Tech Support For Dummies

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 21 January 2013

Student information systems rife with security flaws

Posted on 06:35 by Unknown
Here's an interesting story from Slashdot today about a college student being expelled after pointing out flaws in his college's student information system.

What he's seeing is no surprise. Starting with my days working for IBM's EduQuest division, for the past 20 years or so I've seen numerous K-12 and higher education student information systems chock full of security flaws. Stupid, silly security flaws like SQL injection, cross-site request forgery, URL manipulation, no passwords - you name it...none of which should've been around 10 years ago, much less today. But they're there.

Folks, if you work for a K-12 school, university, or you're a parent curious about how your student's information is being handled (and protected), start asking questions like:
  • When was the last time this application was tested for security flaws? (their vendor's SSAE 16 report won't cut it)
  • What was done about the flaws that have been discovered up to this point? (even when flaws are found, many people still have political, financial, and time management hurdles that get in the way of improvements)
Someone needs to be in charge of managing these risks.

Certain people at the school level will tell you that student information is secure because their auditor ran Nessus and everything checked out okay. Need I say more?

The student information system vendors will tell you their applications are secure because they have good programmers. Again, based on what I've seen, they're most definitely not.

Even if the vendors delivered flawless code, there's still integration and customization unique to each school that can introduce some ugly stuff that puts student information at risk.

Be wary and don't be afraid to push the people responsible for making things right.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in automated scanner oversights, FERPA, government regulations, pii, scary stuff, student information systems, third-party applications, web application security, web server security | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • How you can get developers on board with security starting today
    Some people - including a brilliant colleague of mine - think security is not the job of software developers . In the grand scheme of things...
  • NetScan Tools LE - a must-have for investigators
    Have you ever had a need to run a program and get a relatively small amount of data just to do your job but end up getting caught in the com...
  • "Top Blogs" list & some home security considerations
    I think I may have found the first sign that my blog is growing and gaining some traction. I've made it to the Top 20 Home Security Blog...
  • Wooo...HIPAA audits are coming & the irony of KPMG's involvement
    I've always believed that compliance is a threat to business [hence why I help businesses take the pain out of compliance by addressing ...
  • Great tool for seeking out sensitive info on your network
    One of the greatest risks in business today is the issue of unstructured information scattered about the network waiting to be misused and ...
  • It's hard being human
    Cavett Robert once said something about character that resonates within information security - especially regarding ongoing management and l...
  • Dario Franchitti and I
    As many of you know I'm a motorsports nut -both as a driver and a fan. This provided the influence for my Security On Wheels logo. Well,...
  • The value of partial code scanning, now
    Check out my new piece on the business value of partial code scanning where I outline why it's better to start your source code analysi...
  • Be it in healthcare or infosec, the short term is for losers
    With all the doctor & hospital visits I've gone (and am still going) through with family members in the past few years, I've com...
  • Live from #RSAC: Cloud computing's got some kinks (but you knew that)
    I'm attending the RSA Conference this week and just sat through a panel discussion on cross-jurisdictional issues in the cloud. It was p...

