Last Updated: 2003
Michael Ligh (email@example.com)
The Hamden Public School (HPS) district recognizes the importance of computers and technology in a child's educational development. It also acknowledges that no network is infallible; and the chance of encountering objectionable or threatening content is high. In a best-effort defense the district utilizes acceptable use polices, intelligent planning, and a strong technical staff to mitigate associated risks. Maintaining security from both intentional and accidental damages is not a simplistic motion, however; and we will be considering a breadth of attack mechanisms and threats that when combined are capable of, in laymen’s terms, making bad things happen. The subject of the study will be the district's only high school, which has an estimated $1.8 million computer network installed on site.
The largest infrastructure component is a Wide Area Network environment consisting of both Frame Relay and Private Virtual Circuits with connection speeds from 256kbps to 1.5MB/sec. The network extends between eleven academic buildings (9 elementary schools, 1 middle school, 1 high school) and two others (a central office and Town Hall). Channel Service Unit/Data Service Units and 10/100 Base T Cisco routers provide the WAN connectivity. Internet access is provided by a dedicated T1 connection, routed through a central hub located at Hamden High School (HHS). The network as a whole employs an Internet firewall and filtering system, on which details were denied.
The local area networks within each school or office operate in a switched Ethernet environment. Category 5E UTP network cabling provides the connection between desktop (workstations) and the wiring closets. The backbone, connecting all wiring closets and any devices more than 100 yards from each other, is made entirely of 100 megabit fiber optic cabling. All laptops (approximated 46) in the middle school's mobile labs have already gone wireless; and this technology is being considered for use elsewhere.
File servers are Pentium-based and operate at a minimum of 400 MHz with 128 MB RAM, 3COM 10/100 Ethernet controllers, 18 MB SCSI Ultra-Wide SCSI drives with RAID-5, tape (DAT) backups, redundant power supplies, and UPS battery backups. The common desktop workstation is also a Dell-distributed Pentium-based machine with a minimum 400 MHz processor, 64 MB RAM, 3COM 10/100 Ethernet controller, 6 GB hard disk, 3 1/2 floppy, CD-ROM, integrated speakers, and a 17" monitor. A majority are Dell Dimension XPS R400 series that additionally include DVD-ROMs and zip drives. The Hewlett-Packard printers are network-ready, black and white lasers of the HP 5si, HP 4000 and HP 8000 series.
The focus of this study, Hamden High School has over 700 networked desktops of the quality described above. All classrooms have both teacher and student computers available - a minimum of 2-4 in each room. In addition to the classroom computers, the high school has 9 computer labs including 2 state-of-the-art language labs and 2 music, graphics, and video-editing Macintosh labs. HHS uses the Microsoft Office Suite of applications for both PC and Macintosh platforms; and several include specialized programs such as NCS SAISIxp student information system and MUNIS financial management software.
The school stands four stories high directly off Dixwell Avenue - one of the main roads in Hamden, Connecticut. This main entrance from Dixwell is the only accessible route if being approached by vehicle - the remaining perimeter is closed off by surrounding fences and an acceleration ramp to US 15. This description is more important when considering possible escape routes - the only way in is the only way out. If a person wishes to leave on foot rather than by vehicle they must either hop fences or walk the Interstate.
Human reachable (without ladders and such) areas of the building are brick and cinderblock though breaks in continuity for glass windows with metal crosshatching do exist. The front of the building which faces Dixwell has three sets of double-doors made of steel and are locked from the inside out. Students and faculty are only allowed to enter these doors in the morning when school busses unload. Visitors and students arriving late must enter from the left or right of the building known as the B and D wings. Each wing has eight all glass doors which lead to a security desk and the two main stairwells. There are strategically places circular mirrors aimed at the stairs, giving the security personnel a visual advantage. When I entered a police officer was standing by and conversing with the school security guard - a normal situation they said.
In accordance with visitor regulations I had to sign in and explain the purpose of my presence. I was given an adhesive yellow hall pass for the outside of my clothing - no questions asked - no identification or verification required. The time setting is about 13:00 on a weekday so school is in session but several students are roaming the halls. Staff members have desks positioned in select hallways where they are able to monitor activity; prepared to handle disputes or suspicious behavior. They are equipped with hand-held radios for communication. I passed a few security guards while exploring the turf - they wore yellow sweaters with their positions embroidered in blue.
