NYSIR/Wright Risk Management Seminar Managing Internet


Risk Management for Technology Exposures
Common Internet Risks - Students
Common Security Risks
Prevention
Common Internet Risks - Employees
Managing Internet Risk
Recovery
Forensics
Security Audit
Sunshine Laws and Public Records
© Copyright Lower Hudson Regional Information Center (LHRIC).
Managing Security Risks
Firewalls
Applications
Servers & Network
Policies
Desktops
User Awareness
Employee Risks
Personal Use
Privacy
Improper Access
Advertising
Politics
Fundraising
Harassment
Copyright
Confidentiality
Teacher Web Sites
Teacher Links
Internet Risks - Students
Improper Access
Harassment
Pedophiles
Copyright
Managing Internet Risks
Educational Forum
Disclosure and disclaimers
Enforcement
Educational Restrictions
District Strategies
Sunshine Laws & Public Records
Open Meetings Law
FOIL & E-Document Policy
Domain Names
CIPA & E-Rate
How Bad Is It?

Security incidents are rising exponentially
• 128,678 incidents from July 1-December 31st, 2001
• 2,437 vulnerabilities reported – double the previous year
• 41% of companies experienced “critical attacks”
• 12.7% encountered 1 “emergency” and had to use recovery measures

Source: Washington Post, January 28, 2002
Tension between security and ease of use
Many/most serious security incidents are caused by your own students and disgruntled employees
Internal Hacks
60%-80% of hacks are internal (FBI)
Unauthorized intrusions
• Admin accounts; SASI access
• Personal laptop connected to school system
Changing settings
• Librarian’s surprise
• Superintendent’s private files
Employee with backdoor access

Internal Hacks
Anonymous surfing - Port 443
Hacked web sites
Inadvertent damage
• Loading software from home
• Deleting important configuration files
• Attempting to help and wiping our systems
Internet Hacks
E-Mail borne virus:
• I Love You; Melissa; Anna K; Sircam; Code Red; Nimda
• Bubbleboy
Worms:
• SQL Slammer; Polymorphic worms
Internet Hacks

Denial of Service attacks
• Examples

Parasitic attacks
• T1 used 24 hours per day
• Wireless scan
• Spamming and rejected e-mail

Copyright infringement
• Software piracy
• Copying materials without permission
• Copying materials without citing sources

Improper Access

Access to Obscene and Inappropriate Material from the School’s System
• Inadvertent Access to Pornography: “It was an innocent search”
• Domain name spoofs
• Hate Sites … How to Build a Bomb...
• Doom & Duke Nukem
• 65% of T1 used for music downloads and uploads
• 11 Year old wins E-Bay bids in excess of $900,000
Pedophiles

Common profiles and operating procedures
• Chat Rooms
• Bulletin Boards
• Working with Law Enforcement Officials

Harassment
Schools close in January on Internet threat
• The Secret Service?
• “Bathroom Walls” Incident
• New Rochelle Harassment
• Mr. Bungle

Copyright Infringement

Everything on the Internet is protected by Copyright
• If employer has the right & ability to supervise the actions of the employee & has a financial interest in exploitation… even if the employer didn’t know… he may be liable

Copyright Infringement
Students cutting and pasting parts of Web pages onto their own
Improper use of student material

Establish an Educational Forum
Ensure that policy and practice are aligned
Ensure that the AUP is signed - affirmative consent
You can allow limited “self-discovery”

Disclosure and Disclaimers

What services will or will not be provided:
• E-mail, FTP, Telnet, Listservs, Chats
Not responsible for interruptions & errors in service
Not responsible for content, quality, accuracy of services, products, and information
Are you using filtering or monitoring software?
Not responsible for loss or damage from “Viruses”
Third Party links
District Strategies
Supervise!
Educate staff, students, and parents
Develop a site limitation strategy
Develop a solid AUP
Keep policy decisions at the highest level

Educationally Based Restrictions

Criminal speech:
• Threats to the President, instructions on breaking into computer systems, child pornography, drug dealing, alcohol purchase

Unauthorized access
• Login as someone else
• Browse someone else’s files

Educationally Based Restrictions

Inappropriate speech:
• Obscene, profane, vulgar, threatening, harassment, personal attacks, prejudicial, discriminatory, defamatory
• Dangerous information (if acted upon could cause damage)
• Violations of privacy (revealing personal information about others)

Educationally Based Restrictions

Inappropriate speech:
• Abuse of resources (chain letters, “spamming”)
• Copyright infringement or plagiarism
• Violations of personal safety (revealing personal contact information about self or others)
Enforcement - Due Process

If it is educational, access can’t be denied, restricted or suspended without due process.
• Notice to student of alleged violation
• Opportunity for student to respond to allegation
• No denial of an account in advance of a hearing

Cases:
• Missouri suit
• Arkansas suit
• Ohio suit
• Pennsylvania expulsion upheld
Court to school district: You can't stop a kid from creating
a personal web site critical of your schools: Missouri
school district becomes the latest to learn the hard way
From eSchool News staff and wire service reports February 1, 1999
Sending a clear signal to educators everywhere, a federal judge ruled Dec. 28 that
Woodland School District in Marble Hill, Mo., violated a high school student's free
speech rights when it suspended him for posting a personal web page criticizing his
school. The ruling makes clear that schools have no jurisdiction over what their students
do in cyberspace, provided it's done on their own time and from their own computers.
U.S. District Court Judge Rodney Sippel issued a preliminary injunction that prohibits
the district from using the suspension against student Brandon Beussink in grade and
attendance calculations. It also bars the district from punishing Beussink or restricting
his ability to post his home page on the internet.
"Dislike or being upset by the content of a student's speech is not an acceptable
justification for limiting student speech," Sippel wrote in his opinion.
Newslines--Arkansas district settles lawsuit over student’s
sexually explicit web page
eSchool News staff and wire service reports October 1, 2000
Arkansas’ Valley View School District has settled a lawsuit involving a student’s internet site so
it could begin the school year without the distractions of a court hearing, a school district
attorney said Aug. 18.
Dan Bufford said the court case was causing too much disruption. “We were looking at sending
six to eight teachers, seven to eight students, and three sets of parents from Jonesboro to Little
Rock to testify,” Bufford said. “The distractions and the expense of that was just too much.”
The American Civil Liberties Union sued the school district, contending the district wrongly
suspended Justin Redman for 10 days. He was suspended for producing a web site that mirrored
the school’s official web site, but included sexually explicit photos and text, some of which
named other students and administrators.
John Burnett, the ACLU’s state legal director, said the settlement doesn’t mean the organization
agrees with the district’s actions. “Every school board and every school board attorney in the
state is going to know about this case,” he said. “The schools are going to have to come to
realization that, just as they cannot visit discipline on students for something they said at a
weekend party, they cannot do it because of something a student said on the world wide web.”
District must pay teacher-bashing student $30K: Court
overturns suspension and upholds protection of student
speech on the internet
Gregg W. Downey May 1, 1998
A school district will pay $30,000 to one of its students who was suspended for making
fun of his band teacher on the internet, according to the Associated Press (AP). In
return, the student will drop his half-a-million-dollar lawsuit against the district for the
10-day suspension, AP reported.
Superintendent Beverly Reep of the Westlake school district in suburban Cleveland was
ordered in March by a federal judge to reinstate 16-year-old Sean O'Brien. O'Brien had
been suspended for using his home computer to create a web site disparaging a band
teacher.
The superintendent said the district suspended O'Brien for violating a policy forbidding
students from showing disrespect to employees. A federal court told the school district
to stop trying to restrict O'Brien's right to free expression.
Pennsylvania judge: Expelling student for web site threats
is OK
From eSchool News staff and wire service reports September 1, 1999
A Lehigh Valley, Pa., school district did not violate a student’s constitutional right to
free speech when it expelled him last year for allegedly threatening a teacher on his
personal web site, a Northampton County Court judge ruled July 23.
Justin Swidler, now 15, was expelled in August 1998 after Bethlehem Area School
District officials saw his web site, in which he allegedly asked for donations to hire a hit
man to kill Nitschmann Middle School math teacher Kathleen Fulmer. Swidler’s family
described the site as an attempt at satirical humor, not a terrorist threat.
The long-since-dismantled web site reportedly had a heading saying “Why She Should
Die” above a sentence reading, “Take a look at the diagram and the reasons I give, then
give me $20 to help pay a hit man.”
Enforcement - Consistency

Schools have double standard for computer vandalism and crime
• “It was just a joke.”
• Nerd discipline
• School yanks Internet access
• Legal punishments
• Incident policy
• $10,000 damage award
The Evolution of 'Nerd Discipline'
As with most schools, our overall experience with computer technology,
classroom applications, networks, and controlled internet access has been positive and
productive. There is, however, a small, smart, and venturesome
segment of our student population whose actions sometimes make it otherwise.
These are individuals who use school computers--occasionally in conjunction with computers at
home--to test every rule, procedure, and established
guideline ... and thus challenge us to
devise new and different ways of dealing fairly and effectively with a whole new category of
"electronic" infractions. The infractions can range in severity from downloading objectionable
material to exchanging passwords, and from intentionally deleting student files to planting
software devices designed to disable one or more targeted workstations, a whole department, or
the school's entire network.
Through constant monitoring and review of policies and rules, we can make
every school's experience with computer technology as positive and productive
as it can and should be.
Jeannine Clark is an assistant principal at Clarkstown High School North in New City,
N.Y., and the school's building coordinator for the district's technology initiative.
School yanks student internet access
By Rebecca Flowers May 1, 1998
A school in Cloverdale, Calif., is being criticized for its decision to shut down student access to the internet
after two local teens were accused of hacking Pentagon
computers. Some charge the school overreacted in issuing the internet ban, but school officials disagree.
The two students, sophomores at Cloverdale High School, have not been charged with any crimes, and
investigators are certain the school's computer network was not used during any of the attacks. But the fear of
sabotage or retaliation compelled school officials to close down access to the internet for all students at the
school on March 5.
Although the FBI had not contacted the school, John Hudspeth, the boys' computer science teacher, disabled
the hackers' network accounts and froze their personal directories.
"We had tried to limit the privileges of only the two hacking students, to allow the rest of the student body
and faculty to enjoy continued online services," said Bill Cox, president of the board of education. "But either
other students were helping our hackers out of friendship or because they saw hacking as 'cool’ or our
hackers had captured other account passwords and were using those accounts in direct violation of our
Acceptable Use Contract that all network users sign."
Threats of further retaliation in the Wired article coupled with attacks on one of the ISPs were enough to
convince Cox that strong action was necessary. "Do we just wait around for our high school server to be
trashed?" he said. School officials said the temporary suspension was needed to allow them to regroup and
learn more about security. Cox also felt that the student body needed to think about the hacking issues in a
more reasoned light.
Enforcement - Legal Charges

Some of the Legal Charges Against Students/Staff

1st Degree Computer Tampering -Felony
3rd Degree Computer Tampering - Felony
2nd Degree Aggravated Harassment - Misdemeanor
3rd Degree Possession of a Controlled Substance - Felony

1st Degree Attempt to Distribute Indecent Material to Minors



Enforcement
Who do I call?
When should I escalate?
How do I secure the evidence?
How do I limit the damage?
What long term actions are needed?

Personal Use

“School computers, networks, and Internet access are
provided to support the educational mission of the
school. They are to be used primarily for school-related
purposes. Incidental personal use must not interfere with
the employee’s job performance, must not violate any of
the rules contained in this policy or the student AUP, and
must not damage the school’s hardware, software, or
communications systems.”
• NSBA Legal Issues and Education Technology
Privacy

Parents & Public can access Web Logs
• Exeter Schools
• Indiana Superintendents

E-Mail is discoverable in litigation
• Utah lawsuit

School Board’s e-communications may be in violation of state’s Sunshine Laws
• South Carolina, Pennsylvania
Court: Schools must let parents view internet-use logs
From eSchool News staff and wire service reports
November 20, 2000
In a decision with broad implications for schools nationwide, a New Hampshire judge
has ruled that the Exeter school district must make public copies of its internet history
logs so a father can check whether officials are doing enough to keep pupils away from
the web’s seedy side.
James Knight, a father of four whose children attended district schools until recently,
filed a lawsuit asking a judge to force the district to hand over its internet logs after
educators decided not to use filtering programs on computers children use.
The programs, which have been criticized for their accuracy, block access to
objectionable internet sites. The district decided to use supervision and spot checks by
teachers instead.
Superintendents’ use of school computers questioned
From eSchool News staff and wire service reports
March 5, 2001
An investigation of computer records from 49 Indiana school districts by the Indianapolis Star
has raised questions about what constitutes appropriate use of computers by administrators. In a
Feb. 18 story, the Star reported that superintendents who are in charge of enforcing their districts’
web-surfing policies often violate their own rules. While many school internet policies say web
surfing should be for educational use only, some Indiana superintendents are shopping for cars,
planning trips, and looking for other jobs on their district-issued computers, the Star reported.
In fact, one superintendent’s internet records reportedly included two sites with pornographic
material—an apparent violation of common school district internet policies, and one that cost
former Hamilton Southeastern Superintendent Robert Herrold his job in September. It was
Herrold’s example that prompted the Star’s investigation.
The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites
clearly were education pages. But 3,000 other sites—some of which also could have been viewed
for educational purposes—ranged from the popular Amazon.com shopping site to more obscure
sites.
DA eyes agency's failure to release school internet logs: Utah
Education Network faces sanctions for overwriting data it was
ordered to disclose
Rebecca Flowers October 1, 1998
Failure to hand over certain logs that track the wanderings of school computer users on
the world wide web--including records showing attempts to visit sexually oriented or
other banned sites--could result in a criminal investigation by a county district attorney
in Utah. The target of the probe: the Utah Education Network (UEN), a public/private
consortium that provides internet service to Utah's K-12 school districts.
In April, Michael Sims, an anti-censorship internet activist, filed for access to the
school computer logs under Utah's sunshine law. He wanted to check what web sites
were being blocked by internet content filters used by Utah schools.
At first, UEN officials refused Sims' request, claiming they didn't own the logs. They
said those records belonged to the individual school districts. Sims appealed that denial
to the State Records Committee. At a hearing last month, the committee agreed with
Sims and ordered that the computer logs, purged of any confidential material, be
released.
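The Utah and Exeter rulings above turn on releasing internet-use logs with the confidential material purged. The following is an added example (not part of the seminar materials) of how a district's technology staff could prepare such a release: it assumes a simplified proxy access-log layout (constructed below), replaces the fields that identify a person (client address and login name) with keyed pseudonyms, strips query strings, and tallies which hosts the filter blocked, so a requester can see what was visited and what was blocked without learning who visited it.

```python
"""Prepare internet-use logs for public release with identities purged.

Added example, not part of the seminar materials. The log layout is an
assumption: epoch timestamp, client IP, login ("-" if none), proxy
result code, requested URL.
"""
import hashlib
import hmac
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log, including one corrupt line that must not leak.
SAMPLE_LOG = """\
1014211200.123 10.20.30.41 jsmith TCP_MISS/200 http://www.nasa.gov/
1014211260.456 10.20.30.41 jsmith TCP_DENIED/403 http://casino.example/?ref=jsmith
1014211300.789 10.20.30.77 agarcia TCP_MISS/200 http://www.loc.gov/
1014211340.111 10.20.30.41 jsmith TCP_DENIED/403 http://casino.example/login
1014211400.222 10.20.30.90 - TCP_MISS/200 http://www.weather.gov/
this line is corrupt and must not leak through
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<url>\S+)$"
)


def pseudonym(identity: str, key: bytes) -> str:
    """Keyed hash: one person maps to one token within a release, but the
    token cannot be reversed or linked to another release without the key."""
    digest = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:8]


def scrub_url(url: str) -> str:
    """Drop the query string and fragment; search terms and session ids in
    them are confidential even when the host is not."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def redact_line(line: str, key: bytes) -> Optional[dict]:
    """Parse one log line into a releasable record, or None if it is
    malformed (malformed lines are dropped rather than copied verbatim)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    identity = m["user"] if m["user"] != "-" else m["ip"]
    return {
        "ts": m["ts"],
        "who": pseudonym(identity, key),
        "denied": m["result"].startswith("TCP_DENIED"),
        "url": scrub_url(m["url"]),
    }


def prepare_release(log_text: str, key: bytes):
    """Return (releasable lines, Counter of hosts the filter blocked)."""
    lines, blocked = [], Counter()
    for raw in log_text.splitlines():
        rec = redact_line(raw, key)
        if rec is None:
            continue
        status = "DENIED" if rec["denied"] else "ALLOWED"
        lines.append(f"{rec['ts']} {rec['who']} {status} {rec['url']}")
        if rec["denied"]:
            blocked[urlsplit(rec["url"]).hostname] += 1
    return lines, blocked


if __name__ == "__main__":
    released, blocked_hosts = prepare_release(SAMPLE_LOG, b"per-release-secret")
    print("\n".join(released))
    print("blocked hosts:", dict(blocked_hosts))
```

The key should be generated fresh for each release and never published, so tokens from one release cannot be joined to another.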
Private web forum snags school board
eSchool News staff and wire service reports October 1, 2000
Members of the Beaufort County (South Carolina) School Board and district
Superintendent Herman Gaither have come under fire for using a private internet
bulletin board to discuss school district matters. The private electronic forum might
constitute a violation of the state’s freedom of information laws, a South Carolina media
attorney says.
The issue raises questions about how existing laws meant to ensure the open exchange
of public information should be applied to modern technologies such as eMail and the
internet.
Gaither said he set up the bulletin board so he could share information with board
members on “sensitive or semiprivate information.” Only Gaither and board members
had access to the site, which let them read and respond to internal messages.
Jay Bender, the attorney for the South Carolina Press Association, said the state’s
Freedom of Information Act prohibits public agencies from using technology to conduct
their business in private and that the bulletin board might violate the law.
Board’s web feedback criticized
Elizabeth B. Guerard, Assistant Editor March 1, 2000
A Pennsylvania school board’s use of comments received over the internet has
set off a controversy involving the state’s sunshine laws, which require open
access to public meetings.
When Central Bucks School District officials were faced with tough decisions
that would uproot and place some 2,800 students in new schools, they solicited
feedback from parents over the internet instead of using the traditional, face-to-face format of a school board meeting.
Administrators at the Doylestown, Pa.-based district—the third largest in the
state—say the process made it easy for them to see where the greatest need for
change was. But some parents who were unhappy with the proposed changes
have questioned the validity of transferring the democratic process online.
For one thing, the hundreds of electronic comments that were posted to the
district’s web site were not made public. Barry Kaufmann, executive director of
Common Cause Pennsylvania, a state public interest lobby, said parents should
be concerned that comments made online were not shared with others in the
community.
Improper Access

Images from web pages are stored in
cache and can be accessed from hard
drive even without Internet access
• Physics Teacher fired
• Dean of Harvard Divinity School
• Child Pornography on school computers
N.J. district sues teacher for allegedly viewing web
porn
From eSchool News staff and wire service reports March 1, 1999
The Bergenfield, N.J., board of education is suing a physics teacher to recoup wages it
paid him while he allegedly viewed computer pornography during school hours. The
viewing took place in a school physics room and included times when students were in
the room, school officials said.
According to the Associated Press, Alan Ross, who taught 11th- and 12th-grade
chemistry, physics, and earth science before being suspended without pay last year, also
has a tenure challenge pending. If Ross is found guilty, he would lose tenure and the
board would be allowed to fire him.
A report on computer-stored information viewed from Nov. 3 through Dec. 19, 1997
showed visits to about 2,900 sites, more than half of which were categorized as adult or
personal. All of the online visits occurred during school time--and about 55 percent
while students were present in the physics room, school officials said. No sites were
visited on the three days Ross was absent during that period, they said.
Harassment

Off color and potentially offensive Internet
jokes and e-mails circulating among staff
may create a “hostile” environment
• Teacher suspended
• Harassment rules apply equally to electronic
communications
• Report abuse
• Take immediate steps
Newslines--Judge upholds teacher’s suspension over
sexually explicit eMail
eSchool News staff and wire service reports September 1, 2000
A judge has upheld the three-week suspension without pay of a Scottsbluff, Neb.,
middle school teacher accused of repeatedly sending sexually explicit materials on
the school district’s eMail system.
Gerald Schmeckpeper was suspended in December for insubordination when he
disobeyed repeated requests to stop his eMail practice. The school board upheld the
suspension in January.
Schmeckpeper argued that he was told only to use caution when opening eMail.
But District Judge Robert Hippe on July 13 said there was sufficient evidence to
suspend Schmeckpeper. Schmeckpeper was receiving and sending eMail with
crude jokes and cartoons and had several sexually explicit pictures stored
electronically, Hippe said.
Copyright
LA Schools sued for $4.8 million in copyright abuse case
LA Schools settle copyright suit
Fair Use suit could influence what schools can publish on the web

Alleged software piracy could cost LA schools $4.8 million
eSchool News Staff Reports August 1, 1998
A coalition of software makers that includes Microsoft Corp. has targeted the Los Angeles Unified
School District (LAUSD), alleging its teachers and other employees have illegally copied software
programs.
The charges of piracy could cost the nation's second-largest school district (after New York City)
nearly $5 million over the next three years.
Under a proposed settlement, the district would pay $300,000 to the Business Software Alliance
(BSA), a trade group based in Washington State that was formed by Microsoft and other software
producers to protect their copyrights.
But the real cost of the settlement, which at press time was still subject to board approval, is the
estimated $4.5 million the district would be forced to spend to replace the unlicensed software
that allegedly has spread throughout its classrooms.
Newslines--LAUSD school board settles software piracy
charge
eSchool News Staff and Wire Reports April 1, 1999
The Los Angeles Unified School District (LAUSD) will pay a computer trade group $300,000 to
settle a lawsuit alleging that copyrighted computer programs were being unlawfully duplicated
for use in schools.
The settlement, approved Feb. 9 by the LAUSD school board, also requires the district to spend
$1.5 million over the next three years on an eight-member team to find and eliminate any
unauthorized software and to train staff and students on district policy prohibiting the unlawful
duplication of computer programs.
The Business Software Alliance, an organization formed by Microsoft Corp., Novell Inc., and
other computer software companies, alleged that the West Valley Occupational Center in
Woodland Hills used unauthorized copies of numerous types of software, including Microsoft
Word and Adobe Photoshop.
The group said it had found at least 1,399 copies of software that it contended were being used
without authorization and asked for more than $562,000 in compensation.
LAUSD officials admitted no wrongdoing, but their legal counsel recommended settling to avoid
an even more costly court battle.
Newspaper 'fair use' challenge could limit what schools
and others post on the web: LA Times and Washington
Post sue web site for copyright infringement
From eSchool News staff and wire reports November 1, 1998
In a case with broad implications about what you can post on your schools' web sites, the Los
Angeles Times and the Washington Post have filed a copyright-infringement lawsuit against the
operator of a site that posts their stories without permission.
The lawsuit, filed Oct. 1 in a federal court in Los Angeles, accuses the Free Republic site of using
hundreds of stories from the two newspapers, violating their copyrights and diverting users and
potential revenue from their own sites.
Rex Heinke, an attorney for the newspapers, said the Free Republic site has been posting the
stories "on a very large scale for a very long time.” Reproducing the stories without the
publishers' consent is financially detrimental to the newspaper companies, Heinke said. The
newspapers rely on hits to their own web sites to generate advertising sales, he said.
The Free Republic site, based in Fresno, Calif., posts the stories and allows users to write
comments about them. The site's operator, Jim Robinson, said he has ignored warnings from the
newspapers because the practice is protected by the First Amendment and the "fair use" doctrine
of copyright law.
Security

Switches
• Physical safety

Routers
• Updates and patches, possible paths

Firewalls
• Updates and patches, DMZ

Security
Passwords
Process for alerts
Forensics
Redundancy and recoverability
• Documentation

Policies
• Reporting, escalating, employees leaving, evidence
Former employee charged with school district hacking
eSchool News Staff Reports March 1, 2000
A former school district worker who quit after being passed over for a promotion was
charged with hacking into his old employer’s computer system.
Randall Chua Antonio, 32, was charged Jan. 24 with seven felonies in connection with
30 computer break-ins over 11 months at the San Diego Unified School District.
Antonio pleaded innocent to the charges, which include disrupting computer services,
destroying data, and accessing a computer system without permission.
He is accused of hacking into the district’s computers so that employees couldn’t access
the system or to destroy data, but authorities don’t believe any student information was
compromised, said Gayle Falkenthal, a spokeswoman for the San Diego County District
Attorney’s office.
Antonio worked nine years at the district’s maintenance operation center, where he
designed and administered its computer system and web site. He quit in August 1998
and the alleged break-ins began a month later and continued for a year, court records
show.
Teacher Web Sites
Sites created by teachers for their students that are not hosted on the school’s computer system may expose the teacher to risk.
Whenever possible migrate the teacher’s site to the school system where he/she is protected by the school’s AUP and computer use policies

Teacher Assigned Links

“The links in this area will let you leave the school district
site. The linked sites are not under the control of the
district, and the district is not responsible for the contents
of any linked site, or any changes or updates to such
sites. The district is providing these links to you only as a
convenience, and the inclusion of any link does not imply
endorsement of the site by the district.”
• NSBA Legal Issues in Education Technology
Confidentiality

The Family Educational Rights and Privacy Act (FERPA) requires schools to have a policy that grants parents the right to inspect and review the educational records of their children within 45 days of a request.
FERPA also requires a parent’s written consent before disclosing personally identifiable information about a student.
Advertising

School employees are often involved in
outside businesses and they may find it
tempting to advertise or solicit using the
school’s e-mail.
• Prohibition should include sending messages
from home or other outside computer to
school district e-mail users.
Politics

Any e-mail sent from the school computer
system contains the school’s return
address. It is the same as using the
school’s letterhead. Accordingly,
employees should be put on notice not to
have their own opinions mistakenly
attributed to the district.
• Superintendent’s e-mail sparks state inquiry
Newslines--Middle school principal suspended for eMail
violation
eSchool News Staff and wire service reports February 1, 2000
A Massachusetts middle school principal was suspended for 10 days because she sent an
eMail message to her staff urging them to vote for a political candidate. Mary A. Toomey,
principal of the South Lawrence East School, might also have violated state ethics laws.
“As a result of the investigation, I determined that Mary Toomey exercised poor
judgment,” said Lawrence Public Schools Superintendent Mae E. Gaskins.
Toomey eMailed the school’s staff soliciting their votes for Nancy J. Kennedy, who was
running a sticker campaign for school committee. She sent the eMail the day before the
Oct. 5 primary election.
The eMail said Kennedy needed voters to place stickers printed with her name directly
on the ballot. The stickers would be available at the school’s front office, according to the
eMail message. Kennedy received the votes she needed and went on to win a spot on the
committee. School committee spokeswoman Martha E. Previte said Toomey should
have received a harsher punishment.
Fundraising
Schools may decide to permit fundraising with prior approval or they will prohibit it.
If they permit fundraising activity they must be careful not to discriminate and bar any speakers based on the message.

Sunshine Laws

The use of e-mail and conferencing tools has raised questions.
• If one Board member e-mails another about
school board business is that a violation of the
state’s sunshine laws?
• How about when board members use the
telephone, e-mail, or faxes to poll one another
about board business?
• What about soliciting feedback from the public
electronically?
Private web forum snags school board
eSchool News staff and wire service reports October 1, 2000
Members of the Beaufort County (South Carolina) School Board and district
Superintendent Herman Gaither have come under fire for using a private internet
bulletin board to discuss school district matters. The private electronic forum might
constitute a violation of the state’s freedom of information laws, a South Carolina media
attorney says.
The issue raises questions about how existing laws meant to ensure the open exchange
of public information should be applied to modern technologies such as eMail and the
internet.
Gaither said he set up the bulletin board so he could share information with board
members on “sensitive or semiprivate information.” Only Gaither and board members
had access to the site, which let them read and respond to internal messages.
Jay Bender, the attorney for the South Carolina Press Association, said the state’s
Freedom of Information Act prohibits public agencies from using technology to conduct
their business in private and that the bulletin board might violate the law.
Board’s web feedback criticized
Elizabeth B. Guerard, Assistant Editor March 1, 2000
A Pennsylvania school board’s use of comments received over the internet has
set off a controversy involving the state’s sunshine laws, which require open
access to public meetings.
When Central Bucks School District officials were faced with tough decisions
that would uproot and place some 2,800 students in new schools, they solicited
feedback from parents over the internet instead of using the traditional, face-to-face format of a school board meeting.
Administrators at the Doylestown, Pa.-based district—the third largest in the
state—say the process made it easy for them to see where the greatest need for
change was. But some parents who were unhappy with the proposed changes
have questioned the validity of transferring the democratic process online.
For one thing, the hundreds of electronic comments that were posted to the
district’s web site were not made public. Barry Kaufmann, executive director of
Common Cause Pennsylvania, a state public interest lobby, said parents should
be concerned that comments made online were not shared with others in the
community.
Prevention - Firewalls

What data do you want to protect?
• Known databases such as student and
financial info.
• Local databases kept on hard drives

What is a firewall?
• Not a content filter
Poor configurations and lack of patch maintenance are very common
Personal firewalls for your home

Prevention - Firewalls

Intrusion Detection Software
• 5,000 port scans per day
What is a DMZ?
Web server dilemmas
• Placement of server
• Access for content management
Prevention - Servers

Keep up with server maintenance and security
patches
• Nimda took advantage of known holes
• Code Red and polymorphic worms

Subscribe to virus definitions and be sure to
update
• Not all virus protection software is created equal

Remove all generic and guest defaults after
install
• Web server hacked via generic login

Check for inactive web modules
• They can be accessed and generic setups abused
Prevention - Desktops

A: drive
• Vulnerable to infected floppy disks and other non-authorized files and applications

C: drive
• Vulnerable to configuration changes, and access to
restricted resources (students hid Internet access)

FTP
• Vulnerable to downloads of infected files or other non-authorized files and applications
Prevention - Desktops

Windows Explorer
• Students see all network resources

Right Click
• Students can cut, paste, and delete important
files including system configuration
Prevention - Network

Require specific logons
• Lab aide gave out generic logons so students could bypass the system
• Pornography found on C: drive in teachers’ room

Secure your remote access to network
• Maintenance done by third parties
• Virtual Private Networks (VPNs)

Are your hubs and switches physically secure?
Prevention - Network
Configure your routers with access lists
Check hubs, switches and routers for web management modules and change default passwords

Prevention - Applications

Microsoft Office – “save as”
• Can students see network drives?

Microsoft Office and Encarta templates
• Students get Internet access and can
download unauthorized Microsoft patches
Downloads of plugins and other software
Programming courses such as C++ and Visual Basic
• Students have access to basic network functions
Prevention - Policies

.exe files
• Slow Internet and/or network performance
• Overwhelmed hard drives and network servers

Passwords
• No policy on changing
• Fewer passwords for ease of use purposes
• “Shoulder surfing”, yellow stickies, etc.

Disks from home
• Technical vulnerabilities
• Copyright vulnerabilities
Prevention - Policies

Loading software locally
• Technical issues – not in “Ghost image”
• Printing and application support issues
• Copyright issues
• Accidentally “blow out” system
Docking home computers
• Students running “cracking” programs to access SASI passwords
• Keychain hard drives
Prevention - Policies

Removal of access when someone leaves
• E-mail, Calendar, network logon, etc.

Early notification of problems such as viruses
• What process is in place to notify users of new viruses, etc.?

More than one person with key knowledge and access.
• Network backdoors set up
• Secret backups and password changes done before termination
• 18 months rebuilding the system because of no documentation
Prevention - Policies

Students doing maintenance
• May compromise security intentionally or
unintentionally

Enforcement of Policies
• If practice doesn’t follow policy, then the policies are not valid.
Recovery

Save to the network
• Saving to the C: drive means no backups

Verify that they are done
• Who is responsible? Who is their backup?

External backups vs. internal
Proper tape rotation
Off-site storage
Periodic backup check before an emergency
Recovery

Damaged servers
• RAID drives
• Maintenance contract or spare drives
• Mirrored or backup servers
• Hot site
Routers, switches, hubs
• Maintenance contract or replacements
Recovery
Applications media archived
Escalation procedure to move to recovery more quickly and to limit damage
• May need to isolate problem
• May need to change passwords
Forensics

Log files:
• Intrusion detection logs
• Firewall logs
• Router logs
• Server logs
• Application logs
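The firewall and intrusion detection logs listed above are also where a figure like the “5,000 port scans per day” on the Firewalls slide comes from. The Python script below is an added example, not part of the seminar material: it parses a constructed, simplified deny-log format (the line layout, addresses and timestamps are all invented for the example) and counts a source as scanning when it probes several distinct ports on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): one source probing several ports on
# one host within seconds, one client retrying a single service, one stray deny.
SAMPLE_LOG = """\
2002-01-28T08:00:01 deny tcp 10.20.30.40:51000 -> 192.168.1.10:21
2002-01-28T08:00:01 deny tcp 10.20.30.40:51001 -> 192.168.1.10:22
2002-01-28T08:00:02 deny tcp 10.20.30.40:51002 -> 192.168.1.10:23
2002-01-28T08:00:02 deny tcp 10.20.30.40:51003 -> 192.168.1.10:80
2002-01-28T08:00:03 deny tcp 10.20.30.40:51004 -> 192.168.1.10:445
2002-01-28T08:01:00 deny tcp 172.16.5.9:40000 -> 192.168.1.10:443
2002-01-28T08:01:30 deny tcp 172.16.5.9:40001 -> 192.168.1.10:443
2002-01-28T09:30:00 deny tcp 10.20.30.40:52000 -> 192.168.1.20:22
"""

# Simplified deny-line format assumed for this example (not a vendor format).
LINE_RE = re.compile(r"^(?P<ts>\S+) deny \w+ (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """(timestamp, src, dst, dport) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["dport"])) if m else None

def count_port_scans(log_text, min_ports=5, window=timedelta(minutes=1)):
    """Scans per source: >= min_ports distinct ports on one host inside `window`."""
    events = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))
    scans = defaultdict(int)
    for (src, _dst), evs in events.items():
        evs.sort()
        i = 0
        while i < len(evs):
            ports, j = set(), i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                ports.add(evs[j][1])
                j += 1
            if len(ports) >= min_ports:
                scans[src] += 1
                i = j                   # the whole burst counts as one scan
            else:
                i += 1
    return dict(scans)                  # sample gives {'10.20.30.40': 1}
```

Running this over a day of real deny logs (with the regex adapted to the firewall’s format) gives the per-source scan counts that such a daily figure summarizes; the repeated denies from 172.16.5.9 are not flagged because they hit a single port.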
Forensics

Unique log-ins
Isolate systems
Notify authorities
Print screens (IM’ing, chat, e-mail, etc.)
• Terror threat to local HS
• Ballad of an e-mail terrorist
Hard drive recovery
Anonymizer sites
Open Meetings Law
Electronic distribution of Board packets: OK
E-mail between members is considered a written memo and is discoverable.
Interaction via e-mail, bulletin board, chat, instant messaging, or video conference most likely constitutes a meeting and is in violation.
Open Meetings Law
Resource:
Robert Freeman
• Committee on Open Government
• www.dos.state.ny.us.coogwww.html
• [email protected]
FOIL & e-Document Policy

Are e-mail, web logs, spreadsheets & word processing documents considered records under FOIL?
• Web site logs
• Policy directives
• Correspondence and memos related to business
• Work schedules and assignments
• Agendas and minutes of meetings
• Drafts of documents circulated for comment
• Any document that initiates, authorizes or completes a business transaction
FOIL & e-Document Policy

Administrators must plan for and design a filing structure that can adequately support operational needs and record keeping requirements.
Generally, records transmitted through e-mail and electronic systems will have the same retention periods as records in other formats.
e-Mail addresses of officers and staff & computer access codes are exempt.
• Can be used to gain unauthorized access to a computer or transmit a virus.
FOIL & e-Document Policy

Parents & Public can access Web Logs
• Exeter Schools
• Indiana Superintendents

E-Mail is discoverable in litigation
• Utah lawsuit

School Board’s e-communications may be in violation of state’s Sunshine Laws
• South Carolina, Pennsylvania

Create an Electronic document policy
• Sample
FOIL & e-Document Policy
Resource:
State Archives and Record Administration (SARA)

www.archives.nysed.gov/services/recmgmt.htm
Court: Schools must let parents view internet-use logs
From eSchool News staff and wire service reports
November 20, 2000
In a decision with broad implications for schools nationwide, a New Hampshire judge
has ruled that the Exeter school district must make public copies of its internet history
logs so a father can check whether officials are doing enough to keep pupils away from
the web’s seedy side.
James Knight, a father of four whose children attended district schools until recently,
filed a lawsuit asking a judge to force the district to hand over its internet logs after
educators decided not to use filtering programs on computers children use.
The programs, which have been criticized for their accuracy, block access to
objectionable internet sites. The district decided to use supervision and spot checks by
teachers instead.
Superintendents’ use of school computers questioned
From eSchool News staff and wire service reports March 5, 2001
An investigation of computer records from 49 Indiana school districts by the Indianapolis
Star has raised questions about what constitutes appropriate use of computers by
administrators. In a Feb. 18 story, the Star reported that superintendents who are in charge of
enforcing their districts’ web-surfing policies often violate their own rules. While many
school internet policies say web surfing should be for educational use only, some Indiana
superintendents are shopping for cars, planning trips, and looking for other jobs on their
district-issued computers, the Star reported.
In fact, one superintendent’s internet records reportedly included two sites with
pornographic material—an apparent violation of common school district internet policies,
and one that cost former Hamilton Southeastern Superintendent Robert Herrold his job in
September. It was Herrold’s example that prompted the Star’s investigation.
The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the
sites clearly were education pages. But 3,000 other sites—some of which also could have
been viewed for educational purposes—ranged from the popular Amazon.com shopping site
to more obscure sites.
DA eyes agency's failure to release school internet logs: Utah
Education Network faces sanctions for overwriting data it was
ordered to disclose
Rebecca Flowers October 1, 1998
Failure to hand over certain logs that track the wanderings of school computer users on
the world wide web--including records showing attempts to visit sexually oriented or
other banned sites--could result in a criminal investigation by a county district attorney
in Utah. The target of the probe: the Utah Education Network (UEN), a public/private
consortium that provides internet service to Utah's K-12 school districts.
In April, Michael Sims, an anti-censorship internet activist, filed for access to the
school computer logs under Utah's sunshine law. He wanted to check what web sites
were being blocked by internet content filters used by Utah schools.
At first, UEN officials refused Sims' request, claiming they didn't own the logs. They
said those records belonged to the individual school districts. Sims appealed that denial
to the State Records Committee. At a hearing last month, the committee agreed with
Sims and ordered that the computer logs, purged of any confidential material, be
released.
E-Document Policy
• Create and enforce an e-document policy that
minimizes the time the information is stored
• Enforce the policy in a uniform way
• Create a litigation response that preserves data at
the outset of litigation
• Educate employees on the need for a business
approach to e-documents
– NSBA Legal Issues and Education Technology
Domain Names

Norwichschools.org vs Norwichschools.com
• Purchase all available names

Maintain all school domain names rigorously
• Porno site appears under school name
• High cost of re-purchase

Legitimate third parties have put up school web sites that many parents believe are the “official” school site.
• Irate e-mails that school didn’t respond
CIPA & E-Rate
Must certify that all users are protected from inappropriate materials
Must have public meeting
Must have AUP
