risk for a virus. (This is why your school district's network administrator might not allow you to load your own software.)
-Execute only programs whose origin you know. (Programs sent by e-mail should always be treated as suspicious.)
-Computer uploads and "system configuration" changes should always be performed by the person who is responsible for the computer. Password protection should be employed. (This is usually done by district professionals.)
-Check all shareware and free programs downloaded from online services with a virus-checking program.
-Purchase a virus program that runs as you boot or work on your computer. Update it frequently. (Your school district takes care of this already.)
3. Other Types of Malware
Examples: Worms, spyware and trojan horses.
-A worm is an independent program that reproduces by copying itself from one computer to another, usually over a network (a large concern for a school district). Like a virus, a worm worsens the damage it does by spreading quickly from one site to another. Unlike a virus, which attaches itself to a host program, a worm keeps its independence; it usually does not modify other programs (Lehtinen et al., 2006) [1].
-Spyware can detect and report a user's activity on a computer and/or the internet (Lehtinen et al., 2006) [1]. Your school district most likely employs these programs to monitor the use of district equipment and the use of the internet. A specific type of spyware, called a keylogger, can actually record the keystrokes that the user inputs. In the wrong hands, a keylogger can capture sensitive information, including passwords.
-Trojan horses are named for their method of getting past computer defenses by pretending to be something useful (Lehtinen et al., 2006) [1]. When the computer lets the program in, it unleashes its malicious code.
For more information, please refer to another chapter in this Wikibook, Malicious software.
System Access Etiquette
Have you ever logged onto your district's computer and then walked away to do other things? If you answered yes, you may be putting your information and/or the network at risk. Once a computer is logged on, an unauthorized user does not have to go through the process of trying to guess a password. An unauthorized user may change a grade, write an e-mail posing as the authorized user, upload a malicious program, install spyware-type software, or delete important information from the authorized user's account.
Lehtinen et al. (2006) [1] have some suggestions on how users can be the first line of defense for the network:
-Protect your password and do not display it.
-Create a password of healthy length. (For more on this, please refer to another chapter of this Wikibook, Safeguarding passwords for today's technology.)
-Refrain from using a district account for personal use (social networking- Facebook, Twitter, MySpace, online shopping, personal communication, etc...)
-Do not allow another user to use a computer you have already logged into.
-Log out of applications when finished using them.
-Log out of computer while not in the classroom.
-Refrain from logging into more than one station.
-Do not open any attachment with the file extension (.exe) because it is an executable file and may harm your computer or the entire network. Recall the definition of an executable file in the vocabulary section of this chapter.
-Do not respond to any e-mails asking for sensitive information such as your password, phone number and/or address. For more on this, please refer to the phishing section in this chapter.
-Report any suspicious e-mails and unauthorized changes of protected information, and monitor student use of the system.
Phishing
A specific type of social engineering attack can occur digitally through the use of phishing. “Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization” (McDowell, 2004, para. 2) [6]. Such trustworthy organizations can include charity foundations, educational institutions, and/or health-related establishments. Users of a district's network need to be particularly aware of phishing scams. A phishing scam will most likely come to the user through e-mail. A sender might ask for sensitive information such as the recipient's username, password, phone number, address, etc. Users should NEVER give out this sensitive information. All phishing-type e-mails need to be reported to your network administrator immediately, because you may avoid the scam, but your colleagues may not.
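As an added illustration (not part of the original chapter), the following Python script applies the chapter's two e-mail rules, never open a .exe attachment and never answer a request for sensitive information, to constructed sample messages; the sender addresses, subjects and message text are made up, and the $10 coupon lure mirrors the example from The Weakest Link section.

```python
import email
from email import policy

# Red flags taken from this chapter's guidance: executable attachments
# and requests for the kinds of sensitive information listed above.
EXECUTABLE_EXTENSIONS = (".exe",)
SENSITIVE_TERMS = ("password", "username", "phone number", "address")
REQUEST_PHRASES = ("reply with", "send us", "confirm your", "provide your")

# Constructed sample messages (not real mail).
COUPON_LURE = """\
From: coffee@example.org
To: teacher@example.edu
Subject: Free $10 coupon
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Open the attachment to receive your $10 coupon.
--XYZ
Content-Type: application/octet-stream; name="clickhere.exe"
Content-Disposition: attachment; filename="clickhere.exe"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxl
--XYZ--
"""

PASSWORD_LURE = """\
From: helpdesk@example.org
Subject: Account verification
Content-Type: text/plain

Your mailbox is full. Reply with your username and password to keep access.
"""

def screen_message(raw: str) -> list:
    """Return the reasons a message should be reported; empty list if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():  # only multipart messages have these
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    asks = [t for t in SENSITIVE_TERMS if t in text]
    if asks and any(p in text for p in REQUEST_PHRASES):
        reasons.append("asks for sensitive information: " + ", ".join(asks))
    return reasons
```

Any non-empty result is a message to report to the network administrator rather than act on; a real mail gateway would of course use many more signals than these two rules.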
References
- Lehtinen, R., Russell, D., & Gangemi, G.T. (2006). Computer security basics. Sebastopol, CA: O'Reilly Media, Inc.
- Schneier, B. (2000). Secrets and lies. Indianapolis, Indiana: Wiley Publishing, Inc.
- Kayne, R. (2010). What is an EXE file? WiseGeek. Retrieved from http://www.wisegeek.com/what-is-an-exe-file.htm
- Antivirus Ware. (2010). What is a computer virus? Antivirus Ware. Retrieved from http://www.antivirusware.com/articles/computer-virus.htm
- Myron, H. (n.d.). What is a computer virus? Newton. Retrieved from http://www.newton.dep.anl.gov/teachers/compvir.htm
- McDowell, M. (2004). National Cyber Alert System. Retrieved from http://www.us-cert.gov/cas/tips/ST04-014.html