
Info-Security Blog

Protecting the PII of students

posted Apr 29, 2013, 8:06 AM by Jason Tozer   [ updated Apr 29, 2013, 8:06 AM ]

In the last installment, I discussed personally identifiable information (PII), how it relates to you, and how you can protect your PII.  This time, I want to explore securing the PII of our students.  One of the fastest growing exploits is identity theft of student information; specifically, high school and college students (Student Identity Theft).  This theft is primarily occurring from social networking sites.  Securing the PII of students requires the same diligence you would use to secure your own PII.  The same pitfalls that can trip up adults trip up our students.  While they may be more tech savvy than many adults, they are still children and are often too trusting.  That is where we can help.


The Family Educational Rights and Privacy Act (FERPA) was signed into law in 1974.  There is much written on FERPA, but in a nutshell it requires schools that receive federal funding to obtain written permission from a parent or eligible student in order to release student records.  This is one reason we have a section on the annual RSU #20 emergency form that allows parents to accept or decline having student information posted on the web.  In 1974, the concern was not for student PII being placed on the web:  The intent was to protect paper documentation associated with a student. Today, FERPA regulations have increased importance given the use of blogs and websites by staff and students.  School districts and staff can be held liable for not following FERPA guidelines.  For more on FERPA violations, take a look at these links:


Wisconsin middle school posts list of failing students

Teacher resigns after posting blog with personal student info

School District found in violation of privacy law


The Title XIII-Children's Online Privacy Protection Act of 1998, also known as COPPA, concerns the collection of personal information from children under the age of 13.  COPPA is directed toward commercial sites such as Facebook, Myspace, or Twitter. COPPA details what a website must have in its privacy policy, what information can be gathered, and how the site must display its privacy policy.  If you read the privacy policy for Facebook, you will see a disclaimer that one must be 13 years of age or older to register. That's COPPA. 


From Facebook's privacy policy:


No information from children under age 13. If you are under age 13, please do not attempt to register for Facebook or provide any personal information about yourself to us. If we learn that we have collected personal information from a child under age 13, we will delete that information as quickly as possible. If you believe that we might have any information from a child under age 13, please contact us through this help page.


Know of any students under 13 that have a Facebook account? 


Information security education is not designed to scare you into no longer using the Internet.  It is designed to raise your awareness of infosec issues.  What can we do to help our students?  First, become familiar with FERPA, if you aren't already.  Understand what guidelines we are required to follow to protect student information.  Second, practice keeping your PII safe from unnecessary exposure.  Make that part of your daily routine.  This practice will help you in your daily routines with students.  Third, reinforce with our students the dangers of sharing personal information, regardless of medium.  Use our wonderful Digital Citizenship resources developed in-house by Barb Rehmeyer and Tracy Hayslip.  Class links are located in the lower left of the side bar.  Take a few minutes, when you have an opportunity, and check it out.


Here are some additional sites:


http://www.i-safe.org

http://ikeepsafe.org

http://www.netsmartz.org


Books:

Always Use Protection: A Teen's Guide to Safe Computing.  Dan Appleman.  Apress.  ISBN: 978-1-59059-326-4



Next time: the importance of password protection

Phishing, Spyware & PII

posted Apr 29, 2013, 8:05 AM by Jason Tozer   [ updated Apr 29, 2013, 8:05 AM ]

In "What is Information Security," we looked at the guiding principles of information security: C-I-A and your responsibility in maintaining the security of information systems in RSU #20.  In this installment, I want to discuss personally identifiable information, aka PII.  PII is anything that identifies you, such as a driver's license number, SSN, credit card number, or fingerprint.  There were 11 million cases of identity theft in 2009 in the United States alone (Identity Theft).  How can we protect ourselves?  Here are some tips taken from Computer Security: 20 Things Every Employee Should Know:

1. Be careful when giving out personal information.  Know with whom you are conversing. 
2. Check your monthly bank and credit card statements.  Review your credit report annually.
3. Properly destroy your personal information: buy a cross-cut shredder.

Phishing and Spyware:

Phishing, not a misspelling, is a form of identity theft.  The term first began in the IT realm during the early to mid-1990s.  Typically this occurs through email, but can also occur via phone or a social networking website.  Some phishing schemes are blatantly false or suspect.  Have you received an email from the Nigerian prince wanting to give you millions?  Did you contact the prince?  Probably not.  Other phishing schemes are extremely clever.  "I'm stuck in London and I've been robbed," has tricked a number of people into sending money to help out their friend(s) in need.  The email, or in some cases a Facebook account, has been hijacked.  When the email arrives in your mailbox, it appears to be coming from a friend of yours; someone who is in your email contact list.  This scam uses an unsuspecting victim's email address book to blast out emails asking for money, and that request arrives in your email inbox.  How many email addresses are in your personal email account?  How many from the RSU #20 email address book?  What would happen should your address book be compromised?

Spyware is a broad term for software applications that monitor your actions on the computer.  Spyware is typically encapsulated in an email, but can also be delivered from a website.  From an email, spyware delivery typically requires the user (you) to click on a link.  From a website, spyware delivery is typically accomplished through "drive-by" downloads: it is delivered in the background as you view a web page.  At the least, spyware slows down a computer.  At the worst, spyware will harvest PII.

How can we protect ourselves?  Here are some tips taken from Computer Security: 20 Things Every Employee Should Know:

1. Don't open an email unless you know the sender and don't provide PII in response to an email or a pop-up.
2. Don't pirate software.  Don't download programs with which you are not familiar, especially on your RSU #20 computer.  The time to repair could run into days just for the hardware and does not include the time to repair your credit history should you release PII.
3. At home, secure your computer.  Block pop-ups.  Use anti-virus and anti-spyware software.  Make sure to keep them up to date.

Here are some sites with additional information:

http://www.us-cert.gov/nav/report_phishing.html
http://www.snopes.com
http://www.antiphishing.org/ (check out the resources page)

Next installment: Securing the PII of our students

Information Security - What is it?

posted Apr 29, 2013, 8:03 AM by Jason Tozer   [ updated Apr 29, 2013, 8:03 AM ]


Computer security may seem to throw unnecessary roadblocks into your daily routines in RSU #20.  However, the importance of security cannot be overemphasized, and you are a key piece in the security of Information Technology (IT) systems throughout our RSU.  This information security blog/news is designed to raise your awareness of the vital importance of data security in general, and IT security specifically.

First, I would like to recommend a basic, easy-to-read booklet on computer security.  It is titled "Computer Security: 20 Things Every Employee Should Know," ISBN 0-07-226282-6, and published by McGraw-Hill Professional Education.  The cost is about $8.00.  This booklet contains basic security information and is written for the non-geek.  It is not full of technical jargon and drives home the importance of maintaining computer security.

There are three fundamental principles in effective security whether one is dealing with IT security or security in general:  Confidentiality, Integrity, and Availability.  In the IT security field, we refer to this as the C-I-A triad.  

Confidentiality:  This implies a trust or a feeling of assurance.  In security, this is ensuring data is not disclosed to unauthorized persons.
Integrity:  From the dictionary, "a rigid adherence to a standard of values."  In security, data integrity is the reliability that information received is in an identical state to when it was last accessed by an authorized person.
Availability:  Accessibility to data by authorized users.

This triad forms the building blocks for IT and information security.  Your role in information security is vital.  Security is a chain: only as good as its weakest link.  When working with data (digital, verbal, or written), we, as employees, present a vulnerability to that data.  To have an effective security program, we all must be aware of our responsibilities.  Let the journey begin.


Passwords: why use them?

posted Apr 29, 2013, 7:53 AM by Jason Tozer   [ updated Apr 18, 2017, 6:30 AM by Bob Bradford ]

In this installment, I want to discuss passwords and password protection.  In previous discussions, we have looked at the C-I-A triad, phishing, spyware, your PII, and protecting the PII of students.  Now, what do we do to secure that information and prevent compromise?  Passwords are the keys to information access and function as the keys to your home, office, or vehicle.  Having the correct key gives access to your home, office, or vehicle.  If you use an ATM or debit card, pay bills online, or use online banking, you are familiar with passwords or PINs.  Passwords, PINs, and keys all have a common thread: to allow authenticated access.

Information security utilizes three concepts to control access to computer and network systems.  These are designed to restrict user access based on needs and authorization.  In information security, we refer to this concept as AAA:  Access Control, Authentication, and Auditing.  Passwords fall under the Authentication category of AAA.  Password protecting computer systems and data prevents unauthorized access.  Password protection ensures C-I-A is maintained and protects assets and information.  Weak passwords or the sharing of passwords puts those assets or information at risk for compromise.  Your password identifies you to the computer or network.  However, information systems are not smart enough to realize that it may not be you that is actually typing in the password.  Weak passwords, passwords that are written down, or passwords that have been shared cannot be considered valid authentication.  Once someone has your password, they can become you as far as a computer or network is concerned.  Do you loan out the keys to your vehicle to anyone you meet on the street?

I suggest creating a password of at least 8 characters using letters (upper and lower), numbers, and special characters.  Using 8 characters of upper case, lower case, numbers, and special characters provides 7.2 quadrillion possible combinations and would take 83.5 days to crack using today's supercomputers.  Use a phrase or an event that occurred in your life and make it into a passphrase.  Passphrases are easy to remember.  For example, "I went canoeing on Lake Superior in June 1981," could be the root phrase and serve as the mnemonic.  Taking just the first letter of each word, before the date, creates IwcoLSi.  Adding ^81, 81#6, or @681 adds complexity and brings the length over eight characters.   Make the passphrase identifier unique to you, but not easily identifiable.

Ensure you have different passwords for your various accounts.  Can't remember that many passwords?  Use the same, strong passphrase as a base and add an identifier.  For example, you sign up for a Facebook account this month and need a password.  Based on our example it might be IwcoLSi^81#6FB0511.  Ripping this apart, we see that the passphrase is the same (IwcoLSi^81#6) and I have added FB (Facebook) 05 (May) 11 (2011) to the end.  You could add the FB0511 in the middle or at the beginning. Running IwcoLSi^81#6 through Kaspersky Labs password checker results in a strong password;  try running your password through Microsoft's password checker.  Be wary of running your password through any other online password tester as you cannot rely on the integrity of the website: that site might be collecting passwords to add to password cracking dictionaries.
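As an added example (not code from the post or from RSU #20), the following Python reproduces the passphrase recipe above and the arithmetic behind the "7.2 quadrillion combinations / 83.5 days" figures. It assumes a 96-symbol alphabet and a rate of one billion guesses per second, because those are the values that reproduce the post's numbers; the rule that a month name or a number ends the mnemonic is likewise an assumption chosen to match the IwcoLSi example. The requirements check runs locally, which is the point of the warning above about pasting passwords into unknown websites.

```python
import string

# Added example, not from the post: derive a mnemonic the way the post
# describes, check a candidate against the post's "Do" rule, and reproduce
# the keyspace arithmetic behind "7.2 quadrillion combinations / 83.5 days".

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SPECIALS = set(string.punctuation)  # the 32 printable ASCII symbols


def mnemonic_from_phrase(phrase: str) -> str:
    """First letter of each word up to, but not including, the date.

    The post treats "June 1981" as the date, so a month name or a word that
    starts with a digit ends the mnemonic (assumed rule, matching the post's
    "IwcoLSi" example).
    """
    letters = []
    for word in phrase.split():
        if word[0].isdigit() or word.strip(",.").lower() in MONTHS:
            break
        letters.append(word[0])
    return "".join(letters)


def missing_requirements(password: str) -> list:
    """Return which parts of the post's rule (8+ characters; upper, lower,
    digit, special) a candidate fails; an empty list means it passes."""
    present = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    missing = [name for name, ok in present.items() if not ok]
    if len(password) < 8:
        missing.append("length>=8")
    return missing


def keyspace(length: int, alphabet_size: int = 96) -> int:
    """Number of distinct strings of exactly `length` characters drawn from
    `alphabet_size` symbols.  96 is assumed because 96**8 is the post's
    "7.2 quadrillion"."""
    return alphabet_size ** length


def days_to_exhaust(length: int, guesses_per_second: float = 1e9,
                    alphabet_size: int = 96) -> float:
    """Days needed to try every string in the keyspace at a constant rate.
    1e9 guesses/s is an assumed rate; it is the one that yields the post's
    83.5 days for 8 characters."""
    return keyspace(length, alphabet_size) / guesses_per_second / 86400


if __name__ == "__main__":
    root = mnemonic_from_phrase("I went canoeing on Lake Superior in June 1981")
    print(root, missing_requirements(root))      # IwcoLSi ['digit', 'special', 'length>=8']
    strong = root + "^81#6"
    print(strong, missing_requirements(strong))  # IwcoLSi^81#6 []
    for n in (8, 12):
        print(f"{n} chars: {keyspace(n):.2e} combos, {days_to_exhaust(n):.1f} days")
```

The days figure is for exhaustive search of the whole keyspace; a password built from a birthday, a pet's name, or a dictionary word lives in a far smaller space and falls much sooner, which is why the "Don'ts" below matter more than the raw character count.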

Do's and Don'ts

Don'ts:
1. Don't use passwords that are easy to guess.  Birthdays, pet names, and family member names are considered weak passwords.
2. Don't write down your password.  If you need to write down a password, protect that information.  Don't write it on the top case of your laptop.  Don't write it on a sticky note and place it on your monitor or under your keyboard.
3. Don't share your password.  
4. Don't use the same password for everything.

Do's:
1. Do create a strong password using a passphrase.  Use at least 8 characters with uppercase, lowercase, numbers, and special characters.
2. Do protect your password as you would your keys.
3. Do change your password at least 4 times a year.
4. Do change the default password you are given.
5. Do use multiple passwords.  

Resources:
(Neither site tests the strength of a password).

http://www.lockdown.co.uk/?pg=combi - How long to crack a password.
http://blogs.sans.org/windows-security/2009/06/12/how-long-to-crack-a-password-spreadsheet/ - How long to crack a password. Heavy on the geek speak, though.
