We have to be constantly vigilant to prevent malware, trojans, and other bad actors from taking root in our school networks to steal personally identifiable information (PII) and money. Besides web filtering, antivirus, patching, and now advanced endpoint protection, we also have to look at policies. Some of what I am about to list is pretty obvious. Other items may not be so obvious but are vitally important in the anytime/anyplace world we live in.
Policies to think about:
- Do you allow remote access? If so, is it via VPN or via a true remote access solution gateway such as VMware Horizon (aka View)? Remember that VPN access, depending upon how it is configured, may expose the remote network not under your control to your internal network. Minimally, it exposes the workstation or laptop connection, which may or may not be under your control. VPNs from unmanaged machines may open you up to virus/malware exposure otherwise blocked by your normal defenses. If you are doing a virtual desktop solution, we really don't care that much about the remote user because they are using your desktop, managed by you, to do what they need to do. However, if you have clipboard or USB access, you may be allowing people to copy data in or out of your network. We can control clipboard and USB access via policy.
- Do you allow cached credentials in web browsers? Cached credentials could allow a person wandering up to one of your workstations to access sensitive data (e.g. Student Services such as SchoolTool) without knowing anything. The solution is to create a group policy preventing cached passwords. Remember there are group policies available for Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Edge.
- Do you have a login inactivity timeout and/or a timed, password protected screen saver? If a teacher is doing grades and doesn't sign out, what happens? If the payables clerk goes to lunch, what happens? This is a simple group policy.
- Do you allow any remote access clients (e.g. LogMeIn, TeamViewer, GoToMyPC, etc.)? There should be absolutely no alternative ways to access the school's network outside of approved, trackable ways for authorized users. These can generally be blocked by group policy or via the firewall.
- Most schools are either Google Apps or Microsoft Office 365 environments. Some are both. Do you allow other, non-approved file sharing applications such as Dropbox? Only the Microsoft OneDrive and Google Drive suite of file sharing applications should be allowed. Approved district admins can set rights, determine who can share what, and get reports on what is being accessed. We can generally block those unapproved apps via Group Policy.
- Are you looking in Google Apps Admin or Office 365 for unusual access patterns? Google Apps, for instance, has just substantially improved seeing foreign access and other potentially dangerous use patterns.
- Are you forcing those working with confidential data to use some form of multi-factor authentication (MFA)? You should. For instance, Google can text a code to your phone or use your phone's Gmail application to approve a new, foreign login request. Office 365 can do the same thing. There are also application tie-ins to Google Authenticator (free) and Microsoft Authenticator (also free).
- Do you allow your vendors' devices, such as security, HVAC, refrigeration, alarm, and other IoT devices, to see inside your network, or are they on separate, discrete vendor VLANs that allow them to do what you hired them to do but at the same time keep them isolated from your internal network? Many of the well-publicized data breaches in the news came from poorly maintained, third-party devices on major corporate networks.
- Are you allowing browser synchronization? This is a newer and potentially huge exposure in our quest for easy, "anytime, anyplace" access. Google Chrome can sync browser data between the school computer and another computer outside the district. Here is Google's definition of syncing:
What does Chrome Sync do? By default, Chrome sync settings are to "Sync everything". Everything means: apps, autofill, bookmarks, extensions, Omnibox history, passwords, settings, themes, and open tabs. Syncing everything provides the most consistent experience across devices. (Aug 17, 2012)
If you sync, the default is everything. This creates potential data leaks: if you have cached login information in the district, it now appears on an unmanaged machine that is synced outside the district. You also sync your personal browsing history from home into the school's computer! In the Windows environment, Microsoft Edge and Mozilla Firefox have the same features. We can block this behavior via group policy. Google Chrome syncing can also be blocked by the Google Apps Admin without a group policy. In the Apple environment, Apple Safari does similar things.
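To check whether the cached-password and browser-sync group policies described above have actually reached a Windows workstation, a read-only audit like the following can be run locally. This is an added example, not part of the original article; it assumes the settings are deployed as machine-level policies under `HKLM` (the location used by each browser's administrative templates) and it does not see per-user policies or settings pushed from the Google Admin console.

```powershell
# Added example: read-only audit of machine-level browser policy values.
# Want = the value that disables password saving / browser sync.
$checks = @(
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled'; Want = 0 },
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'SyncDisabled';           Want = 1 },
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'PasswordManagerEnabled'; Want = 0 },
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'SyncDisabled';           Want = 1 },
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled'; Want = 0 },
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'DisableFirefoxAccounts'; Want = 1 }
)

function Test-BrowserPolicy {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is not configured, so the
        # browser keeps its default behaviour (password saving and sync allowed).
        $actual = $null
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Name) }

        if ($null -eq $actual) {
            $status = 'NotConfigured'
        } elseif ($actual -eq $c.Want) {
            $status = 'Compliant'
        } else {
            $status = 'NonCompliant'
        }

        [pscustomobject]@{
            Browser  = $c.Browser
            Policy   = $c.Name
            Expected = $c.Want
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = Test-BrowserPolicy -Checks $checks
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or management tool flag the machine.
if ($results | Where-Object Status -ne 'Compliant') { exit 1 }
```

A `NotConfigured` row should be treated the same as a failure: it means the GPO is not linked to that machine's OU or has not applied yet.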
- Are you planning to add Advanced Endpoint Protection (AEP), such as Paladin CyberSentinel Endpoint Detect & Respond, as an added layer of protection for the users who handle your most sensitive financial, student, and staff data? You should.
- In your end-user education, do you teach that teachers and staff accessing district and subscription resources from a home computer should:
  - Maintain current anti-virus
  - Have their computers patched
  - Not cache IDs and passwords to sensitive data
  - Not be synced with district web browsers they might use
  - Have a separate login on their home computer from the rest of their family to lessen the exposure of inadvertent cached IDs or passwords or syncing of personal browsing history, etc.
While this list is by no means complete, it is a very good start to dramatically limiting the possibility of data leaks. If you'd like to implement any of these suggestions or discuss your specific situation, give us a call.