Tag Archives: security

Three Lessons for Schools from the Wannacry Ransomware Attack

All weekend, computer systems around the world have been hit by a ransomware attack termed “WannaCry.” Ransomware is a nefarious cyber-security attack that essentially holds your computer and its files hostage until you pay the requested amount of money

to unlock it. Ransomware attacks have been on the rise over the years, but this weekend’s attack has been especially widespread and nefarious, attacking the NHS in the United Kingdom, public and private businesses (such as FedEx), and likely more governmental entities than any of us would like to consider. The cyber-attack, however, also highlighted a number of easily fixable security holes in home and business computers. If your students are interested in talking about this event, here are some best practice tips you can give to them to keep their systems safe and secure:

Keep Your Systems Up to Date

The majority of the compromised systems were out of date. For example, a large number of them were running Windows XP. Microsoft stopped releasing security updates to its Windows XP system more than two years ago. Even so, an alarming number of systems still run on this out-dated OS. Others were running more recent Windows operating systems, but they had not installed critical security updates. As comfortable as we get with our operating systems, it is imperative to keep them up to date for this very reason. I’ve heard people comment that they don’t update because they “don’t want their computer/phone to stop working.” The reality is, the opposite is true! By not running critical security updates, your system becomes susceptible to malware and hacking, which will at best slow it down, and at worst, will lock down your system.

Don’t Use Pirated Software

Aside from the ethical implications, pirated software is a significant security risk. First, you never really know what you get when you download and install that package. Additionally, if you run unregistered software on your machine, then you also cannot run critical security updates. This easily compromises your system. Wide-spread software piracy is prominent in some countries, most notably China and Russia. However, I’ve also seen it in a number of offices and homes right here in the United States. For example, rather than pay for an office/home-wide Microsoft license, users will purchase one or two licenses and install on multiple devices. Cutting these corners also might safe you some money in the short run, but the security loopholes leave you at greater risk.

Educate Yourself about Phishing

phishing

Courtesy of Edward Richard Contrera https://www.flickr.com/photos/35484468@N07/4894714911

Phishing is a nefarious means of getting a user to click on a link or a file to install malware onto their device. Some phishing attacks are sloppy and obvious; they are replete with typos and non-sequiturs. However, phishing attacks have gotten more sophisticated, including spoofing accounts to make an email look like it came from a friend or a colleague. Always exercise caution and skepticism when opening an email that doesn’t quite “feel right.”

As more data is moved to the cloud and we are reliant on digital systems, the more commonplace cyber-attacks will be. Educating your community and students about the current attacks can help to prevent the next one!

Advertisements

SXSWedu – Becoming a Security Ninja

Courtesy of Intel Free Press on Flickr

Courtesy of Intel Free Press on Flickr

I can’t believe that I’m at SXSWedu!! I’m so excited for the opportunity to be around forwarding thinking, innovative educators. The first session that I’m attending is “There is No Try: Becoming a Security Ninja.” This is an important topic as we go to more cloud computing and third party technology services. The speakers are Aimee Guidera of Data Quality Campaign, Brian Rawson, Joel Reidenberg (who unfortunately was snowed in and couldn’t make it), and Lori Fey of the Ed-Fi Alliance.

This panel discussion is based as an interactive discussion, so let’s hope that I can capture the meat of the round-table! The speakers argue that data is vital for effective education today. However, we must ensure that we can safeguard that data. It’s important to use actionable, quality, and useful information but must let people feel safe using it. Parents and educators are vital for the discussion of security and educational data.

Student data privacy is one of the most important and prevalent topics in education today. Lori states that the objective of this panel is to highlight the concerns of student data and usage today. Aimee says that it’s important to distinguish bad information that is often promulgated on social media and discuss the legitimate concerns surrounding student data. Other key questions are who owns student data and what are appropriate uses of that data? Also, it’s important to keep up with federal statues of student data,  such as COPA, especially with children under 13. Also, how do we bridge the gap between security and responsible use/accessibility?

What are some of the gaps in policy that must be addressed as we move forward?

Brian states that our primary obligation is to secure and protect data that we have of students. All of the stake holders (parents, administrators, students, vendors, and government) are all key to ensuring that this data is not only effective, but protected. Vendor contracts must be compliant with federal law and government must ensure that we execute these policies effectively. Technology today enables data capture on an unprecedented scale, yet our laws and policies are racing to catch up (and are woefully behind). Our guidelines must play catchup. Another key issue is that we must be transparent in our collection, use, and protection of data.

Brian highlights vendor contracts: they must be secure and explicit, data breech and disclosure procedures must be outlined, and what exactly will be done with that data. The contracts must be public, available, and accessible to anyone who wants access to it. He also argues that FERPA training must be in place for vendor staff. Joel Reidenberg published a report recently on “Privacy and cloud computing in the Public Schools.”

