Tag: cybersecurity

For Schools, Socially Distanced Learning Underscores Need For Stronger Data Protection

By Wayne Dorris, CISSP, business development manager, cybersecurity, Axis Communications, Inc.

What does “security” mean in the context of a school? Until recently, the first things that came to mind were probably physical security technologies like surveillance cameras, metal detectors, access control stations, and even just good old-fashioned locks.

But the recent COVID-19 crisis has changed that: because of the nationwide shift toward remote learning that the pandemic has prompted, schools have been forced to reevaluate their cybersecurity policies and requirements as they work to keep their data safe amid increased reliance on videoconferencing, learning management portals, and other online educational tools.

Distance Learning Tools in the Spotlight

One of the first security concerns to gain public attention was the vulnerability of the web’s most popular videoconferencing tools. Zoom, in particular, gained notoriety for the problem of “Zoom Bombing,” where random individuals would be able to drop into meetings run by others without being invited.

With much of the population working from home and relying on remote web conferencing tools, Zoom saw a massive spike in daily users, from 10 million in December 2019 to 200 million in March 2020, a dramatic increase that put the previously small problem of Zoom Bombing into the public eye.

Zoom has, fortunately, implemented additional security controls specifically designed to combat Zoom Bombing, but these controls are optional and must be selected by the user. This underscores the need for effective training.

It isn’t fair to pick on Zoom, of course—in fact, Zoom’s problems highlight one of the biggest struggles facing both schools and businesses specializing in remote learning tools. Such a massive spike in remote users over a short period of time means that IT departments lacked the time to evaluate the security controls for remote learning products, and the makers of those products may not have had time to refine those controls for such heavy use.

Learning management systems (LMS) are a great example of this. Used to store grades and enable students to remotely turn in homework, LMS have long been a convenient tool for schools; however, they have generally had the benefit of operating within the safety of the school’s network. And although a bored student might occasionally attempt to hack their grades, LMS platforms have generally not been in the crosshairs for cyberattackers.

University’s Security Teams Must Work Under The Assumption That A Successful Cyber Attack Will Occur

Response from Doron Pinhas, CTO, Continuity Software.

As higher education institutions compete for prospective students and look to improve offerings for those during scouting, registration and on campus, universities are already using innovations such as artificial intelligence-enabled teaching assistant programs and advanced data collection and analysis to gain an edge.

The IT environments on which universities depend are most often hybrid and multi-cloud and, because of all the new technologies, should be available 24X7. Think about a course registration system that is down exactly as everyone is trying to register.

From a cybersecurity perspective, the university’s security teams must work under the assumption that a successful attack will occur, and ensure the organization’s ability to recover its systems and data in a very short time from such an event.

One pressing area of improvement is assuring the ability to recover your data. One of the most alarming scenarios of a cyberattack is when both the data and its backup are destroyed in a hacking incident, thus leaving the organization with no way to recover.

This could be a result of a ransomware attack where encrypted data has been propagated to the recovery copies or because the attacker stole credentials allowing the deletion of both data and its backup. An attack with such consequences can derail any organization, leading to severe business outcomes.

We see many organizations looking at automating cyber resilience configuration assessments, whose aim is to ensure that recovery and backup copies of data are kept in a secure and isolated manner while meeting cyber-recoverability configuration best practices and compliance with regulations and standards and security baseline requirements.

These objectives are achieved using automatic and continuous processes of knowledge-driven IT configuration analysis to ensure compliance with vendor and industry best practices, and detection and repair of deviations from best practice.

How To Protect Against Data Loss and Cyberattacks

Response from Mihai Corbuleac, senior IT consultant, StratusPointIT

The impact on reputation, operations and financial resources from a successful cyberattack can be wide-ranging and, hence, devastating. From data loss to extensive downtime, your IT staff and senior management team carry the heavy weight of responsibility.

So, if you don’t have sufficient expertise in-house, try to outsource, because the cost to reputation alone, if sensitive data is compromised, will make that investment viable. Check what systems are connected to the internet and if they don’t have to be, disconnect them, in order to reduce your exposure to cyber-attacks.

Make sure you back up your data regularly, and ensure you can restore from backups fast. Once you verify that you can recover from an attack, then start implementing some of the protections that are necessary to keep your data safe. Last but not least, train all your staff, make sure they understand how easy it is to unwillingly upload malware.

Additionally, email service is still the most common delivery method for malware which means that the human component is still the weakest link in the security chain and that’s because they don’t know what to expect, what an attack looks like, etc.

Employees should be educated in regard to cybersecurity, and business executives should begin using training platforms for that. Also, ensure that all employees access their work email from secure devices, preferably not their personal devices, and that they don’t open unsolicited emails or download suspicious attachments.

What Steps Must Education’s IT Leaders Take To Protect Back End Data and Information?

Response from Nathan Maxwell, founder, Communication Concepts, Inc.

Educational institutions are a target for cyber crime, just like any other business or non-profit. Concrete, measurable steps need to be taken to protect assets. Making use of a framework greatly helps this. A framework has specific metrics and criteria included in it. This provides a tangible resource to assess against. Usually, an outside team is brought in to walk through the assessment. Once the assessment is done, a remediation list exists. With a list, priorities are established and budget/human capital are applied. 

