Evolution of Physical and Cyber Security in My District

by Kevin Richmiller – Director of Technology – City of St. Charles School District

This is a brief recount of how physical and cyber security have evolved in the City of St. Charles School District over the last eight years, and how physical security moved from being managed by the Facilities Department to being mostly managed by the Technology Department.

I started as Director of Technology for the City of St. Charles School District in July of 2012. At that time all physical security was handled by the Facilities Department and cyber security by the Technology Department. The district firewall was a very basic stateful inspection firewall that only actively looked at traffic on ports 80 and 8080. We had two VLANs, voice and data. We had five security cameras per building, and the exterior doors were left unlocked all day.

That year we began talks of making our buildings more secure. On December 13th, 2012, the board approved adding an Aiphone door buzzer system to every building so we could lock our exterior doors during the school day. That next morning Sandy Hook happened, which shook the entire school community. The Aiphone project was fast-tracked from a two-month timeframe to a two-week timeframe for installation. Because this system involved cabling and wires, physical security slowly started shifting from being Facilities-managed to Technology-managed.

That spring (2013) we began planning a bond issue for the following spring.  On the bond we added door access control and expanded our camera system from 75 cameras district-wide to 550 cameras.  Door access control and added cameras put physical security almost completely into the hands of the Technology Department.  The main thing the Facilities Department continued to manage was physical keys which most staff no longer required because of the access badges.  

During the last five or six years, we upgraded our firewall to a next-generation firewall, and we now monitor all ports, not just basic internet ports. We also segmented as much out into separate VLANs as possible. This was a necessity as we discovered our outdated firewall could not keep up with growing demand, and outside entities were attempting to flood our network with DDoS attacks.

As more and more products became web-based and the education field became apparent low-hanging fruit for hackers, our district began yearly mandatory security awareness training for all staff and simulated phishing attacks to help staff identify phishing emails. The simulated phishing attack in our district that is most talked about, even three years later, is a phish around November appearing to be from Costco telling everyone they received a free turkey from the district for being such outstanding employees. All they had to do was simply click the link below to claim their free turkey coupon. That phishing attempt resulted in a 25% fail; apparently, our staff didn’t know our CFO as well as I do.

With so many products now online and a need to ensure student and data privacy, two years ago our district began using a product called Education Frameworks.  This program does an initial review of a site’s privacy policy and provides a data privacy score.  We then review the score and make final determinations on if the site is safe for teachers and students to use in our district.  We were spending a tremendous amount of time going through privacy policies trying to determine if a site is safe for student usage.  Education Frameworks helps reduce our man hours spent on going through online privacy policies.    

Technology has changed rapidly these past eight years.  We have to be able to adapt and change with it or risk being left behind, both from a physical and cyber security standpoint.  Our district has made tremendous changes in the last eight years and more and more things keep falling into the responsibility of our Technology Department.  I believe most technology departments in education have seen the same or similar transformations over the last 10 years.

Things That Keep Me Up At Night

by Rob Landers, Director of Technology – School District of Washington

As I thought about what to do for my editorials, the most obvious things I could think of were topics that bugged me. Things that I had problems with. Things that don’t work the way they should, etc… But I didn’t want this to devolve into a complaint-fueled tirade every time it was my turn to speak. However, from an Ed Tech leadership position, there are numerous things that I deal with on a regular basis that cause me a great deal of concern, and I’m not necessarily sure how to address them. For my part, I’ll be discussing a few of these concerns with you all as we move forward. My goal is not to add to your headaches or worries but instead to spark conversations about how we can address these issues that we, likely, all have in common.

Having said all that, this month’s topic doesn’t really keep me up at night. It does, however, cause me a great deal of concern about how well we are preparing our students for the future. You see, in Washington, we have gone 1:1 in grades 3-12 with Chromebooks. Students are quite adept with these devices and have mastered the use of Google Drive, and, by most accounts, these devices serve our purposes quite well. But something happened a while back: our Network Administrator, whose daughter is in high school, was using one of the Windows PCs in the library and couldn’t figure out how to save something so that she could get to it later. When her dad suggested using her H:\ drive, he was met with silence on the other end. Turns out, she had no idea what a Home drive was (or what any other network drive was, for that matter). And that’s coming from a child whose father is a “computer guy.” So I started asking my daughter (also a high schooler) what she knew about network drives and use of a Windows-based PC in general. The answers were pretty much the same. This is what got me thinking. If kids whose parents are very tech savvy, or work in the technology field, have little to no understanding of Windows PCs, then what do other kids know? Intuition tells me that they would know even less. And what happens when we send our “21st Century Learners” (a term which I despise, by the way….) out into the workforce and they are put in front of a Windows PC to do their work? Will they know what to do? The employer is certainly expecting them to know. I mean, this young person has just spent the last decade using a “computer” for most of their work on a daily basis. How could they not know what to do when faced with one of Mr. Gates’ finest creations?

