Tag Archives: school policy

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

Cybersecurity Part 2 will be featured in the Tie Magazine. After it is released, I will post the article on the blog.

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go:

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school's laptops.

These are reasonable requests. Asking the school to literally hand over a roadmap and a set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources. 

| Test | Definition |
| --- | --- |
| Subscription and Services Discovery | Can your subscriptions and services be easily discovered? |
| Files Exposed to the Public | Are there files publicly available that are supposed to be private? |
| Calendars Exposed to the Public | Is calendar data that should be private, private? |
| Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming? |
| Portals and SIS | Are your portals and SIS properly secured and difficult to brute-force attack? |
| Websites and Social Media | Are websites and social media properly secured; is the media being used legally and correctly? |
| Cloud Services | Have cloud services been properly secured? |
| Third-Party Sharing | Is anyone sharing your content, and do they have permission? |
| FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publicly accessible information? |
| Email Blacklist | Is your email domain blacklisted? |
| Email Header Check | Is there any data in your header that could be anonymous or lead to blacklisting? |
| Email Catch-All for Non-Existent Emails | Is your email set up to catch any email that does not exist and alert someone? |
| SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act, e.g. send an email on someone's behalf? |
| 4xx and 5xx Error Check | Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users? |
| HTML Forms | Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.) |

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents. 

In other words, avoid jargon and lingo.
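A starting point for automating the email rows of the checklist above (Email Header Check, SMTP Relay, Email Blacklist), added here as an example; it is not code from the original post. It parses and scores a domain's SPF and DMARC DNS records on the post's 1-5 scale (5 = best). Mapping those two records onto those checklist rows is my own reading of the rows, not something the post states, and the domain and records in `SAMPLE_TXT` are constructed so the script runs offline. To test your own domain, replace `sample_lookup` with a real TXT lookup (for example `dns.resolver.resolve(name, "TXT")` from dnspython) and read the one-line finding next to each score.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample TXT records for a hypothetical school domain (not real DNS data).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-school.org": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example-school.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example-school.org"],
}

Finding = Tuple[int, str]  # (score on the post's 1-5 scale, 5 = best; one-line note)


def parse_spf(records: List[str]) -> Optional[List[str]]:
    """Return the terms after 'v=spf1', or None unless there is exactly one SPF record.
    Zero records means no policy; two or more is a permanent error for receivers."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()[1:]


def score_spf(records: List[str]) -> Finding:
    """Score the SPF policy by its 'all' mechanism, which decides what receivers do
    with mail from hosts the record does not list (i.e. mail spoofing your domain)."""
    terms = parse_spf(records)
    if terms is None:
        return 1, "no single SPF record: any host can claim to send as this domain"
    all_terms = [t.lower() for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        if any(t.lower().startswith("redirect=") for t in terms):
            return 3, "policy delegated with redirect=; score the target domain instead"
        return 2, "no 'all' mechanism: policy is incomplete"
    qualifier = all_terms[0]  # mechanisms after the first 'all' are never evaluated
    if qualifier in ("all", "+all"):
        return 1, "+all authorizes every sender on the internet"
    if qualifier == "?all":
        return 2, "?all is neutral: spoofed mail is treated like legitimate mail"
    if qualifier == "~all":
        return 3, "~all softfail: spoofed mail is only marked, not rejected"
    return 5, "-all hardfail: unauthorized senders are rejected"


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the 'tag=value;' pairs of a DMARC record into a dict, or None if absent/duplicated."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def score_dmarc(records: List[str]) -> Finding:
    """Score the DMARC policy (p=) and add a point when aggregate reporting (rua=) is on,
    because without reports you never learn that someone is sending mail as your school."""
    tags = parse_dmarc(records)
    if tags is None:
        return 1, "no DMARC record: receivers have no policy for mail failing SPF/DKIM"
    policy = tags.get("p", "").lower()
    base = {"reject": 4, "quarantine": 3, "none": 1}.get(policy)
    if base is None:
        return 1, f"invalid or missing p= tag ({policy!r})"
    reporting = "rua" in tags
    note = f"p={policy}" + (", aggregate reports enabled" if reporting
                            else ", no rua= so abuse of the domain goes unreported")
    return base + (1 if reporting else 0), note


def assess_email_posture(domain: str, lookup: Callable[[str], List[str]]) -> Dict[str, Finding]:
    """Run the DNS-based checklist rows; 'lookup' returns the TXT records for a DNS name."""
    return {
        "Email Header Check (SPF)": score_spf(lookup(domain)),
        "SMTP Relay / spoofing (DMARC)": score_dmarc(lookup("_dmarc." + domain)),
    }


def sample_lookup(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT query, backed by the constructed records above."""
    return SAMPLE_TXT.get(name, [])


if __name__ == "__main__":
    for test, (score, note) in assess_email_posture("example-school.org", sample_lookup).items():
        print(f"{score}/5  {test}: {note}")
```

The constructed records score 3/5 for SPF (softfail only) and 2/5 for DMARC (p=none, but reporting on), which is a common real-world state: the school has the records but they do not yet stop anyone. The fix is a policy change in DNS, not a product purchase, which is the kind of finding the 1-5 documentation is meant to surface.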

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous. 

Transgender School Policy: What’s Yours?

Follow Me on Twitter @msmeadowstweets

Unless you are a novice educator, you have taught transgender students. You may not have realized it at the time, but I assure you that you have. Increasingly, educators are becoming aware that they have transgender kids in their classrooms, which can sometimes catch us off-guard. Most of us do not have formal training, or even experience, meeting the needs of transgender children. Yet, when a gender nonconforming child is placed in our care, everyone from senior leadership to classroom teachers to instructional assistants will appreciate having clear guidance on how to support them.

What Does Transgender Mean?

Transgender describes someone whose gender identity does not match the one they were assigned at birth (usually based on external sex characteristics). Transgender people may be ‘out’, or not; their gender identity (how they feel inside) may match their gender expression (how they present themselves on the outside), or not. There is a lot of diversity in gender nonconformity, and some countries or regions may use different terminology for similar concepts (i.e. Hijra for our friends in South Asia, for example).

Why Do We Need a Transgender Policy?

If you haven’t yet been asked how your school supports transgender and gender nonconforming children, you will face this question at some point. International schools around the world are finding that families with transgender children are applying to attend, or that a current student may be transitioning. This happens in religious schools. It happens in conservative countries. It happens in elementary and primary divisions. The interests of the school and, most importantly, of the child, will be best served if a solid policy is in place. Schools that take the lead here will find that they are on the forefront of child-centred practice in the international community.

A Model Policy for Schools

GLSEN (pronounced ‘glisten’) is a non-profit organization whose mission is, “To create safe and affirming schools for all, regardless of sexual orientation, gender identity, or gender expression”. They are leaders in the field, and backed by research, so you can feel confident referring to them for sound advice. GLSEN’s transgender model district policy offers school decision-makers sample language and reliable advice on topics as varied as student gender transitions, parent/guardian involvement, access to gender-segregated activities and facilities, and dealing with media requests. You could literally copy/paste their text into your own handbooks; it is written with schools’ needs in mind.

Transgender Policy in International Schools

International schools generally exercise a degree of independence from both local and foreign regulations, while also operating within at least the partial confines of both. Naturally, these responsibilities need to be taken into consideration before implementing any new policy. That being said, GLSEN’s suggested policy document uses straightforward language that would suit many international contexts. And, while I encourage you to consider adopting the model policy in its entirety, it is neatly organized and concisely written so that it would be possible to lift out the sections that are most relevant to your school as a starting point, until the full text could be approved.

Not So Sure?

Many people, even well-intentioned school leaders, harbor bias against gender nonconforming people. While we, as professional educators, are committed to serving all of our students, we may still find ourselves neglecting to protect transgender children in the same way we look after others. Decision-makers may feel nervous about endorsing policies that so much as acknowledge the presence of transgender children at their school. This takes some courage and forward thinking. We still have a long way to go in ensuring equal educational opportunities for transgender and gender nonconforming students around the world. A proactive policy is a step forward in making our international schools safe and inclusive places of learning.

Can I help? If you are interested in updating your transgender policy, but have questions about how to do so in a manner that is consistent with your school’s mission, stakeholders’ values, or local context, please do not hesitate to contact me. I would be delighted to serve as a resource.

5 Concrete Ways to Address #metoo and #timesup in International Schools

Follow Me on Twitter @msmeadowstweets

Tarana Burke, founder of the #metoo movement

Everybody’s talking about it. #metoo and #timesup are trending hashtags and campaigns that represent an age-old issue: sexual harassment. This is a global phenomenon, and certainly – unfortunately – present in international schools. Whether you’re inspired by Oprah’s Golden Globes speech, or moved by the flood of #metoo’s on your social media feed, or simply realize that you are in a position to make your school a better, safer place for working and learning, here are five concrete ways to start:

  1. Establish a rock-solid policy/plan on sexual harassment. I had the honour of serving on the committee which revised Hong Kong International School’s sexual harassment policy, and I can tell you that crafting an effective one requires a lot of thoughtful effort. Take stock of resources in your locality, read plans from other schools, and write it up in painstaking detail. Don’t assume that everybody agrees on things like the definition of ‘sexual harassment’. Remember to consider what to do if an accused harasser lives on campus or in school housing, a common arrangement in international schools. Waiting until you’ve got a crisis on campus is not the time to think about how to manage it.
  2. Publish your plan everywhere. Your plan will only be useful if people understand how it works, and trust that it will be followed. If students/staff do not know who to go to when they’ve been harassed, or don’t believe that the policy will be enforced, it is useless. Make your policy and plan visible to everyone. Tell families and students about it. Talk about it at staff meetings. Do this routinely, or at least once a year.
  3. Listen to reports of sexual harassment. Believe the reporters. Put your policy/plan into action as soon as someone reports.
  4. Reframe reports of sexual harassment as an opportunity. Nobody looks forward to the HR/PR issues that can come up when sexual harassment takes place within a school community, and there can be a temptation to see reports as a nuisance. Instead, consider that the sexual harassment has already happened, and the school now has a chance to improve the safety of everybody in their community, thanks to the reports. Express gratitude to reporters for their bravery and willingness to help make the school a better place for all.
  5. Turn this into a teachable moment. Children need to be taught the knowledge and skills to deal with sexual harassment, starting from a young age. Leverage this current conversation (or use it as inspiration) to reinforce your school’s curriculum on the topic.

How does your school ensure that community members know what to do in cases of sexual harassment?