Keeping your school network safe
It’s important to review and manage your school’s network security. Teachers and students use the internet to connect with each other, share information, and learn. It can be hard to know what levels of access to set, and what rules and restrictions to put in place. But protecting your network isn’t an option, it’s a necessity. We’ve put together a guide to help you understand how you can keep your school network safe.
You need to think about what systems in your network are most important, and make sure you’re protecting them effectively. These systems are often the ones that contain important information, like:
- confidential data about students and staff, or
- financial information.
It may include your administration, building management, phone, and security systems.
This guide shows what a secure school network looks like. The actions we recommend in it are based on:
- incidents that have been reported to us, and
- the challenges we’ve heard schools face.
You may find that some of the terms and concepts in the guide are unfamiliar. If that’s the case, you can use it to help start a conversation with your IT support provider.
Challenges for schools
We’ve identified some key network security challenges that schools face, such as:
- Many of the devices that connect to your school’s network are bring your own devices (BYOD). Students or staff may be using a malware infected device and not know it. Because you can’t control them, it’s hard to manage security for them.
- You may have off-site staff or third parties who support your IT needs. Your staff may need to work from home and access systems or documents stored on the school network. This means that you might have remote access services set up for them. If remote access is not secured, attackers can use it to gain access to your network too.
- The devices connecting to your IT network may not be actively maintained. This means that they may be unpatched, running unnecessary services, and still have default credentials. Any of these situations could lead to an attacker getting easy access to a device.
- If devices on your IT network are not actively maintained, the data on them may not be getting backed up. If a device that isn’t backed up gets infected with malware or ransomware, the school may not be able to recover any data from it.
- Students and staff may reuse passwords across multiple accounts, or use easy-to-guess credentials. Enforcing two-factor authentication (2FA) for everyone to combat this may not be possible. Students and staff may not have a phone where they can get one-time passcodes.
- Students are still learning good security practices. They tend not to understand security threats on the internet and are more likely to:
- use unsecured networks
- download infected files
- share their password
- expose their devices to malware, like computer viruses.
Incidents involving school networks
We’ve seen a number of incidents affect school networks already. This includes:
- a large amount of password loss for student and staff cloud-based accounts. Phishing campaigns aimed at collecting usernames and passwords for common cloud services — like Gmail or O365 — are common
- ransomware attacks which lock the school’s network. All the data created since the last backup needs to be recreated
- malware or phishing pages hosted on school servers. This means there’s a page on the school’s website hosting malware, or trying to collect information from users
- school servers and accounts used to attack others. This could be through denial-of-service or brute forcing attacks, for example. This means that once an attacker has access to a device on the school’s network, they can use it to hide their identity and perform attacks on others. Some school email accounts have sent links to people to get them to visit a phishing page or to download malware
- vulnerabilities in devices on a school’s network being exploited. These are easy for attackers to identify, as a large number of the devices connect directly to the internet. There are search engines that let you identify vulnerable devices.
These types of incidents could lead to larger issues for schools, such as the loss of confidential data.
Critical controls for schools
Based on the challenges and incidents we’ve already seen, we recommend you implement the controls below for your school network. This is a comprehensive guide. Our advice is to sit down with your IT support provider to understand:
- where your gaps may be, and
- where you should prioritise your resources.
1. Talk to your IT support provider
- Get the contact details for your IT support team or person, and keep them in a handy location.
- Create an incident response plan and go through it together. It’s a good idea to have a list of contacts and a plan prepared before an incident happens.
- Ask them if they need to log into the network remotely, and why. If they do, find out what type of remote access they use. The best options are called IPsec or TLS/SSL VPN. If they use SSH or remote access software, make sure they use 2FA (another layer of authentication) as well.
- If your network provider is Network for Learning (N4L), you can call them for help with your web filtering or firewall, to discuss your school’s growing data consumption, and getting the most out of your internet connection.