The computer systems described earlier are protected differently depending on their intended usage by staff members or students. The staff systems run Novell Client for Windows and warns "Do not attempt to log on unless you have an authorized staff account." The student systems have slightly different configurations - settings in the BIOS do not allow the computer to enter the setup stage without the proper password. If the wrong sequence is entered, the monitor displays "system disabled" and there it will remain until it is rebooted with the correct password.
In the labs and classrooms, computers are physically secured in a very strange way. Cables are grouped into one or a few bundles and bonded with metal structures resembling handcuffs for wires. The bundle is secured to the desk or table with a master lock. In this way, a thief must either steal the entire computer lab or simply cut the cables and hope replacements are easy to find. Surge protectors and Ethernet jacks are on the floor below the computer stations.
The technologies described above are expensive to purchase, install, and maintain. Their use is only permitted under certain conditions and following the submission of a signed and approved AUP form, which even then grants only a privilege; not a right. The school reserves authority to revoke privileges from anyone who does not comply with the stated policies. Families are warned ahead of time that usage of the Internet may expose students to items that are illegal, defamatory, inaccurate or potentially offensive. For this reason, returning the signed AUP form is completely optional (though failure to do so removes all legitimate access). In addition to this policy, users are expected to act in a responsible and legal manner in accordance with district standards as well as state and federal laws.
We will not consider the AUP in detail because the existence of a policy by no means implies enforcement or a heightened state of security over organizations without them. At best they provide a post-hoc reaction (a plan to punish offenders), at which point the damage has already been done. A few select guidelines are as follows: staff and students may not download, install, or print files without permission; no configuration settings should be changed (even the wallpaper); no floppy disk or external sources of media should be introduced into the lab (new floppy disks are available); no food or drinks are allowed; students should never access the Internet without direct and continual supervision; and there should be no hacking, vandalizing, or otherwise damaging of the computers or network.
A threat is an actor, group, or nature that, context considered, could possibly represent a source of danger. Once identified, threats can be further categorized according to their motive, funding, capabilities, and intents. On a scale from 1 to 10 (with 10 being the most concerning) these threats will be ranked according to how likely they are to indeed become a source of danger for the network at HHS. A ranking of zero would indicate the threat is not even acknowledged.
- 10- Vandals are people who damage things for the fun of it, . The FBI's Uniform Crime Reports (UCR) of 2002 estimated (using a sample size of more than 200 million) that nearly 40 per cent of persons who commit vandalism are under 18 years of age, . This threat is of particular concern to HHS because the student body, and thus a majority of the network's users, consists of persons 15-18 years old. Vandalism does not have to entail gross and permanent damage; it could be a student scribbling their name on a monitor out of boredom or removing pieces from roller ball mouses so that they no longer roll (that was fun when I was 15 at least). The net effect could cause the school thousands of dollars in repair and cleaning fees which might subtract from the budget set aside for a new computer lab or other advancements in technology for educational purposes.
- 09 - Insiders are employees, board members, and other internal team members who have legitimate access to information and/or information technology, . As always, insiders pose a threat based mainly on their position (physical and/or logical) in relation to the information and devices we are trying to protect. Trust and loyalty are qualities that grow with time; and rarely are individuals associated with a company long enough to establish unmistakable relationships before they are exposed to sensitive assets. This threat is ranked high because of the abundance of dishonest people in the world and their ability to blend in with others. It would normally be set higher due to the fact that even the most honest and well-intentioned insiders make mistakes that can corrupt systems and their information. However, HHS has made respectable efforts to prevent accidental misuse. The Technology Department at HHS provides ongoing technology training programs for all educators including but not limited to teachers, superintendents, principals, and support staff. The training is offered at beginner, intermediate, and advanced levels.
