You need to think about what systems in your network are most important, and make sure you’re protecting them effectively. These systems are often the ones that contain important information, like:
- confidential data about students and staff, or
- financial information.
It may include your administration, building management, phone, and security systems.
This guide shows what a secure school network looks like. The actions we recommend in it are based on:
- incidents that have been reported to us, and
- the challenges we’ve heard schools face.
You may find that some of the terms and concepts in the guide are unfamiliar. If that’s the case, you can use it to help start a conversation with your IT support provider.
The recommendations we make here are very similar to those in our guide for IT professionals. CERT NZ’s critical controls explain the top things we recommend IT support providers put in place to keep networks safe.
Challenges for schools
We've identified some key network security challenges that schools face, such as:
- Many of the devices that connect to your school’s network are bring your own devices (BYOD). Students or staff may be using a malware infected device and not know it. Because you can’t control them, it’s hard to manage security for them.
- You may have off-site staff or third parties who support your IT needs. Your staff may need to work from home and access systems or documents stored on the school network. This means that you might have remote access services set up for them. If remote access is not secured, attackers can use it to gain access to your network too.
- The devices connecting to your IT network may not be actively maintained. This means that they may be unpatched, running unnecessary services, and still have default credentials. Any of these situations could lead to an attacker getting easy access to a device.
- If devices on your IT network are not actively maintained, the data on them may not be getting backed up. If a device that isn’t backed up gets infected with malware or ransomware, the school may not be able to recover any data from it.
- Students and staff may reuse passwords across multiple accounts, or use easy-to-guess credentials. Enforcing two-factor authentication (2FA) for everyone to combat this may not be possible. Students and staff may not have a phone where they can get one-time passcodes.
- Students are still learning good security practices. They tend not to understand security threats on the internet and are more likely to:
- use unsecured networks
- download infected files
- share their password
- expose their devices to malware, like computer viruses.
Incidents involving school networks
We’ve seen a number of incidents affect school networks already. This includes:
- a large amount of password loss for student and staff cloud-based accounts. Phishing campaigns aimed at collecting usernames and passwords for common cloud services — like Gmail or O365 — are common
- ransomware attacks which lock the school’s network. All the data created since the last backup needs to be recreated
- malware or phishing pages hosted on school servers. This means there’s a page on the school’s website hosting malware, or trying to collect information from users
- school servers and accounts used to attack others. This could be through denial-of-service or brute forcing attacks, for example. This means that once an attacker has access to a device on the school’s network, they can use it to hide their identity and perform attacks on others. Some school email accounts have sent links to people to get them to visit a phishing page or to download malware
- vulnerabilities in devices on a school’s network being exploited. These are easy for attackers to identify, as a large number of the devices connect directly to the internet. There are search engines that let you identify vulnerable devices.
These types of incidents could lead to larger issues for schools, such as the loss of confidential data.
Critical controls for schools
Based on the challenges and incidents we’ve already seen, we recommend you implement the controls below for your school network. This is a comprehensive guide. Our advice is to sit down with your IT support provider to understand:
- where your gaps may be, and
- where you should prioritise your resources.
1. Talk to your IT support provider
- Get the contact details for your IT support team or person, and keep them in a handy location.
- Create an incident response plan and go through it together. It’s a good idea to have a list of contacts and a plan prepared before an incident happens.
- Ask them if they need to log into the network remotely, and why. If they do, find out what type of remote access they use. The best options are called IPsec or TLS/SSL VPN. If they use SSH or remote access software, make sure they use 2FA (another layer of authentication) as well.
- If your network provider is Network for Learning (N4L), you can call them for help with your web filtering or firewall, to discuss your school’s growing data consumption, and getting the most out of your internet connection.
2. Understand your environment
To be able to secure your school environment, you need to know what’s in it. Create and maintain a list of the hardware and software that’s used in your network, and who owns it. Your IT support provider can help with this. You’ll need to keep details of:
- what it’s used for
- who manages security vulnerabilities and incidents related to the hardware/software
- how users log in on this hardware or software.
For hardware, ask your IT support person what steps they've taken to secure the device.
- Have they turned off services and ports that aren’t needed?
- Have they changed the default login to a different, stronger password?
- Do they regularly apply the most recent updates (or patches) for the device's operating system?
