Not many schools in today's world take cybersecurity seriously. Over the last couple of years, we faced some significant security breaches in our school: in one instance our school information system got hacked through the Struts vulnerability, and in another a lot of email accounts were hacked as a result of phishing.
After analyzing for days, we noticed that we were a constant target for bots and hackers on all of our public-facing sites. Even if you have a firewall to keep threats away, you are still susceptible, especially to zero-day vulnerabilities. Another thing to keep in mind is that over 90% of attacks are due to human error (like submitting your credentials through a phishing link) or users going to the wrong sites.
To keep up with the ever-growing threat of cyber attacks, I came up with a four-pronged approach to keep our school safe from cyber threats.
I classified them as:
- Server Security
- Network Security
- Client Computer Security
- Cyber Security Awareness / End User Training
1. Server Security
1.1 Server Software Updates and Patches: In order to protect the servers, we installed the latest patches and updates on all servers. Quite often server administrators think installing patches and updates is not necessary or not very important, but we learned it the hard way when one of our systems got affected by the Apache Struts vulnerability. Always schedule a weekly or monthly downtime for your servers to be updated.
1.2 IPS / IDS and Firewall on all servers: We used the ever-reliable Symantec Endpoint Protection; although it says endpoint protection, it worked for our servers too. We left the IPS and IDS at their default settings and configured the firewall to allow traffic to only the required ports. From the logs, it was clear that it was blocking IP addresses trying to exploit the vulnerabilities.
1.3 CloudFlare (WAF & DDoS): We set up CloudFlare as additional security for any visitors trying to get to our public-facing websites, like the school website or school information system. What CloudFlare does is create a barrier between the public cloud and our servers: CloudFlare scans the visitor traffic to see whether it comes from genuine visitors or from bots trying to hack. Additionally, it caches certain aspects of your website. This is basically a WAF (web application firewall), a CDN (content delivery network) and a DNS server, and all this for free. After a few weeks on the free version we decided to switch to the $20/month plan, which includes an advanced WAF and a predefined set of rules against vulnerabilities for HTML, PHP, MySQL and WordPress; additionally, it includes a set of predefined signature rules. This worked really well for us because a lot of attacks on our public-facing sites were blocked.
Additionally, the free version provides basic DDoS protection and the ability to block or challenge malicious or blacklisted IP addresses. Apart from that, since CloudFlare acted as a DNS server for us, we were no longer required to host additional public-facing DNS servers, thereby saving valuable resources on our server infrastructure.
2. Network Security
Every organization has a firewall, right? But have you configured it correctly? Well, check again.
2.1 Layer 3 security: We allowed incoming traffic from the public to only a few of our services (like your school information system, websites and learning management system) and restricted them to specific ports; the requirements can vary from org to org. It might be beneficial to keep track of the ports and public NAT assignments in a Google Sheet or Excel sheet.
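The tracking sheet from 2.1 is most useful when it is compared against what the firewall actually forwards. The following is an added example, not part of the original post: it assumes the sheet is exported as CSV with hypothetical column names and that the inbound NAT rules are available as a list; all addresses and rows are constructed.

```python
import csv
import io

# Constructed export of the tracking sheet; column names and values are hypothetical.
SHEET_CSV = """service,public_ip,internal_ip,port,protocol
School website,203.0.113.10,10.0.10.5,443,tcp
School information system,203.0.113.11,10.0.10.6,443,TCP
Learning management system,203.0.113.12,10.0.10.7,443,tcp
"""

# Constructed list of inbound NAT / port-forward rules as configured on the firewall.
FIREWALL_RULES = [
    ("203.0.113.10", 443, "tcp"),
    ("203.0.113.11", 443, "tcp"),
    ("203.0.113.11", 3389, "tcp"),  # forwarded on the firewall, missing from the sheet
]


def load_sheet(text):
    """Map (public_ip, port, protocol) -> service name for every documented row."""
    documented = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["public_ip"].strip(), int(row["port"]), row["protocol"].strip().lower())
        documented[key] = row["service"].strip()
    return documented


def audit(documented, rules):
    """Return (undocumented, stale) exposures as sorted lists of keys."""
    configured = {(ip, int(port), proto.lower()) for ip, port, proto in rules}
    undocumented = sorted(configured - set(documented))  # open but never recorded
    stale = sorted(set(documented) - configured)         # recorded but no longer open
    return undocumented, stale


if __name__ == "__main__":
    undocumented, stale = audit(load_sheet(SHEET_CSV), FIREWALL_RULES)
    for ip, port, proto in undocumented:
        print(f"UNDOCUMENTED exposure: {ip}:{port}/{proto}")
    for ip, port, proto in stale:
        print(f"STALE sheet entry:     {ip}:{port}/{proto}")
```

An undocumented exposure is a port to close or justify; a stale entry is a row to remove so the sheet stays trustworthy.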
What about outgoing traffic?
Generally, it is OK to allow all; we restricted dangerous ports and specific blacklisted IPs.
Since we had the cloud-based Meraki MX 600, we were able to do the following:
2.2 Layer 7 firewall: This gave us the ability to control traffic based on applications like Windows updates, YouTube, AV updates, etc.
2.3 IPS & IDS: This is very important for schools, especially when you have a 1:1 laptop environment. Since the Meraki MX 600 comes with IPS & IDS from Sourcefire and Snort, it did a pretty good job of blocking malicious files being downloaded into the school network (ever wondered how to keep MacKeeper at bay? 🙂).
2.4 Core Network Switch / Router security enhancements: It would be good practice to have access control lists to disallow traffic between VLANs, e.g., allowing your guest VLAN to access only the Internet and not any of the internal resources like servers and such.
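The guest VLAN rule in 2.4 depends on rule order, because ACLs of this kind are evaluated first match wins. The following is an added example, not part of the original post, that models such an ACL and checks it against the intended policy; the address ranges, rule lists and probes are hypothetical and constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Hypothetical addressing plan (not from the original post).
GUEST_VLAN = ip_network("10.50.0.0/24")
INTERNAL = ip_network("10.0.0.0/8")      # every internal VLAN, servers included
ANY = ip_network("0.0.0.0/0")

# (action, source, destination); first match wins, with an implicit deny at the end.
GUEST_ACL = [
    ("deny", GUEST_VLAN, INTERNAL),
    ("permit", GUEST_VLAN, ANY),
]
# Same rules in the wrong order: the broad permit shadows the deny.
MISORDERED_ACL = [GUEST_ACL[1], GUEST_ACL[0]]

# Constructed probes: (source, destination, expected action).
PROBES = [
    ("10.50.0.23", "10.0.10.6", "deny"),       # guest -> internal server
    ("10.50.0.23", "10.50.0.40", "deny"),      # guest -> another guest device
    ("10.50.0.23", "198.51.100.7", "permit"),  # guest -> Internet host
]


def evaluate(acl, src, dst):
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def violations(acl, probes=PROBES):
    """List probes whose result differs from the intended policy."""
    return [(s, d, want, evaluate(acl, s, d))
            for s, d, want in probes if evaluate(acl, s, d) != want]


if __name__ == "__main__":
    print("correct order:", violations(GUEST_ACL))
    print("misordered:   ", violations(MISORDERED_ACL))
```

If guests get DHCP or DNS from internal servers, those services need explicit permits placed ahead of the deny rule.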
Additional security on the network switches:
- Port security based on sticky MAC to allow only designated IP phones to connect to that particular port
- Shutting down unused ports to prevent unauthorized computers from accessing the school network
2.5 Wifi network security: Since we had the cloud-based Meraki access points, we could detect and block rogue access points and DHCP servers. Additionally, we could restrict and control traffic based on SSID, e.g., we could limit traffic like YouTube and updates on a per-SSID basis. You don't necessarily need Meraki to implement these changes; most of the enterprise wireless systems have these abilities.
3. Client Computer Security
3.1 Endpoint Security: First and foremost, it is absolutely necessary to implement endpoint security, and we opted for the ever-reliable Symantec endpoint security, which comes with IPS and IDS. We also took advantage of Symantec Endpoint Security Manager. It is basically a server that communicates with all the clients and is also used to push virus updates to your clients. The dashboard within the SEPM gives you a bird's eye view of the clients that are infected and those that have not been updated, and also gives you the ability to push firewall policies to all your clients. In short, I can't stress enough how important it is to have anti-virus software for your clients that can be managed by a server and that provides you with a dashboard.
3.2 OpenDNS: How do you protect your student and teacher computers once they are outside the school network? I know your answer is probably endpoint security, but I beg to differ: endpoint security or anti-virus software is always a reactive measure. We wanted something more proactive in nature, to be able to prevent the staff from going to malicious sites and to block phishing links while they were away from our school network. Last year we had hundreds of Gmail accounts hacked because a phishing link went viral, and if we had had OpenDNS we would have been able to block it from being accessed even when users were off campus.
How does it work? Basically, OpenDNS has a roaming client that is installed on the client computers, which means that once it is installed all the DNS queries are routed through OpenDNS servers. Then, through the dashboard, we can block website categories like porn, social networks and gambling. This is especially good if you have a 1:1 school network where students take their computers home. It also gives the ability to block malicious websites, phishing links, bot network websites, sites that contain viruses, download links and URLs that include viruses, etc. The dashboard gives a good understanding of which clients have a high amount of traffic hitting malicious websites and which sites and categories were blocked. I used to think this was not necessary, but in today's world, especially in schools of our size where over two thousand user accounts are susceptible to being hacked, I would highly recommend some kind of cloud-based DNS protection.
4. Cyber Security Awareness / Training
Last but not least, user awareness and training are of paramount importance. The schools should have a process where they update the Acceptable / Responsible use policy on a regular basis, set up cyber security awareness weeks where the tech dept along with tech integrators conduct workshops for teachers and students on how to stay safe in cyberspace.
Check out my Cyber Security Google Slides presentation (feel free to use it as a reference):
Cyber Security Awareness Google Slide