A practical guide to IT security-Up to University project

This booklet is meant to help teachers and system administrators in high schools when it comes to IT security, digital identity and cybersecurity. The content is universal although it was elaborated under the Up to University project.

A PRACTICAL GUIDE TO Up2U ICT SECURITY

The Up2U ecosystem is based on the use of the Internet, cloud systems and the Bring Your Own Device (BYOD) approach. Creating a safe and secure ICT learning environment for all the schools involved in the project pilots is a priority. This guide offers practical, simple suggestions for schools on how to achieve such an environment.

A Framework of Whole-School Awareness, Responsibilities, Policies and Procedures

Establish a Security Task Force
For the Security Task Force, we suggest combining all the human resources inside the school that can help to identify security risks and create a common security vision for your school. Complete collaboration at each level is key.

Manage All the Users
• For systems that handle sensitive information, we recommend applying strict user configurations. To be able to associate users with devices and contact them in case of need, it is necessary to set up a register of users.
• Use standard accounts with limited privileges. Allow the use of administrative accounts only for users with appropriate skills.
• Use administrative accounts only to perform operations that require privileges.

Create a Hardware and Software Inventory
• We recommend creating an inventory (manually or with automatic software) of the existing devices connected to the network, recording MAC address, hostname, function, owner, associated office, etc.
• It could be useful to run automatic discovery of network-connected devices with an alert system for anomalies and for the identification of portable electronic devices.
• Create a list of authorised software and an inventory of installed software.
• Perform regular system scans to detect unauthorised software.

Create a School Security Policy
We recommend that, as a minimum, a school security policy should address the following.

Make it clear to users that:
• IT resources are for institutional purposes only
• They should avoid using videogames and downloading illegal software or media (MP3, movies, etc.)
• It is forbidden to launch cyberattacks on internal and external systems

Regularly inform users about cautions:
• Beware of phishing emails. Some clues are:
  • Strong sense of urgency
  • Suspicious sender's address
  • Generic greetings and signature
  • Spoofed hyperlinks
  • Spelling and layout (poor grammar)
  • Suspicious attachments
• Avoid browsing untrusted sites and clicking on any link
• Download and install software and apps only from trustworthy sites
• Delete programs or apps no longer used
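The phishing clues listed above can be turned into automatic checks that a mail administrator runs over incoming messages before they reach a mailbox. The following Python script is an added example and is not part of the original guide or of the Up2U project: it scores a raw e-mail message against five of the clues (urgency, suspicious sender, generic greeting, spoofed hyperlink, risky attachment). The keyword lists, the two sample messages and the domains (school.example, mail-verify.example.net) are constructed for the example, and a Reply-To domain that differs from the From domain is used as a stand-in for "suspicious sender's address"; the spelling and layout clue is left to a human reader.

```python
"""Heuristic checks for common phishing clues in a raw e-mail (stdlib only)."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vocabularies constructed for this example; tune them for your own school.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear sir/madam", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".docm", ".xlsm", ".iso")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL, or the domain part of an e-mail address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the names of the phishing clues found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").lower()
    text_parts, html_parts, attachments = [], [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_payload(decode=True).decode(errors="replace"))
        elif part.get_content_type() == "text/html":
            html_parts.append(part.get_payload(decode=True).decode(errors="replace"))
    body = " ".join(text_parts + html_parts).lower()

    found = []
    if any(w in subject or w in body for w in URGENCY_WORDS):
        found.append("urgency")                     # strong sense of urgency
    from_domain = _host(parseaddr(msg["From"] or "")[1])
    reply_domain = _host(parseaddr(msg["Reply-To"] or "")[1])
    if reply_domain and reply_domain != from_domain:
        found.append("reply_to_mismatch")           # replies go to another domain
    if any(g in body for g in GENERIC_GREETINGS):
        found.append("generic_greeting")            # no recipient name
    collector = _LinkCollector()
    for html in html_parts:
        collector.feed(html)
    for href, text in collector.links:
        # Visible text shows one URL, the real href points somewhere else.
        if text.startswith(("http://", "https://")) and _host(text) != _host(href):
            found.append("spoofed_hyperlink")
            break
    if any(name.endswith(RISKY_EXTENSIONS) for name in attachments):
        found.append("risky_attachment")            # executable-type attachment
    return found


def build_sample(phishy):
    """Constructed sample messages: one phishing-like, one ordinary school e-mail."""
    msg = EmailMessage()
    msg["From"] = '"School IT Helpdesk" <helpdesk@school.example>'
    msg["To"] = "anna.rossi@school.example"
    if phishy:
        msg["Subject"] = "URGENT: your account will be suspended"
        msg["Reply-To"] = "recover@mail-verify.example.net"
        msg.set_content("Dear user, confirm your password within 24 hours.")
        msg.add_alternative(
            '<p>Dear user,</p><p>Click <a href="http://login.mail-verify.example.net/x">'
            "https://portal.school.example</a> within 24 hours.</p>", subtype="html")
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    else:
        msg["Subject"] = "Lab timetable for next week"
        msg.set_content("Hi Anna, the timetable for the computer lab is attached.")
        msg.add_attachment(b"%PDF-1.4", maintype="application",
                           subtype="pdf", filename="timetable.pdf")
    return msg.as_string()
```

Run `phishing_indicators(build_sample(True))` to see all five clues fire on the constructed phishing message, and `phishing_indicators(build_sample(False))` to confirm the ordinary message raises none. In a real deployment the function would be fed from the mail server's content filter and a message with several indicators quarantined or tagged for the user.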
The innovation action leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 732049 - Up2U

Improve password security
Ensure that users:
• Never disclose their passwords, especially via the Internet
• Make passwords long and complex (at least 12 characters, mixing capital letters, numbers and symbols). A long password can be created from a passphrase, i.e. four or more random words grouped together and used as a password.
• Create a unique password for each account
• Never use personal information
• Consider using a password manager
• Periodically force a password change
• Use two-factor authentication, if available

Keep Updated!
• Keep all software (both application and system) updated and patched (in automatic mode if allowed).
• Keep the software on all of your personal electronic devices updated as well. Manufacturers release updates as they discover vulnerabilities in their products. Automatic updates make this easier for many devices (including computers, phones, tablets and other smart devices), but you may need to manually update other devices. Only apply updates from manufacturer websites and built-in application stores; third-party sites and applications are unreliable and can result in an infected device. When shopping for new connected devices, consider the brand's consistency in providing regular support updates.
• It is important to keep up with new vulnerabilities and take regular maintenance actions.
• Use updated vulnerability scanning tools.
• Verify that vulnerabilities emerging from scans were resolved, either by means of patches, by implementing appropriate countermeasures, or by documenting and accepting a reasonable risk.
• Use only supported software and operating systems (for example, avoid MS Windows XP).
• The main attack vector is the browser, especially if it is not kept up to date!

Be Aware!
• Check the logging of DHCP server operations (usually enabled by default).
• Manage every access to the network by registering the account, timestamp, MAC address and IP address.
• Periodically perform an internal or external vulnerability assessment to identify your vulnerabilities before the bad guys do.

Implement a Backup Programme
• Perform regular backups of critical data and, at longer intervals, of the entire system. Many cloud solutions are available to help you do this.
• Ensure the confidentiality of data in backup copies by encryption. Encrypting before transmission allows safe remote backup in the cloud.
• Ensure that removable devices containing backups (for instance, external hard disks or USB pen drives) are not permanently accessible from the system, so that a local attack cannot reach the security copies.
• Beware of inserting unknown USB devices into school systems. They could contain hidden malware!
• A robust data backup programme can save the day if you're hit by ransomware.

Create an Incident Procedure
Every school system should have a cyber-incident response plan in place. If people know what to do in the event of a problem, its impact can be minimised. After the incident, you should document what happened and share all the information, to prevent similar cases in the future.

Apply Security Acceptable Use Policies
Each network user should sign a Security Acceptable Use Policy. The school can follow the templates and guidance on the website of the learning network WMnet (http://www.wmnet.org.uk).
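The password rules under "Improve password security" above (at least 12 characters, mixed character classes, no personal information, passphrases of four or more random words) can be enforced at account creation. The following Python code is an added example, not part of the original guide: `password_problems` reports which rules a candidate password breaks, and `generate_passphrase` builds a passphrase with the `secrets` module. The word list and the small list of common passwords are constructed for the example (a real deployment uses lists of thousands of entries), and the exemption that accepts a four-word, 20-character passphrase without the mixed-class requirement is an assumption of this example, not a rule stated in the guide.

```python
"""Password policy check and passphrase generator (added example, stdlib only)."""
import re
import secrets

MIN_LENGTH = 12             # minimum length recommended by the guide
PASSPHRASE_MIN_WORDS = 4    # "four or more random words"
PASSPHRASE_MIN_LENGTH = 20  # assumption: long passphrases need no symbol/digit mix
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

# Constructed word list; use a real diceware-style list of thousands of words.
WORDLIST = ("orchid", "tractor", "lantern", "puzzle", "harbour", "violin",
            "meadow", "compass", "walnut", "glacier", "saddle", "thunder")
# Constructed blocklist; in practice load a list of passwords seen in breaches.
COMMON_PASSWORDS = {"password123!", "qwerty123456", "welcome2019!"}


def password_problems(password, personal_info=()):
    """Return the list of policy violations; an empty list means acceptable.

    personal_info holds strings such as the user's name or username that must
    not appear inside the password ("never use personal information")."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    words = [w for w in re.split(r"[\s\-_]+", password) if w]
    is_passphrase = (len(words) >= PASSPHRASE_MIN_WORDS
                     and len(password) >= PASSPHRASE_MIN_LENGTH)
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3 and not is_passphrase:
        problems.append("too_few_character_classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common_password")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains_personal_info")
            break
    return problems


def generate_passphrase(words=PASSPHRASE_MIN_WORDS, wordlist=WORDLIST):
    """Join random words from the list using a cryptographic random source."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    chosen[0] = chosen[0].capitalize()
    return "-".join(chosen)
```

A helpdesk script would call `password_problems(candidate, [username, first_name, surname])` when a user sets a password and refuse the change while the list is non-empty; `generate_passphrase()` gives the user a compliant suggestion to start from.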
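The hardware inventory recommended earlier (MAC address, hostname, function, owner, office) and the "Be Aware!" advice to log DHCP operations and register every network access (account, timestamp, MAC and IP) fit together: the DHCP log tells you who got which address when, and the inventory tells you whether that device is known. The following Python code is an added example, not part of the original guide or the Up2U project. It parses dnsmasq-style DHCPACK lines (the log lines, the inventory and the hostname hints for portable devices are constructed for the example; the portable-device hint is a rough heuristic, not a reliable identification) and produces the access register plus alerts for devices missing from the inventory.

```python
"""Build a network access register from DHCP logs and alert on unknown devices."""
import re
from collections import namedtuple

# Inventory as recommended by the guide: MAC -> (hostname, function, owner, office).
# Constructed sample data.
INVENTORY = {
    "3c:52:82:aa:bb:01": ("lab-pc-07", "lab workstation", "ICT dept", "Lab 2"),
    "00:1b:63:cc:dd:02": ("admin-laptop", "staff laptop", "M. Bianchi", "Secretariat"),
    "b8:27:eb:ee:ff:03": ("printer-1f", "printer", "ICT dept", "1st floor"),
}
# Hostname fragments that suggest a portable device (heuristic assumption).
PORTABLE_HINTS = ("android", "iphone", "ipad", "galaxy", "pixel")

# Constructed log lines in dnsmasq's format: "DHCPACK(iface) ip mac [hostname]".
SAMPLE_LOG = """\
Jan 12 08:15:02 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.30.41 3c:52:82:aa:bb:01 lab-pc-07
Jan 12 08:16:10 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) d8:3a:dd:12:34:56
Jan 12 08:16:11 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.30.77 d8:3a:dd:12:34:56 android-9f2c
Jan 12 08:20:45 gw dnsmasq-dhcp[812]: DHCPACK(eth2) 10.20.40.12 00:1b:63:cc:dd:02 admin-laptop
Jan 12 08:31:03 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.30.90 f0:9f:c2:11:22:33
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>[^)]+)\) (?P<ip>\S+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$"
)

Lease = namedtuple("Lease", "timestamp iface ip mac hostname")


def parse_dhcp_log(text):
    """Return one Lease per DHCPACK line; other DHCP messages are ignored."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["iface"], m["ip"],
                                m["mac"].lower(), m["host"] or ""))
    return leases


def build_register(leases, inventory=INVENTORY):
    """Join leases with the inventory and return (register rows, alerts).

    Each row records the account (the inventory owner, or 'unknown'), timestamp,
    MAC and IP, as the guide recommends. Alerts flag MACs absent from the
    inventory and hostnames that look like portable devices."""
    register, alerts = [], []
    for lease in leases:
        entry = inventory.get(lease.mac)
        register.append({"account": entry[2] if entry else "unknown",
                         "timestamp": lease.timestamp, "mac": lease.mac,
                         "ip": lease.ip, "hostname": lease.hostname})
        if entry is None:
            alerts.append(f"unknown device {lease.mac} "
                          f"({lease.hostname or 'no hostname'}) got {lease.ip} on {lease.iface}")
        if any(h in lease.hostname.lower() for h in PORTABLE_HINTS):
            alerts.append(f"portable device hostname {lease.hostname} at {lease.ip}")
    return register, alerts
```

Feeding the real DHCP log (for example via a nightly cron job) and writing `register` to a file gives the access register the guide asks for; `alerts` is what the "alert system in case of anomalies" would send to the Security Task Force.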
A SECURE ICT SYSTEM

Customise Network and System Configuration

Network Hardening
• Configure the router appropriately (anti-spoofing filters, filters that allow access only to institutional services)
• Segment the network into separate subnetworks, applying the most rigorous policies the context allows:
  • DMZ subnet exposed to the Internet (DNS, web server, mail server)
  • Subnetwork for management and administration
  • Subnetwork for didactics and laboratories
  • Subnet for students and guests (BYOD: smartphones, tablets, notebooks)
  • Subnetwork for printers, video surveillance, building automation, IoT devices, etc.
• Install at least one network firewall blocking incoming connections to all subnets (excluding the DMZ), possibly also with a NAT function
• Mitigate attacks carried out by email by analysing messages before they reach the recipient's mailbox. Do this by configuring antispam and antivirus software on the mail server.
• Install a web filtering solution to protect users from malicious sites while they are surfing
• Enable wireless security:
  • Use the strongest encryption protocol available (WPA2/WPA3)
  • Change the router's default administrator password
  • Change the default Service Set Identifier (SSID)
  • Disable WiFi Protected Setup (WPS)
  • Reduce wireless signal strength
  • Turn the network off when not in use (or configure a wireless schedule)
  • Disable Universal Plug and Play (UPnP) when not needed
• Keep all routers and network devices updated to the latest firmware version
• Disable remote management
• Monitor for unknown device connections

Firewalls
Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the Internet. Firewalls can be configured to block data from certain locations, applications or ports while allowing relevant and necessary data through.

Firewalls require trained professionals to support their configuration and maintenance. Most firewall products come preconfigured and ready to use. Since each firewall is different, you will need to read and understand the documentation that comes with it to determine whether the default firewall settings are sufficient for your needs. Firewalls do not guarantee that your computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (i.e., malware), and may not protect you if you accidentally install or run malware on your computer. However, using a firewall in conjunction with other protective measures (e.g., anti-virus software and safe computing practices) will strengthen your resistance to attacks.
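Before the segmentation and firewall rules above are typed into a router or firewall, it helps to write the intended policy down in a form that can be tested: which zone may talk to which, and on which ports. The following Python code is an added example, not part of the original guide or the Up2U project; the subnets, the zone names and the rule set are constructed from the guidance above (inbound from the Internet only to published DMZ services, nothing but management reaches the management and IoT subnets, students and guests cannot reach the lab subnet) and are not anyone's real addressing plan. The same table can then be translated rule by rule into the syntax of whatever firewall the school uses.

```python
"""Testable model of a school network segmentation policy (added example)."""
import ipaddress

# Constructed addressing plan, one /24 per zone from the guide's segmentation list.
ZONES = {
    "dmz":        ipaddress.ip_network("10.0.1.0/24"),  # DNS, web server, mail server
    "management": ipaddress.ip_network("10.0.2.0/24"),  # management and administration
    "labs":       ipaddress.ip_network("10.0.3.0/24"),  # didactics and laboratories
    "byod":       ipaddress.ip_network("10.0.4.0/24"),  # students and guests
    "iot":        ipaddress.ip_network("10.0.5.0/24"),  # printers, cameras, automation
}
INTERNAL = set(ZONES)
DMZ_SERVICE_PORTS = {25, 53, 80, 443}  # mail, DNS and web, the published services

# Ordered rules, first match wins: (source zones, destination zones, ports or None, allow?).
RULES = [
    ({"internet"}, {"dmz"}, DMZ_SERVICE_PORTS, True),  # only published services from outside
    ({"internet"}, INTERNAL, None, False),             # firewall blocks all other inbound
    ({"management"}, INTERNAL | {"internet"}, None, True),
    (INTERNAL, {"management"}, None, False),           # nobody else reaches management
    ({"byod", "labs"}, {"iot"}, None, False),          # IoT only reachable from management
    ({"byod"}, {"labs"}, None, False),                 # guests stay out of the lab subnet
    (INTERNAL, {"dmz", "internet"}, None, True),       # institutional services and outbound web
]


def zone_of(ip):
    """Name of the zone containing the address, or 'internet' if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, dst_port):
    """Decide a new connection against the policy; anything unmatched is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "internet":
        return True  # traffic inside one subnet never crosses the firewall
    for sources, destinations, ports, verdict in RULES:
        if src in sources and dst in destinations and (ports is None or dst_port in ports):
            return verdict
    return False
```

Adding a rule, or changing a subnet, is then checked by re-running the assertions on the connections that must and must not work, which is far cheaper than discovering a gap after a misconfigured rule has been live for a term.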
System Hardening
Define and implement standard configurations and system hardening policies:
• Uninstall unnecessary software
• Disable unnecessary services
• Share only necessary hardware resources and protect them
• Prevent changes to the configuration or installation of software
• Correct default software and hardware configurations (many products are preconfigured too openly)
• Configure clients and servers to use only encrypted protocols: SSH, HTTPS, and IMAP and SMTP over SSL/TLS
• Install antivirus software locally (verify automatic updates)
• Install a firewall and an Intrusion Prevention System (IPS) locally
• Install a Web Application Firewall (WAF) on the web server
• Disable automatic execution of contents when connecting removable devices
• Disable automatic execution of dynamic contents (e.g. macros) in files
• Turn off automatic opening of emails
• Disable automatic preview of file contents
• Before connecting a new device to the network, replace default administrative credentials with safe values
Up2U IAM solutions

Up2U has sought to provide solutions that allow users to manage user identities on platforms available from the project. To access Up2U services, go to the platform link https://learn.up2university.eu/?redirect=0 and open the login page. On the login page (https://bit.ly/2OrVuw8) you will find all the authentication methods described below.

WHAT IS A DIGITAL IDENTITY?
Digital identity is the virtual representation of a real identity that can be used during electronic interactions with people or machines.

What are authentication and authorisation?
• Authentication is the first mechanism we activate when we want to log in to an environment, by providing information that uniquely identifies us (our credentials).
• Authorisation is the second mechanism, activated once the authentication procedure is successful. It is a check carried out by the service we want to access, based on the information we previously provided.

Single Sign-On (SSO)
Single sign-on (SSO) is the mechanism by which, within an organisation, a user can use the same credentials to access multiple services because there is a single infrastructure managing digital identities.

When does digital identity become federated?
Digital identity becomes federated when the single sign-on mechanism is extended beyond its native organisation and gives access to a multitude of services provided by different organisations. Therefore, a user can access services and resources of all the federated organisations without changing the credentials he/she uses within his/her home organisation.

Authentication with single sign-on (SSO)
Authentication is the process by which a user provides information that uniquely identifies themselves (their credentials). Authorisation is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.

eduGAIN
The eduGAIN service interconnects academic identity federations around the world, enabling the trustworthy exchange of information related to identity, authentication and authorisation. eduGAIN helps students, researchers and educators access online services while minimising the number of accounts users and service providers have to manage – reducing costs, complexity and security risks. eduGAIN is used for giving access to the Up2U ecosystem to all academic and NREN users of the project.

Local registration
Up2U affords users without an identity provider (IdP) the chance to become a "member" of the Next-Generation Digital Learning Environment (NGDLE). The Up2U WebSSO front end provides a local user registration option.

Authentication via social networks
Social Network Login is single sign-on for end users. Using existing login information from a social network provider such as Facebook, Twitter or Google, the user can sign in to a third-party website instead of creating a new account specifically for that website. This simplifies registrations and logins for end users.

All channels are managed by a Lightweight Directory Access Protocol (LDAP) layer. LDAP user authentication is the process of validating a username and password combination with a directory server. LDAP directories are standard technology for storing user, group and permission information.
CYBER-SECURITY TIPS FOR STUDENTS

• Use anti-virus software.
• Don't open emails, messages or attachments from unknown sources. Be suspicious of any emails, messages or attachments that are unexpected, even if they come from a known source.
• Protect your device from Internet intruders.
• Regularly download security updates and patches for operating systems and other software.
• Use hard-to-guess passwords. Mix upper case, lower case, numbers and other characters not easily found in the dictionary. Make sure your password is at least twelve characters long.
• Back up your data on disks or cloud storage regularly.
• Don't share access to your device with strangers. Learn about file-sharing risks.
• Disconnect from the Internet when you're not using it.
• Check your security on a regular basis.
• Make sure you know what to do if a device or system is believed to be infected or corrupted.

10 tips on BYOD
1. Use encryption to protect your data (Settings -> Security -> Encrypt device), even if you are going to reset the smartphone.
2. Do not install software from untrustworthy markets. (Trusted markets are, e.g., Google Play, Apple's App Store and Amazon's Appstore for Android.) Check and understand application permissions.
3. Wipe your data remotely if the device is lost or stolen (Google Android Device Manager, Lost Android, Anti-Theft, Cerberus, etc.) and pay attention to the data left on devices you no longer use or dispose of.
4. Use a passcode or password to protect the device. It is a bit cumbersome but it is certainly safer. A good password would be best, but use at least a non-trivial sequence.
5. Turn on Bluetooth only when needed.
6. Avoid connecting to unknown wireless networks.
7. Keep all devices updated with the latest firmware version.
8. Back up your data.
9. Avoid storing usernames and passwords on the device or in the browser.
10. Do not jailbreak or root the device (jailbreaking or rooting a device are processes that remove the platform's restrictions, allowing users to install any application from any market, install a modified operating system and have administrative user permissions).
HOW GDPR APPLIES TO SCHOOLS INVOLVED IN THE Up2U PROJECT

What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR came into effect across the European Union on May 25, 2018, replacing the Data Protection Directive 95/46/EC, aiming at:
• harmonising data privacy laws across Europe
• protecting and empowering the data privacy of all EU citizens
• redesigning the way organisations across the region approach data privacy

Who does GDPR apply to?
It applies to those who process personal data. More precisely, it applies to those who "determine the purpose and means of processing of personal data" (Article 4, paragraph 7). The processing of personal data must take place in compliance with the principles and the rules established by the GDPR. In the Up2U project, the purposes and the means by which the personal data are processed are determined by the partners in the project in accordance with the contents of the Grant Agreement and the Up2U Consortium Agreement. Therefore, in Up2U, the Data Controller is the group of participants in the project, who have issued a regulation on their respective obligations and responsibilities by signing a specific agreement (Joint Controller Agreement).

GDPR compliance of the Up2U project
If your school joins the Up2U project, personal data coming from teachers, school staff and students (data subjects) using our tools and ICT services will be controlled and processed by Up2U. No actions are required by pilot schools in order to be compliant with GDPR inside the Up2U project, as the schools do not process personal data, do not collect any data, and do not determine the purposes and means of the processing of personal data inside the Up2U project.

The pilot schools are informed through the Memorandum of Understanding (MoU) about the foreseen activities of the Up2U project, in order to verify that the project's actions correspond with the mission of the school. The Data Controller is the group of Up2U partners who have to sign a Joint Controller Agreement, which serves to regulate the respective tasks, the internal relationships between the joint Data Controllers and the management of the activities towards the data subjects and the authority. The contact person for the rights of data subjects is, in compliance with Art. 26, the "Contact Point", represented by the GÉANT Association. The processing of personal data will start on the occasion of access to the Next-Generation Digital Learning Environment (NGDLE) platform and will end at the end of the Project.
OER GUIDELINES

"Roadmap" for the use of OER

Step 1: Choose a Creative Commons Licence to License the OER
In order to choose a CC licence for a learning object such as an OER, or for any other work or creation, you should be able to answer four questions:
• Do you agree that other people may copy and distribute your content without any kind of permission?
• Do you agree that other people may edit and adapt the content when they use it?
• Do you mind other people making money out of your content?
• If you allow modifications to your work, would you like the new content to carry the same licence that you chose?
CC has an online service that helps identify the appropriate licence, based on the answers to those basic questions.

Step 2: Search for Basic Objects with a Compatible Licence
There are six different Licences of Use, and each bears special conditions. Selecting resources is a matter of finding those with a Licence of Use compatible with the one you are going to use, so that they can be integrated as a Business Object (BO) in your Learning Object (LO). A compatibility chart is provided. It is important to understand the compatibility among the permissions and conditions of the six CC licences in order not to override the wishes of the authors of the works you use: https://en.wikipedia.org/wiki/Creative_Commons_license

Step 3: Acknowledge the Resources Used
It is important to acknowledge the resources used in your Learning Object. A useful acronym to remember, to help ensure you make a correct attribution of each resource, is "TYAOL", which points to the five aspects to cite:
• TITLE: the name or title of the work.
• YEAR: the date the work was published.
• AUTHOR: the name of the work's creator.
• ORIGIN: where the work can be found.
• LICENCE: how the work can be used.
Step 4: Define the Metadata
When you publish your own resource, the service where it will be published should include and relate it to the same basic information (also known as the metadata or descriptive signature) that you use to attribute or cite the work of another person. In short, remember the acronym TYAOL and make sure the information is clearly visible so that other people can make the correct attribution to your work. Additionally, it is advisable to include:
• Entity(ies): evaluate in each case the need to also associate data such as the entity, institution or organisation that supports the production process, and the respective collaborators.
• Contact: provide contact details, e.g. an email address that you check frequently, so that someone who is interested in your resource can communicate with you.
In the case of a Learning Object, it is suggested that the material includes a page or credit space where the metadata is incorporated. Thus, even when the material is moved from the original publication site, it will retain the data needed for proper acknowledgement and recognition.

Step 5: Publish or Distribute the Work
The last step in building your OER is to publish or distribute it, to make it available to your students and to other potential users as well. There are different mechanisms for sharing digital information, for example sending the file by email or uploading it to a social network for students to download and view on their devices. The effectiveness of these methods is proven. However, the Up2U platform provides another way to share these resources online that:
• Saves time. If you publish the OER on a single site, you only need to indicate the link or address for anyone to access it from any device, either to view it or to download it.
• Potentially expands the audience. It potentially increases the number of users and their access to the resource, especially considering that this is the intention when licensing with CC.
• Makes it easy to view. It enables a direct and immediate visualisation of the OER without downloading.
• Ensures best practices are followed for the publication and distribution of information, through the use of forms. Up2U offers a range of web services that work as repositories of content to share, and which include forms that prompt completing fields such as:
  • Title.
  • Description.
  • Category.
  • Tags or keywords.
  • Language.

Suitable services for publishing OERs include those used to search for information, for example:
• For images, audio, video: DSpace.
• For text: blogs, websites.
• For sharing a folder: a cloud service such as CERNBox.

Up2U Tools to Create and Reuse OERs
A selection of tools in the Up2U ecosystem that enable the creation and management of OERs is shown below.

Moodle
  Web: https://moodle.org/
  Up2U platform: https://learn.up2university.eu/
  Tutorial: https://docs.moodle.org/22/en/Moodle_video_tutorials

H5P
  Web: https://h5p.org/
  Tutorial: https://h5p.org/documentation
  Examples: https://h5p.org/content-types-and-applications

Knockplop
  Web: https://github.com/so010/knockplop
  Tutorial: https://up2university.eu/2018/01/18/knockplop/

SeLCont
  Web: https://github.com/netmode/selcont
  Tutorial: http://www.netmode.ntua.gr/main/index.php?option=com_content&view=article&id=142&Itemid=9
