Threats Attacks And Defenses @ Hamden High School

Back Home

Last Updated: 2003

Michael Ligh (michael.ligh@mnin.org)

Abstract

The Hamden Public School (HPS) district recognizes the importance of computers and technology in a child's educational development. It also acknowledges that no network is infallible; and the chance of encountering objectionable or threatening content is high. In a best-effort defense the district utilizes acceptable use polices, intelligent planning, and a strong technical staff to mitigate associated risks. Maintaining security from both intentional and accidental damages is not a simplistic motion, however; and we will be considering a breadth of attack mechanisms and threats that when combined are capable of, in laymen’s terms, making bad things happen. The subject of the study will be the district's only high school, which has an estimated $1.8 million computer network installed on site.

Description of Infrastructure Components

The largest infrastructure component is a Wide Area Network environment consisting of both Frame Relay and Private Virtual Circuits with connection speeds from 256kbps to 1.5MB/sec. The network extends between eleven academic buildings (9 elementary schools, 1 middle school, 1 high school) and two others (a central office and Town Hall). Channel Service Unit/Data Service Units and 10/100 Base T Cisco routers provide the WAN connectivity. Internet access is provided by a dedicated T1 connection, routed through a central hub located at Hamden High School (HHS). The network as a whole employs an Internet firewall and filtering system, on which details were denied.

The local area networks within each school or office operate in a switched Ethernet environment. Category 5E UTP network cabling provides the connection between desktop (workstations) and the wiring closets. The backbone, connecting all wiring closets and any devices more than 100 yards from each other, is made entirely of 100 megabit fiber optic cabling. All laptops (approximated 46) in the middle school's mobile labs have already gone wireless; and this technology is being considered for use elsewhere.

File servers are Pentium-based and operate at a minimum of 400 MHz with 128 MB RAM, 3COM 10/100 Ethernet controllers, 18 MB SCSI Ultra-Wide SCSI drives with RAID-5, tape (DAT) backups, redundant power supplies, and UPS battery backups. The common desktop workstation is also a Dell-distributed Pentium-based machine with a minimum 400 MHz processor, 64 MB RAM, 3COM 10/100 Ethernet controller, 6 GB hard disk, 3 1/2 floppy, CD-ROM, integrated speakers, and a 17" monitor. A majority are Dell Dimension XPS R400 series that additionally include DVD-ROMs and zip drives. The Hewlett-Packard printers are network-ready, black and white lasers of the HP 5si, HP 4000 and HP 8000 series.

The focus of this study, Hamden High School has over 700 networked desktops of the quality described above. All classrooms have both teacher and student computers available - a minimum of 2-4 in each room. In addition to the classroom computers, the high school has 9 computer labs including 2 state-of-the-art language labs and 2 music, graphics, and video-editing Macintosh labs. HHS uses the Microsoft Office Suite of applications for both PC and Macintosh platforms; and several include specialized programs such as NCS SAISIxp student information system and MUNIS financial management software.

The school stands four stories high directly off Dixwell Avenue - one of the main roads in Hamden, Connecticut. This main entrance from Dixwell is the only accessible route if being approached by vehicle - the remaining perimeter is closed off by surrounding fences and an acceleration ramp to US 15. This description is more important when considering possible escape routes - the only way in is the only way out. If a person wishes to leave on foot rather than by vehicle they must either hop fences or walk the Interstate.

Human reachable (without ladders and such) areas of the building are brick and cinderblock though breaks in continuity for glass windows with metal crosshatching do exist. The front of the building which faces Dixwell has three sets of double-doors made of steel and are locked from the inside out. Students and faculty are only allowed to enter these doors in the morning when school busses unload. Visitors and students arriving late must enter from the left or right of the building known as the B and D wings. Each wing has eight all glass doors which lead to a security desk and the two main stairwells. There are strategically places circular mirrors aimed at the stairs, giving the security personnel a visual advantage. When I entered a police officer was standing by and conversing with the school security guard - a normal situation they said.

In accordance with visitor regulations I had to sign in and explain the purpose of my presence. I was given an adhesive yellow hall pass for the outside of my clothing - no questions asked - no identification or verification required. The time setting is about 13:00 on a weekday so school is in session but several students are roaming the halls. Staff members have desks positioned in select hallways where they are able to monitor activity; prepared to handle disputes or suspicious behavior. They are equipped with hand-held radios for communication. I passed a few security guards while exploring the turf - they wore yellow sweaters with their positions embroidered in blue.

The computer systems described earlier are protected differently depending on their intended usage by staff members or students. The staff systems run Novell Client for Windows and warns "Do not attempt to log on unless you have an authorized staff account." The student systems have slightly different configurations - settings in the BIOS do not allow the computer to enter the setup stage without the proper password. If the wrong sequence is entered, the monitor displays "system disabled" and there it will remain until it is rebooted with the correct password.

In the labs and classrooms, computers are physically secured in a very strange way. Cables are grouped into one or a few bundles and bonded with metal structures resembling handcuffs for wires. The bundle is secured to the desk or table with a master lock. In this way, a thief must either steal the entire computer lab or simply cut the cables and hope replacements are easy to find. Surge protectors and Ethernet jacks are on the floor below the computer stations.

