Attacks on Web Sites Put Technology Officials on Alert
The tremor of fear that rippled through the "dot-com" community this month after computer hackers attacked and shut down several popular commercial Web sites also buffeted officials who watch over school data networks.
"I certainly asked my network expert about it," said Lee G. Peters, the superintendent of the Onandaga Board of Cooperative Educational Services, an agency in Syracuse, N.Y., that provides data services to more than 50 area school districts.
The attacks were carried out by individuals who used the Internet and some commonly available software tools to gain access to computers at various organizations, including at least two U.S. universities. The hackers instructed the computers to bombard the World Wide Web sites with bogus requests for information, overloading their systems to the point of temporary collapse.
The incidents have raised concerns that school district computers linked to the Internet could be used to create mischief in the same way, or that similar attacks could be launched against school Web servers.
"School districts are in the same state of unpreparedness as businesses, but only worse. They have a fence without a lock on the gate," said Winn Schwartau, the president of Interpact Inc., a security-awareness consulting firm in Seminole, Fla.
"It's a wake-up call to educational institutions," said Allison Taylor, the director of marketing at PGP Security, a division of Network Associates, in Santa Clara, Calif.
School data networks already face constant low-level assaults by hackers, Mr. Peters said.
"We average 20 attempted attacks a month," he said. "They come from all over," including Europe.
To date, no one has been able to crack Onandaga's system without an official identification number, Mr. Peters said.
But in August, the system suffered a major breach when someone who had stolen a legitimate ID number and password logged on and altered data records.
The changes were detected after teachers at Ithaca High School noticed vulgar language appearing in the teacher-comment section of student report cards. From an outside computer, the intruder changed more than 1,000 records, including students' grades and possibly some health records, officials said.
Last week, New York state troopers arrested a suspect in the case, a 17-year-old Ithaca boy who dropped out of school.
School Web sites have also become a frequent target for electronic graffiti artists, several administrators said.
The Rockford, Ill., school district's site was defaced last April, said Jim Jennings, the district's communications director and "webmaster." A student whom Mr. Jennings called "a bright young man with too much time on his hands" got into the district Web server and changed about a dozen Web pages.
Since that incident, the 27,000-student district has added security equipment and made sure that all ports, or entry points, that can be used to change data on the server are closed unless they are needed for a legitimate purpose, Mr. Jennings said.
For now, most districts are probably less likely than businesses to be struck by the massive "denial of service" assaults that temporarily crippled the Web sites of Yahoo!, CNN, eBay, and Amazon.
That's because online retailers depend on Web servers much more than schools do, school computer experts say.
But schools' vulnerability will grow as they link more computers and networks to the Internet and move more functions to their Web sites, the experts add. "The whole idea is to make sure you make information available 24-7"—meaning round-the-clock, all week long—"and to make sure you receive information," Mr. Jennings said. "We've got hits from all over the world on our programs and [class] reunions."
In other districts, Web-based information systems already have become vital.
Bob Moore, the director of information and technology in the Blue Valley district in Overland Park, Kan., said his district's network distributes to staff members sensitive information that would be sorely missed if it were unavailable because of a hacker attack.
"Many of our students have to take medications throughout the day and have serious health conditions. All that information is on the computer system, and a nurse and other key people in the system have to have access to it on demand," Mr. Moore said. Another feature gives school personnel immediate information about who is authorized to pick up a child from school.
"People tend to think of personnel information and grades [being on the school network], but you get into real safety, health, and legal issues," he said.
While school districts have been expanding their data networks and linking them to the Internet, many have not made matching upgrades to security, experts say.
The level of data security "vastly differs from district to district," Ms. Taylor of PGP Security said. Though districts place a higher priority on data security and planning than the business sector does, she said, "the challenge in the education sector is the budgetary constraints."
A "firewall," which selectively blocks communication between the network server and the Internet or computers on the network, is the first line of defense against hackers.
But districts shouldn't rest easy just because they have one, Mr. Schwartau, of Interpact, said. "People say they think they have a firewall and are safe. That's one of the most naive things they could say," he said. "There are so many ways to get around it, so many hacks."
The best defense is to wrap the network in layers, Ms. Taylor said. That way, a hacking technique that penetrates one defensive layer may be caught by the second layer, or the third.
Unfortunately, Ms. Taylor said, districts tend to omit some layers when their budgets are tight.
School districts generally first buy anti-virus software, then invest in firewalls for their networks, she said. But they usually omit what is termed "active security," a system that orchestrates a whole range of security measures in an automatic response to attacks. Such a system, which Ms. Taylor described as "high end," would shut down communication with an external computer—or seal off a group of internal computers—if it detected an attack.
Just as important as the technical tools, experts emphasize, are the human tasks of planning the level of access to be allowed each type of user of the system, teaching users not to give out passwords, and supervising and updating the security system regularly.
Vol. 19, Issue 24, Page 5