FERPA is a federal law that addresses privacy of student records. It is not broad enough for a school to base its entire cyber security posture on. 

Specific steps that all institutions should take include:

What should education’s IT leaders be most aware of in the current threat landscape?

The old saying, “When everything is important, nothing is important” comes to mind. There are always external threats. They will never go away. But, learning institutions are in a unique spot when it comes to insider threats. Insider threats, in a traditional business, are where staff are working as, or being used by, criminals. Schools are unique targets for insider threats.

They exist to encourage learning, challenging ideas, trying new things, even pushing boundaries. Labs need to be set up for students to learn and try things. The same systems students use for learning, academia uses for grading, class management, and transcript creation. Students are brought very close to critical systems. Insider threats are a very real threat to educational institutions.

How Education Leaders Can Address Cyber Security Issues

By Dror Liwer, co-founder and CISO of Coronet.

At a time when school systems are collecting more data than ever and implementing new technology to improve their classrooms, education leaders must act to better secure the personal information of their students, staff and stakeholders. Unfortunately, instead of bolstering security, reports are showing that the education industry ranks dead last in cyber security, pointing to low awareness, limited budgets and a lack of expertise, making many schools easy targets for cyber criminals.

The growing threat against schools

Educational data is a valuable black-market commodity because student records often contain information such as birth dates, addresses, Social Security numbers and, in some cases, financial records. In fact, since 2016, K-12 institutions have been hit with more than 400 cyber security incidents, and in 2018 alone, there were 122 publicly-disclosed cyber security incidents impacting schools in 38 states, according to the K-12 Cybersecurity 2018 Year in Review report.

Additionally, in December 2018, a hacker stole the personal details for more than 500,000 staff and students from the San Diego Unified School District. And just a few weeks ago, Louisiana Governor John Bel Edwards issued a statewide emergency declaration in response to a cybersecurity incident that affected several school districts. That same month, Watertown city school district in New York was hit with a severe attack that prevented employees from logging into accounts or accessing files. The bottom line is, based on the treasure-trove of data educational organizations have access to, coupled with a lack of budget, awareness and protocol, schools are vulnerable to advanced cyber attacks, and criminals know it.

New technology brings new risk

Fortunately, awareness is spreading. Technology chiefs indicated in the CoSN IT Leadership survey that cyber security is now one of their top priorities. Education leaders are also recognizing that these attacks not only have the potential to cause financial loss for schools, donors, students, and staff, but they can also erode trust in the educational institution itself. For students, it’s not just about their privacy and preventing identity theft, but also about their future academic and workplace careers.

Ultimately the problem for school systems rests in constrained budgets, inadequate cyber security staffing, and in some cases, senior leaders who may not truly understand the threats they are facing. Out of 17 industries analyzed, education ranked last in cyber security, according to the 2018 Education Cybersecurity Report.

Most schools are accustomed to putting student education at the forefront, and while they may also devote energy and resources to physical security, it can be easy to overlook the modern threats lurking in connected systems. Behind the promise and excitement of smart boards, smart TVs, laptops, tablets, and IoT devices, criminals are waiting to exploit vulnerabilities.

One major issue is the large number of staff and administrative users with personal and school devices that expands the attack surface. Many schools now have students utilizing their own laptops during school hours, bringing more points of vulnerability into the school. For example, students or faculty could be working remotely on an unsecured Wi-Fi network, opening the possibility of an attacker gaining access to a school’s system. Many also use apps such as Office 365, Dropbox, GSuite and Slack to communicate and collaborate on projects. While these apps do offer some security, they are often no match for the advanced cyber threats that are changing daily. If a student were to unknowingly share a document infested with malware to Dropbox, it could compromise the entire system.

Taking action

There are several actions that educators should take to mitigate cyber risks. One place to start is with a simple risk assessment to identify vulnerabilities. This could include an inventory of all devices and connections in the system, including BYODs, along with apps and software. During this assessment, questions should be asked such as “How is the technology being used?” and “What processes and protocols are in place?” Comprehensive risk assessments can often reveal several simple ways a school can improve its security.

Other cost-effective steps that leaders should take include:

Additionally, schools, much like enterprises, should have a system to back up data and a plan for recovery should an attack occur. For it is slowness or lack of preparedness that often leads to the most serious disruption.

Education leaders can find several resources to assist with planning, including those at the Readiness and Emergency Management for Schools Technical Assistance Center and The National Initiative for Cybersecurity Education (NICE).

Finally, as human awareness is a critical component of cyber security, students, faculty and staff should be educated on cyber security issues, how to reduce the risks and what procedures to follow in the event of a breach. For all employees, such training should occur before every school year and for students, computer security literacy should begin as early as the third grade. While cyber security risks will always be a reality in today’s digitally-connected environment, school-wide awareness, planning, and education can reduce many of a school’s vulnerabilities, lowering its risk and better protecting the sensitive data of its students and faculty.