- 08 - Crackers are people who maliciously break into information systems and intentionally cause harm in doing so, . These individuals are a threat because they are plentiful among the population of computer and/or Internet users. The HHS network is especially vulnerable to these threats because the school provides information to parents about their children's homework assignments and progress via e-mail and/or HTTP. Furthermore, the wider community, including the majority of taxpayers who do not have children enrolled in the schools, are able to access useful resources through the network. Crackers can use these same entry points to gain unauthorized access or exceed authorized access.
- 07 - Hackers are people who enjoy using computers and exploring the information infrastructure and systems connected to it, . The network at HHS is built to facilitate curiosity and education by accessing information through technology. The students are, if you will, being "bred" to be proficient with computer systems and enhance their knowledge past conventional levels. For example, the HPS district is committed to children becoming experienced with keyboard and typing skill by 1st grade; and to be diverse in multimedia presentations by grade 6. They offer computer science courses in C++ and Visual Basic and allow students to practice on the systems on site. While not generally malicious, experiments can open holes to other attackers.
- 06 - Maintenance people are threats because they typically have access to physical locations in order to do routine maintenance tasks, . These sorts of threats are high because the element of trust is on their side. They are allowed access to labs without supervision and likely own a set of keys to those labs and other rooms throughout the building. Maintenance people are most threatening to HHS if they are extremely computer literate (and can exploit some vulnerabilities), hardly computer literate (and cause accidents), very sloppy (and spill liquids throughout the wiring closet), or ignorant (and clean the inside of servers with chemical solutions).
- 06 - Nature can pose a threat to HHS and the network. In fact, but a few things are not threatened by acts of nature. Storms that bring high winds, lighting, extreme temperatures, and/or heavy precipitation can damage any one of the infrastructure components described at the beginning of this paper. The school defines a major threat as anything that would cause less than ninety percent of the networked computers to be operational at any given time; which the forces of nature are capable of. Nature is not as large of a threat to HHS in the northeast United States as it is to other networks in more vulnerable geographic locations.
- 06 - Fraudsters are people who defraud others, . If fraudulent activity was obvious before or during execution it could be counteracted, however fraud is successful because those being defrauded do not realize until it is too late. The threat ranking is high because no defense can prevent everything and fraud covers such a wide range of activity. HHS does require students to carry ID cards at all times and be prepared to present them to faculty or staff members at any time. However, most adult fraudsters could get away with not having an ID or just use their fraudster skills to create a fake.
- 06 - Club initiates are people who break into information systems as part of a ceremony to become members of clubs, . A sense of belonging is important to adolescents; and the thrill-seeking nature of youths makes this threat of concern to HHS. While the serious clubs might target more sophisticated, publicly displayed networks; less serious clubs, especially members of the student body might find attacking their own school an attractive prank.
- 05 - Cyber-gangs are people who roam the information infrastructure breaking into systems and doing harm for fun and profit, . This threat is relevant to the network at HHS because gangs typically exercise little discrimination on who will become the next victim, making all Internet accessible networks equally likely to be stumbled upon.
- 05 - Professional thieves are people who make their living from stealing things, . Rationality states that as quality and quantity of one's assets increases, the more attractive they become to thieves. We often cannot put a price on the value of private information, but that does not mean crooks will not put a price on obtaining it. There is no question that HHS has the technology and equipment many criminals would risk prosecution to get their hands on. The on-site physical security is acceptable to prevent large scale removal of computer systems and its peripherals; however a creative criminal will find ways to circumvent defenses. One of the initiatives to ensure equity of access to technology that HHS employs is allowing educators and students to check-out computers from the school for weekend and summer usage. This allows professional thieves (possibly hybrid with a fraudster) an opportunity to check out a computer system and, naturally, not return it.
- 05 - Crackers for hire are people who get paid to break into systems and do harm, . In the event that a student is unsatisfied or angry with the school system he or she may hire a hacker with criminal incentives to damage the network or assets owned or operated by HHS. The threat is evident but miniscule because the most advanced crackers will demand higher fees for their services, which most high school students would not be able to afford. It would however be possible for a group of angry students to combine their financial efforts and meet the requirements to initiate a threat of this sort.