You may have software that's bought and managed by your school, or you may have cloud-based software which is controlled by a vendor and accessed over the internet. Either way, you'll need to know:
- how it’s accessed. Software can either be installed on your computer and accessible only from the school network, or cloud-based and accessible from anywhere on the internet. This is an important piece of information that will inform a lot of your risk-based decisions
- who needs access and what it’s used for. This will help give you context on how it should be secured
- who has administrator/privileged access. Aim to reduce the number of admin accounts to those who really need it
- how often it gets software updates and by who. Software updates often include fixes to security issues that are found, so it’s important to update the software as soon as they’re available
- that actions are being recorded. These records are known as logs. See the network management section for the kind of actions that should be recorded.
Keep a note of when this info was last reviewed. Make sure you update it when any hardware or software in the network changes.
3. Secure student and staff access
Once you understand what’s in your environment, you can take steps to secure different areas. A good place to start is through securing access.
There are several policies we recommend about access that will help protect your network.
- A user’s password should always be long, strong, and unique to each system. Each system should have a password configuration or policy that requires passwords to be like this. Give guidelines to staff and students encouraging them to use unique passwords for each system.
- Get your IT support provider to set account lockout thresholds. This will lock an account after a certain number of unsuccessful login attempts. It can help secure an account if an attacker is trying to guess their way into it.
- Enable 2FA, especially for cloud-based software and software used to access the school network remotely. If possible, the school should enforce this for all users. For example, in G Suite you can force all users to use the Google Authenticator two-factor authentication application. This gives them a one-time code each time they sign on.
- Consider single-sign on (SSO) for each system. This means a user would only have to remember their domain password to access different SSO-connected systems. This would limit the amount of password reuse that may occur, but it would make it more important to use 2FA.
4. Secure access to the school network
Students and school staff may bring their own devices and connect them to the school network. There are a few ways you can make sure the right devices are accessing the network, and only approved software is run while on the network.
- Consider using certificates to authenticate devices on to the school network. This means each device would have a file, given to them by the school, that says their device is allowed to access the network. The school can use this certificate to control what the device can access and do while on the network.
- Use WPA2 or a later version encryption for wireless access. Protect it with a long, strong password that's not publicly discoverable. Don't post the wireless password on the school's website, for example.
- Create an approved software or application list for the school. This means that only approved software can run and can stop staff or students accidentally downloading and running malware.
5. Configure network security controls
Your school’s network is where all your data is held. It’s important to design and configure the network so that you know what’s going on at all times, and can keep your data safe. Make sure:
- student-owned devices (BYOD) are on a separate network from the rest of the school-owned devices and servers
- outgoing traffic from the network is filtered for inappropriate or malicious content
- outgoing traffic from the network is analysed to detect abuse of school resources — like a spike of traffic to a specific destination, for example
- the network is protected from a flood of traffic or connection attempts, like a denial-of-service attack
- logs are configured across the network to detect, at a minimum:
- spikes and unusual inbound and outbound traffic
- actions taken by administrators or critical accounts
- unsuccessful access attempts.
- logs are sent to a central location and reviewed. Central location access is limited to only those who need it
- security alerts get sent to the school principal and the IT support provider
- data is backed up daily to a location that’s off the network.
Get more safety and security support
Several organisations are available to support schools with their digital learning, safety, and security. Together, CERT NZ, Network for Learning, Netsafe, and the Ministry of Education provide advice and support to schools on how to keep their students safe online.
CERT NZ supports people and organisations to manage cyber security incidents. We also provide up-to-date information and advice on how to prevent security incidents.
Many school cyber security incidents are complex and entwined with online safety incidents. If you’re not sure where to go to for help, report it to CERT NZ to receive confidential advice. We operate on a no-wrong doors policy. If one of our partner agencies is better placed to help, we’ll connect you to them with your express permission.
Network for Learning (N4L)
Network for Learning (N4L) connects more than 2400 schools across New Zealand to fast, reliable, safe, uncapped internet via its Managed Network. The service is fully funded and managed for schools, allowing every student and teacher seamless access to the internet for their learning, regardless of where they go to school. The company works alongside education, government, and technology partners to help schools get the most from digital connectivity.
For more information, call 0800 LEARNING (0800 532 764)
Netsafe is an independent, non-profit New Zealand organisation focused on online safety. Netsafe investigate complaints of online bullying, abuse and harassment under the Harmful Digital Communications Act 2015.
For more information, call 0508 NETSAFE (0508 638 723), or visit www.netsafe.org.nz External Link
Ministry of Education
The Ministry of Education has information about their Risk Management Scheme for participating schools which includes cyber insurance cover. Non–participating schools should check with their insurance provider to see what, if any, cyber cover is included.
To find a local Ministry of Education office, visit www.education.govt.nz. External Link