Take the average secondary state school. The average school network manager has to contend with 600 to 800 PCs, 4 or 5 servers, a hundred teaching staff who usually aren’t very IT literate, plus a thousand or more other users (also known as students) who are very IT literate and definitely looking to break his network. Often the Network Manager has only one or two network staff to assist. So in terms of network size and numbers of hostile users – his task is typically much bigger in scale than many commercial counterparts.
As internet access is now mission critical to teaching, having an operational network and one that does not allow access to undesirable and illegal websites is absolutely mandatory; as is blocking of anyone external trying to get into the school network for whatever dubious reason.
This is also a political environment, where the Network Manger is in a no win situation. If network security or availability is poor or broken, it’s his fault. If staff members lose files it’s his fault. If little Wayne’s father is complaining to the school governors that his son can browse pornographic sites from school PCs – again it’s his fault. So undoubtedly there are also multiple threat vectors to the Network Manager’s job security!
To survive these multiple threats Network Managers do the simple things well and don’t trust to luck or good judgement by users. Some of this involves developing simple processes. Some of this involves policing and protecting by technology. In short it’s devising a ‘Security Survival Plan’, which often includes the following action items:
- If possible put users in a ‘Walled Garden’ internet filtering group – only allow them to see a restricted set of sites. This blocks both undesirable content and the likelihood of downloading malware. The allowed sitelist may contain several hundred or even thousands of sites – but these are of known reputation.
- Block all illegal and undesirable sites for everyone including staff. Overblock rather than underblock.
- Lock down PCs using low cost but effective software designed for the job (onetime costs of about £5), so no hostile user or malware can take out a workstation – regardless of the Microsoft patch status.
- Teaching staff will undoubted want to visit non-work related internet sites for online shopping and booking holiday travel. Put the most popular and reputable into an allow list thus aiding protection against malware. Insist they use PCs that are locked down if they want totally free ranging access, is another alternative.
- Pupils will want/expect access to Bibo and Facebook. Some schools will want to provide this access say at lunchtime. As long as allow/block timebands are in place on the internet gateway device to prevent access during ‘working hours’ and access is being undertaken from locked down PCs, this is an acceptable compromise.
- If possible adopt a belt and bracers approach to scanning for malware. Load each laptop and desktop with market leading AV software, but also undertake scanning on the incoming internet feed – maybe this is done upstream in the education network – if not implement a different AV and Anti-Malware scanner at the school gateway.
- Have in place Acceptable Use Policies (AUPs) because if you need to take sanctions against hostile users, you need to have the legal groundwork in place. Such policies also spell out the obvious to staff – don’t download software onto laptops and don’t mess with AV or other security settings. Put into simple words, simple protection measures that the both staff members and pupils have to literally sign-up to.
Many schools use NetPilot or SoHoBlue products on which to implement key elements of their Survival Plan. So there are some obvious points to learn from the education sector and implement in the business world too!