- 04 - Deranged people are a threat because they have a reduced intellectual capacity to act rationally, which stresses our ability to control or predict their behavior. HHS offers an education to students with learning disabilities and special needs and is committed to allowing them equitable access to a wide range of information and technological resources. Hazards created as a result of these types of threats are more likely to be accidental in nature and a product of incorrect or lack of information. There is also a threat that seriously deranged people might gain unauthorized access to the building or network and proceed with malicious activity. This will not increase the severity rating because the number of (unsupervised) seriously deranged people is low as is the possibility they would achieve their goals before being apprehended in the public setting.
- 04 - Hoodlums are people who hurt other people (in non-technical ways) in order to get what they want, . These sorts of threats are likely because bullies are prevalent at high schools and might pick on weaker students. In the likelihood that those students are proficient in computer hacking, hoodlums have a new weapon at their disposal.
- 04 - Terrorists are people who attempt to induce terror in others in order to forward their cause, . Specific causes in this regard are numerous, but methods of forwarding those causes are fairly basic - sever the bonds people are most accustomed or attached to. The threat of injury or death of children by a large scale attack against the school at which they presently reside is an ideal means for terrorists to induce such terror. The ranking is discounted because strikes of this sort are not especially common, however HHS is within approximately 80-90 miles of New York City - not afar from the location chosen in the September 11 attack.
- 03 - Whistle blowers are people who believe that crimes are being committed and that they have a duty to report them to the proper authorities, . These sorts of threats exist because of the potential rate of false positives. If authorities must expend time investigating inaccurately reported or nonexistent crimes they have less applicable time to devote to the real or more serious crimes. Furthermore, the AUP states that students must notify an adult immediately upon encountering materials which violate the rules of acceptable use. A good technical staff, such as the one at HHS, can manage their time wisely and quickly distinguish between serious and non-serious reports.
- 03 - Activists are people who believe in a cause to the point where they take action in order to forward their ends, . Individuals may disagree or grow concerned with the school's policy on preaching or demonstrating certain aspects of religion. Persons with strong beliefs of just about any social issue could become a threat to the school if the school does not act in accordance with those beliefs. Activists are also likely to start protests as a means to express their seriousness. Protests on school grounds could become very disruptive of the learning environment and could lead to riots.
- 01 - Private investigators are (private) individuals or corporate entities that investigate on a for-fee basis, . Parents (desperate ones) of children may hire a PI to find out why their son or daughter is skipping school, when they leave, and where they go. Board members suspicious of their peers and how funds are actually spent may hire a PI to seek the truth and ensure certain equipment is purchased, for what amounts it was purchased, and if it is being used for the proposed tasks. In their attempt to uncover secrets or verify claims, the PI may disrupt normal network activity.
- 01 - Consultants are people who work under their own control to provide contract services to others, . HPS does not require or seek external sources of consultation. The technology department handles security consulting and if these types of people are to be considered threats they can be more accurately described as insiders.
- 01 - Extortionists are people who obtain assets from others by using coercion or intimidation, . They commonly extort money or goods by threatening harm if not paid off, . Typically, students do not own or have access to things worth committing serious crimes over. The Hamden Public School district does indeed have access to large sums of money, however only through formal proposals and several layers of approval.
- 01 - Reporters are people who work for newspapers, news magazines, television, radio, or other media elements, . Due to their positions and motive, these types of people might be allowed access to the school where they could then carry out attacks. They may also be exposed to information not appropriate for public release and either accidentally or intentionally do so. HHS treats reporters as adult guest/visitors and requires them to register at the security desks located on the first floor of either the B or D wings of the building. According to policy, security is then supposed to announce their presence to the administration, but this did not happen on my visit.
- 01 - Customers are people who buy goods or services. In an indirect way, every tax payer is a customer of HHS. They are ultimately buying a better educational experience for their children and future generations. These types of customers would not pose a threat to the school unless everyone refused to pay taxes, which is prevented by the legal issues enforced by governments. On a much smaller scale, the school engages in fund raising exercises and sells school related supplies and garments. In these cases the supporters are either not referred to as customers (they are simply donating) or are not the threatening sort of customer.
