In suburban Chicago, four high school students hacked into their school’s computer network in October and tampered with their grades.
That same month, an 18-year-old in Sacramento, Calif., was arraigned on 89 felony counts for hacking into his school district’s network.
And in Massillon, Ohio, three high school students cost their district at least $400,000 after they penetrated school computers last summer to raise grades for themselves and others.
Audio Extra
Staff writer Rhea R. Borja interviews Keith R. Krueger, the executive director of the Consortium for School Networking, on the issue of cyber security for school districts. (Windows Media file: 6.18)
While schools rightly fear break-ins to their computer systems by professional criminals, students are increasingly giving educators almost as much to worry about. Reports of students’ gaining access to school networks to change grades, delete teachers’ files, or steal data are becoming more common, experts say, and many districts remain highly vulnerable to costly and disruptive attacks.
“School districts should be the most fearful of the way organized crime has taken over the hacker industry,” said Steven E. Miller, the executive director of Cyber Security for the Digital District, an online project to help school leaders safeguard their networks. “But administrators’ biggest [technology] problems come from within their own system.”
There are several reasons why. Cyber security is a full-time job, and many districts, especially smaller ones, don’t have enough staff or money to adequately secure their networks against all potential threats, Mr. Miller said.
The “anywhere, anytime” accessibility of many networks can be tempting to students, who can penetrate them from both their school and home computers.
Unlike 10 years ago, moreover, people don’t have to be true computer geeks to become hackers. Online chat rooms, listservs, and Web sites that give step-by-step directions on how to hack make it easy for students—and anyone else—to tap into networks rich with confidential data.
“If you have the slightest amount of [computer] knowledge, it takes less than five minutes to put together an attack code,” Mr. Miller said.
In addition, as more districts centralize academic and other information to make data-driven decisions—as encouraged under the federal No Child Left Behind Act—they may leave themselves even more open to cyber criminals if they don’t also build strong virtual fences around their networks.
“School districts are moving from silos of information to data warehouses. So they are much more inviting targets,” said Keith R. Krueger, the executive director of the Consortium for School Networking, a Washington-based nonprofit group that co-sponsored the Cyber Security project with Mass Networks Education Partnership in Allston, Mass.
Or, as Mr. Miller put it: “We’re creating all of these honey pots, waiting for the bears to come.”
Hackers Change Scores
So-called e-crimes are rising in general, according to the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
A project on cyber security for school districts recommends that technology officials follow a process of careful planning to keep computer systems safe.
Phase 1: Set Security Goals
Outcome: Security-Project Description: Craft a project description with goals, processes, resources, and decisionmaking standards.
Phase 2: Risk Analysis
Outcome: Prioritized Risk-Assessment Report: List and rank vulnerabilities in a report that will guide risk-reduction efforts.
Phase 3: Risk Reduction
Outcome: Implemented Security Plan: Regularly repeat risk-analysis and risk-reduction process to ensure effectiveness.
Phase 4: Crisis Management
Outcome: Crisis-Management Plan: Develop a blueprint for organizational continuity.
SOURCE: Cyber Security for the Digital District
E-crimes include installing computer viruses or spyware—software that illegally records personal data such as credit card numbers—as well as “phishing,” a term used for tricking someone into electronically sharing personal data such as a Social Security or credit card number.
Thirty-five percent of the 819 respondents to CERT’s 2005 e-crime survey, for example, reported an increase in cyber crime targeting their organizations, and 68 percent said that at least one e-crime was committed against their employers in 2004.
But despite e-crime’s growth, 31 percent of respondents said their organizations lacked a formal system to track e-crime attempts, and almost 40 percent said their employers lacked a formal plan for responding to cyber crimes. The respondents were security or law-enforcement personnel who work in education, finance, and other fields.
Michael Riordan, the principal of the 1,770-student Oak Lawn High School in Oak Lawn, Ill., knows the threat from experience. In late September, three juniors and one senior hacked into Parent Portal, a software program that allows parents to see their children’s grades. They did not break into the district’s larger network, which contains student test data, grades, and other confidential information.
The students raised their homework and quiz scores by a few points in several subjects, just enough to bump up their grades. It wasn’t until Oct. 26—after the students had unauthorized access for a month—that a math teacher noticed that one student’s grades online didn’t match those in her gradebook.