Guidelines and Acceptible Use Policies

The technologies described above are expensive to purchase, install, and maintain. Their use is only permitted under certain conditions and following the submission of a signed and approved AUP form, which even then grants only a privilege; not a right. The school reserves authority to revoke privileges from anyone who does not comply with the stated policies. Families are warned ahead of time that usage of the Internet may expose students to items that are illegal, defamatory, inaccurate or potentially offensive. For this reason, returning the signed AUP form is completely optional (though failure to do so removes all legitimate access). In addition to this policy, users are expected to act in a responsible and legal manner in accordance with district standards as well as state and federal laws.

We will not consider the AUP in detail because the existence of a policy by no means implies enforcement or a heightened state of security over organizations without them. At best they provide a post-hoc reaction (a plan to punish offenders), at which point the damage has already been done. A few select guidelines are as follows: staff and students may not download, install, or print files without permission; no configuration settings should be changed (even the wallpaper); no floppy disk or external sources of media should be introduced into the lab (new floppy disks are available); no food or drinks are allowed; students should never access the Internet without direct and continual supervision; and there should be no hacking, vandalizing, or otherwise damaging of the computers or network.

Associated Threats

A threat is an actor, group, or nature that, context considered, could possibly represent a source of danger. Once identified, threats can be further categorized according to their motive, funding, capabilities, and intents. On a scale from 1 to 10 (with 10 being the most concerning) these threats will be ranked according to how likely they are to indeed become a source of danger for the network at HHS. A ranking of zero would indicate the threat is not even acknowledged.

- 10- Vandals are people who damage things for the fun of it, [1]. The FBI's Uniform Crime Reports (UCR) of 2002 estimated (using a sample size of more than 200 million) that nearly 40 per cent of persons who commit vandalism are under 18 years of age, [2]. This threat is of particular concern to HHS because the student body, and thus a majority of the network's users, consists of persons 15-18 years old. Vandalism does not have to entail gross and permanent damage; it could be a student scribbling their name on a monitor out of boredom or removing pieces from roller ball mouses so that they no longer roll (that was fun when I was 15 at least). The net effect could cause the school thousands of dollars in repair and cleaning fees which might subtract from the budget set aside for a new computer lab or other advancements in technology for educational purposes.

- 09 - Insiders are employees, board members, and other internal team members who have legitimate access to information and/or information technology, [1]. As always, insiders pose a threat based mainly on their position (physical and/or logical) in relation to the information and devices we are trying to protect. Trust and loyalty are qualities that grow with time; and rarely are individuals associated with a company long enough to establish unmistakable relationships before they are exposed to sensitive assets. This threat is ranked high because of the abundance of dishonest people in the world and their ability to blend in with others. It would normally be set higher due to the fact that even the most honest and well-intentioned insiders make mistakes that can corrupt systems and their information. However, HHS has made respectable efforts to prevent accidental misuse. The Technology Department at HHS provides ongoing technology training programs for all educators including but not limited to teachers, superintendents, principals, and support staff. The training is offered at beginner, intermediate, and advanced levels.

- 08 - Crackers are people who maliciously break into information systems and intentionally cause harm in doing so, [1]. These individuals are a threat because they are plentiful among the population of computer and/or Internet users. The HHS network is especially vulnerable to these threats because the school provides information to parents about their children's homework assignments and progress via e-mail and/or HTTP. Furthermore, the wider community, including the majority of taxpayers who do not have children enrolled in the schools, are able to access useful resources through the network. Crackers can use these same entry points to gain unauthorized access or exceed authorized access.

- 07 - Hackers are people who enjoy using computers and exploring the information infrastructure and systems connected to it, [1]. The network at HHS is built to facilitate curiosity and education by accessing information through technology. The students are, if you will, being "bred" to be proficient with computer systems and enhance their knowledge past conventional levels. For example, the HPS district is committed to children becoming experienced with keyboard and typing skill by 1st grade; and to be diverse in multimedia presentations by grade 6. They offer computer science courses in C++ and Visual Basic and allow students to practice on the systems on site. While not generally malicious, experiments can open holes to other attackers.

- 06 - Maintenance people are threats because they typically have access to physical locations in order to do routine maintenance tasks, [1]. These sorts of threats are high because the element of trust is on their side. They are allowed access to labs without supervision and likely own a set of keys to those labs and other rooms throughout the building. Maintenance people are most threatening to HHS if they are extremely computer literate (and can exploit some vulnerabilities), hardly computer literate (and cause accidents), very sloppy (and spill liquids throughout the wiring closet), or ignorant (and clean the inside of servers with chemical solutions).

- 06 - Nature can pose a threat to HHS and the network. In fact, but a few things are not threatened by acts of nature. Storms that bring high winds, lighting, extreme temperatures, and/or heavy precipitation can damage any one of the infrastructure components described at the beginning of this paper. The school defines a major threat as anything that would cause less than ninety percent of the networked computers to be operational at any given time; which the forces of nature are capable of. Nature is not as large of a threat to HHS in the northeast United States as it is to other networks in more vulnerable geographic locations.

- 06 - Fraudsters are people who defraud others, [1]. If fraudulent activity was obvious before or during execution it could be counteracted, however fraud is successful because those being defrauded do not realize until it is too late. The threat ranking is high because no defense can prevent everything and fraud covers such a wide range of activity. HHS does require students to carry ID cards at all times and be prepared to present them to faculty or staff members at any time. However, most adult fraudsters could get away with not having an ID or just use their fraudster skills to create a fake.

- 06 - Club initiates are people who break into information systems as part of a ceremony to become members of clubs, [1]. A sense of belonging is important to adolescents; and the thrill-seeking nature of youths makes this threat of concern to HHS. While the serious clubs might target more sophisticated, publicly displayed networks; less serious clubs, especially members of the student body might find attacking their own school an attractive prank.