- 01 - Organized crime is committed by groups of professional criminals, . Based on the types of information stored on these systems, professional criminals are likely to focus their interests elsewhere. Accordingly, the ranking for this threat is low, but above zero, because if any type of crime was to attempt to remove several of the computer systems from the school it would need to be of an organized nature. Moreover, if professional criminals wish to hide their identity they could attempt to use the HHS as a mask through which to route their attacks upon more desirable targets.
- 01 - Vendors are people who sell things,  which in this case, are then purchased by HHS or HPS. The technology department coordinates all purchasing of hardware and software through inventory control processes. The computers are Pentium-based and distributed by Dell; an acclaimed and trusted source to say the least. Likewise, printers are acquired from Hewlett-Packard. Entering contracts with vendors, and especially the multitude of DOA or service guarantees that accompany such large purchases, is insurance that HHS will not be victimized by the vendor itself.
- 01 - Competitors are individuals or companies in the same or similar businesses who stand to gain from one another’s loss, . We are dealing with educational facilities for youths here, which are not commonly victimized by other educational facilities. There is only one high school in Hamden so there is no conceivable risk for competition of resources or attendees. There is a budget afforded to the entire Hamden Public School district which may be unevenly distributed according to the needs of individual facilities, but this will not be considered competition because one school does not gain from another's loss nor does it act intentionally or necessarily have a say in the matter (decisions are made by the Director of Technology, Superintendent, and Board of Supervisors).
- 01 - Economic rivals are companies, groups, and governments that compete on a large scale with your companies, groups, and governments, . Please see the above description of competitors.
- 01 - Government agencies are groups that work for or alongside parts of government, . These sorts of threats are not likely to be interested in HHS or the information infrastructure associated with it. If they are interested it is not likely to be a malicious interest.
- 01 - Industrial espionage experts are people who specialize in harming companies to the benefit of other companies, . This threat is ranked low because there is little chance that any company or group of companies would benefit from losses suffered by a high school. Theoretically, if a company could disrupt the learning environment to an end that students do not learn; the companies that employ them in the future will be harmed. This is at best theoretical - very unlikely, and almost ridiculous.
- 01 - Tiger teams are people hired to demonstrate vulnerabilities in systems by exploiting those vulnerabilities, . No external sources of information assurance are sought by HHS. All vulnerability testing would be conducted by certified members of the technology department. Tiger teams hired by other organizations might mistake the HHS network as the one they are hired to evaluate. Due to the fact that tiger teams are not widely or commonly employed and even less likely is the possibility they would mistakenly direct attacks, this threat is ranked very low.
- 01 - Drug cartels are groups that combine forces in order to manufacture and sell drugs, ; and would only indirectly affect the network of computers at HHS. Students who use drugs obtained from drug cartels, or anyone for that matter, will be unable to make clear, rational decisions. While under the influence they might be more prone to cause accidents, or as a result of lowered inhibitions, engage in intentional damage of systems. Detection measures are in place (randomly announced walks through the school with drug dogs) at HHS to ensure drugs do not exist on or nearby the school's campus; but this does not prevent intoxicated individuals.
- 01 - Foreign agents and spies are people who professionally gather information and commit sabotage for governments, . Information transmitted across and stored within the networked computers at HHS and HPS district would provide little, if any, factual intelligence of interest to foreign agents or spies. For this matter they are also not likely to benefit from the destruction of any such information. The ranking received a one rather than a zero for two reasons: 1) threats of this type could exist if these individuals planted data on the school's network as a means of intercommunication and safe haven for sensitive files they would not want to be caught in possession of. A large high school network that provides access to thousands of students (potential culprits) - online 24/7 - would be ideal for this purpose. 2) In search of a specific network of computers, foreign agents and spies may accidentally enter or disrupt services on the HHS network. They might not realize which computer systems they have caused damage to until after the fact.
- 01 - Police are people tasked with enforcement of the law,  and are a threat when acting unethically, ignorantly, or in special case scenarios. Police are human beings like the rest of us and their actions and interests can be manipulated by a number of external stimuli such as bribes, threats, and exposure to pain and suffering. There are a number of police officers who regularly cruise the HHS parking lot, hallways, and general vicinity. If these individuals are presented with the ultimatum of carrying out a specified attack against the HHS network or else their family will be murdered by the time they make it home - most will choose to attack the network. They are not likely to be apprehended by other school officials, which is another reason they are in good position to become a threat. Similarly, police are often among the first individuals to encounter a crime scene and according to duty they will want to ask questions and gather evidence. If a computer lab at HHS is the crime scene, technically-challenged police might disturb the normal state of systems or cause other problems as a result of their lack of training or experience with the subject matter.