The fact of the matter is that all “computers” are not created equal. There are major differences between systems and differences in how the user interacts with the device. For example, one of the biggest issues I’ve run across when a Chromebook user is on a Windows device is the concept of saving your work. Chromebook kids just don’t do it. They don’t know to do it. They haven’t been conditioned to do it like we were. Google just does it for them. It seems like a small thing, but when a student is standing in front of you, tears welling in their eyes, because they lost half of the paper they just spent an hour typing, it’s no longer just a small thing. In fact, it’s a pretty big thing to them. Now imagine if that was the sales projection data that the CEO wanted on her desk five minutes ago…definitely not a small thing at that point. And I’m sure that Mac districts have struggled with this, to a certain degree, for years. Sorry, but it’s a new situation to me, and I truly believe the difference between Mac and PC is less than the difference between Chromebook and PC. So I feel like we’re in a bigger hole now than in the past.

So what do we do?

Seriously, I’m asking you the question.

I don’t think there is an easy answer. If you’re like us, you’ve probably removed all of your computer labs from your buildings, and removed Computer Classes from your elective rotations. So now we’re really in a pickle.

We are just now starting to formulate a plan to attack this situation. Fortunately, we do have a very robust VDI system here in Washington. We believe we can leverage that system to help mitigate the situation. The idea is that we will develop a list of “Windows Competencies” (™ and © pending…) and then will work with our curriculum coordinators to embed these competencies into our existing curriculum where it makes sense. Then, in the course of those curricular lessons, teachers will have their students access the VDI (which presents as a Windows 10 desktop) so that they can learn to master those skills. Will it work? That is yet to be seen.

As I mentioned, we are early in the process and are still trying to identify the Windows Competencies on which we will be focusing. It’s not much at this point, but it is a plan. And having a plan is a great start. Maybe that’s why it doesn’t keep me up at night. Or maybe it’s all the bourbon.

 

The Pursuit of Certifications

Over the years, I’ve pursued a number of certifications, some successfully and some not. They have all been beneficial to me in varying degrees depending on the current challenges I’m facing. For me, obtaining a certification was not just to add a few more letters behind my title but was an endpoint to a journey of professional development. Even if I didn’t reach the goal of obtaining the official certification, I learned very valuable information along the way that made me a better IT leader. In the following, I’ll talk a little about a few of the certifications I have successfully and unsuccessfully pursued.

CISSP – Certified Information Systems Security Professional (ISC2)

This was one of the first certifications that I completed. It is often described as “an inch deep and a mile wide.” It is a great starting point for someone interested in information security. The knowledge base for the CISSP covers everything from types of encryption to physical security. 

I’ve found the CISSP to be very helpful. In K-12 we wear a large number of hats and support a variety of needs. The broad scope of the CISSP provides the foundation knowledge to help you with those various needs. I spent one year studying for the old, written version of the test which was 6 hours and 250 questions. They now have a shorter, computer adaptive test.

The CISSP is offered through ISC2. To qualify for the CISSP, you must have at least five years of cumulative, paid full-time work experience in two or more of the eight domains. To pass the test, you are given a maximum of three hours to complete the 100 to 150 items in the CISSP computer adaptive exam. After passing the test, you must get endorsed by a current CISSP. Feel free to reach out to me if you are in need of an endorsement. Similar to most of the certifications below, you must complete 120 CPEs over 3 years to remain in good standing. There is a fee for taking the test and an annual maintenance fee every year after passing the exam. 

There are a large number of resources available you can use to prepare for the CISSP. You will find plenty of books on Amazon. The actual ISC2 CBK for the CISSP is an extremely dry read and challenging to get through. SANS has some boot camps periodically in the region. MOREnet has also recently rolled out their “Professionally Evil CISSP Mentorship Program.”

