ISBA IT Strategy and Cyber Security Conference

The main conference venue before things began on Wednesday

On Wednesday I had the opportunity to present a session at the ISBA’s IT Strategy and Cyber Security Conference in London. I had previously volunteered to contribute to the conference and had planned for a small breakout session, anticipating around 20 people. On the day, upon arriving at the conference, I found out that my breakout session would follow Mark Steed’s keynote speech in the main conference venue, and therefore with quite a few more than 20 people.

The session focused very much on my thoughts and experiences around cyber security, with key messages around the extent of the risk we all face, plus the opposing extremes of over-confidence in security efforts on the one hand and a constant need for heavy security measures at the expense of school operational efficiency on the other. I described my approach as one of a “healthy” paranoia and of a robust risk assessment and risk recording process.

You can read my slides from the session here.


Home Tech: Some security tips

Yesterday I sat the ISACA Cybersecurity Fundamentals exam as part of my programme of continual professional development. This got me thinking about what tips we might give our students to make their home technology a little safer. As such I came up with the points below:

  • Passwords: This is an obvious one! Make sure every device connecting to your network has an appropriate password set. The longer the password, the better. Also avoid reusing the same password across multiple devices and/or web services.
  • Network Devices: Any accessible device, such as a Wi-Fi printer, network web cam, etc., represents a possible intrusion point. It is therefore very important to check the default settings for each device, especially the security settings and any default access passwords, which you should change immediately.
  • Wi-Fi SSID: Make sure your SSID doesn’t give away any information about your router. By default the SSID is usually something like SKY35735 or DlinkWD501, which gives an attacker a starting point: they now know the make, and possibly the model, of the device they are seeking to compromise. As such it makes sense to change the default SSID when initially setting up your router. Note that renaming the SSID only removes the vendor hint; the Wi-Fi password itself should be changed separately.
  • Router Admin Password: The default admin username and password are often simply “admin”. This means that once on the network, a malicious actor can easily take administrative control of the router and leave themselves a permanent back door to your network, resources and data. Another key tip therefore is to change the admin password, or both the username and password where the router allows it.
  • Web Admin: By default, web admin is usually enabled, meaning a user can reach the administrative interface of the router over Wi-Fi. Disabling this means that to access the admin interface a user would need to be physically connected to your home network or router, thereby reducing the possible access and the associated risk. The same check applies to remote management: the admin interface should not be reachable from the internet side of the router at all.
  • Wi-Fi Security: Make sure that you have WPA or, preferably, WPA2 enabled in your Wi-Fi security settings (with AES/CCMP rather than TKIP where the choice is offered). This is all the more important if you have an older router which may still be using WEP, which can be broken in minutes, or, even worse, a router where the default is Open, with no security applied at all.

The above are just a few tips; many more could be added specific to different types of devices, operating systems, manufacturers, etc. Hopefully the above represents a useful starting point.
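The checklist above lends itself to being run as an audit rather than read once, so here is an added example (not code from the original post) that scores a router configuration against it: vendor-revealing SSIDs, weak Wi-Fi modes, short or default credentials, admin reachable over Wi-Fi or from the internet, and the same password reused across the router and other devices on the LAN. The `RouterConfig` fields, the SSID patterns and the two sample configurations are constructed for illustration and are not an exhaustive vendor database.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for the factory-default SSID formats mentioned in the post
# (e.g. "SKY35735", "DlinkWD501") plus a few other common vendor prefixes. This is
# an illustrative list, not an exhaustive database: extend it for your own kit.
DEFAULT_SSID_PATTERNS = [
    re.compile(r"^SKY[0-9A-F]{5}$", re.IGNORECASE),
    re.compile(r"^D-?link", re.IGNORECASE),
    re.compile(r"^(BTHub|virginmedia|TALKTALK|NETGEAR|TP-?LINK|Linksys)", re.IGNORECASE),
]

# Wi-Fi modes below WPA2 are treated as weak; "open" means no encryption at all.
WEAK_WIFI_MODES = {"open", "wep", "wpa"}

# Credentials routers and LAN devices commonly ship with (constructed sample set).
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root"}

MIN_WIFI_PASSWORD_LENGTH = 12


@dataclass
class RouterConfig:
    ssid: str
    wifi_mode: str                 # "open", "wep", "wpa", "wpa2", ...
    wifi_password: str
    admin_user: str
    admin_password: str
    admin_over_wifi: bool          # admin UI reachable from wireless clients
    admin_from_internet: bool      # remote management enabled on the WAN side
    device_passwords: dict = field(default_factory=dict)  # other LAN devices -> password


def audit_router(cfg: RouterConfig) -> list:
    """Return a list of finding codes; an empty list means the checklist passes."""
    findings = []

    if any(p.search(cfg.ssid) for p in DEFAULT_SSID_PATTERNS):
        findings.append("ssid-reveals-vendor")

    if cfg.wifi_mode.lower() in WEAK_WIFI_MODES:
        findings.append(f"weak-wifi-mode:{cfg.wifi_mode}")

    if len(cfg.wifi_password) < MIN_WIFI_PASSWORD_LENGTH:
        findings.append("short-wifi-password")

    if cfg.admin_user.lower() == "admin" or cfg.admin_password.lower() in DEFAULT_PASSWORDS:
        findings.append("default-admin-credentials")

    if cfg.admin_over_wifi:
        findings.append("admin-over-wifi")
    if cfg.admin_from_internet:
        findings.append("admin-from-internet")

    for device, password in cfg.device_passwords.items():
        if password.lower() in DEFAULT_PASSWORDS:
            findings.append(f"default-device-password:{device}")

    # Password reuse across router admin, Wi-Fi and every other device on the LAN.
    holders = {"router-admin": cfg.admin_password, "wifi": cfg.wifi_password}
    holders.update(cfg.device_passwords)
    by_password = {}
    for holder, password in holders.items():
        by_password.setdefault(password, []).append(holder)
    for users in by_password.values():
        if len(users) > 1:
            findings.append("password-reused:" + ",".join(sorted(users)))

    return findings


# Constructed sample configurations: a router as shipped, and the same router
# after working through the checklist.
FACTORY = RouterConfig(
    ssid="SKY35735", wifi_mode="WEP", wifi_password="sky12345",
    admin_user="admin", admin_password="admin",
    admin_over_wifi=True, admin_from_internet=True,
    device_passwords={"printer": "admin", "webcam": "sky12345"},
)

HARDENED = RouterConfig(
    ssid="attic-lamp", wifi_mode="WPA2", wifi_password="GreenKettle-Oak-Lantern-72",
    admin_user="homeowner", admin_password="Vn3!qRt8#zLp4Wm",
    admin_over_wifi=False, admin_from_internet=False,
    device_passwords={"printer": "Paper-Jam-Tuesday-91", "webcam": "Blue-Lens-Orbit-53"},
)

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or "OK")
```

Run against `FACTORY` it reports nine findings, including the two reuse groups (the printer sharing the router admin password and the webcam sharing the Wi-Fi key); `HARDENED` comes back clean. The reuse check is the one people skip by hand: it catches the case from the first bullet where a perfectly long password is nonetheless shared with the least trustworthy device on the network.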


IT Security in schools

I have been considering IT security within schools recently, and in particular password security. Schools have a number of different systems, each requiring users to have login credentials in order to access them. This includes the school’s Management Information System (MIS), computer login or Active Directory credentials, parents’ evening booking systems and a multitude of other possible systems.

The ideal setup has always been an integrated environment, meaning that login credentials are synchronized across the different services. Users then have only a single password to remember, which allows them to be encouraged to use a more complex and secure password; a systems administrator could even set policy to require a certain level of password complexity. I am no longer as convinced of the merits of this approach.

As we make use of more systems within schools we engage more companies as the providers of the services we need. Each new service increases our digital footprint and the risk to which we are exposed. We may have a reasonably high level of confidence in Microsoft’s or Google’s security, but can we say we have the same level of confidence in the provider of our SMS system, room booking system or school app? Just consider the number of services affected by Heartbleed. If we have less confidence in the security of these providers, we are accepting that they carry a higher risk, yet we are entrusting them with the synchronized user credentials for all services. Should one of these services be compromised, then Microsoft’s, Google’s and all other services, no matter how good their own security, are also compromised, because the attackers now hold valid login credentials for them. An integrated environment is therefore not as secure as we believe.

I do not have an answer for the above issue, however the approach I am currently examining is the use of password managers such as LastPass and 1Password. They allow the user to have a single master password, which then manages a whole set of passwords, different for each service being used. Should a less secure service be compromised, this would not impact other services. There is still the risk of the master password being compromised, however you would hope that the providers of password managers are significantly more focused on, and capable at, security than the provider of a school’s library or similar system. This leaves the user’s selection of their master password, and I think that’s an important point to finish on.

Ultimately the weakest link in the security chain is the users themselves. The above may help in addressing security, however the most important issue in IT security is, and continues to be, educating users to be aware and vigilant, and to select passwords which are suitably secure.
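The password-manager approach described above, reduced to its core mechanism as an added illustration (this is not LastPass’s or 1Password’s design and not the author’s code): one master password, stretched with PBKDF2, unlocks a vault of independently generated per-service passwords, so a breach at the library system yields a password that opens nothing else. The encrypt-then-MAC construction with an HMAC-SHA256 keystream is used only because Python’s standard library ships no authenticated cipher; a real vault should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The function names, iteration count and sample services are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Cost of turning the master password into keys. High on purpose: it is the only
# thing standing between a stolen vault file and every password inside it.
PBKDF2_ITERATIONS = 600_000
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length: int = 20) -> str:
    """A fresh random password for one service; never derived from the master."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256, used here only because the standard
    # library has no AEAD; a production vault should use AES-GCM or ChaCha20-Poly1305.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the {service: password} map under the master password.

    Service names must not contain tabs or newlines (they delimit the records).
    """
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = "\n".join(f"{svc}\t{pw}" for svc, pw in entries.items()).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; a wrong master or a tampered blob raises."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()
    return dict(line.split("\t", 1) for line in plaintext.split("\n") if line)


def build_vault(master_password: str, services) -> bytes:
    """One distinct random password per service, all unlocked by the single master."""
    return seal(master_password, {svc: generate_password() for svc in services})


if __name__ == "__main__":
    # Constructed sample: a few of the systems a school might use.
    blob = build_vault("correct horse battery staple", ["mis", "parents-evening", "library"])
    for svc, pw in open_vault("correct horse battery staple", blob).items():
        print(f"{svc:16} {pw}")
```

The residual risk the post names, the master password, is visible in the code: if the vault file is stolen, the only defence is the PBKDF2 cost multiplied by how hard the master password is to guess, which is why user education about that one password still matters. Note also that the per-service passwords are drawn from `secrets`, not derived from the master, so even a recovered service password gives an attacker no foothold on the others.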