TOOLS FOR THE TEKS: INTEGRATING TECHNOLOGY IN THE CLASSROOM

Computer Security 101 for Teachers

by Wesley A. Fryer
www.wesfryer.com
September 2004

For most teachers, the topic “computer security” may sound about as interesting as a TAKS test grammar review does to the average fourth grader. However, just as the TAKS test that can become very important for parents and students when it has not been passed, failures to understand computer security issues and act sensibly can lead to significant, negative life events for teachers. These events may be trivial, like embarrassment over accidentally installing a virus or forwarding a virus-infected attachment to a colleague. Or they can be substantial and even life-changing, if they involve the loss of critical computer files not backed up elsewhere or identity theft that can take years to track down and straighten out.

Like many computer related subjects, the arena of security is one fraught with many acronyms and unfamiliar vocabulary words. Discussions about security (especially by “IT experts”) can quickly leave classroom teachers lost amidst a torrent of jargon and technical terms. The increasing importance of computer technology, and the information contained and transmitted by computers used both at school and at home, makes it essential for EVERY computer user to become more aware of security related problems as well as actions which can prevent or help resolve security related problems before or when they occur. This article outlines six different ways classroom teachers can become more proactive in taking computer security threats seriously, and hopefully minimize the potential for these threats to become destructive realities either in their classroom or at home.

A MULTI-LAYERED APPROACH: EVERYONE’S BUSINESS

In its official clinic, “Microsoft Security Guidance Training,” Microsoft recommends that organizations of all sizes use a “Defense-in-Depth” model when approaching security issues. This paradigm calls for a wide variety of proactive security measures at six different levels, starting with basic user awareness and proceeding to encryption of the data eventually transmitted and received over the network by computer users. Microsoft has become, by necessity since its operating systems are the most targeted and exploited computing platforms in the world, an excellent source of information relating to computer security for “average” users as well as IT professionals (www.microsoft.com/security/).

We live in a networked world becoming ever more connected each day. It is essential that every classroom teacher, as well as student on campus, understand computer security is everyone’s business. The behavior of individual users can and does drastically affect the computer use and access to resources for other users on the same local network, and even across the globe. Computer Economics (www.computereconomics.com) estimates virus costs in 2003 worldwide exceeded $12.5 billion. There are both direct and indirect costs when it comes to computer security, and it is always better to prevent rather than patch and repair. An ounce of prevention is worth a pound of cure, both in the doctor’s office and in the arena of computer security.

ACTION ISSUE #1: PASSWORD SECURITY

Every computer user accessing email has a password, and most people today are likely to have more passwords and PIN numbers than they have fingers (and maybe toes!) Access to digital information ranging from email to bank account and insurance information has resulted in a proliferation of passwords, yet most people fail to follow recommended procedures when it comes to password security.

The “best practice” when it comes to password security is to use a “secure passphrase” and not write it down anywhere, and change the passphrase often. The “worst practice” of password security is likely using a common word found in the dictionary or part of someone’s name, and writing it on a post-it note prominently displayed on the computer monitor for easy reference. Few (if any) people I know actually follow this recommended “best practice,” but MANY I know follow the “worst practice” or a behavior pattern that comes very close.

The raw processing power of modern computers is making the true “security” of any password suspect. Computers can now crunch through so many possible passwords using customized hacker dictionaries in such a short amount of time that most passwords can be “hacked” relatively easily. These can include email passwords, WEP passwords used to “secure” home or school wireless networks, as well as other applications. Prospects for a simple computing existence with few usernames and passwords to remember seem rather dim in the early part of the twenty-first century for many. What is a teacher to do? Here are some specific steps EVERY teacher should understand and practice relating to password security:

If you must write down your password, protect the piece of paper containing your username and password like you protect your credit cards. (1) Do NOT write your password on a piece of paper you post on the computer monitor or even leave in your classroom desk. Anyone who obtains your password can virtually “do business” as you in the electronic environment, and every teacher must be acutely aware of the importance of protecting passwords.
If the authentication system you are using does not allow you to use a “password phrase” (composed of several words), use a password with at least eight characters including some “special” keyboard characters. Do not use the word “password,” the name of one of your children, or any common word that can be found in a dictionary as your password.
Never include a password or your social security number in an email message. Unless you are using PGP encryption (www.pgpi.org) or a comparable encryption method, any email you send with either your school district account or another account (like Yahoo mail) can be readily intercepted and read by other prying eyes.
Never enter your social security number or a credit card number on a webpage that is not encrypted (the web address will start with https:// instead of http://.) Even if a webpage is encrypted with a technology like SSL and has a https:// address, it is still possible for hackers to intercept and obtain the information you send electronically. If you make purchases online, consider getting a separate credit card that you use exclusively for online purchases, and request a low credit limit from the bank. Monitor your statements closely for fraud.

