提升

(1)

ENHANCING INFORMATION SECURITY

& STRENGTHENING USER EDUCATION

提升 ^{學校資訊保安} ^及加強 ^用戶教育

黃健威老師（Albert Wong）

資訊科技教育領袖協會（AiTLE）主席

英華書院（YWC）資訊科技統籌及電腦科老師

手提 / Whatsapp：9028 9443 / 電郵：albertwong@aitle.org.hk

(2)

(3)

(4)

(5)

(6)

(7)

(8)

(9)

https://www.edb.gov.hk/tc/edu-system/primary-secondary/applicable-to-primary-secondary/it-in- edu/Information-Security/information-security-in-school.html

(10)

(11)

https://www.ogcio.gov.hk/en/our_work /information_cyber_security/governme nt/doc/G3.pdf

(12)

(13)

(14)

(15)

ENHANCING INFORMATION SECURITY

& STRENGTHENING USER EDUCATION

提升 ^{學校資訊保安} ^及加強 ^用戶教育

黃健威老師（Albert Wong）

資訊科技教育領袖協會（AiTLE）主席

英華書院（YWC）資訊科技統籌及電腦科老師

手提 / Whatsapp：9028 9443 / 電郵：albertwong@aitle.org.hk

(16)

EXPERIENCE SHARING BASED ON

• SECaaS

• School IT Management

• School ICT / CL Teaching

(17)

SECaaS

• “Security as a Service” pilot project

• user training

• security check and audit

(18)

SECaaS

• “Security as a Service” pilot project

• user training

• security check and audit

(19)

SECaaS : Website Security Check

• Critical

• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Exploit is trivial and/or readily available. Probability of exploit is high.

• High

• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

(20)

SECaaS : Website Security Check

•

Medium

• The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational

operations, organizational assets, or individuals.

•

Low

• The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational

operations, organizational assets, or individuals.

(21)

SECaaS : Website Security Check

• CMS for Website

• Using cookie to store username and password

• especially for CMS admin page

• allows attackers do unlimited brute-force attack

(22)

SECaaS : Website Security Check

• CMS for Website

• some non-school-related news

• exists in the website's database

• or even accessible webpages

(23)

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test

(24)

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test

(25)

(26)

學校資訊容易因網頁伺服器未進行加密及有效認證

在傳輸過程中被駭客截取

令學生或家長個

人資料外泄。

(27)

USER EDUCATION :

PASSWORD HANDLING

Teaching ICT :

social implication

(28)

(29)

(30)

(31)

(32)

CONTENT

• Who are we ?

• Where are we ?

• IT in education vs computer subject

• Systems managed by IT in education

• Not related to IT in education

• Your first system in YWC : eClass

• Your first system login

(33)

CONTENT

• Who are we ?

• Where are we ?

• IT in education vs computer subject

• Systems managed by IT in education

• Not related to IT in education

• Your first system in YWC : eClass

• Your first system login

(34)

(35)

(36)

(37)

(38)

STOP

(39)

(40)

(41)

(42)

(43)

(44)

(45)

(46)

(47)

(48)

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test

(49)

(50)

SECaaS : Security Risk Assessment

• Communications Security

• System acquisition, development &

maintenance

(51)

SECaaS : Security Risk Assessment

• Communications Security

• Cleartext submission of password

• System acquisition, development &

maintenance

• Password field submitted using GET method

(52)

SECaaS : Security Risk Assessment

• Password field submitted using GET method

• This page contains a form with a password field

• This form submits user data using the GET method

•

Contents of the password field will appear in the URL

•

Even HTTPS is applied to the server

• Password will not completely safe from others

• GET request will be logged in browser history or log files

(53)

SECaaS : Security Risk Assessment

• The effect is

• Get one, hack many

(54)

(55)

https://www.aitle.org.hk/?p=5983

(56)

Other coming AiTLE events

• STUDENT TRAINING PACKAGES (IT INNOVATION LAB) SOLUTIONS SHOW

• https://www.aitle.org.hk/?p=5916

• EDMODOCON HONG KONG 2019

• “IMPORTANCE OF COMPUTER SCIENCE OUR NEXT GENERATION”

(57)

Other coming AiTLE events

• SAMSUNG SOLVE FOR TOMORROW 2019 全港學界科技比賽

• 1 MILLION HKD SCHOLARSHIP COMPUTER SCIENCE COMPETITION FOR HIGH SCHOOL STUDENTS

(58)

Mr. Albert Wong

IT Manager & Teacher, Ying Wa College (YWC) Chairman, Association of IT Leaders in Education (AiTLE)

Email : 9028 9443 / albertwong@aitle.org.hk Website: https://www.aitle.org.hk

提升

ENHANCING INFORMATION SECURITY

& STRENGTHENING USER EDUCATION

提升 學校資訊保安 及 加強 用戶教育

ENHANCING INFORMATION SECURITY

& STRENGTHENING USER EDUCATION

提升 學校資訊保安 及 加強 用戶教育

EXPERIENCE SHARING BASED ON

• SECaaS

• School IT Management

• School ICT / CL Teaching

SECaaS

• “Security as a Service” pilot project

• user training

• security check and audit

SECaaS

• “Security as a Service” pilot project

• user training

• security check and audit

SECaaS : Website Security Check

SECaaS : Website Security Check

Medium

Low

SECaaS : Website Security Check

• CMS for Website

• Using cookie to store username and password

• especially for CMS admin page

• allows attackers do unlimited brute-force attack

SECaaS : Website Security Check

• CMS for Website

• some non-school-related news

• exists in the website's database

• or even accessible webpages

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test

學 校 資 訊 容 易 因 網 頁 伺 服 器 未 進 行 加 密 及 有 效 認 證

在 傳 輸 過 程 中 被 駭客截取

令 學 生 或 家 長 個

人資料外泄。

USER EDUCATION :

PASSWORD HANDLING

Teaching ICT :

social implication

CONTENT

CONTENT

STOP

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test

SECaaS : Security Risk Assessment

• Communications Security

• System acquisition, development &

maintenance

SECaaS : Security Risk Assessment

• Communications Security

• Cleartext submission of password

• System acquisition, development &

maintenance

• Password field submitted using GET method

SECaaS : Security Risk Assessment

• Password field submitted using GET method

• This page contains a form with a password field

• This form submits user data using the GET method

Contents of the password field will appear in the URL

Even HTTPS is applied to the server

SECaaS : Security Risk Assessment

• The effect is

提升 ^{學校資訊保安} ^及加強 ^用戶教育

提升 ^{學校資訊保安} ^及加強 ^用戶教育

學校資訊容易因網頁伺服器未進行加密及有效認證

在傳輸過程中被駭客截取

令學生或家長個