District information-technology employees disabled Parent Portal for two days to fix the problem and to install more online barriers. Then officials handed out 10-day suspensions to the boys, who also received zeros for the affected quizzes and assignments, and were barred from using school computers for the remainder of their high school careers.
“[Parent Portal] is a wonderful resource, but unfortunately there was a flaw in the operations of the program,” Mr. Riordan said. “The logon procedure is supposed to go through a series of checks and balances. But one checks-and-balances process did not take place.”
Ensuring a secure network is a district responsibility, said Joseph M. Shearn, the president of Century Consultants Ltd., the student-information-software company that created Parent Portal. The Lakewood, N.J.-based company works with more than 2,000 schools nationwide. Mr. Shearn said that as far as he knew, none of his other clients had experienced a similar hacking incident.
“We as an applications company supply the application, and we put in software to allow logins and passwords,” he said. “Where do you lock down the security? That’s up to the school district.”
A Dynamic Tension
And therein lies the cyber-security conundrum, say some technology experts. Unlike banks or the Pentagon, which must safeguard their information under many layers of security, schools tend to share information among teachers, students, and parents.
Experts advise superintendents to get answers on basic security questions from their chief technology officers.
1: How are we doing so far?*
2: Do we have a security plan?
3: Do we have adequate security and privacy policies in place?
4: Are our network-security procedures and tools up to date?
5: Is our network perimeter secured against intrusion?
6: Is our network physically secure?
7: Have we made our users part of the solution?
8: Are we prepared to survive a security crisis?
* For example, have security breaches occurred, and if so, what caused them?
SOURCE: Cyber Security for the Digital District
“A school by definition should be a relatively open environment. The best way to learn is to take a risk, to explore,” said Mr. Miller of the Cyber Security project. “But there’s a tension between that and preventing kids from doing the wrong thing.”
So how do you have a collaborative technology network that’s also safe from attack?
Prepare for the unexpected, Mr. Miller advised. Have a Plan B that accounts for the network’s strengths and weaknesses. And make sure that school administrators understand a network’s possible security risks.
“At some point, a security problem is going to occur in every school system in every network in the world. It’s unavoidable,” Mr. Miller said. “So assume that something is going to happen.”
Bob Blackney, the technology director of the 27,000-student Placentia-Yorba Linda school system in Orange County, Calif., agrees that no system is 100 percent secure.
“The best computer is one that’s locked in a vault and unplugged,” he said. “But [teachers and students] want the Wild, Wild West. They want access 24/7.”
In addition, district networks tend to be “hard on the outside and soft in the middle,” Mr. Blackney said. He means that networks may have firewalls to dissuade outsiders from breaking in. But they don’t tend to have barriers on the inside to block users from accessing certain types of information they shouldn’t see.
Mr. Blackney also knows that from experience. He was the technology director of neighboring Chino Valley Unified district in the spring of 2003. That’s when a high school junior hacked into his school’s database and changed grades for himself and a friend. He also viewed some of the 1,744 Social Security numbers of the school’s students.
District officials rushed letters to parents informing them of the incident, and encouraged them to let credit-reporting agencies know to place a fraud alert on their children鈥檚 files. Mr. Blackney said district officials expelled the boy and filed a civil lawsuit.
The district, he said, received some $20,000 from the student’s family to better secure the district network. That upgrade cost the district about $200,000.
Chino Valley’s technology network was “better than most,” Mr. Blackney said. But it couldn’t prevent the student from accessing sensitive data. That’s because a school employee, not thinking that the boy would use the password illicitly, gave the student the employee’s personal password.
Educating employees as well as students on cyber responsibility could go a long way toward making networks safer, say technology experts such as Marie L. Scigliano. She’s the technology director for the 10,000-student Palo Alto, Calif., school district. She got her own wake-up call two years ago, when a local reporter viewed a confidential student report by easily tapping into an unsecured middle school wireless-computer system, which allowed her to get onto the school network.
So Ms. Scigliano and her technology team refashioned the wireless system to make it harder for outsiders to get in. They also released a six-page report detailing the legal responsibilities of school employees to protect student privacy and the appropriate use of school e-mail and other online programs.
“It was an open environment, no doubt about it,” Ms. Scigliano said of the wireless system. “We were bringing new [technology] tools to the schools. But we didn’t realize the challenges they had.”