- 05 - Cyber-gangs are people who roam the information infrastructure breaking into systems and doing harm for fun and profit, [1]. This threat is relevant to the network at HHS because gangs typically exercise little discrimination on who will become the next victim, making all Internet accessible networks equally likely to be stumbled upon.

- 05 - Professional thieves are people who make their living from stealing things, [1]. Rationality states that as quality and quantity of one's assets increases, the more attractive they become to thieves. We often cannot put a price on the value of private information, but that does not mean crooks will not put a price on obtaining it. There is no question that HHS has the technology and equipment many criminals would risk prosecution to get their hands on. The on-site physical security is acceptable to prevent large scale removal of computer systems and its peripherals; however a creative criminal will find ways to circumvent defenses. One of the initiatives to ensure equity of access to technology that HHS employs is allowing educators and students to check-out computers from the school for weekend and summer usage. This allows professional thieves (possibly hybrid with a fraudster) an opportunity to check out a computer system and, naturally, not return it.

- 05 - Crackers for hire are people who get paid to break into systems and do harm, [1]. In the event that a student is unsatisfied or angry with the school system he or she may hire a hacker with criminal incentives to damage the network or assets owned or operated by HHS. The threat is evident but miniscule because the most advanced crackers will demand higher fees for their services, which most high school students would not be able to afford. It would however be possible for a group of angry students to combine their financial efforts and meet the requirements to initiate a threat of this sort.

- 04 - Deranged people are a threat because they have a reduced intellectual capacity to act rationally, which stresses our ability to control or predict their behavior. HHS offers an education to students with learning disabilities and special needs and is committed to allowing them equitable access to a wide range of information and technological resources. Hazards created as a result of these types of threats are more likely to be accidental in nature and a product of incorrect or lack of information. There is also a threat that seriously deranged people might gain unauthorized access to the building or network and proceed with malicious activity. This will not increase the severity rating because the number of (unsupervised) seriously deranged people is low as is the possibility they would achieve their goals before being apprehended in the public setting.

- 04 - Hoodlums are people who hurt other people (in non-technical ways) in order to get what they want, [1]. These sorts of threats are likely because bullies are prevalent at high schools and might pick on weaker students. In the likelihood that those students are proficient in computer hacking, hoodlums have a new weapon at their disposal.

- 04 - Terrorists are people who attempt to induce terror in others in order to forward their cause, [1]. Specific causes in this regard are numerous, but methods of forwarding those causes are fairly basic - sever the bonds people are most accustomed or attached to. The threat of injury or death of children by a large scale attack against the school at which they presently reside is an ideal means for terrorists to induce such terror. The ranking is discounted because strikes of this sort are not especially common, however HHS is within approximately 80-90 miles of New York City - not afar from the location chosen in the September 11 attack.

- 03 - Whistle blowers are people who believe that crimes are being committed and that they have a duty to report them to the proper authorities, [1]. These sorts of threats exist because of the potential rate of false positives. If authorities must expend time investigating inaccurately reported or nonexistent crimes they have less applicable time to devote to the real or more serious crimes. Furthermore, the AUP states that students must notify an adult immediately upon encountering materials which violate the rules of acceptable use. A good technical staff, such as the one at HHS, can manage their time wisely and quickly distinguish between serious and non-serious reports.

- 03 - Activists are people who believe in a cause to the point where they take action in order to forward their ends, [1]. Individuals may disagree or grow concerned with the school's policy on preaching or demonstrating certain aspects of religion. Persons with strong beliefs of just about any social issue could become a threat to the school if the school does not act in accordance with those beliefs. Activists are also likely to start protests as a means to express their seriousness. Protests on school grounds could become very disruptive of the learning environment and could lead to riots.

- 01 - Private investigators are (private) individuals or corporate entities that investigate on a for-fee basis, [1]. Parents (desperate ones) of children may hire a PI to find out why their son or daughter is skipping school, when they leave, and where they go. Board members suspicious of their peers and how funds are actually spent may hire a PI to seek the truth and ensure certain equipment is purchased, for what amounts it was purchased, and if it is being used for the proposed tasks. In their attempt to uncover secrets or verify claims, the PI may disrupt normal network activity.

- 01 - Consultants are people who work under their own control to provide contract services to others, [1]. HPS does not require or seek external sources of consultation. The technology department handles security consulting and if these types of people are to be considered threats they can be more accurately described as insiders.

- 01 - Extortionists are people who obtain assets from others by using coercion or intimidation, [1]. They commonly extort money or goods by threatening harm if not paid off, [1]. Typically, students do not own or have access to things worth committing serious crimes over. The Hamden Public School district does indeed have access to large sums of money, however only through formal proposals and several layers of approval.

- 01 - Reporters are people who work for newspapers, news magazines, television, radio, or other media elements, [1]. Due to their positions and motive, these types of people might be allowed access to the school where they could then carry out attacks. They may also be exposed to information not appropriate for public release and either accidentally or intentionally do so. HHS treats reporters as adult guest/visitors and requires them to register at the security desks located on the first floor of either the B or D wings of the building. According to policy, security is then supposed to announce their presence to the administration, but this did not happen on my visit.

- 01 - Customers are people who buy goods or services. In an indirect way, every tax payer is a customer of HHS. They are ultimately buying a better educational experience for their children and future generations. These types of customers would not pose a threat to the school unless everyone refused to pay taxes, which is prevented by the legal issues enforced by governments. On a much smaller scale, the school engages in fund raising exercises and sells school related supplies and garments. In these cases the supporters are either not referred to as customers (they are simply donating) or are not the threatening sort of customer.