CETL – Certified Educational Technology Leader (CoSN)

The CETL is a certification that I have repeatedly started but not completed. In the very early CETL days, I participated in the CETL field test. I passed the Part 1 multiple choice section of the test but did not pass the Part 2 essay section of the test. For me, the CETL remains on my to-do list. 

The CETL is important because it represents that an individual has the knowledge and mastery to lead a K-12 EdTech environment. The CETL recognizes that most of us have come from either a technical or curricular background and the need to have a balanced understanding of both sides. 

The best part of studying for the CETL is that it directly applies to the day-to-day work we do. It will make you a better K-12 EdTech leader even if you don’t take, or in my case, pass the test. There are numerous resources available to study for the CETL. Missouri and METL also have a large number of mentors available to guide someone in the journey to the CETL. Below are some currently available resources:

The METL board is working to put together a CETL Cohort. Please feel free to reach out to us if you are interested in pursuing the CETL.  

CEH – Certified Ethical Hacker (EC-Council)

CEH is by far the coolest sounding certification. This is probably why I have never completed the CEH. CEH is a more technical certification, covering areas outside my strengths. I’ve taken a CEH course and read a test prep book. I still haven’t reached a level of comfort with the content to give me the confidence to take the test. It is a more hands-on certification covering the foundational knowledge required to be a white hat hacker. In my opinion, having experience with command line, basic programming, and networking is important when looking at the CEH. I’ve learned a lot of good information, techniques, and tools in my pursuit of the CEH.

The CEH is provided by the EC-Council. The test is 125 questions over 4 hours. Similar to the CISSP there are continuing education credits, 120 over 3 years. The test covers six tasks and seven knowledge domains.

Tasks: 

  1. System Development & Management
  2. System Analysis & Audits 
  3. Security Testing/Vulnerabilities
  4. Reporting
  5. Mitigation
  6. Ethics 

Knowledge:

  1. Background
  2. Analysis/Assessment
  3. Security
  4. Tools/Systems/Programs
  5. Procedures/Methodology
  6. Regulation/Policy
  7. Ethics

If you want to see how you might do on the CEH, the EC-Council does have an online assessment. While I don’t know if I will ever complete the CEH, I would be ecstatic to have a staff member with the CEH knowledge and skills helping protect our environment. 

ITIL – IT Infrastructure Library (AXELOS)

I am proud to say that I am a certified ITIL Expert v3. The first METL CTO Clinic I attended I met a couple of colleagues that were going to take an ITIL Foundation course. Not knowing anything about ITIL, I thought it would be a good chance to continue to collaborate with these individuals. At the end of that course, I not only understood ITIL but had a new way to look at our approach to IT. ITIL is a set of best practices built around IT Service Management (ITSM). It provides structure around the entire lifecycle of delivering a service to an end user. 

The current version of ITIL is ITIL 4. There are 4 progressive certifications for the current version: 

  • Foundation
  • ITIL 4 Managing Professional
  • ITIL 4 Strategic Leader
  • Master

I don’t recommend getting all the ITIL certifications, unless that is your professional goal. I do recommend that any person of leadership in your IT organization take an ITIL Foundation course and attempt to take the test. The Foundation course introduces you to the ITIL vocabulary and builds the basic understanding needed for an organization to start moving towards these best practices. All of my ITIL work was done through Centriq in a boot camp to certification test type structure. In case you are wondering, I did not pass ALL my ITIL certification tests the first time. 

CISM – Certified Information Security Manager (ISACA)

A friend of mine, in commercial IT, recently asked me if I would be interested in studying for the CISM with him. I’m just starting to learn more about the CISM. It is a certification on my roadmap for the future. As information security becomes a larger issue for school districts, I feel the knowledge gained through the CISM will help me better support our community. 

Conclusion

Certifications do not mean an individual is good at their job or as a leader. At a minimum, it means the individual acquired a scope of information long enough to pass an evaluation of some sort. I like to use certifications as a way to push my own professional learning. I’m successful if at the end of the journey I’m better able to support my community, not if I have a few more letters behind my name.

Thank you,
Jason Rooks, CIO, CISSP, ITIL, MBA…