(1)

ENHANCING INFORMATION SECURITY

& STRENGTHENING USER EDUCATION

Enhancing school information security, strengthening user education

Albert Wong (黃健威老師)

Chairman, Association of IT Leaders in Education (AiTLE)

IT Coordinator and Computer Subject Teacher, Ying Wa College (YWC)

Mobile / WhatsApp: 9028 9443 / Email: albertwong@aitle.org.hk

(2)

HOT again

(3)

NOT YET INCLUDING OTHERS

(like ransomware)

(4)

BUT IN FACT

NOT NEW

(12)

https://www.edb.gov.hk/tc/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html

(14)

https://www.ogcio.gov.hk/en/our_work/information_cyber_security/government/doc/G3.pdf


(19)

TODAY'S EXPERIENCE SHARING IS BASED ON

• SECaaS

• School IT Management

• School ICT / CL Teaching

(20)

SECaaS

• “Security as a Service” pilot project

• user training

• security check and audit


(22)

SECaaS : Website Security Check

Critical

• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Exploit is trivial and/or readily available. Probability of exploit is high.

High

• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

(23)

SECaaS : Website Security Check

Medium

• The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Low

• The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

(24)

SECaaS : Website Security Check

• CMS for Website

  Uses a cookie to store the username and password, especially for the CMS admin page

  • This allows attackers to carry out unlimited brute-force attacks
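The two findings above (credentials kept in a cookie, and a login that can be guessed without limit) share one fix on the server side. The following is an added example, not code from the deck or from any school CMS: the browser only ever receives an opaque session token, passwords are stored as salted PBKDF2 hashes, and failed logins are counted per account with a lockout window. The class name, the limits and the demo account are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a demo value, tune it for production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AdminLogin:
    """Login state kept on the server (hypothetical class, not any CMS's own API).

    The cookie the browser holds is a random session token; the username and
    password are never written into a cookie. Failed logins are counted per
    account so guesses are not unlimited.
    """

    MAX_FAILURES = 5            # guesses allowed before the account is locked
    LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts, counted from the first failure

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the lockout window can be tested
        self.users = {}         # username -> (salt, password hash)
        self.failures = {}      # username -> (failure count, time of first failure)
        self.sessions = {}      # session token -> (username, issued at)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        count, since = self.failures.get(username, (0, 0.0))
        if count < self.MAX_FAILURES:
            return False
        if self.clock() - since >= self.LOCKOUT_SECONDS:
            self.failures.pop(username, None)   # lock has expired, counter resets
            return False
        return True

    def login(self, username: str, password: str):
        """Return a session token on success, None on failure or while locked."""
        if self.is_locked(username):
            return None
        record = self.users.get(username)
        # Hash even for unknown usernames so response time does not reveal which accounts exist.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        computed = hash_password(password, salt)
        if record is None or not hmac.compare_digest(computed, stored):
            count, since = self.failures.get(username, (0, self.clock()))
            self.failures[username] = (count + 1, since)
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # random; carries no credential material
        self.sessions[token] = (username, self.clock())
        return token

    def user_for_session(self, token: str):
        """What the server looks up when a request arrives carrying the session cookie."""
        entry = self.sessions.get(token)
        return entry[0] if entry else None


if __name__ == "__main__":
    auth = AdminLogin()
    auth.add_user("cms-admin", "constructed demo password")   # constructed account
    print("session cookie value:", auth.login("cms-admin", "constructed demo password"))
    print("guesses before lockout:", AdminLogin.MAX_FAILURES)
```

A real deployment would also expire sessions and persist the failure counters, but the shape is the point: nothing the browser stores can be replayed as a password, and a guessing loop stops after a handful of attempts per account.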

(25)

SECaaS : Website Security Check

• CMS for Website

  • Some non-school-related news exists in the website's database

  • or even on accessible webpages

(26)

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test


(29)

School information is easily intercepted by hackers in transit because the web server does not use encryption and valid authentication, leaking the personal data of students or parents.

(30)

USER EDUCATION :

PASSWORD HANDLING

Teaching ICT :

social implication

(35)

CONTENT

• Who are we ?

• Where are we ?

• IT in education vs computer subject

• Systems managed by IT in education

• Not related to IT in education

• Your first system in YWC : eClass

• Your first system login


(41)

http://gettingtolean.com/wp-content/uploads/2016/01/iu-5.jpeg



(54)

SECaaS : Security Risk Assessment

• Communications Security

  Cleartext submission of password

• System acquisition, development & maintenance

  Password field submitted using GET method

(55)

SECaaS : Security Risk Assessment

• Password field submitted using GET method

  This page contains a form with a password field, and the form submits user data using the GET method, so the contents of the password field appear in the URL.

  Even when HTTPS is applied on the server, the password is not completely safe from others: the GET request, URL included, is logged in browser history and in log files.
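The check behind this finding is mechanical enough to script. The following is an added example, not code from the deck or from the SECaaS scanner: it parses a page with Python's standard HTML parser, reports every form that contains a password input but does not submit with POST (a missing method attribute defaults to GET), and shows the URL a browser would build for such a form. The sample page and its hostnames are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode


class PasswordFormAuditor(HTMLParser):
    """Records every <form> that has a password input but does not submit with POST."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None   # attributes of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # HTML's default method is GET when the attribute is missing or empty.
            self._form = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower() or "get",
                "has_password": False,
            }
        elif tag == "input" and self._form is not None:
            if a.get("type", "text").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"] and self._form["method"] != "post":
                self.findings.append({"action": self._form["action"], "method": self._form["method"]})
            self._form = None


def audit_html(html: str):
    """Return the list of offending forms found in one HTML document."""
    parser = PasswordFormAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def get_submission_url(action: str, fields: dict) -> str:
    """The URL a browser builds for a GET form: every field, password included, ends up in the query string.
    TLS hides this from the network, but browser history and server access logs keep the full URL."""
    return f"{action}?{urlencode(fields)}"


# Constructed sample page: two bad forms (explicit GET, and no method at all), two that are fine.
SAMPLE_PAGE = """
<html><body>
<form action="https://school.example/login" method="get">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="https://school.example/search">
  <input name="q">
</form>
<form action="https://school.example/eclass/login">
  <input name="user"><input type="PASSWORD" name="pwd">
</form>
<form action="https://school.example/admin/login" method="POST">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print("password form using", finding["method"].upper(), "->", finding["action"])
    print(get_submission_url("https://school.example/login", {"user": "amy", "pass": "s3cret"}))
```

Run over a saved copy of each school page (or fed from an HTTP client), the auditor gives the same verdict as the "Password field submitted using GET method" line in the assessment report, and the last print shows exactly what would land in history and log files.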

(56)

SECaaS : Security Risk Assessment

• The effect is

Get one, hack many

(58)

https://www.aitle.org.hk/?p=5983

(59)

Other coming AiTLE events

• AiTLE X AWS : HOUR OF CODE (With Career Chat / Sharing) Workshop For Students

• https://www.aitle.org.hk/?p=6069

• AiTLE EVENT : MDM Selection and Migration

• https://www.aitle.org.hk/?p=6081

• AiTLE SEMINAR : School Information Security Seminar

• https://www.aitle.org.hk/?p=6079

(60)

Other coming AiTLE events

• AiTLE + HKITDA : Student Innovation And Technology Award 學生科技創意大賽(SITA)

• https://www.aitle.org.hk/?p=6031

(61)

Other coming AiTLE events

AiTLE SEMINAR : School Information Security Seminar

Date : 2019-12-17 (TUE)

Time : 1800-2030

Venue : HKPC

• Content :

• Security API and Security Scoring (HKPC)

• How to protect sensitive data while set up school website and IT systems? (UDomain)

• Free WebScan Services - Introduction and Teachers' sharing on usage

• Onsite Registration for [ FREE Security Scoring services ] & [ FREE WebScan Services ]

• Speakers :

• Professional(s) from HKPC, UDomain, ASTRI, HKIRC

• Teachers who have used the free WebScan services

https://www.aitle.org.hk/?p=6079

(62)

HOT again  Solutions ???

(63)

With so many school servers hacked and data leaked recently, let's think about what schools can do, and keep an eye on it. For example:

• Where possible, shut down internet-facing servers that can be shut down

• Re-examine the firewall ACL to see whether any earlier rules are in fact no longer needed (for example IPs or ports opened while trialling equipment or systems; WebSAMS training on port 7010 does not need to face the internet)

(64)

• Given the current climate, stop exposing WebSAMS to the internet (RESTRICT TO CONNECTION ONLY FROM ITED NETWORK OR EVEN FROM WEBSAMS SEGMENT ONLY)

• If the WebSAMS TRAINING INSTANCE is not in use, it is best to UNINSTALL it

(65)

• Delete redundant (or replaceable) personal data from the various systems (for example, in the sports day program, "date of birth" (used to compute the GRADE) and "HKID number" (used as the DEFAULT WEBLOGIN PASSWORD))

• Update the SERVER (WINDOWS) and PACKAGES (LINUX); as far as possible avoid versions that are no longer / will soon no longer be SUPPORTED, e.g. WINDOWS SERVER 2008 or earlier

(66)

• On SERVERS, reduce or stop using unofficial PLUG INS (e.g. WORDPRESS OR CMS systems) and unofficial PACKAGES AND UPDATE CHANNELS (for LINUX systems)

• Change the login credentials of network devices; never use the DEFAULT PASSWORD (OR EVEN USERNAME)
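The ACL review step in the list above (find rules opened for trials that nobody closed, and confirm that WebSAMS is reachable only from internal ranges) is the one most easily turned into a repeatable check. The following is an added example, not code from the deck or from any firewall vendor: it takes inbound allow rules in a plain dictionary form, compares them against an inventory of services that are meant to be public and services that must stay internal, and flags rules whose comments suggest a trial or training origin. The ruleset, the inventory, the 10.20.0.0/16 range and every port except the 7010 quoted on the slide are constructed placeholders; adapt the loader to your firewall's export format.

```python
import ipaddress

# Constructed sample ruleset: inbound "allow" rules in the shape a firewall export might give.
SAMPLE_RULES = [
    {"id": 1, "src": "0.0.0.0/0",    "port": 443,  "comment": "school website"},
    {"id": 2, "src": "0.0.0.0/0",    "port": 7010, "comment": "WebSAMS training, opened for 2017 trial"},
    {"id": 3, "src": "0.0.0.0/0",    "port": 8443, "comment": "vendor demo device"},
    {"id": 4, "src": "10.20.0.0/16", "port": 7010, "comment": "WebSAMS training from school LAN"},
    {"id": 5, "src": "0.0.0.0/0",    "port": 25,   "comment": "mail relay"},
]

# Constructed inventory: which ports may face the internet, and which services must only
# ever be reached from internal address ranges (7010 is the WebSAMS training port from the
# slide; the CIDR is a placeholder for the school's own ITED / WebSAMS segment).
PUBLIC_PORTS = {443}
INTERNAL_ONLY = {7010: ["10.20.0.0/16"]}
STALE_HINTS = ("trial", "test", "demo", "training", "temp")


def review_rules(rules, public_ports=PUBLIC_PORTS, internal_only=INTERNAL_ONLY):
    """Return {rule id: [reasons]} for every rule that deserves a second look."""
    findings = {}
    for rule in rules:
        reasons = []
        src = ipaddress.ip_network(rule["src"], strict=False)
        port = rule["port"]
        internet_facing = src.prefixlen == 0          # 0.0.0.0/0: anyone may connect

        # 1. Internet-facing rule for a service nobody listed as public.
        if internet_facing and port not in public_ports and port not in internal_only:
            reasons.append(f"port {port} open to the internet but not in the public service inventory")

        # 2. Internal-only service reachable from outside its allowed source ranges.
        if port in internal_only:
            allowed = [ipaddress.ip_network(cidr) for cidr in internal_only[port]]
            if not any(src.subnet_of(net) for net in allowed):
                reasons.append(f"port {port} is internal-only but the rule allows {src}")

        # 3. Rule comments that hint at a trial or training origin: confirm it is still needed.
        comment = rule.get("comment", "").lower()
        hits = [word for word in STALE_HINTS if word in comment]
        if hits:
            reasons.append(f"comment mentions {', '.join(hits)}: confirm the rule is still needed")

        if reasons:
            findings[rule["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rule_id, reasons in review_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}:")
        for reason in reasons:
            print("   -", reason)
```

Rule 1 passes untouched; rule 2 is the case the slide describes (training port exposed to the whole internet and still carrying its trial comment); rule 4 is correctly scoped but is listed for confirmation because the training instance may no longer be needed at all.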

(67)

Mr. Albert Wong

IT Manager & Teacher, Ying Wa College (YWC)

Chairman, Association of IT Leaders in Education (AiTLE)

Mobile: 9028 9443 / Email: albertwong@aitle.org.hk / Website: https://www.aitle.org.hk