- 01 - Organized crime is committed by groups of professional criminals, [1]. Based on the types of information stored on these systems, professional criminals are likely to focus their interests elsewhere. Accordingly, the ranking for this threat is low, but above zero, because if any type of crime was to attempt to remove several of the computer systems from the school it would need to be of an organized nature. Moreover, if professional criminals wish to hide their identity they could attempt to use the HHS as a mask through which to route their attacks upon more desirable targets.

- 01 - Vendors are people who sell things, [1] which in this case, are then purchased by HHS or HPS. The technology department coordinates all purchasing of hardware and software through inventory control processes. The computers are Pentium-based and distributed by Dell; an acclaimed and trusted source to say the least. Likewise, printers are acquired from Hewlett-Packard. Entering contracts with vendors, and especially the multitude of DOA or service guarantees that accompany such large purchases, is insurance that HHS will not be victimized by the vendor itself.

- 01 - Competitors are individuals or companies in the same or similar businesses who stand to gain from one another’s loss, [1]. We are dealing with educational facilities for youths here, which are not commonly victimized by other educational facilities. There is only one high school in Hamden so there is no conceivable risk for competition of resources or attendees. There is a budget afforded to the entire Hamden Public School district which may be unevenly distributed according to the needs of individual facilities, but this will not be considered competition because one school does not gain from another's loss nor does it act intentionally or necessarily have a say in the matter (decisions are made by the Director of Technology, Superintendent, and Board of Supervisors).

- 01 - Economic rivals are companies, groups, and governments that compete on a large scale with your companies, groups, and governments, [1]. Please see the above description of competitors.

- 01 - Government agencies are groups that work for or alongside parts of government, [1]. These sorts of threats are not likely to be interested in HHS or the information infrastructure associated with it. If they are interested it is not likely to be a malicious interest.

- 01 - Industrial espionage experts are people who specialize in harming companies to the benefit of other companies, [1]. This threat is ranked low because there is little chance that any company or group of companies would benefit from losses suffered by a high school. Theoretically, if a company could disrupt the learning environment to an end that students do not learn; the companies that employ them in the future will be harmed. This is at best theoretical - very unlikely, and almost ridiculous.

- 01 - Tiger teams are people hired to demonstrate vulnerabilities in systems by exploiting those vulnerabilities, [1]. No external sources of information assurance are sought by HHS. All vulnerability testing would be conducted by certified members of the technology department. Tiger teams hired by other organizations might mistake the HHS network as the one they are hired to evaluate. Due to the fact that tiger teams are not widely or commonly employed and even less likely is the possibility they would mistakenly direct attacks, this threat is ranked very low.

- 01 - Drug cartels are groups that combine forces in order to manufacture and sell drugs, [1]; and would only indirectly affect the network of computers at HHS. Students who use drugs obtained from drug cartels, or anyone for that matter, will be unable to make clear, rational decisions. While under the influence they might be more prone to cause accidents, or as a result of lowered inhibitions, engage in intentional damage of systems. Detection measures are in place (randomly announced walks through the school with drug dogs) at HHS to ensure drugs do not exist on or nearby the school's campus; but this does not prevent intoxicated individuals.

- 01 - Foreign agents and spies are people who professionally gather information and commit sabotage for governments, [1]. Information transmitted across and stored within the networked computers at HHS and HPS district would provide little, if any, factual intelligence of interest to foreign agents or spies. For this matter they are also not likely to benefit from the destruction of any such information. The ranking received a one rather than a zero for two reasons: 1) threats of this type could exist if these individuals planted data on the school's network as a means of intercommunication and safe haven for sensitive files they would not want to be caught in possession of. A large high school network that provides access to thousands of students (potential culprits) - online 24/7 - would be ideal for this purpose. 2) In search of a specific network of computers, foreign agents and spies may accidentally enter or disrupt services on the HHS network. They might not realize which computer systems they have caused damage to until after the fact.

- 01 - Police are people tasked with enforcement of the law, [1] and are a threat when acting unethically, ignorantly, or in special case scenarios. Police are human beings like the rest of us and their actions and interests can be manipulated by a number of external stimuli such as bribes, threats, and exposure to pain and suffering. There are a number of police officers who regularly cruise the HHS parking lot, hallways, and general vicinity. If these individuals are presented with the ultimatum of carrying out a specified attack against the HHS network or else their family will be murdered by the time they make it home - most will choose to attack the network. They are not likely to be apprehended by other school officials, which is another reason they are in good position to become a threat. Similarly, police are often among the first individuals to encounter a crime scene and according to duty they will want to ask questions and gather evidence. If a computer lab at HHS is the crime scene, technically-challenged police might disturb the normal state of systems or cause other problems as a result of their lack of training or experience with the subject matter.

- 01 - Information warriors are people who specialize in attacking information systems as part of government-sponsored military operations, [1]. This threat is ranked very low because there is little information about or within the HHS network that a government could not attain by simply asking. A foreign government, or one which would potentially be denied or ignored if they were to seek permission, could find more intelligent and less financially burdening ways to obtain it. For example, a majority of the information about HHS's network, including the AUP, network layout, and strategic technology plans are provided free of charge on the school's webpage. More confidential information on individual student's, grade files, faculty and staff members, and such are not likely to be the target of a government-sponsored military operation.

