Ed tech companies are not immune to hackers and vulnerabilities. But schools can protect themselves
A few years ago I was attending a meeting at my county office, where a vendor who runs a popular education site was making a presentation. If I’m being honest, I’ll admit I wasn’t paying close attention. It was a product our district was already using, and I was our top level administrator for my district’s domain on the site. Stifling a yawn or two, I started to do what any bored student would do—see if I could break stuff.
Eventually, I happened upon an exploit by chance. I was working both in my district’s instance (the domain and accounts registered for our schools) as well as the one the county office set up for this presentation. Sometimes when I signed out of one, it signed me out of the other as well.
I signed into my district as the top-level admin, and then redirected to the county site by simply changing the URL. In doing so I gained top level privileges to the county’s instance, too, which should have been reserved exclusively for the vendor reps making the presentation. I raised my hand and asked, “Do you know someone can gain higher privileges than they should have?”
In response I was told, “That’s not possible.”
So, I deleted parts of the presentation content I shouldn’t have had access to. Now I had their attention.
Next page: How secure is student data, really?
The reps said they’d pass my report of the vulnerability along to the development team. I tend not to make too many friends at these meetings.
Being online means accepting risk
Attacks and data theft are all over the news (think: Sony Pictures). Both high and low profile targets are breached every day it seems, and the trend doesn’t appear to be letting up. As a teacher or administrator using various web-based tools, the question will probably come up, “How secure is my and my students’ data?” It’s an important one, and the only antidote to paranoia is knowledge.
There are two primary categories of attacks. The first are known vulnerabilities. The attack I performed at the county meeting was a known vulnerability, commonly known as cookie hijacking. The cookie I hijacked was the cookie generated when I logged into my district’s instance of the service. Poor security signing from the website allowed a session cookie to be used in multiple places, including other computers and accounts that should not have access. In this case, the developers quickly corrected the oversight. That’s the issue with known vulnerabilities: they are caused by human error. The method of each attack is well known, therefore everyone should be diligent following the practices and procedures to keep these security holes closed.
The other category is known as “zero-day” vulnerabilities. Zero-day, as in the number of days the vulnerability has been known. Very recently, Adobe Flash player has had a number of zero-day vulnerabilities focused against it resulting in a flurry of patches and advisories to switch the plugin to manual activation in your web browser. Zero-day vulnerabilities are very challenging to guard against, and also very challenging to find.
Next page: What you can do to protect your school
The risks are manageable
The relative difficulty of discovering new zero-day attacks means that these methods fetch a hefty sum in underground trading due to their rarity. Typically those who are purchasing the heretofore unknown exploits are looking to make a return on their investment. Schools, and the services that work with schools, are low priority targets, as frequently the data isn’t valuable to hackers. The most valuable resource schools provide to criminals are the many computers on fast internet connections to create a bot-net—a remotely controlled collection of computers used to send spam or other nefarious data.
Known vulnerabilities are more common and there is extensive information about how to exploit the holes, and protect against them on the internet. Keep up with all of your updates (you have moved on from XP, right?) and follow established good practices and you will have very few vulnerabilities.
What you can do
While you can take steps to secure your own resources, the data you send to online partners is dependent on those companies following best practices as well. The first thing to think about is what data is being sent to your partners. An example might be using an ID which is not confidential. Every site needs a unique ID for each student, and some will ask for the Statewide Student ID, but in many cases other, less sensitive data can be used.
Another consideration is how the services acquire student information. Creating an exemption in the firewall to make a connection, sending information over unencrypted connections (like email), or making a direct connection to the student information or the directory server are all practices that significantly increase your exposure to security breaches.
The last consideration is to check if your online partner has made the appropriate preparations themselves. Here are some questions to ask that will help in determining if they have the right precautions in mind: How do you monitor for data breaches? What is your protocol and notification policy after finding there was a breach? What backup and disaster recovery methods do you have in place?
If you’re doing everything you can do, the remainder of the responsibility is on them. A responsible partner will have answers ready for these questions and will take your concerns seriously. If the response is “That’s not possible,” it may be time to leave your partner—and their vulnerabilities—behind.
Jared Prolo is coordinator of assessment, research, and evaluation services for the San Mateo-Foster City School District in California. Previously he served as IT program specialist and technology facilitator.
- TC- What student choice and agency actually looks like - November 15, 2016
- What student choice and agency actually looks like - November 14, 2016
- App of the Week: Science sensor meets your smartphone - November 14, 2016