ACTION ISSUE #2: SOCIAL ENGINEERING

Computer security continues to get more complex, much to the pleasure of commercial security firms and software manufacturers, and attacks upon computer systems continue to grow more sophisticated and elaborate. While it may take a genius to author and create the hacker tools featuring graphical user interfaces now readily available over the World-Wide Web, it does not take a genius to use these tools. As the volume and complexity of computer attacks increases, the tendency for computer security attacks to involve “social engineering” has also grown dramatically.

“Social engineering” means that the author of a particular virus or computer attack has designed their “product” so it relies on end users taking a specific action in order to deliver the “payload” or release the malicious code into the computer operating system. The author is trying to socially engineer, or change, user behavior. A common example of socially engineered virus email are messages with a subject line like, “Here is the file you requested,” and a zipped file attachment accompanied by a short password in the email message body. Most server-based virus scanning programs are not presently configured to automatically scan encrypted, compressed file attachments like zip files, so malicious hackers have devised a new approach to prevent their virus files from being intercepted before the user gets them: They create an encoded zip file that is sent to the user and not scanned (and blocked) by the email server.

Don’t be a foolish victim of social engineering and follow the instructions of an email like the one previously described! If a user does this, after entering the password to open the encrypted zip file, most likely a virus will begin infecting the local system and possibly other systems on the same network, and the virus may propagate further (and automatically) using the installed email program and address book of the user. Protect yourself and your address book friends by not falling prey to socially engineered email or webpages that encourage you to take action of some type on your computer. When in doubt, ask someone in your district’s IT department before opening a suspicious email attachment or following the advice contained in an unsolicited email message. Attachments with the extensions “.vbs” and “.exe” should always be suspect. Many school districts are now employing email attachment filters which remove these types of potentially harmful files at the server, so the mail message users receive is benign. Even if filtering is employed on the mail server, users should continue to be watchful and vigilant for suspicious email messages.

ACTION ISSUE #3: BACKUPS

A common joke among computer security experts explains there are two types of computer users in the world: those who back up their data and those who have not lost any computer data yet. Every computer is susceptible to theft. Other problems including power surges or destructive viruses can cause data to become lost or irreparably damaged. If data you save on the computer is important to you, make sure it is being regularly backed up.

Files saved on a network server should be regularly backed up to a removable media of some type, which is physically stored off-site to protect against a fire loss that consumes the entire building. Check with your district IT department about the status of network backups, and find out how often your network user folder (if you have one) is backed up. If a network user directory is available to you and is regularly backed up, get in the habit of using it to save all your school data. This is analogous to driving with car insurance, instead of driving without it like teachers who save everything in “My Documents” without ever making their own file backups.

Files saved on a local hard drive in your classroom are most likely not backed up at all. If you maintain your own electronic gradebook, consider keeping printed copies of all grades at the end of each term along with electronic backups. Key drives or thumb drives, which connect to an open USB port on your computer, offer large storage capacities and may have enough room for you to backup most or all of your school documents on a regular basis. To answer the question, “How often should I backup my data?” ask yourself how many days back you would be willing to go and lose all the new data you have entered into your computer. That answer should define your own data backup schedule, which should be in addition to network backups handled by your district IT department.

ACTION ISSUE #4: ANTIVIRUS AND SPYWARE/ADWARE REMOVAL SOFTWARE

Unless you are a Macintosh user running OS X, always make sure you are running antivirus software on your computer with current virus definitions. (While there have been “proof of concept” viruses for Mac OS X, as of early fall 2004 there have not been any actual viruses written for and reported on OS X.) Make sure your virus program is scheduled to perform regular scans of your entire hard drive and network documents directory, as well as having “realtime protection scanning” enabled.