- 01 - Various threats. The following threats are not likely to be interested in HHS or the information infrastructure associated with it. They are ranked non-zero because of the possibility of accidental damage caused by a misguided attack against a real enemy. Threats include global coalitions, nation states, infrastructure warriors, military organizations, and paramilitary groups.

Vulnerabilities Assessment and Consequences

Given the weighted threats (by ranking) defined in the previous section, the following list describes the weighted attack mechanisms they are likely to induce. However, just because those threats are inclined to attack in specific ways does not mean the HHS network is vulnerable. Accordingly, if HHS is not vulnerable, there is no risk, and there should not be valuable time and money wasted preparing a defense. Also to be considered are the consequences that HHS will suffer should the named attacks be successful. Consequences are described for the attacks that HHS is most vulnerable to.

• spoofing and masquerading : 97 (100%) - the network as a whole is vulnerable because young students and uneducated staff are inclined to pressing buttons and hitting keys without really knowing or thinking about what they are doing. In this way they can easily be tricked into exposing their passwords or personal information. Consequences include information leakage to malicious parties.
• Trojan horses : 95 (97%) - since vendors are a minimal threat, the chance of Trojans creating a vulnerability on HHS network as a result of being planted in hardware or firmware is low. However, insiders, crackers, crackers for hire, hackers, club-initiates, and cyber gangs are likely to introduce Trojan programs to the network. Consequences include a multitude of unintended or inappropriate behaviors, not limited to the installation of back doors and remote surveillance programs.
• viruses : 82 (84%) - external media is not "allowed" to be brought from home and used in the computer labs for fear it may contain a virus. Even if this was enforced whole-heartedly the network is still vulnerable to viruses because it is connected to the Internet 24/7. This enables viruses to potentially be downloaded during a web browsing session or they might propagate when a student legitimately checks his or her email. Consequences include anything that the theoretical virus is programmed to do, not limited to complete infrastructure crash and data destruction.
• modification in transit : 80 (82%) - insertion in transit : 76 (78%) - observation in transit : 76 (78%) - the local area networks operate in switched Ethernet environments, which make it more difficult to observe, modify, or insert traffic in transit. The vulnerability exists because the switches themselves and ports leading to them are not secured - people with physical access to a lab can rearrange port assignments and/or introduce new devices to the network. Consequences include leakage of information or inaccurate responses from (any type of) queries.
• shoulder surfing : 79 (81%) - the computer systems are in open environments where students, faculty, and in some cases strangers can observe keystrokes and screen content. A few labs have clear plexiglass barriers between stations, which by no means provide protection from nosy on-lookers. Consequences include the risk of stolen passwords for use in gaining system privileges and causing further damage.
• fictitious people : 78 (80%) - students are "required" to carry their identification cards at all times, however this is not enforced. The security desks are neat and might relieve some security concerns of parents but there is no real security - I entered the building and was welcomed to roam freely without even stating my name. Consequences include anything a number of other attacks such as vandalism, theft, or acquisition of information by claiming to be someone else.
• backup theft, corruption, or destruction : 77 (79%) - student records, homework assignments, funding information, and other data are no doubt stored on some type of removable media on school grounds. This leaves them vulnerable to insiders, maintenance people, vandals, professional thieves, and fraudsters. Consequences include permanent loss of information or anything that might occur as a result of modification of that information.
• resource availability manipulation : 77 (79%) - as stated earlier, HPS consists of 11 academic buildings - all of which route through the central hub at HHS for Internet connectivity. A successful denial of service against HHS then affects the entire school district. Consequences include temporary denial of service to large numbers of people.
• data diddling : 77 (79%) - protection missetting exploitation : 55 (56%) - many of the computers at HHS run Windows 98, which was before Microsoft released the NT platform. As a result the ability to manage file access permissions (write access) based on ownership. That means most of information on the disk is vulnerable to users accidentally or intentionally modifying them no matter who they are logged in as. Consequences include unauthorized access or modification of any files stored on the computer.
• errors and omissions : 76 (78%) - the network is vulnerable because maintaining 700+ computer systems on a day-to-day basis is quite a task. Even expert technical departments eventually make mistakes and overlook things that need reconfiguring. Consequences include opening holes for attackers that could have been prevented.
• perception management a.k.a. human/social engineering : 76 (78%) - strategic or tactical deceptions : 66 (68%) - bribes and extortion : 36 (37%) - the HHS information infrastructure (not just the computer network) is vulnerable because youths are easily persuaded and gullible - and teachers are naturally understanding, caring, and willing to help. Most everyone at some point in their lives have been tricked and ultimately taken advantage of - it probably will happen again. Consequences include leakage of information and any number of things a creative person could try to attain by taking advantage of other people.
• dumpster diving : 76 (78%) - paper work on a heavily populated student body must be maintained by the school office. Old records are probably thrown in the garbage - and though the main office might have shredders - the classrooms and computer labs do not. Sensitive information brought from home or anywhere else can find its way into the trash, where it is vulnerable to anyone with physical access inside or around the building. Consequences include leakage of information.
• PBX bugging : 75 (77%) - call forwarding fakery : 55 (56%) - the network does not seem to be vulnerable to this attack because it does not widely employ the use of modems and call forwarding services.
• residual data gathering : 75 (77%) - data aggregation : 47 (48%) - internal (especially hard disks) or external media at HHS are probably not often formatted (or otherwise removed of) traces of information they once stored. Systems are thus vulnerable to attackers recovering deleted documents or other data. Consequences include leakage of information.
• process bypassing : 74 (76%) - the network is vulnerable because attacks of this sort are normally accomplished by relatively unsophisticated people using only knowledge gained while on the job, [1].
• collaborative misuse : 73 (75%) - several of the threats such as club initiates and cyber-gangs are likely to collaborate their misuse of the system. Insiders are also a large threat and are likely to collaborate with outsiders.
• piggybacking : 71 (73%) - the school is vulnerable to most attacks of this sort even with security in place. The guards are not aggressive enough and pay sub-par attention to importance of verifying everyone's identity. This is even more of a problem in the mornings right after busses unload - blending in with the crowd is simple. Consequences include vandalism and theft.
• cable cuts : 68 (70%) - the wiring to all network or electronic components is in plain view and easily accessible. Common objects around the high school - scissors for example - could be used by just about anyone to cut cables and cause problems. Consequences include large scale denials of service and repair fees.
• error-induced mis-operation : 68 (70%) - invalid values on calls : 64 (65%) - illegal value insertion : 56 (57%) - error insertion and analysis : 52 (53%) - input overflow : 52 (53%) - multiple error inducement : 18 (18%) - the network is vulnerable due to the number of inexperienced programmers that could run their codes on the computer systems as assignments. Consequences include a variety of unexpected or unintended behaviors.
• implied trust exploitation : 68 (70%) - the entire network is vulnerable because all of 700+ computers and peripherals are designed for sharing files and most other types of information. Consequences include easily exploitable vulnerabilities and removal of sharing privileges in the future.
• inappropriate defaults : 68 (70%) - HHS buys computer systems in bulk from venders and if one has an inappropriate default the likelihood that they all do is very high. Consequences include complete system compromise as a result of easily guessed passwords or viral spread as a result of out-date definitions.
• induced stress failures : 67 (69%) - the number of users demanding network bandwidth at any point in time - or speedy transactions from their 400+ MHz machines - is capable of overloading components of the infrastructure and causing them to fail. Consequences include denials of service to individual components of the network as a whole.