Aimee also highlights that FERPA is not the ned all be all of student data and security. In fact, this conversation is continuing at the state and local level. She argues that this is vital as we have not done a great job of ensuring that parents and guardians understand what is going on with their student’s data.

Is There Agreement that Student Data is a Valuable Tool?

Some of the audience members step in here to bring up that data is valuable to understand where students are in their learning and how they can help students to progress in their academics. Additionally, because privacy and security is at the forefront of discussion we are getting better at retaining info. Purser argues that electronic data is actually more secure than the “olden days” when we kept manila folders with student content that could easily be lost or picked up by prying eyes.

Data is important to focus and improve instruction in the classroom. It has increased exponentially and it can show us in a focused way what a student needs. It takes away wasted time where we used tests and reviews to try to gauge a student’s progress.  This information helps us to use this information as a diagnostic tool to pinpoint students’ needs.

Another audience member brings up the point that the data is only as good as the assessment. As such, we need to have multiple assessments that are addressed in multiple modalities. This way, the information can be put into one screen for teachers to see where/how students are struggling. We need to get the tools that are best for the student. “Data is not just a test score.” It has numerous different data points that we must explore and examine. We must use and collect data continuously to limit surprises. We must change the conversations about using tests and data as a “gotcha” and using it “as a flashlight” so that we can help every child succeed.

Another audience member asks how we train teachers for using data as an effective diagnostic. For data to be used effectively, training and effective professional development is vital. I would argue that this is also important when it comes to security of the students.

Who owns the Data?

So who owns student data? Can a parent “opt-out” of allowing a vendor having access to their student’s data? This is a current hot topic in the world of education. Parents/Guardian are concerned about who has access to their child’s data. At the same time, we need to ensure that educators have the best tools available to help their students. If we have 200 students, can we have multiple different tools/methods for each student? I can imagine the nightmare of management for teacher if some students can have data on the cloud or with specific vendors.

Aimee argues that this is why it’s important to bring parents into the discussion. They become especially nervous when they don’t understand the tools or content. Often they will pick up wrong and inaccurate information. We must make sure that they understand the role and value of data. This is true also for vendors – they must listen to the concerns of parents/administrators/teachers. They cannot dismiss those concerns and meet people where they are.

Brian also argues that we need to develop a standard lexicon when it comes to information security. We must be able to have a shared vocabulary in order to have effective conversations with one another, parents/guardians, and vendors. Security and privacy are different issues. Aimee also argues that we all need to change our responsibilities and understanding of data. This is now a shared endeavor – we all have a role to play in this conversation.

Aggregate Data vs. Individual Data

Aggregate data can be helpful, but one audience member brings up the issue that access to information on an individual level can be limited. For example, college counselors can have trouble getting access to individual data to help low-income and at risk youth become college ready.

Linking and sharing data is important but also requires effective tools in securing and protecting that data. Again, aggregate data is readily accessible. However, the struggle comes with the individual level. If we cannot link data to students, how can we effectively use it?

Aimee highlights that we also have to clarify for parents the difference between aggregate and individual data. We must limit individual, identifiable information to very few users. This is not all information that higher level politicians at the state or federal level. They may need to know that girls in low income areas are struggling with math, not the names of those individual girls.

Teaching Students Data Literacy

We focus on educating parents about data, but another audience member brings up the importance of educating students on their data literacy. While students are becoming more tech savvy, they are not always familiar with the importance of their data – how to protect it and how it can be used. So how do we go about having those conversations with students?

Courtesy of mikolajgr, http://mikolajgr.deviantart.com/

Courtesy of mikolajgr, http://mikolajgr.deviantart.com/

Many students, especially as they get older, do want more ownership and agency of their lives as well as their work. Technology has been effectively employed in high schools and is now trickling down to middle and lower schools. It’s important to have age appropriate discussions with students about this content and data. At the same time, we have to ensure that students are aware of their own presence online, especially in the realm of Social Media. Common Sense Media has some great resources in this realm. We must teach students how to protect their own information online.

Who is Beholden to the Data?

When FERPA was drafted, no one anticipated the glut of student data that would arrive. Specifically, the issue of targeted advertising. This is something that we must investigate as we go forward. Common Sense Media argues that student data should never be used for commercial purposes and I would wholly agree.

This is an issue that is currently going through federal and state legislation. Data is not cut and dry, nor is ownership. For example Google+ is a prominent tool used for Google Hangouts between teachers and students. Now, it is tied with local advertising. You can opt-out, but it requires a concerted effort. Commercialization of data is very specific and can target advertising to students and parents.

Conclusions

At the end of the day, the key issues here are cleaning up and demystifying privacy and security with student data, building a common vocabulary, and defining (via legislation and policy) the obligations of schools and vendors. This is not one organization’s job, it is a big conversation that must take place over multiple conversations in various contexts. As Aimee says, “We all must do it.” It’s also important to understand that there is a cost, nothing is “free.” So when using vendor’s material it’s important to understand what the business model is that supports the service.