(1)

ENHANCING INFORMATION SECURITY

& STRENGTHENING USER EDUCATION

Enhancing school information security and strengthening user education

Mr. Albert Wong (黃健威)

Chairman, Association of IT Leaders in Education (AiTLE)

IT Coordinator and Computer Studies teacher, Ying Wa College (YWC)

Mobile / WhatsApp: 9028 9443 / Email: albertwong@aitle.org.hk

(9)

https://www.edb.gov.hk/tc/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html

(11)

https://www.ogcio.gov.hk/en/our_work/information_cyber_security/government/doc/G3.pdf


(16)

EXPERIENCE SHARING BASED ON

• SECaaS

• School IT Management

• School ICT / CL Teaching

(17)

SECaaS

• “Security as a Service” pilot project

• user training

• security check and audit


(19)

SECaaS : Website Security Check

Critical

• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Exploit is trivial and/or readily available. Probability of exploit is high.

High

• The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

(20)

SECaaS : Website Security Check

Medium

• The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Low

• The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

(21)

SECaaS : Website Security Check

• CMS for Website

Using cookies to store the username and password, especially for the CMS admin page

• allows attackers to run unlimited brute-force attacks
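A defender can spot the pattern described on this slide from the server's response headers alone: a cookie whose name looks like a credential, or any cookie set without the Secure and HttpOnly flags. The check below is an added example written for this page, not code from the presentation or from the SECaaS check itself; the credential-name word list and the three Set-Cookie header values are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Heuristic list of cookie-name fragments that suggest a credential is being
# stored client-side (assumed list for this example, extend as needed).
CREDENTIAL_NAME_HINTS = ("user", "username", "login", "pass", "password", "pwd")


def audit_set_cookie(set_cookie_headers):
    """Return a list of (cookie_name, issue) tuples for a list of Set-Cookie header values.

    Three issues are reported: a credential-like cookie name, a missing Secure flag
    (cookie may travel over plain HTTP) and a missing HttpOnly flag (cookie readable
    by page scripts).
    """
    findings = []
    for header_value in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header_value)  # parses "name=value; Path=/; Secure; HttpOnly"
        for name, morsel in jar.items():
            if any(hint in name.lower() for hint in CREDENTIAL_NAME_HINTS):
                findings.append((name, "credential-like cookie name"))
            if not morsel["secure"]:      # "" when the flag is absent, True when present
                findings.append((name, "missing Secure flag"))
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly flag"))
    return findings


# Constructed sample: what a CMS admin login might send back (not captured from any real site).
SAMPLE_HEADERS = [
    "cms_user=admin; Path=/",
    "cms_pwd=s3cret; Path=/",
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie_name, issue in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{cookie_name}: {issue}")
```

On the constructed sample the two credential cookies each produce three findings, while the session cookie that carries both flags produces none. The name heuristic is deliberately crude; it is a triage aid for the website check, not proof that the value really is a password.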

(22)

SECaaS : Website Security Check

• CMS for Website

• some non-school-related news

• exists in the website's database

• or even accessible webpages

(23)

SECaaS : Security Risk Assessment

• IT Security Policy

• Access Control

• Security Incident Management

• Vulnerability Scan

• Web Penetration Test



School information is easily intercepted by hackers in transit when the web server does not use encryption and effective authentication, leading to the leakage of students' or parents' personal data.

(27)

USER EDUCATION :

PASSWORD HANDLING

Teaching ICT :

social implication

(32)

CONTENT

• Who are we ?

• Where are we ?

• IT in education vs computer subject

• Systems managed by IT in education

• Not related to IT in education

• Your first system in YWC : eClass

• Your first system login


(38)

STOP


(50)

SECaaS : Security Risk Assessment

• Communications Security

Cleartext submission of password

• System acquisition, development & maintenance

Password field submitted using GET method

Password field submitted using GET method

(52)

SECaaS : Security Risk Assessment

• Password field submitted using GET method

This page contains a form with a password field

The form submits user data using the GET method

The contents of the password field will therefore appear in the URL

Even if HTTPS is applied on the server, the password is not completely safe from others

GET requests are logged in browser history and in server log files
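Both findings from these slides, cleartext submission of a password and a password field in a GET form, can be checked mechanically by parsing the page's forms. The following is an added example written for this page, not code from the presentation or from the SECaaS assessment tooling; the sample HTML and the page URL are constructed, and the finding texts reuse the wording of the slides.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAuditor(HTMLParser):
    """Collect every <form> with its effective method, resolved action URL and
    whether it contains an <input type="password">."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {
                # A form with no method attribute is submitted with GET by the browser
                "method": (a.get("method") or "get").lower(),
                # Resolve relative actions against the page URL; empty action = page itself
                "action": urljoin(self.page_url, a.get("action") or ""),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return a list of (finding, action_url) for every form that carries a password."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not in scope
        if form["method"] == "get":
            # Password would end up in the URL, browser history and server logs
            findings.append(("Password field submitted using GET method", form["action"]))
        if urlparse(form["action"]).scheme != "https":
            # Credentials would cross the network unencrypted
            findings.append(("Cleartext submission of password", form["action"]))
    return findings


# Constructed sample page (hypothetical school CMS, not a real site).
PAGE_URL = "https://www.school.example/admin/"
SAMPLE_HTML = """
<html><body>
<form action="login.php">  <!-- no method attribute: the browser uses GET -->
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form method="post" action="/secure/login">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form method="POST" action="http://legacy.school.example/login">
  <input type="password" name="pw">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding, action in audit_forms(SAMPLE_HTML, PAGE_URL):
        print(f"{finding}: {action}")
```

On the sample, the first form is flagged for GET (its action resolves to the HTTPS page, so no cleartext finding), the second form is clean, the third is flagged for cleartext submission because its action is an explicit http:// URL, and the search form is skipped because it has no password field. The same scheme check is what turns the earlier "web server without encryption" slide into a concrete test.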

(53)

SECaaS : Security Risk Assessment

• The effect is

Get one, hack many

(55)

https://www.aitle.org.hk/?p=5983

(56)

Other coming AiTLE events

• STUDENT TRAINING PACKAGES (IT INNOVATION LAB) SOLUTIONS SHOW

• https://www.aitle.org.hk/?p=5916

• EDMODOCON HONG KONG 2019

• https://www.aitle.org.hk/?p=5849

• “IMPORTANCE OF COMPUTER SCIENCE OUR NEXT GENERATION”

• https://www.aitle.org.hk/?p=5953

(57)

Other coming AiTLE events

• SAMSUNG SOLVE FOR TOMORROW 2019 Hong Kong inter-school technology competition

• https://www.aitle.org.hk/?p=5887

• 1 MILLION HKD SCHOLARSHIP COMPUTER SCIENCE COMPETITION FOR HIGH SCHOOL STUDENTS

• https://www.aitle.org.hk/?p=5936

(58)

Mr. Albert Wong

IT Manager & Teacher, Ying Wa College (YWC)

Chairman, Association of IT Leaders in Education (AiTLE)

Mobile: 9028 9443 / Email: albertwong@aitle.org.hk / Website: https://www.aitle.org.hk
