Compromising vital infrastructure: problems in education security continue

The educational system and many of its elements are targets for cybercriminals on a regular basis. While education is a fundamental human right recognized by the United Nations, the financial means of many schools and other entities in the global educational system are often limited.

These limited budgets often result in weak or less-than-adequate protection against cyberthreats. Unfortunately, organizations in this industry are forced to economize and cut the costs of security.

Record keepers

Schools by nature have a lot of personal data on record—not only about their students, but in most cases, they also have records of the parents, legal guardians, and other caretakers of the children they educate. And the nature of the data—grades, health information, and social security numbers, for example—makes them extremely valuable for phishing and other social engineering attacks.

Ransomware can also have a devastating effect on educational institutions, as some of the information, like grades for example, may not be recorded anywhere else. If they are destroyed or held for ransom without the availability of backups, the results can be disastrous.

Special circumstances

Organizations in the education industry have some special circumstances to deal with when trying to protect their data and networks:

  • Many schools use special software that allows their students to log in both on premises and remotely so they can view their grades and homework assignments. These applications occasionally get hacked by students.
  • Growing networks enlarge the attack surface. Modern education requires children of young ages to learn computer skills, so many students are connected to the institution’s network at once.
  • If a tech-savvy student wants a day off, claims that he couldn’t access his homework assignments, or simply wants to brag, what’s to stop him from organizing or paying for a DDoS attack? Kids will be kids.
  • Schools often also harbor a mix of IoT and BYOD devices, which each come with their own potential problems. Some schools have noticed a spike in malware detections after holiday breaks, when infected devices get introduced back into the school environment.

The sensitive nature of the data and having an open platform for students at the same time creates a difficult situation for many educational institutions. After all, it is easy to kick in a door that is already half open—especially if there is a wealth of personally identifiable information (PII) behind it.

The current situation

An analysis in December 2018 by SecurityScorecard ranked education as the worst in cybersecurity of 17 major industries. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence, and network security.

In our 2019 State of Malware report, we found education to be consistently in the top 10 industries targeted by cybercriminals. Looking only at Trojans and more sophisticated ransomware attacks, schools were even higher on the list, ranking as number one and number two, respectively.

So, it shouldn’t come as a surprise that according to a 2016 study entitled: The Rising Face of Cyber Crime: Ransomware, 13 percent of education organizations fall victim to ransomware attacks.

Malware strikes hard

Like many other organizations, educational institutions are under attack by the most active malware families, such as Emotet, TrickBot, and Ryuk, which wreaked havoc on organizations for the better part of the 2018–2019 school year.

Last May, the Coventry school district in Ohio had to send home its 2,000 students and close its doors for the duration of one day. The cause was probably a TrickBot infection, but the FBI is still busy with an ongoing investigation.

In February 2019, the Sylvan Union School District in California discovered a malware attack that made staff and teachers lose their connection to cloud-based data, networks, and educational platforms. Reportedly, they had to spend US$475,700 to clean up their networks.

On May 13, 2019, attackers infected the computer network of Oklahoma City Public Schools with ransomware, forcing the school district to shut down its network.

But it’s not just malware that educational institutions need to worry about. Scott County Schools in Kentucky paid US$3.7 million out to a phishing scam that posed as one of their vendors.

Unfortunately, that’s money many school districts, especially those in impoverished communities, cannot afford to pay out. So what can they do to get ahead of malware attacks before valuable data and funding fly out the bus window?

Recommended reading: What K–12 schools need to shore up cybersecurity

Countermeasures

Given the complex situation and sensitive data most educational organizations have to deal with, there are a host of measures that should be taken to lower the risk of a costly incident. Recognizing that many schools must divert public funding to core curriculum, our recommendations represent a baseline level of protection districts should strive toward with limited resources.

  • Separate educational and organizational networks, with grades and curriculum in one place, and personal data in another. By using this infrastructure, it will be harder for cybercriminals to access personal data by using leaked or breached student and teacher accounts.
  • DDoS protection. DDoS attacks are so cheap ($10/hour) nowadays that anyone with a grudge can have an unprotected server taken down for a few days without spending a fortune. The possible scope of DDoS attacks has increased significantly now that attackers have started using Memcached-enabled servers. To put a stop to outrageously large DDoS attacks, those servers should not be Internet-facing.
  • Educate staff and students about the dangers they are facing and the possible consequences of not paying enough attention. Teachers can absorb cybersecurity education into reading comprehension lessons, and staff could benefit from awareness training during professional development days.
  • Lay out clear and concise regulations for the use of devices that belong to the organization and the way private devices are allowed to be used on the grounds.
  • Backups should be up-to-date and easy to deploy. Ransomware demands are high and even when you pay them, there is always the chance the decryption may fail—or never existed in the first place.
  • Investing in layered protection may seem costly, but compared to falling victim to malware or fraud, the investment is worth it.
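As an added example (not from the article or Malwarebytes), a small POSIX shell audit a school's IT staff could run to flag a memcached configuration that is still reachable as a DDoS amplifier. It assumes a Debian-style memcached.conf with one option per line and, to be conservative, treats a missing -U as UDP being enabled.

```shell
# Audit a memcached.conf for settings that leave the server usable as a
# DDoS amplifier: a listen address that is not loopback, or UDP left on.
# Assumption (not from the article): one option per line, e.g.
#   -l 127.0.0.1
#   -U 0
# Returns 0 when the config looks safe, 1 when it is exposed.
memcached_exposed() {
  cfg="$1"
  # Listen address; memcached binds all interfaces when -l is absent.
  listen=$(sed -n 's/^[[:space:]]*-l[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
  # UDP port; treat an absent -U as enabled so older builds are not missed.
  udp=$(sed -n 's/^[[:space:]]*-U[[:space:]]*\([0-9]*\).*/\1/p' "$cfg" | tail -n 1)
  exposed=0
  case "$listen" in
    ""|0.0.0.0|::)
      echo "listen address '${listen:-<unset>}' binds every interface; use -l 127.0.0.1"
      exposed=1 ;;
    127.0.0.1|::1|localhost)
      ;;   # loopback only: not reachable from the Internet
    *)
      echo "listen address '$listen' is not loopback; confirm it is firewalled"
      exposed=1 ;;
  esac
  case "$udp" in
    0) ;;   # UDP disabled: the amplification vector is closed
    *)
      echo "UDP port '${udp:-<unset>}' is enabled; set -U 0"
      exposed=1 ;;
  esac
  return "$exposed"
}

# Usage: memcached_exposed /etc/memcached.conf && echo "memcached config OK"
```

A non-zero exit with a printed reason is meant to feed a nightly check or a ticket, not just a console message.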

In fact, all of these measures will cost money, and we realize that will need to come out of a tight budget. But funding, or the lack thereof, cannot be an excuse for weak security. Cybercrime is one of the biggest chunks of the modern economy. And guess who’s paying for most of that? Those who didn’t invest enough in security.

What a strange paradox that one of the best weapons against cybercrime is education, but that organizations in education have the biggest problems with security. We at Malwarebytes, with the help of educational leaders, aim to change that.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.