Categories

  • active directory
  • application firewalls
  • APTs
  • aslr
  • atm security
  • audio programs
  • audit logging
  • automated scanner oversights
  • back to basics
  • backups
  • big brother
  • bitlocker
  • budget
  • business case for security
  • business continuity
  • BYOD
  • car hacking
  • careers
  • certifications
  • change management
  • checklist audits
  • cissp
  • clear wireless
  • cloud computing
  • communication
  • compliance
  • computer glitch
  • conferences
  • consulting
  • content filtering
  • cool products
  • cool sites
  • cross-site request forgery
  • cross-site scripting
  • csrf
  • customer no service
  • cybersecurity bill
  • data at rest
  • data breach laws
  • data breaches
  • data centers
  • data destruction
  • data leakage
  • data protection
  • data retention
  • database security
  • degrees
  • desktop management
  • disaster recovery
  • disk imaging
  • disposal
  • dns
  • document security
  • domino
  • DoS attacks
  • drive encryption
  • e-discovery
  • ediscovery
  • employee monitoring
  • encrypting data in transit
  • encryption
  • end point security
  • ethical hacking
  • exchange
  • experience
  • expert witness
  • exploits
  • facebook
  • FERPA
  • file integrity monitoring
  • firewalls
  • forensics
  • full disk encryption
  • global warming
  • goal setting
  • good blogs
  • government intrusion
  • government regulations
  • great quotes
  • hacking
  • hardware
  • hipaa
  • hitech
  • hitech act
  • home security
  • humor
  • identity access management
  • identity theft
  • IIS
  • incident response
  • information classification
  • information security quotes
  • intel
  • intellectual property
  • internal threat
  • java
  • Kevin's books
  • Kevin's interviews
  • Kevin's keynotes
  • kevin's panels
  • kevin's quotes
  • Kevin's security content
  • Kevin's seminars
  • Kevin's videos
  • laptop encryption
  • laptop security
  • legal
  • Linux
  • locking screens
  • low-hanging fruit
  • malware
  • marketing hype
  • message from Kevin
  • messaging security
  • metasploit
  • metrics
  • mobile apps
  • mobile security
  • motivation
  • multi-factor authentication
  • network analysis
  • network complexities
  • network protocols
  • network security
  • networking essentials
  • Novell
  • office
  • online backup
  • online safety
  • open source security
  • owasp
  • p2p
  • passwords
  • patch management
  • patching
  • pci 6.6
  • pci dss
  • PCNAA
  • penetration testing
  • people problems
  • personal responsibility
  • phishing
  • physical security
  • pii
  • podcasts
  • policy enforcement
  • politics
  • presentations
  • privacy
  • quality assurance
  • recommended books
  • recommended magazines
  • recycling
  • remote access security
  • ridiculous password requirements
  • risk analysis
  • risk management
  • rogue insiders
  • ROI
  • RSA 2012
  • running a business
  • saas
  • salary
  • scary stuff
  • sccm
  • sdlc
  • security assessments
  • security audits
  • security awareness
  • security committees
  • security leadership
  • security management
  • security operations
  • security policies
  • security policy
  • security scans
  • security standards
  • security statistics
  • security technologies
  • security testing tools
  • security tools
  • selling security
  • sharepoint
  • small business
  • smartphone security
  • SMBs
  • social media
  • software development
  • source code
  • source code analysis
  • special offer
  • SQL injection
  • sql server
  • ssl
  • storage security
  • student information systems
  • stupid security
  • success
  • telecommuting
  • testimonials
  • thinking long term
  • third-party applications
  • threat modeling
  • time management
  • training
  • twitter
  • uncool products
  • unstructured information
  • unstructured infromation
  • user awareness
  • vendors
  • virtual machine security
  • visibility
  • voip
  • vulnerability assessments
  • web 2.0
  • web application security
  • web browser security
  • web server security
  • webcasts
  • WebInspect
  • whitelisting
  • whitepapers
  • Windows
  • Windows 7
  • windows 8
  • windows 8.1
  • Windows Mobile
  • windows security
  • Windows Vista
  • wireless
  • wireless security
  • zero tolerance

Blog Archive

  • ▼  2013 (35)
    • ►  November (3)
    • ►  October (3)
    • ►  September (1)
    • ►  August (2)
    • ►  July (3)
    • ►  June (1)
    • ►  May (4)
    • ►  April (4)
    • ►  March (4)
    • ►  February (5)
    • ▼  January (5)
      • What's your communication style?
      • Introducing the brand new Hacking For Dummies, 4th...
      • Student information systems rife with security flaws
      • Dear Neal Boortz,
      • How are you getting your points across?
  • ►  2012 (77)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (3)
    • ►  August (3)
    • ►  July (4)
    • ►  June (5)
    • ►  May (9)
    • ►  April (5)
    • ►  March (10)
    • ►  February (14)
    • ►  January (16)
  • ►  2011 (163)
    • ►  December (15)
    • ►  November (11)
    • ►  October (9)
    • ►  September (16)
    • ►  August (13)
    • ►  July (8)
    • ►  June (13)
    • ►  May (18)
    • ►  April (16)
    • ►  March (13)
    • ►  February (13)
    • ►  January (18)
  • ►  2010 (170)
    • ►  December (10)
    • ►  November (14)
    • ►  October (7)
    • ►  September (27)
    • ►  August (20)
    • ►  July (8)
    • ►  June (15)
    • ►  May (4)
    • ►  April (23)
    • ►  March (21)
    • ►  February (11)
    • ►  January (10)
  • ►  2009 (55)
    • ►  December (5)
    • ►  November (10)
    • ►  October (21)
    • ►  September (19)
Powered by Blogger.

About Me

Unknown
View my complete profile