The needler in the haystack.

Friday, January 28, 2011

Laxity, lack of planning set stage for schools' security breach

It was like a castor-oil moment.
 
Thursday night's special meeting of the Plainfield Board of Education put me in mind of those end-of-winter spoonful-of-cod-liver-oil sessions my brother and I were subjected to as kids.

Mom, Dad and village wisdom all dictated that it was good for you, but that didn't make it any less distasteful.

The subject matter was a presentation to the public on the recent security breach of the District's web-based Genesis parent/administration portal (which I wrote about previously here).

Despite assurances by the District's I.T. staff and Interim Superintendent Anna Belin-Pyles that fewer than one percent of the system's records were vandalized and that no data was lost (well, it seems it
actually was but it was later recovered, but that's a quibble), the bottom line is that laxity and lack of planning left the District open to the attack.

When the public was given time to ask questions, resident Scott Belin (who also chairs the Zoning Board of Adjustment), pressed the staff and interim superintendent on the District's I.T. plans, policies and procedures.

It came to light that while the District has a Disaster Recovery Plan for its computer networks and website, there is no Security Breach Incident Plan.

Ms. Belin-Pyles remarked that this was because 'security breaches are relatively new to the educational community'.

This took my breath away. For years now, those responsible for computer networks and Internet security have known, reported and discussed the ubiquity and persistence of attempts to breach, hack, vandalize and steal from their systems.

How could Plainfield's little corner of the universe have escaped noticing?

Best practice on the part of I.T. professionals is to ASSUME your system will be the target of attacks.

And to plan on it and have procedures in place for the eventuality.

It seems that the issue in this instance at Plainfield was laxity with regard to passwords.

Somehow, someone got access via a valid administrator's password to the system.

It does seem, from the crowing about the incident done by the intruders on public discussion boards, that the intent was to vandalize student records and wreak other sorts of havoc on the web-based system (such as $9,000 lunch fees) and not to STEAL commercially valuable data.

This is not the kind of behavior that serious hackers, intent on stealing valuable information (personal data, Social Security numbers, credit card info, passwords, etc.), participate in. They are intent on NOT BEING FOUND OUT, on NOT CALLING ATTENTION TO their intrusion.

So, the District caught a break this time.

And we were told there will be a tightening-up across the board: a new and stronger password policy, updated security procedures for all servers, and the development of a Security Breach Incident Plan including a clear chain of communication up the ladder.

That's all to the good, and we can hope it will be sufficient -- with vigilance -- to guard the District against future incidents.

After the public (there were five in attendance, if I count myself in) had its chance, Board members asked their own questions of the I.T. staff and Ms. Belin-Pyles.

This was where the scary side of small-d democracy came to the fore.

It became quite clear that the Board members, with all due respect, do not really grasp the nature of the problem. They pressed for details that can not be divulged while there is an active investigation, and showed a sketchy understanding of the District's computer network and internal policies and procedures concerning it.

That in itself is not so scary as realizing that the Board members will now be responsible for adopting policies and procedures to defend against future attacks. How will they know what are good policies and what are not?

It was surprising, and somewhat dismaying, to learn that only about 500 parents are signed up to make use of the Genesis student records system. I don't know how many parents (or households) there are for an enrollment of approximately 6,500 students, but surely 500 participants is a LOW number if not VERY LOW.

While the expense of the system may be justified by the number of teachers and administrators who use it (700, we were told), and the hours saved in preparing required submissions to the state, it would behoove the District to have a plan in place for increasing parental use of the system. What happens to those who don't participate? Are they simply left out of the loop? Or does the District have to go to the lengths of preparing and distributing duplicative paper-based info, which Genesis is supposed to do away with in the first place?

There was, however, one more issue that did not get any discussion: a District crisis communications policy.



Notice from District website

Following is the timeline presented by the I.T. staff and Ms. Belin-Pyles --

  • Tuesday, January 18, the attack began approximately 6:30 PM; the system was vulnerable until approximately midnight;
  • Wednesday, January 19, the Help Desk began getting calls that users could not log in at 8:00 AM;
  • Wednesday, January 19, I.T. staff restored the Genesis system on, but limited access;
  • Wednesday, January 19, a notice the system was unavailable was put on the District website;
  • Wednesday, January 19, law enforcement and educational authorities were contacted;
  • Thursday, January 20, principals and secretaries granted access to Genesis;
  • Saturday, January 22, Interim Superintendent's letter posted to website;
  • Monday, January 24, teachers granted access to Genesis; and lastly
  • Monday, January 31, expected parents will be granted access to Genesis system.
Except for the brief, uninformative notice on the website, it took FOUR DAYS for the District to address the issue with a letter from Ms. Belin-Pyles posted to the website.