• network service and protocol attacks : 65 (67%) - all computers on the network are fluent in TCP, an efficient but by no means perfect communication language - leaving them vulnerable to several known attacks. Consequences include system crash or compromise.
• excess privilege exploitation : 65 (67%) - the privilege to enter the building is granted within seconds of approaching the security desk. The privilege of logging on to a system with a student account is granted with a password. The privilege of logging on to a system with staff, faculty, or administrator also is granted with just a password. The network is vulnerable to excess privilege exploitation because any visitor coming across a system on which the user did not log out or left a username in plain view on the screen can become that user. Consequences include installation of Trojans, viruses, leakage of information, or destruction of data.
• false updates : 65 (67%) - the need to provide computer systems with the most recent updates is always a necessity. There may be times when students or uneducated staff are using lab resources and software programs will prompt them that new updates are available. Consequences include installation of arbitrary programs.
• wire closet attacks : 63 (64%) - wire closets are locked but nonetheless accessible by insiders and maintenance men. Consequences include large scale denials of service and repair fees.
• peer relationship exploitation : 63 (64%) - systems on the network are to some degree protected from the Internet with a firewall but there is no such device protecting those systems from each other. In this manner, hosts on the same local network - and even those throughout other schools (because they all connect to HHS) are vulnerable to this type of attack. For example, if an attacker breaks into a computer at HHS they have a good chance penetrating any directly connected network because of this relationship. Consequences include being framed for an attack against other networks and complete infrastructure compromise.
• system maintenance : 62 (63%) - repair-replace-remove information : 61 (62%) - inadequate maintenance : 22 (22%) - the large number of resources available within the infrastructure, paired with the fact that sometimes things break, introduces the vulnerability that maintenance attempts could break it even more. Consequences include denials of service or data destruction.
• privileged program misuse : 61 (62%) - replay attacks : 60 (61%) - content-based attacks : 59 (60%) - man-in-the-middle : 58 (59%) - audit suppression : 50 (51%) - below-threshold attacks : 49 (50%) - these are dissimilar attacks but they are grouped together because the network is vulnerable to them for a similar reason. It has already been established that threats such as hackers, crackers, crackers for hire, and cyber-gangs are likely to present hazards to the infrastructure; and chances are high they will use one of these methods to carry out their attack or cover it up after they are finished. The vulnerabilities exist because HHS cannot defend against every type of attack at every stage in time. Consequences include anything the attacker is capable of doing.
• undocumented or unknown function exploitation : 61 (62%) - it is hardly rational to expect the technical department, much less the network users, to be familiar (or even aware of) every function associated with hardware or software components. More importantly, what they do not know about the cannot build effective defenses against; and this creates vulnerabilities as a result.
• environmental control loss : 56 (57%) - environment corruption : 54 (55%) - the network is vulnerable to these sorts of attacks (accidental or intentional) because the school has several chemistry labs, wood working studios, heating, and air-conditioning rooms that can cause gases, chemicals, dust and other particles to damage the computer systems. Consequences include damaged equipment and access to resources.
• audio/video viewing : 55 (56%) - the main workstations in computer labs at HHS do not have microphones or video capturing peripherals attached, however the addition of audio and video capabilities to every classroom is one of the goals stated in the technology plan. Consequences include loss of privacy.
• password guessing : 55 (56%) - the administrators at HHS have not prepared a password policy with minimum requirements and information on choosing hard to guess passwords. Thus, it is only a matter of time (if not already) until attackers are able to enter the system using stolen accounts.
• emergency procedure exploitation : 54 (55%) - the school has both random and announced fire drills, during which attackers can lag behind and gain unsupervised access to the computer systems.
• repudiation : 54 (55%) - verbal disputes over signed/unsigned AUP forms, early dismissal notices, hall passes, permission forms, pledged exams, and library fees are likely to occur at HHS.
• infrastructure interference : 54 (55%) - the infrastructure is vulnerable because so many people involved with HHS (parents, students, faculty, staff, janitors, etc) take for granted that components will remain accurate and precise. For example, the bus schedule (with departure times down to the minute) and exact routes are available for all 11 academic institutions in the HPS district is available via the web. Tampering with these web pages could cause chaos and a wide range of missed busses, lost children, and late arrivals.
• combinations and sequences : 53 (54%) - the infrastructure is vulnerable to this type of attack because it is vulnerable to 2+ other attack mechanisms, allowing combinations of them very likely to also succeed.
• inadequate notice exploitation : 52 (53%) - users are only allowed to use Internet and computer services after reading and signing an AUP. Therein, guidelines and rules specify what can and cannot be done and describes the consequences of non-compliant action. The problem (why the network is vulnerable) is that enforcement is rare and policies are sometimes not clearly defined.
• infrastructure observation : 52 (53%) - HHS is vulnerable to this sort of attack because they are proud of their infrastructure and willing to share details with most anyone. Furthermore, observations can be made by simply visiting the school and looking around.
• imperfect daemon exploits : 50 (51%) - the school has its own website, mail servers, and etcetera. Due to the fact that only a few daemons have ever been shown to avoid large subsets of these exploits, [1] the HHS network is likely to be vulnerable to several.
• fire : 43 (44%) - the building has several fire extinguishers located behind panes of glass alongside of lockers. Not to mention the number of electricity and cabling that is wired throughout the building, several fire extinguishers were missing - "4:20" was written on the glass instead.
• race conditions : 43 (44%) -breaking key management systems : 40 (41%) - hardware failure - system flaw exploitation : 40 (41%) - hangup hooking : 39 (40%) - modeling mismatches : 36 (37%) - testing : 36 (37%) - reflexive control : 35 (36%) - restoration process corruption or misuse : 32 (32%) - kiting : 30 (30%) - electronic interference : 30 (30%) - salami attacks : 27 (27%) - simultaneous access exploitations : 24 (24%) - desychronization and time-based attacks : 23 (23%) - dependency analysis and exploitation : 22 (22%) - covert channels : 20 (20%) - van Eck bugging : 18 (18%) - selected plaintext : 16 (16%) - device access exploitation : 14 (14%) - interrupt sequence mishandling : 8 (8%) - interprocess communication attacks : 8 (8%) - attacks of this sort do not create inherent vulnerabilities for the information infrastructure at HHS because they are either very complex, uncommon, or do not apply (given the network's characteristics described earlier).
• power failure : 42 (43%) - file servers are protected by redundant power supplies and UPS battery backups, however the hundreds of workstations throughout the school are not.
• distributed coordinated attacks : 42 (43%) - most networks are vulnerable to these sorts of attacks because of their distributed nature - they can attack from any number of directions.
• get a job : 36 (37%) - the hiring process for schools is often lengthy and comprehensive, especially for potential faculty members. This does not negate the possibility of one using fraud or deception to gain a position.
• flood : 35 (36%) - earth movement : 7 (7%) - solar flares : 6 (6%) - volcanoes : 6 (6%) - severe weather : 6 (6%) - the network's components are not in a likely location to suffer effects from these sorts of attacks and thus they are not (extremely) vulnerable.
• static : 23 (23%) - floors in computer labs at HHS are carpet, increasing the chance of static buildup as users approach them. However, users do not often have access to the insides of components, where static is most dangerous.
• cryptanalysis : 17 (17%) - cryptography is not a common feature of the network infrastructure so attacks against it are not likely. Cryptanalysis as a mechanism to decipher password hashes could yield extreme vulnerabilities but this is more accurately described as password guessing.
• relocation : 9 (9%) - computer systems and labs are not mobile and they are not commonly transported to new locations.
• sympathetic vibration : 8 (8%) - this is a protocol driven network and the complexity of finding an oscillatory behavior is low, [1].

