Evolution of Physical and Cyber Security in My District

by Kevin Richmiller – Director of Technology – City of St. Charles School District

This is a brief recount of how physical and cyber security have evolved in the City of St. Charles School District over the last eight years, and how physical security moved from being managed by the Facilities Department to mostly managed by the Technology Department.

I started as Director of Technology for the City of St. Charles School District in July of 2012. At that time all physical security was handled by the Facilities Department and cyber security by the Technology Department. The district firewall was a very basic stateful inspection firewall that only actively looked at traffic on ports 80 and 8080. We had two VLANs, voice and data. We had five security cameras per building, and the exterior doors were left unlocked all day.

That year we began talks of making our buildings more secure. On December 13th, 2012, the board approved adding an Aiphone door buzzer system to every building so we could lock our exterior doors during the school day. That next morning Sandy Hook happened, which shook the entire school community. The Aiphone project was fast-tracked from a two-month timeframe to a two-week timeframe for installation. Because this system involved cabling and wires, physical security slowly started shifting from being Facilities managed to Technology managed.

That spring (2013) we began planning a bond issue for the following spring.  On the bond we added door access control and expanded our camera system from 75 cameras district-wide to 550 cameras.  Door access control and added cameras put physical security almost completely into the hands of the Technology Department.  The main thing the Facilities Department continued to manage was physical keys which most staff no longer required because of the access badges.  

During the last five or six years, we upgraded our firewall to a next-generation firewall, and we now monitor all ports, not just basic internet ports. We also segmented as much out into separate VLANs as possible. This was a necessity as we discovered our outdated firewall could not keep up with growing demand, and outside entities were attempting to flood our network with DDoS attacks.

As more and more products became web-based and the education field became apparent low hanging fruit for hackers, our district began yearly mandatory security awareness training for all staff and simulated phishing attacks to help staff identify phishing emails. The simulated phishing attack in our district that is most talked about, even three years later, is a phish around November appearing to be from Costco telling everyone they received a free turkey from the district for being such outstanding employees.  All they had to do was simply click the link below to claim their free turkey coupon.  That phishing attempt resulted in a 25% fail; apparently, our staff didn’t know our CFO as well as I do. 

With so many products now online and a need to ensure student and data privacy, two years ago our district began using a product called Education Frameworks.  This program does an initial review of a site’s privacy policy and provides a data privacy score.  We then review the score and make final determinations on if the site is safe for teachers and students to use in our district.  We were spending a tremendous amount of time going through privacy policies trying to determine if a site is safe for student usage.  Education Frameworks helps reduce our man hours spent on going through online privacy policies.    

Technology has changed rapidly these past eight years.  We have to be able to adapt and change with it or risk being left behind, both from a physical and cyber security standpoint.  Our district has made tremendous changes in the last eight years and more and more things keep falling into the responsibility of our Technology Department.  I believe most technology departments in education have seen the same or similar transformations over the last 10 years.

Increase Technology Integration in a Pandemic

by Rich Wilson – Director of Technology – Francis Howell School District

School districts across the U.S. quickly shifted gears from in-person face-to-face learning to a remote learning environment during the COVID-19 pandemic. We all became very familiar with new terms, such as social distancing, community spread, droplets, flattening the curve, and alternate methods of instruction (AMI). In addition, terms such as Zooming, Google Hangouts, e-learning, and digital citizenship, which are familiar to us as technology leaders, became common vernacular for our administrators, teachers, students, and families. Along with these new terms for our districts and communities came a quick learning curve around such digital tools.

In my district, we have a variety of subscriptions to software and online resources. Yet we did not universally utilize many of those resources we paid for or promoted. The reasons varied from lack of interest to learn, hesitancy or no desire to learn, and not having time to learn. Many in my district lamented the fact there was not time to learn, nor felt as though they needed to be trained first before using. As “tech people”, we have learned many of our skills by doing. I like to say, contrary to popular belief, I did not have a college course to learn Adobe Acrobat, Excel, or pick any software package. We have learned through our experiences by exploring and out of necessity to learn a system as part of our desire to learn more and our work responsibilities.

During our school closures, hundreds of our faculty and staff learned not only what Zoom was, but also how to use it. As we allowed Zoom and other resources, our teachers rose to the occasion with some guidance and learned in a very short period of time how to effectively use Zoom and other online resources. The need and desire of our teachers to serve and connect with their students and classes was the driving force. Most learned on the fly (with some instructional videos and guides) how to video conference with their students and classes to continue teaching and learning during the pandemic closure. One day during the closure, I was at a school for device and hotspot distribution. I listened in as a group of teachers, paras, and staff were trading Zoom tips and tricks. Most said they had not ever heard of this Zoom thing until just a couple of weeks ago. I was ecstatic to hear about their successes in learning and the collaboration around their new learning.

Through this experience, folks in my district and community have a deeper desire to learn more about technology and how it can be leveraged to enhance both teaching and learning. Moreover, with the increased level of implementing digital resources during AMI, I have witnessed a higher confidence level around learning new technology skills in our faculty and staff. No longer can we see technology as a tool to implement if one wants to, but many more see technology resources as an integral part of teaching and learning of our students. Through the years, we have preached this message. Now more members of our districts and community are seeing this need and are more receptive than ever to the message. Now is our time to shine even brighter to further advance technology integration in our districts for the betterment of our staff and students.

IoT is Everywhere

by Melissa Tebbenkamp – Director of Instructional Technology – Raytown Quality Schools

As I ponder recent conversations I’ve had around data and cybersecurity, I can’t help but recall several energy-driven discussions on the Internet of Things (IoT). These discussions revolve around several key questions: What really is IoT? Why does it matter? How is IoT used in education? And, is IoT really a risk?

When schools think about the Internet of Things (IoT), many think about a teacher using a digital assistant, laptops or maybe even cell phones.  It is true that IoT includes personal devices and items around our homes, such as video doorbells, home automation, networked thermostats, smart televisions, and now even my blender, but it is so much more than these personal devices. 

In school, IoT devices are everywhere and can include student learning and assistive devices, glucose monitoring devices, security cameras, access control doors, networked HVAC and lighting control, vending machines, freezer/refrigerator monitors, and projectors, just to name a few. When overlooked, they can lead to network and data privacy vulnerabilities. If not managed properly, these networked devices can open a door to your network that may allow a malicious person to leverage them for a DDoS attack or mine your network and servers for valuable data. An example can be found in the EdScoop article “Ransomware used HVAC to infect Michigan K-12 district.”

The requests for IoT on our networks are not slowing down. Advances in technology make these devices easier to deploy, which, at times, makes them harder to manage. There is hope: by following a few best practices, you can minimize your risk and begin embracing the devices that help to make the business of education more effective and impactful.

 

  • Adopt a data security framework that includes these five steps: Identify, Protect, Detect, Respond, Recover. For risk mitigation, your focus should be on the first 3 steps. 
    • Have a procurement process in place that requires someone to evaluate all devices that attach to the network prior to purchase and installation. Knowing what is on your network is critical; evaluating the devices before purchase is even better.
    • Protecting your network from IoT devices can be as much of an art as it is process-related. Know your network and determine the best path for your system.
      • Segment IoT devices on their own virtual network so they cannot communicate in your production (computing, servers, etc.) environments.
      • Ensure that new or stray devices cannot connect to your production environments. 
      • Change the password on all IoT devices from the manufacturer default. If the device does not allow a root password, do not allow it on your network or isolate it so that it cannot be reached from other devices.
      • Stay current on software and firmware updates. If the manufacturer does not release firmware updates, you may want to question their security practices and how the device is connected to the network to determine your level of risk. 
    • Ensure you have the correct tools to detect “rogue” devices or services on your network. This may include network monitoring to alert to new traffic as well as reviewing log files. If you know your “normal” network traffic, it is much easier to identify a new device and/or abnormal traffic.
  • Explore Cyber Malpractice insurance and ask your vendors what coverage they offer if their device is compromised on your network.
  • Note that consumer devices are just that, intended for consumers, not institutions. Check the terms of service and privacy policy to see if commercial/educational use is allowed and what protections they offer.
  • Check for privacy concerns. Determine what data a device is collecting and if it could potentially cause an exposure of biometric, PII or FERPA data.
  • If the device allows or requires a vendor to connect to your network, be sure to secure that connection and ensure that they can only access the necessary equipment/systems to manage the device.
  • Manage staff, student and vendor personal devices separately. These may include smart/fitness watches, voice assistants on phones and glucose monitoring devices. School systems should have a policy and procedure around these devices and limit the level of access they have on the network.
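
The Protect and Detect practices above (keep IoT devices on their own segment, keep stray devices off production, know what is normal) can be checked against data most networks already collect. The following is an added example, not part of the original article: it compares DHCP lease records with an approved device inventory, and the subnets, MAC addresses, hostnames, record layout and function names are all constructed assumptions.

```python
"""Flag rogue devices and segmentation violations from DHCP lease records.

All subnets, MACs, hostnames and the CSV layout below are constructed for
illustration; adapt the parsing to whatever your DHCP server exports.
"""
import csv
import io
import ipaddress

# Assumed VLAN plan: IoT devices get their own subnet, apart from production.
VLANS = {
    "production": ipaddress.ip_network("10.10.0.0/20"),
    "iot": ipaddress.ip_network("10.50.0.0/22"),
}

# Approved inventory from procurement review: MAC -> (description, VLAN).
INVENTORY = {
    "00:11:22:aa:bb:01": ("HVAC controller, gym", "iot"),
    "00:11:22:aa:bb:02": ("Freezer monitor, cafeteria", "iot"),
    "00:11:22:cc:dd:10": ("Office workstation", "production"),
}

# Constructed sample export, one lease per line: mac,ip,hostname
SAMPLE_LEASES = """\
00:11:22:AA:BB:01,10.50.0.21,hvac-gym
00:11:22:aa:bb:02,10.10.3.40,freezer-caf
00:11:22:cc:dd:10,10.10.1.15,office-pc-15
de:ad:be:ef:00:99,10.10.2.77,smart-speaker
00-11-22-CC-DD-11,192.168.5.4,unknown
"""


def normalize_mac(mac):
    """Lower-case and use ':' separators so lookups match the inventory."""
    return mac.strip().lower().replace("-", ":")


def vlan_of(ip):
    """Return the name of the planned VLAN containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # unparseable address: treat as outside the plan
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def audit_leases(lease_text):
    """Return (mac, ip, kind, detail) tuples for leases that need review."""
    findings = []
    for row in csv.reader(io.StringIO(lease_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        mac, ip, host = normalize_mac(row[0]), row[1].strip(), row[2].strip()
        seen = vlan_of(ip) or "unplanned subnet"
        entry = INVENTORY.get(mac)
        if entry is None:
            # Never reviewed at procurement: a new or stray device.
            findings.append((mac, ip, "unknown_device",
                             f"'{host}' is not in inventory, seen on {seen}"))
        elif entry[1] != seen:
            # Approved device, but outside the segment it was assigned to.
            findings.append((mac, ip, "wrong_vlan",
                             f"{entry[0]} expected on {entry[1]}, seen on {seen}"))
    return findings


if __name__ == "__main__":
    for mac, ip, kind, detail in audit_leases(SAMPLE_LEASES):
        print(f"{kind:15} {mac} {ip:15} {detail}")
```

MAC addresses can be changed by the device, so an inventory match is a starting point for review rather than proof of identity.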

To help educational leaders navigate this complex challenge, the Consortium for School Networking (CoSN) recently released a guide on Securing IoT Devices on School Networks that discusses these practices as part of their cybersecurity initiative. More information can be found at https://cosn.org/cybersecurity

 

About the author: Melissa Tebbenkamp has served as the director of Instructional Technology for Raytown Quality Schools since 2006.  Raytown Quality Schools is a tier one suburb of Kansas City, Mo. and educates 9,000 students a year. Melissa is a CoSN national Board member, a founding member and chair-elect of CoSN’s Missouri state chapter and was one of the first people in the U.S. to attain certification as a Certified Education Technology Leader. She also led the Raytown Quality Schools (Missouri) to becoming one of the first cohort to receive the CoSN Trusted Learning Environment Seal.

Things That Keep Me Up At Night

by Rob Landers, Director of Technology – School District of Washington

As I thought about what to do for my editorials, the most obvious things I could think of were topics that bugged me. Things that I had problems with. Things that don’t work the way they should, etc… But I didn’t want this to devolve into a complaint-fueled tirade every time it was my turn to speak. However, from an Ed Tech leadership position, there are numerous things that I deal with on a regular basis that cause me a great deal of concern, and I’m not necessarily sure how to address them. For my part, I’ll be discussing a few of these concerns with you all as we move forward. My goal is not to add to your headaches or worries but instead to spark conversations about how we can address these issues that we, likely, all have in common.

Having said all that, this month’s topic doesn’t really keep me up at night. It does, however, cause me a great deal of concern about how well we are preparing our students for the future. You see, in Washington, we have gone 1:1 in grades 3-12 with Chromebooks. Students are quite adept with these devices and have mastered the use of Google Drive, and, by most accounts, these devices serve our purposes quite well. But something happened a while back: our Network Administrator, whose daughter is in high school, was using one of the Windows PC’s in the library and couldn’t figure out how to save something so that she could get to it later. When her dad suggested using her H:\ drive, he was met with silence on the other end. Turns out, she had no idea what a Home drive was (or what any other network drive was, for that matter). And that’s coming from a child whose father is a “computer guy.” So I started asking my daughter (also a high schooler) what she knew about network drives and use of a Windows-based PC in general. The answers were pretty much the same. This is what got me thinking. If kids whose parents are very tech savvy, or work in the technology field, have little to no understanding of Windows PC’s then what do other kids know? Intuition tells me that they would know even less. And what happens when we send our “21st Century Learners” (a term which I despise, by the way….) out into the workforce and they are put in front of a Windows PC to do their work? Will they know what to do? The employer is certainly expecting them to know. I mean, this young person has just spent the last decade using a “computer” for most of their work on a daily basis. How could they not know what to do when faced with one of Mr. Gates’ finest creations?

The fact of the matter is that all “computers” are not created equal. There are major differences between systems and differences in how the user interacts with the device. For example, one of the biggest issues I’ve run across when a Chromebook user is on a Windows device is the concept of saving your work. Chromebook kids just don’t do it. They don’t know to do it. They haven’t been conditioned to do it like we were. Google just does it for them. It seems like a small thing, but when a student is standing in front of you, tears welling in their eyes, because they lost half of the paper they just spent an hour typing, it’s no longer just a small thing. In fact, it’s a pretty big thing to them. Now imagine if that was the sales projection data that the CEO wanted on her desk five minutes ago…definitely not a small thing at that point. And I’m sure that Mac districts have struggled with this, to a certain degree, for years. Sorry, but it’s a new situation to me, and I truly believe the difference between Mac and PC is less than the difference between Chromebook and PC. So I feel like we’re in a bigger hole now than in the past.

So what do we do?

Seriously, I’m asking you the question.

I don’t think there is an easy answer. If you’re like us, you’ve probably removed all of your computer labs from your buildings, and removed Computer Classes from your elective rotations. So now we’re really in a pickle.

We are just now starting to formulate a plan to attack this situation. Fortunately, we do have a very robust VDI system here in Washington. We believe we can leverage that system to help mitigate the situation. The idea is that we will develop a list of “Windows Competencies” (™ and © pending…) and then will work with our curriculum coordinators to embed these competencies into our existing curriculum where it makes sense. Then, in the course of those curricular lessons, teachers will have their students access the VDI (which presents as a Windows 10 desktop) so that they can learn to master those skills. Will it work? That is yet to be seen.

As I mentioned, we are early in the process and are still trying to identify the Windows Competencies on which we will be focusing. It’s not much at this point, but it is a plan. And having a plan is a great start. Maybe that’s why it doesn’t keep me up at night. Or maybe it’s all the bourbon.

 

The Pursuit of Certifications

Over the years, I’ve pursued a number of certifications, some successfully and some not. They have all been beneficial to me in varying degrees depending on the current challenges I’m facing. For me, obtaining a certification was not just to add a few more letters behind my title but was an endpoint to a journey of professional development. Even if I didn’t reach the goal of obtaining the official certification, I learned very valuable information along the way that made me a better IT leader. In the following, I’ll talk a little about a few of the certifications I have successfully and unsuccessfully pursued.

CISSP – Certified Information Systems Security Professional (ISC2)

This was one of the first certifications that I completed. It is often described as “an inch deep and a mile wide.” It is a great starting point for someone interested in information security. The knowledge base for the CISSP covers everything from types of encryption to physical security. 

I’ve found the CISSP to be very helpful. In K-12 we wear a large number of hats and support a variety of needs. The broad scope of the CISSP provides the foundation knowledge to help you with those various needs. I spent one year studying for the old, written version of the test which was 6 hours and 250 questions. They now have a shorter, computer adaptive test.

The CISSP is offered through ISC2. To qualify for the CISSP, you must have at least five years of cumulative, paid full-time work experience in two or more of the eight domains. To pass the test, you are given a maximum of three hours to complete the 100 to 150 items in the CISSP computer adaptive exam. After passing the test, you must get endorsed by a current CISSP. Feel free to reach out to me if you are in need of an endorsement. Similar to most of the certifications below, you must complete 120 CPEs over 3 years to remain in good standing. There is a fee for taking the test and an annual maintenance fee every year after passing the exam. 

There are a large number of resources available you can use to prepare for the CISSP. You will find plenty of books on Amazon. The actual ISC2 CBK for the CISSP is an extremely dry read and challenging to get through. SANS has some boot camps periodically in the region. MOREnet has also recently rolled out their “Professionally Evil CISSP Mentorship Program.”

CETL – Certified Educational Technology Leader (CoSN)

The CETL is a certification that I have repeatedly started but not completed. In the very early CETL days, I participated in the CETL field test. I passed the Part 1 multiple choice section of the test but did not pass the Part 2 essay section of the test. For me, the CETL remains on my to-do list. 

The CETL is important because it represents that an individual has the knowledge and mastery to lead a K-12 EdTech environment. The CETL recognizes that most of us have come from either a technical or curricular background and the need to have a balanced understanding of both sides. 

The best part of studying for the CETL is that it directly applies to the day-to-day work we do. It will make you a better K-12 EdTech leader even if you don’t take, or in my case, pass the test. There are numerous resources available to study for the CETL. Missouri and METL also have a large number of mentors available to guide someone in the journey to the CETL. Below are some currently available resources:

The METL board is working to put together a CETL Cohort. Please feel free to reach out to us if you are interested in pursuing the CETL.  

CEH – Certified Ethical Hacker (EC-Council)

CEH is by far the coolest sounding certification. This is probably why I have never completed the CEH. CEH is a more technical certification, covering areas outside my strengths. I’ve taken a CEH course and read a test prep book. I still haven’t reached a level of comfort with the content to give me the confidence to take the test. It is a more hands-on certification covering the foundational knowledge required to be a white hat hacker. In my opinion, having experience with command line, basic programming, and networking are important when looking at the CEH. I’ve learned a lot of good information, techniques, and tools in my pursuit of the CEH.

The CEH is provided by the EC-Council. The test is 125 questions over 4 hours. Similar to the CISSP there are continuing education credits, 120 over 3 years. The test covers six tasks and seven knowledge domains.

Tasks: 

  1. System Development & Management
  2. System Analysis & Audits 
  3. Security Testing/Vulnerabilities
  4. Reporting
  5. Mitigation
  6. Ethics 

Knowledge:

  1. Background
  2. Analysis/Assessment
  3. Security
  4. Tools/Systems/Programs
  5. Procedures/Methodology
  6. Regulation/Policy
  7. Ethics

If you want to see how you might do on the CEH, the EC-Council does have an online assessment. While I don’t know if I will ever complete the CEH, I would be ecstatic to have a staff member with the CEH knowledge and skills helping protect our environment. 

ITIL – IT Infrastructure Library (AXELOS)

I am proud to say that I am a certified ITIL Expert v3. At the first METL CTO Clinic I attended, I met a couple of colleagues who were going to take an ITIL Foundation course. Not knowing anything about ITIL, I thought it would be a good chance to continue to collaborate with these individuals. At the end of that course, I not only understood ITIL but had a new way to look at our approach to IT. ITIL is a set of best practices built around IT Service Management (ITSM). It provides structure around the entire lifecycle of delivering a service to an end user.

The current version of ITIL is ITIL 4. There are 4 progressive certifications for the current version: 

  • Foundation
  • ITIL 4 Managing Professional
  • ITIL 4 Strategic Leader
  • Master

I don’t recommend getting all the ITIL certifications, unless that is your professional goal. I do recommend that any person of leadership in your IT organization take an ITIL Foundation course and attempt to take the test. The Foundation course introduces you to the ITIL vocabulary and builds the basic understanding needed for an organization to start moving towards these best practices. All of my ITIL work was done through Centriq in a boot camp to certification test type structure. In case you are wondering, I did not pass ALL my ITIL certification tests the first time. 

CISM – Certified Information Security Manager (ISACA)

A friend of mine, in commercial IT, recently asked me if I would be interested in studying for the CISM with him. I’m just starting to learn more about the CISM. It is a certification on my roadmap for the future. As information security becomes a larger issue for school districts, I feel the knowledge gained through the CISM will help me better support our community. 

Conclusion

Certifications do not mean an individual is good at their job or as a leader. At a minimum, it means the individual acquired a scope of information long enough to pass an evaluation of some sort. I like to use certifications as a way to push my own professional learning. I’m successful if at the end of the journey I’m better able to support my community, not if I have a few more letters behind my name.

Thank you,
Jason Rooks, CIO, CISSP, ITIL, MBA…