Unfortunately, antivirus software is proving to be inadequate to protect computer systems against proliferating spyware and adware programs often installed by naïve and unaware Windows computer users. The website GetNetWise has an excellent spotlight section on Adware and Spyware, including information about different tools that can be used to find and eliminate these programs (www.getnetwise.org/spotlight/). Another good source to find current, popular and safe adware/spyware removal tools is CNET’s download center (www.download.com). Search for the word “spyware” and sort the resulting list by number of total downloads to see ratings and more information for the most popular software tools. Use caution when choosing to remove installed programs on your computer: if the infected computer is at school in your classroom, ask the IT department to take care of these problems for you. If the computer is your own laptop or a home computer, however, you may have to attempt removal of adware/spyware yourself, or find a computer-savvy friend who can assist in this process.

ACTION ISSUE #5: SOFTWARE AND OPERATING SYSTEM UPDATES

Keep your computer up to date with the latest security patches from the operating system manufacturer. This includes Macintosh as well as Windows-based computer systems. Each computer you use should be configured to, at a minimum, automatically download available security updates for your computer and inform you when they are ready to be installed. This should be done on at least a weekly basis. Many common computer viruses are not able to infect computer systems that are patched/updated with the latest software updates from the manufacturer.

Be aware that updating operating system software on your computer may, in some cases, make specific software applications on your computer inoperable. It is important for this reason to not only check regularly for operating system updates, but also software updates for the programs you use most frequently. Again, at school hopefully the IT department will take care of these technical details for you.

Do not install major operating system updates on your school computer, like Microsoft’s Windows XP Service Pack 2 (www.microsoft.com/athome/security/protect/), without first checking with your IT department to see if the district’s computers should use this update yet. When a major new update to an operating system is released, it often pays to not be an “early adapter,” since some bugs and problems are inevitable with a major upgrade. The much more locked-down and customizable features relating to security included in the Windows XP Service Pack 2 are likely desirable for both school and home computers. Before, during and after installation of these updates, however, users should be aware that the functionality and performance of many programs (especially those affected by tighter firewall settings) may be affected.

ACTION ISSUE #6: PREVENT HACKER ATTACKS

A firewall is a virtual protective barrier which can prevent electronic access, either outgoing from or incoming to your computer. At one time in the not-so-distant past, a single firewall for all users in a school district was adequate protection against security threats. In today’s increasingly complex computer security environment, however, it is vital that each computer workstation as well as server computer connected to a network be protected with a firewall, as well as antivirus and anti-spyware/adware software applications previously described.

As the number of home users with broadband Internet access (cable or DSL modem) continues to increase, the need to secure home networks is also growing. Linksys (www.linksys.com) is a popular brand of home Internet routers and hubs which can share a single broadband connection with multiple computers, connected both with fixed wires as well as wireless network access cards. Whether you use a Linksys product or not, their recommendations for securing a home wireless network are good advice (www.linksys.com/splash/wirelessnotes.asp). If you do not follow these recommendations, it is likely a neighbor could (or maybe already has) gained access to the Internet through your connection, which is traceable to your home address, and could download pornography or other illicit materials over your Internet connection without your consent or knowledge. Linksys recommends at a minimum, home wireless networks should:

Turn the broadcast SSID name off and change the default SSID name on your wireless router/access point. This may prevent someone from easily “browsing” onto your wireless home network, because the name is not broadcast in standard format using a standard name. For example, by default all Linksys wireless routers have the SSID name "linksys." Consult the user guide for your wireless router/access point to learn the default IP address, username, and password used to make these configuration changes using an Internet browser like Internet Explorer.
Change the default password for the administrator account, and change it often. This can prevent someone from taking over administrative control over your Internet routing device.
Enable “MAC address filtering.” In this context, “MAC” does not refer to Macintosh, but to the unique identification number associated with each network adapter (wired and wireless.) WEP password encryption is falsely perceived by many to be a secure way to control access to a home or campus wireless network, but WEP passwords can be relatively easily defeated using a variety of tools readily available online. By enabling MAC address filtering, only computers with MAC addresses entered into the routing device are permitted to use the network and access the Internet.

None of these methods are failsafe as far as keeping determined and knowledgeable hackers out of your home wireless network, but they certainly can make the prospect much more difficult. Like an installed home burglar alarm, hopefully steps you take at home to safeguard your network will cause potential wrongdoers to perceive your wireless network as a relatively difficult (and therefore not worth the effort) network to hijack for a free ride on the information superhighway, and they will opt to go elsewhere.