Defenses and Risk Mitigation

Now that HHS has an idea of which types of people might threaten the network, how they are likely to attack, which mechanisms are going to be successful, and the consequences of such attacks - they can focus on defenses. State-of-the-art defenses for each and every attack would be great, but this is not financially possible. The thing to do is implement those that provide the most bang for the buck and mitigate the critical risks.

A problem encountered immediately is figuring out exactly how much money there is to use. The Connecticut Statewide Educational Technology Plan suggests the following funding pattern: workstations and peripherals 41%, network/cabling services 20%, professional development 12%, software (instructional and administrative) 8%, integration support 7%, operations and management 7%, and video projection systems 5%, [3]. The (estimated) figure representing the cost of HHS's current network is $1.8 million. The seven percent afforded to operations and management leaves only $126,000. Unfortunately $1.8 million for technology is not a recurring payment and thus neither is the amount for operations and management. Unless some funds have been saved or the school is about to receive a grant, there is not very much money to work with here.

An intelligent start would be developing (and enforcing) stronger time, location, function, and other similar access limitations: 2907 (100%). Very little expenses would be required to achieve these goals, because the equipment and personnel already exist - they just need to be thrown in a higher gear. The present policies on visitations and building access are deprived of their meaning because enforcement is hardly adequate. This is a major reason many attack scenarios were rated with such high levels of success. By forcing security guards to verify identification and actually screen who enters and exits the building, HHS will have effectively lowered the risk of on-site attacks.