Incident response plan resource
2. Understand your environment
To be able to secure your school environment, you need to know what’s in it. Create and maintain a list of the hardware and software that’s used in your network, and who owns it. Your IT support provider can help with this. You’ll need to keep details of:
- what it’s used for
- who manages security vulnerabilities and incidents related to the hardware/software
- how users log in on this hardware or software.
For hardware, ask your IT support person what steps they’ve taken to secure the device.
- Have they turned off services and ports that aren’t needed?
- Have they changed the default login to a different, stronger password?
- Do they regularly apply the most recent updates (or patches) for the device’s operating system?
You may have software that’s bought and managed by your school, or you may have cloud-based software which is controlled by a vendor and accessed over the internet. Either way, you’ll need to know:
- how it’s accessed. Software can either be installed on your computer and accessible only from the school network, or cloud-based and accessible from anywhere on the internet. This is an important piece of information that will inform a lot of your risk-based decisions
- who needs access and what it’s used for. This will help give you context on how it should be secured
- who has administrator/privileged access. Aim to reduce the number of admin accounts to those who really need it
- how often it gets software updates and by who. Software updates often include fixes to security issues that are found, so it’s important to update the software as soon as they’re available
- that actions are being recorded. These records are known as logs. See the network management section for the kind of actions that should be recorded.
Keep a note of when this info was last reviewed. Make sure you update it when any hardware or software in the network changes.
3. Secure student and staff access
Once you understand what’s in your environment, you can take steps to secure different areas. A good place to start is through securing access.
There are several policies we recommend about access that will help protect your network.
- A user’s password should always be long, strong, and unique to each system. Each system should have a password configuration or policy that requires passwords to be like this. Give guidelines to staff and students encouraging them to use unique passwords for each system.
- Get your IT support provider to set account lockout thresholds. This will lock an account after a certain number of unsuccessful login attempts. It can help secure an account if an attacker is trying to guess their way into it.
- Enable 2FA, especially for cloud-based software and software used to access the school network remotely. If possible, the school should enforce this for all users. For example, in G Suite you can force all users to use the Google Authenticator two-factor authentication application. This gives them a one-time code each time they sign on.
- Consider single-sign on (SSO) for each system. This means a user would only have to remember their domain password to access different SSO-connected systems. This would limit the amount of password reuse that may occur, but it would make it more important to use 2FA.
Using two-factor authentication to protect your accounts
4. Secure access to the school network
Students and school staff may bring their own devices and connect them to the school network. There are a few ways you can make sure the right devices are accessing the network, and only approved software is run while on the network.
- Consider using certificates to authenticate devices on to the school network. This means each device would have a file, given to them by the school, that says their device is allowed to access the network. The school can use this certificate to control what the device can access and do while on the network.
- Use WPA2 or a later version encryption for wireless access. Protect it with a long, strong password that’s not publicly discoverable. Don’t post the wireless password on the school’s website, for example.
- Create a software or application whitelist for the school. This means that only approved software can run. This will stop staff or students accidentally downloading and running malware.
5. Configure network security controls
Your school’s network is where all your data is held. It’s important to design and configure the network so that you know what’s going on at all times, and can keep your data safe. Make sure:
- student-owned devices (BYOD) are on a separate network from the rest of the school-owned devices and servers
- outgoing traffic from the network is filtered for inappropriate or malicious content
- outgoing traffic from the network is analyzed to detect abuse of school resources — like a spike of traffic to a specific destination, for example
- the network is protected from a flood of traffic or connection attempts, like a denial-of-service attack
- logs are configured across the network to detect, at a minimum:
- spikes and unusual inbound and outbound traffic
- actions taken by administrators or critical accounts
- unsuccessful access attempts.
- logs are sent to a central location and reviewed. Central location access is limited to only those who need it
- security alerts get sent to the school principal and the IT support provider
- data is backed up daily to a location that’s off the network.