- 01 - Information warriors are people who specialize in attacking information systems as part of government-sponsored military operations, . This threat is ranked very low because there is little information about or within the HHS network that a government could not attain by simply asking. A foreign government, or one which would potentially be denied or ignored if they were to seek permission, could find more intelligent and less financially burdening ways to obtain it. For example, a majority of the information about HHS's network, including the AUP, network layout, and strategic technology plans are provided free of charge on the school's webpage. More confidential information on individual student's, grade files, faculty and staff members, and such are not likely to be the target of a government-sponsored military operation.
- 01 - Various threats. The following threats are not likely to be interested in HHS or the information infrastructure associated with it. They are ranked non-zero because of the possibility of accidental damage caused by a misguided attack against a real enemy. Threats include global coalitions, nation states, infrastructure warriors, military organizations, and paramilitary groups.
Given the weighted threats (by ranking) defined in the previous section, the following list describes the weighted attack mechanisms they are likely to induce. However, just because those threats are inclined to attack in specific ways does not mean the HHS network is vulnerable. Accordingly, if HHS is not vulnerable, there is no risk, and there should not be valuable time and money wasted preparing a defense. Also to be considered are the consequences that HHS will suffer should the named attacks be successful. Consequences are described for the attacks that HHS is most vulnerable to.
Now that HHS has an idea of which types of people might threaten the network, how they are likely to attack, which mechanisms are going to be successful, and the consequences of such attacks - they can focus on defenses. State-of-the-art defenses for each and every attack would be great, but this is not financially possible. The thing to do is implement those that provide the most bang for the buck and mitigate the critical risks.
A problem encountered immediately is figuring out exactly how much money there is to use. The Connecticut Statewide Educational Technology Plan suggests the following funding pattern: workstations and peripherals 41%, network/cabling services 20%, professional development 12%, software (instructional and administrative) 8%, integration support 7%, operations and management 7%, and video projection systems 5%, . The (estimated) figure representing the cost of HHS's current network is $1.8 million. The seven percent afforded to operations and management leaves only $126,000. Unfortunately $1.8 million for technology is not a recurring payment and thus neither is the amount for operations and management. Unless some funds have been saved or the school is about to receive a grant, there is not very much money to work with here.
An intelligent start would be developing (and enforcing) stronger time, location, function, and other similar access limitations: 2907 (100%). Very little expenses would be required to achieve these goals, because the equipment and personnel already exist - they just need to be thrown in a higher gear. The present policies on visitations and building access are deprived of their meaning because enforcement is hardly adequate. This is a major reason many attack scenarios were rated with such high levels of success. By forcing security guards to verify identification and actually screen who enters and exits the building, HHS will have effectively lowered the risk of on-site attacks.
Lenient read, write, and execute permissions on file systems are also a major reason many vulnerabilities exist. HHS should at least upgrade the critical file servers and main office computers with operating systems capable of restricting access based on ownership. The number of successful attack mechanisms that deal with accidental misuse, information leakage, file modification, and arbitrary program installation are thus greatly reduced. Access control lists based on IP address or terminal port can reduce the likelihood of trust exploitations and any attacks conducted over the Internet or local area network, .
This defense as a whole could be expensive in terms of the time it takes to identify proper sets of controls for individuals and groups. However, all but ten of the attack mechanisms (viruses, observation in transit, insertion in transit, backup theft, dumpster diving, data gathering, cable cuts, implied trust, environmental control loss, audio/video viewing) that carry a weight greater than 50% are covered by time, location, function, and other similar access limitations.
Anomaly detection : 2729 (93%) is a great choice to follow up the previous defense. Not only does it cover a majority of attacks that time, location, function, and other similar access limitations covers, but it provides medium-to-well coverage of viruses and insertion in transit. Both automated and manual ways to detect anomalies are effective in pointing out suspicious behavior, but they are troubled by false positives and false negatives.