Lenient read, write, and execute permissions on file systems are also a major reason many vulnerabilities exist. HHS should at least upgrade the critical file servers and main office computers with operating systems capable of restricting access based on ownership. The number of successful attack mechanisms that deal with accidental misuse, information leakage, file modification, and arbitrary program installation are thus greatly reduced. Access control lists based on IP address or terminal port can reduce the likelihood of trust exploitations and any attacks conducted over the Internet or local area network, [1].

This defense as a whole could be expensive in terms of the time it takes to identify proper sets of controls for individuals and groups. However, all but ten of the attack mechanisms (viruses, observation in transit, insertion in transit, backup theft, dumpster diving, data gathering, cable cuts, implied trust, environmental control loss, audio/video viewing) that carry a weight greater than 50% are covered by time, location, function, and other similar access limitations.

Anomaly detection : 2729 (93%) is a great choice to follow up the previous defense. Not only does it cover a majority of attacks that time, location, function, and other similar access limitations covers, but it provides medium-to-well coverage of viruses and insertion in transit. Both automated and manual ways to detect anomalies are effective in pointing out suspicious behavior, but they are troubled by false positives and false negatives.

The defense-in-depth security model could be strengthened even more by mixing in some detection before failure : 2346 (80%), integrity checking : 2340 (80%), and redundancy : 2277 (78%). Detection before failure might involve acquiring some environment-condition monitoring devices with the ability to automatically shut down equipment before it overheats or otherwise becomes damaged. Integrity checking might require periodically calculating and comparing cryptographic checksums or cross-referencing a person's statement of their name with several forms of identification. These are both affordable ways to prevent or detect potential attacks against the infrastructure's vulnerabilities. Redundancy (investing in the use of backups) on the other hand might be a little over the current budget, but should be considered - especially in the future if funds increase. Once again, many of the attacks covered by access limitations and anomaly detection are covered by these three because they approach the same problem from different angles. In addition, environmental control loss, backup theft, implied trust relationship exploitation, and cable cuts are addressed by implementing these defenses. This leaves only 4 (observation in transit, dumpster diving, residual data gathering, and audio/video viewing) of the attacks weighted 50% or above without coverage.

Several other defenses exist with a comparable security-cost tradeoffs if the five mentioned so far prove unworthy. Risks of (among other things) information leakage can be battled with authenticated information : 2224 (76%) - content checking : 2198 (75%) - filtering devices : 2055 (70%) - information flow controls : 1894 (65%) - authorization limitation : 1790 (61%) - encryption : 1754 (60%) - secure or trusted channels : 1715 (58%) - encrypted authentication : 1475 (50%) -or inspection of incoming and outgoing materials : 1834 (63%).

Accidental misuse and many of the intentional methods to exploit the vulnerabilities at HSS can be prevented to some degree with defenses such as: least privilege : 1925 (66%) - limited function : 1868 (64%) - or disable unsafe features : 1690 (58%). Finally, limitations on physical access can be countered with defenses like: control physical access : 1966 (67%) - human intervention after detection : 1949 (67%) - physical security : 1920 (66%) - sensors : 1668 (57%) - lockouts : 1563 (53%) - and alarms : 1530 (52%).

On the other hand, several defenses are either too expensive to employ or will not be effective in mitigating risks. For example, awareness of implications : 1728 (59%) would probably not make a huge difference because the existing AUP provides this awareness. The problem is attackers, conceivably, forget or ignore it. Limited sharing : 1361 (46%) is also not a good choice of defense because one of the network's main purposes is to provide the ability to share files. Numbering and tracking all sensitive information : 1261 (43%) might be very time consuming to define "sensitive" and review log files; and it may also violate someone's privacy. Separation of equipment so as to limit damage from local events : 1163 (40%) is not an option because the purpose of a lab is to gather students together in an environment where they can listen (to the teacher), work (on the computers), and learn (whatever) simultaneously. If students were situated several doors down from each other as a result of equipment separation - the teaching process would not be very efficient.

Standby equipment : 818 (28%) is a good idea because it provides backup and uptime mechanisms, but the cost is high. Locks : 768 (26%) are also a good idea but they already exist in all the right places. The human aspect (security guards) of physical access is what is lacking. Dynamic password change control : 406 (13%) and hard-to-guess passwords : 367 (12%) are not likely to reduce many vulnerabilities. For example, hard-to-guess passwords are useless against shoulder surfers and observation in transit. Biometrics : 241 (8%) are just plain too expensive and futuristic for the high school at this time.

Summary, Conclusions, and Further Work

The Hamden Public School district's plan for technology believes that "the benefits to students from access to the Internet, in the form of information resources and opportunities for collaboration, exceed any disadvantages," [3]. It is unclear which scale is being used to make this conclusion, but it is clear that vulnerabilities exist, risks are taken daily, and consequences are not far behind. Hamden High is not the richest school (though not the poorest) and cannot afford to build sound defenses against anything and everything all of the time. They can, however, strategically choose the best - (and most affordable) defenses and optimize education with security in mind.

Bibiography

[1] The New Security Database at www.all.net. Available www.all.net or via the simulator on White Glove.

[2] The FBI UCR of 2002. Available www.fbi.gov/ucr/cius_02/html/web/arrested/04-table41.html

[3] The Hamden Public Schools Education Technology Plan. Available: www.hamden.k12.ct.us/technology/techplan.pdf