This is hardly comforting and suggests the lack of any clear crisis communications policy, a lack that should be addressed by the Board of Ed as it works its way through the aftermath of this security breach.

Ironically, when the letter from Ms. Belin-Pyles did appear, it seemed to follow an outline I proposed to Maria Pellum (see here) last week, based on my experience as the city's public information officer.

Part of the District's responsibilities to the taxpayers and other stakeholders is timely, accurate and informative communications concerning breaking and/or crisis issues.

It goes with the turf, and I hope this will be addressed in a formal manner with procedures and policies.

Lastly, the venue and sound.

Holding the meeting in an auditorium that holds 1,300 people for an attendance of 11 (including staff and lawyers) besides the Board was wasteful of taxpayer dollars (heating the space). It was like a Leni Riefenstahl setting, without the crowds.

Couldn't there have been a Plan B, such as using the much more accommodating PHS Library?

Also, the sound system was execrable.

Well, not the system itself, but the use made of it. I had to ask for Board members to speak into the mikes, but they soon relapsed into speaking without pulling them close; Mr. Bloom was clearly audible even without the mike, but Mr. Sears waved the mike around but failed to hold it close enough for us to get the benefit of all but a few words he said. This is just a matter of someone teaching folks some good manners about using mikes.

Surely there is someone on the District's 1,000-member staff who could do that?


-- Dan Damon [follow]

View today's CLIPS here. Not getting your own CLIPS email daily? Click here to subscribe.

6 comments:

olddoc said...

Has anyone considered that the password used could have belonged to an administrator no longer with the system? A password that someone forgot to void.

Rob said...

They didn't plan on someone hacking into the system ???
Apparently none of them have seen movies for the past 20yrs or followed the news...it's happened since schools began getting computer systems.
Plainfield...once again proving..just because the state hands you wads of free money doesn't mean you have sense that God gave the village idiot ( sorry Jerry ) to spend it properly.
Maybe someone should sit the school board down and discuss - T E C H N O L O G Y...we can review that the kids aren't carrying pagers anymore, the devices are called C E L L P H O N E S...scary but true, yes..hand held wireless phones.

Anonymous said...

Dan, to expect the members of the BOE to understand the complex ins and outs of network security is a bit unrealistic. Most lay persons are minimally equipped to run their personal computers at home, and so it should be. The problem is that there has to be someone in charge of the network who is smarter than the collective community of extremely smart, and misdirected people who find it an adventure and a challenge to break into other people's networks.
It is seen as a game, and a competition, and they are relentless. As we all know, companies with HUGE information systems, with extremely sensitive data and resources that should be able to cover the security of that data, have been hacked and brought to their knees by these little adventurers.
So for heaven sake, please have some perspective and go easier on the folks at the BOE.
Thanks so much.
Michael

Dan said...

Michael -- Reread the post. I DON'T expect BOE members to know the ins and outs of computer networks and Internet security issues, any more than I expect our President to know everything that should be known about Egypt.

What I said is that the scary part of small-d democracy is that we put a lot of important stuff in the hands of people who cannot possibly know the ins and outs, AND YET WE GIVE THEM THE POWER TO MAKE POLICY DECISIONS THAT IMPACT US ALL.

It is a reason to lay awake in bed many nights.

But as Winston Churchill said, 'Democracy is the worst possible form of government...save for all the rest'.

Take care!

Anonymous said...

I think Michael hit the nail on the head. The BOE is ill equipped to deal with, not only the technology, but the basics of knowing how to lead and make a difference in education.

The BOE may have a panel of smart people, but they are most certainly not effective.

Anonymous said...

Dan,
I agree with the previous blogger that many large companies are hacked. If a hacker wishes to get into a system, it has been my experience they can and will access most systems in the world. Plainfield's district is not and will not be the only school system to be hacked. Whenever there is a network that has access beyond it's closed environment - it will be vulnerable to unauthorized access. It does not matter if it is a government, private sector or educational network. I do not agree that "there has to be someone in charge of the network who is smarter than the collective community of extremely smart, and misdirected people who find it an adventure and a challenge to break into other people's networks" I believe that to be an unrealistic expectation. There is always someone smarter than the last person - and there will always be someone attempting to out do the last. I believe in the Plainfield scenario the Interim Superintendent is handling the situation properly; Notify, the directly impacted, law enforcement and the general public. Investigate - via root cause analysis; What happen, how did it happen, how to avoid in the future. Investigate and prosecute - Cooperate with law enforcement to catch those responsible and implement safeguards and changes.) Do not disclose ALL of the updated changes to the environment (why give the hackers directions on how to penetrate the system again. Advice to the council - don't ask questions in a public forum that can undermine the investigation or place the system you are attempting to protect in a continued vulnerable state.

BTW - I am not presently appointed to the Zoning Board of Adjustment at this writing.

D. Scott Belin