ENHANCING INFORMATION SECURITY
& STRENGTHENING USER EDUCATION
Enhancing School Information Security and Strengthening User Education
Mr. Albert Wong (黃健威)
Chairman, Association of IT Leaders in Education (AiTLE)
IT Coordinator and Computer subject teacher, Ying Wa College (YWC)
Mobile / WhatsApp: 9028 9443 / Email: albertwong@aitle.org.hk
HOT again (not yet including others, like ransomware), but in fact NOT NEW
https://www.edb.gov.hk/tc/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
https://www.ogcio.gov.hk/en/our_work/information_cyber_security/government/doc/G3.pdf
TODAY'S EXPERIENCE SHARING IS BASED ON
• SECaaS
• School IT Management
• School ICT / CL Teaching
SECaaS
• “Security as a Service” pilot project
• user training
• security check and audit
SECaaS : Website Security Check
• Critical
• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Exploit is trivial and/or readily available. Probability of exploit is high.
• High
• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
SECaaS : Website Security Check
• Medium
• The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• Low
• The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
SECaaS : Website Security Check
• CMS for Website
• Using a cookie to store the username and password
• especially for the CMS admin page
• allows attackers to mount unlimited brute-force attacks
SECaaS : Website Security Check
• CMS for Website
• some non-school-related news
• exists in the website's database
• or even on accessible webpages
SECaaS : Security Risk Assessment
• IT Security Policy
• Access Control
• Security Incident Management
• Vulnerability Scan
• Web Penetration Test
School information can easily be intercepted by hackers in transit because the web server does not use encryption and effective authentication, causing students' or parents' personal data to be leaked.
USER EDUCATION : PASSWORD HANDLING
Teaching ICT : social implication
CONTENT
• Who are we ?
• Where are we ?
• IT in education vs computer subject
• Systems managed by IT in education
• Not related to IT in education
• Your first system in YWC : eClass
• Your first system login
http://gettingtolean.com/wp-content/uploads/2016/01/iu-5.jpeg
SECaaS : Security Risk Assessment
• Communications Security
• Cleartext submission of password
• System acquisition, development & maintenance
• Password field submitted using GET method
SECaaS : Security Risk Assessment
• Password field submitted using GET method
• This page contains a form with a password field
• This form submits user data using the GET method
• Contents of the password field will appear in the URL
• Even if HTTPS is applied to the server
• the password will not be completely safe from others
• GET requests will be logged in browser history or log files
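The two findings above (cleartext submission, and a password field in a GET form) can be checked mechanically. The following is an added example, a hypothetical helper written for this page and not the WebScan service or any school's own tool; the sample page, the `example.test` hostnames and the `audit_forms` name are constructed for illustration.

```python
# Added example (hypothetical helper, not the WebScan tool): flags login forms
# that leak the password in the two ways the SECaaS findings above describe.
from html.parser import HTMLParser
from urllib.parse import urljoin

class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []     # completed forms: method, resolved action, has password?
        self._form = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing method attribute means GET in every browser.
            self._form = {"method": (a.get("method") or "get").lower(),
                          "action": urljoin(self.page_url, a.get("action") or ""),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def audit_forms(html, page_url):
    """Return (action, finding) pairs for every form that has a password field."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for f in parser.forms:
        if not f["password"]:
            continue
        if f["method"] == "get":            # password ends up in URL, history, logs
            findings.append((f["action"], "password field submitted using GET method"))
        if f["action"].startswith("http://"):  # no TLS on the wire
            findings.append((f["action"], "cleartext submission of password"))
    return findings

# Constructed sample page (not a real school site): a GET login form, a form
# posting to plain HTTP, and a correctly configured HTTPS POST form.
SAMPLE_HTML = """
<form action="/admin/login.php"><input name="u"><input type="password" name="p"></form>
<form method="post" action="http://cms.example.test/login"><input type="PASSWORD" name="pw"></form>
<form method="POST" action="https://cms.example.test/login"><input type="password" name="pw"></form>
"""
```

Running `audit_forms(SAMPLE_HTML, "https://www.example.test/admin/")` reports the first two forms and stays silent on the third; a relative action is resolved against the page URL, so a login page served over plain HTTP is caught even when its form action is relative.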
SECaaS : Security Risk Assessment
• The effect is: get one, hack many
https://www.aitle.org.hk/?p=5983
Other coming AiTLE events
• AiTLE X AWS : HOUR OF CODE (With Career Chat / Sharing) Workshop For Students
• https://www.aitle.org.hk/?p=6069
• AiTLE EVENT : MDM Selection and Migration
• https://www.aitle.org.hk/?p=6081
• AiTLE SEMINAR : School Information Security Seminar
• https://www.aitle.org.hk/?p=6079
Other coming AiTLE events
• AiTLE + HKITDA : Student Innovation And Technology Award 學生科技創意大賽(SITA)
• https://www.aitle.org.hk/?p=6031
Other coming AiTLE events
• AiTLE SEMINAR : School Information Security Seminar
• Date : 2019-12-17 (TUE)
• Time : 1800-2030
• Venue : HKPC
• Content :
• Security API and Security Scoring (HKPC)
• How to protect sensitive data while set up school website and IT systems? (UDomain)
• Free WebScan Services - Introduction and Teachers' sharing on usage
• Onsite Registration for [ FREE Security Scoring services ] & [ FREE WebScan Services ]
• Speakers :
• Professional(s) from HKPC, UDomain, ASTRI, HKIRC
• Teachers who have used the Free WebScan services
• https://www.aitle.org.hk/?p=6079
HOT again Solutions ???
Given how many school servers have recently been hacked and had data leaked, let us think about what schools can do, so that everyone takes note. For example:
• Where possible, shut down any Internet-facing servers that can be shut down
• Re-examine the firewall ACL to see whether any earlier rules are in fact no longer needed (for example IPs or ports opened earlier while trialling a device or system; WebSAMS Training port 7010 does not need to be Internet-facing)
• While the situation is heated, stop exposing WebSAMS to the Internet (restrict connections to the ITED network only, or even to the WebSAMS segment only)
• If the WebSAMS Training instance is not in use, it is best to uninstall it
• Delete redundant (or replaceable) personal data from the various systems (for example, in the sports day program, the "date of birth" (used to compute the grade) and the "HKID number" (used as the default web login password))
• Update servers (Windows) and packages (Linux); as far as possible, do not use versions that are already, or will soon be, out of support, e.g. Windows Server 2008 or earlier
• On servers, reduce or stop using unofficial plug-ins (e.g. for WordPress or CMS systems) and unofficial packages and update channels (for Linux systems)
• Change the login credentials of network devices; never use the default password (or even the default username)
Mr. Albert Wong
IT Manager & Teacher, Ying Wa College (YWC) / Chairman, Association of IT Leaders in Education (AiTLE)
Mobile: 9028 9443 / Email: albertwong@aitle.org.hk / Website: https://www.aitle.org.hk