Risky and Problematic "Surfing practices" of students in a school (as compared to adults in an office building) include:
- torrenting which opens up ports which should be closed
- use of lots of free apps which may not have good security
- the desire to hack
- for the feelings power, a la script kiddies
- risk taking behaviour in general which leads them to more risky sites
- the time to experiment - particulary with un-school-focused computer geeks
- studenst now-a-days are extremely savvy with technology, and so will do more things and go more places, exposing risk
- programming classes actually teach students the tools needed to learn hacking
- some students don't like school and so want to find a way to hurt the school
- the desire to get into the grading system to "tweak" grades
Good Targets Commonly Used At Schools:
- Widely used, popular products, such as Adobe Reader and Firefox plugins make for a good target.
- Flash Player plugin is particularly problematic lately. In the Zero day list from Symantec, Adobe Flash Player appears multiple times.
- Other browser plugins such as the Java plugin are also particularly vulnerable, and all such plugins are regularly used/required by students at schools.
- Microsoft Word and all Microsoft products are quite prone to attack, not only because they are popular and so make a good target, but also because they have the practice of using shared dll files (dynamically linked library) files for example, which by the very act of sharing expose security issues. "DLL Pre-loading Attack" is an example of one such DLL attack, in which the malware designer gets their own malicious DLL code to load before the real DLL code can.
- Windows machines (which are more prone to attack and are less secure than Unix and Mac computers.
- BitTorrent programs (UTorrent & Vuse) and other sharing software - which should not be used at school, but may very well be if not prevented. Other peer-to-peer software too, such as BearShare etc.
- And even simple, small, seemingly innocuous things such as a font downloaded by a student can bring in malware. For example, a Duqu/Flame infection via the TTF(True Type font) parsing engine - so malware disguising itself as a font.
Prevention
First of all note that the level of prevention that can be deployed depends on the financial resources of the school - so any conversation with a school about security should start here. A feasibility study for possible levels of protection needs to be done.
Network Security Personnel - a school could/should have a dedicated network and security expert, like our Jakub here at ISP - all he does all day long is network and security related.
Whitelists can be used, in which only certain IP addresses (websites and other Internet services) are allowed - for example, bbc.co.uk, wikipedia, isp.cz and so on - but this has limits, and students are not free to go many places around the Internet to do their research, and it can be a pain to keep on adding to the whitelist. So it's an easy, cheap solution, but it is very limiting.
Software Firewall implementation of Blacklists.
With this, there is Blocking of websites, servers, and all IPs of suspicious network requesters. This is possible to be implemented without any special hardware on the school's gateway computer.So with all firewalls there is blocking all non-standard protocols and activities. In fact, ativities involving non-standard upper port numbers are either blocked entirely or monitored more closely.
Hardware Firewall implementation of Blacklists.
Beyond using just software firewalls, dedicated hardware firewalls can be installed and managed. These are robust server-grade computers which are custom built to be firewalls, and do all that a firewall needs to do as efficiently as possible. At ISP our hardware and software firewalls are supplied by Sophos. Use of them requires a high degree of training, and usually a support contract in which Sophos personel are available 24/7 to manage issues which may arrise. As you know, if the firewall blocks more than it should, the Internet of the school seems to be down.
Completely Separate networks which can isolate sensitive parts of the school network which need to be kept up and running. We have 11 separate networks, which are entirely, physically, isolated from each other. This is, naturally, an expensive option, but just as naturally adds to the network security of the school.
Separate organizations and companies have their own network. As part of the separate networks strategy, even small networks owned and operated by companies working for the school must have their networks isolated from the rest. So at ISP, even the cafeteria and the CCTV company are on entirely physically separate networks.
Standardize Devices and Software. By standardizing the kind of devices allowed to be used, and also by standardizing the software on the school machines, the range of potential threats can be limited. Here at ISP, both the Middle School machines and the teacher machines are "cloned" at the beginning of the year, and furthermore, they are all the same kind of machine.
One other non-security advantage of this is that whenever a machine encounters a problem, it can be "wiped" and re-cloned, or "re-imaged". The image is changed and refined from year to year, and assures that all of the proper security settings and
Do not allow administrator privledges. This way students (and teachers) cannot change the security settings or install potentially threatening software. At ISP we do not disallow administrator privileges from for US student laptops, but we do with the teacher and MS laptops; this different approach makes sense since the MS and teacher laptops are owned (actually, leased) by the school and given to the students/teachers.