The defense-in-depth security model could be strengthened even more by mixing in some detection before failure : 2346 (80%), integrity checking : 2340 (80%), and redundancy : 2277 (78%). Detection before failure might involve acquiring some environment-condition monitoring devices with the ability to automatically shut down equipment before it overheats or otherwise becomes damaged. Integrity checking might require periodically calculating and comparing cryptographic checksums or cross-referencing a person's statement of their name with several forms of identification. These are both affordable ways to prevent or detect potential attacks against the infrastructure's vulnerabilities. Redundancy (investing in the use of backups) on the other hand might be a little over the current budget, but should be considered - especially in the future if funds increase. Once again, many of the attacks covered by access limitations and anomaly detection are covered by these three because they approach the same problem from different angles. In addition, environmental control loss, backup theft, implied trust relationship exploitation, and cable cuts are addressed by implementing these defenses. This leaves only 4 (observation in transit, dumpster diving, residual data gathering, and audio/video viewing) of the attacks weighted 50% or above without coverage.
Several other defenses exist with a comparable security-cost tradeoffs if the five mentioned so far prove unworthy. Risks of (among other things) information leakage can be battled with authenticated information : 2224 (76%) - content checking : 2198 (75%) - filtering devices : 2055 (70%) - information flow controls : 1894 (65%) - authorization limitation : 1790 (61%) - encryption : 1754 (60%) - secure or trusted channels : 1715 (58%) - encrypted authentication : 1475 (50%) -or inspection of incoming and outgoing materials : 1834 (63%).
Accidental misuse and many of the intentional methods to exploit the vulnerabilities at HSS can be prevented to some degree with defenses such as: least privilege : 1925 (66%) - limited function : 1868 (64%) - or disable unsafe features : 1690 (58%). Finally, limitations on physical access can be countered with defenses like: control physical access : 1966 (67%) - human intervention after detection : 1949 (67%) - physical security : 1920 (66%) - sensors : 1668 (57%) - lockouts : 1563 (53%) - and alarms : 1530 (52%).
On the other hand, several defenses are either too expensive to employ or will not be effective in mitigating risks. For example, awareness of implications : 1728 (59%) would probably not make a huge difference because the existing AUP provides this awareness. The problem is attackers, conceivably, forget or ignore it. Limited sharing : 1361 (46%) is also not a good choice of defense because one of the network's main purposes is to provide the ability to share files. Numbering and tracking all sensitive information : 1261 (43%) might be very time consuming to define "sensitive" and review log files; and it may also violate someone's privacy. Separation of equipment so as to limit damage from local events : 1163 (40%) is not an option because the purpose of a lab is to gather students together in an environment where they can listen (to the teacher), work (on the computers), and learn (whatever) simultaneously. If students were situated several doors down from each other as a result of equipment separation - the teaching process would not be very efficient.
Standby equipment : 818 (28%) is a good idea because it provides backup and uptime mechanisms, but the cost is high. Locks : 768 (26%) are also a good idea but they already exist in all the right places. The human aspect (security guards) of physical access is what is lacking. Dynamic password change control : 406 (13%) and hard-to-guess passwords : 367 (12%) are not likely to reduce many vulnerabilities. For example, hard-to-guess passwords are useless against shoulder surfers and observation in transit. Biometrics : 241 (8%) are just plain too expensive and futuristic for the high school at this time.
The Hamden Public School district's plan for technology believes that "the benefits to students from access to the Internet, in the form of information resources and opportunities for collaboration, exceed any disadvantages," . It is unclear which scale is being used to make this conclusion, but it is clear that vulnerabilities exist, risks are taken daily, and consequences are not far behind. Hamden High is not the richest school (though not the poorest) and cannot afford to build sound defenses against anything and everything all of the time. They can, however, strategically choose the best - (and most affordable) defenses and optimize education with security in mind.
 The New Security Database at www.all.net. Available www.all.net or via the simulator on White Glove.
 The FBI UCR of 2002. Available www.fbi.gov/ucr/cius_02/html/web/arrested/04-table41.html
 The Hamden Public Schools Education Technology Plan. Available: