Lucy Security works with many K-12 districts across the country to help build cybersecurity awareness and protect against phishing attacks (most ransomware attacks start with a simple phishing email).
Below are some comments from Colin Bastable, Lucy CEO, about the types of trends and issues he sees and what K-12 IT departments can do to protect their employees, pupils and district resources from clever cyber attackers.
According to Colin Bastable, CEO of security awareness training firm Lucy Security:
Education: an easy target for cyber attackers
K-12 school districts range from fewer than 100 employees to several thousand. Some have tiny budgets, and some have more significant resources, but they all struggle with vulnerability to cybersecurity attacks. Just this week, CNN reported that a Texas school district lost $2.3 million to an email phishing scam. Unfortunately, this news is just the latest in an ever-increasing trend of cyberattacks targeting K-12 schools.
According to the K-12 Cybersecurity Resource Center, more than 752 cyber incidents at K-12 schools have been reported since January 2016, resulting in loss of productivity as well as much-needed funds.
Common K-12 cyber scams
One common scam is the Gift Card Scam, where an email purporting to be from the school principal or a head of department asks an administrator or assistant if they can buy some $100 gift cards. Often, this might be during a break, such as Thanksgiving, when the school staff are unlikely to meet.
Once the admin has the cards, they email a reply (to the fake email address) saying “I have them” and the thief asks them to scratch off the security number and send pictures of the cards, “because I need to get the gift to the students today.”
Another common attack is to send a change of bank deposit details to the school payroll staff.
These are quite simple attacks, yet extraordinarily successful. More sophisticated attacks involve BEC (Business Email Compromise) attacks, like the gift card scam, but involving hundreds, thousands and millions of dollars in losses, where the imposter asks for urgent payments to be authorized.
Ransomware attacks are also prevalent in K-12 and local governments, causing multi-million-dollar losses and billions of losses worldwide.
Response from Samir Tout, professor of information assurance, School of Information Security and Applied Computing, Eastern Michigan University.
In the last decade, we have witnessed a shift in the IT landscape with the rise of cloud computing, mobile devices and the Internet of Things (IoT). As a result, a new era has begun—one that brings along promising infrastructural enhancements, albeit with new challenges to the modern enterprises, including educational institutions. This necessitates that IT leaders at schools and universities perform a thorough analysis of how this will impact their systems, networks, and most importantly their data.
Educational institutions produce a massive amount of data about their students and staff. Such data constitutes a luring treasure trove for hackers who may launch advanced attacks against various layers of the school/university systems. IT leaders at these institutions must pay attention to key measures that are still common even to a great degree to the modern IT landscape.
If established, these measures would mitigate or possibly eliminate the risks of potential intrusions. They include: system hardening, secure perimeter architecture, anti-malware and endpoint defenses, strong encryption, establishing and adopting security policies, and applying information security principles such as least privilege, separation of duties, and role-based access control.
Furthermore, one of the most forgotten yet important measures is security awareness training and professional development for the staff that maintain the institution’s infrastructure. This has become even more vital with the advent of the modern IT landscape mentioned above, as staff members must stay up-to-date or otherwise risk being ill-equipped to properly maintain the infrastructure and its hosted data.
IT leaders must set strategic goals that embrace the above measures as part of the fabric of the institution. This means, among other things, that they include them in their strategic plan, allocate proper budgets for them, and support them with resources and, when necessary, expedited approvals.
Good cyber hygiene is critical to protecting “back end data.” Regular software updates and patch management are critical in mitigating known software vulnerabilities.
Two-factor authentication is vital to hedge against phishing and other social engineering attacks. Appropriate data encryption serves to protect critical data. And, vulnerability scanning/management of the environment is key to identifying and closing all known system vulnerabilities.
Modern firewalls and end-point protection protect against ransomware and reduce the overall threat landscape. And cyber security awareness training for all users is critical to help them understand common social engineering-based threats and attacks. Assess and validate cyber security controls in place to protect data stored in any hosted/cloud-based system.
The current IT landscape is full of concerns. Anything that cybercriminals can monetize is a risk. Probably the most common problem I hear about is ransomware, which can be addressed by managing patches/updates and ensuring off-site backups are regularly completed (and isolated).
You know what you’re doing, and the service you’re providing is helping teachers teach and students learn. In my case, that’s directly what my colleagues and I are doing, putting teachers and students together in web and video conferences, integrated with their learning management systems. I know what we’re doing is making the process of education easier, better and more efficient. We’re absolutely helping more students access their teachers and helping more teachers use the modern tools of teaching.
That’s comforting. And rewarding.
But it is also isolating and challenging at the same time.
The 22 part is that for anyone to recognize your work, they have to see you, know you’re there. They need to understand that great bridges require great bridge builders.
The catch part is that, if you do your education IT job well, you’re invisible. Your IT can be so good, so seamless and so intuitive that no one has any idea you were ever there. Or that it did not simply just work that way to start.
In IT, being invisible is winning, even though it may not always feel that way. I liken it to what a studio-level makeup artist must feel – you know, the person who makes movie stars look great or gruesome, depending on the role. If you’re at the movies and you’re talking about the makeup, something probably went wrong. It’s only when they’re really good that they can fade away.
And sure, knowing you do good work is satisfying. And please don’t misunderstand, I’m not in this business for glory and adulation. I feel certain that almost no one goes into education for that. Still, what we do – those of us who build the bridges and apply the makeup of education IT – is not easy. Or free, unfortunately.
It can also be a marketing challenge. Wrap your head around this sales pitch. “What I do is so smooth and subtle that, once you start using it, you won’t notice it at all.” Where do you sign, right?
I exaggerate. People do notice when they have to drive around a river instead of having a bridge to cross. But once it’s up, people don’t remember what it was like before. And people who’ve become used to driving around an obstacle, or not traveling at all, don’t know cool bridges are available.
Polluting my metaphors again, I think back to the talented make-up artist who probably has to go pitch new producers and directors by saying, “You probably didn’t notice me at all in this other movie, but …”
To tell you the truth, though, I’m not deterred by the education IT paradox. Solutions that work are always in demand. Bridges are easy to sell when people have to get somewhere. When people look at nearby towns and cities and say, “hey, how did you get that cool bridge?” the phone rings.
And the big education dynamics favor companies like ours. More and more people are studying online, and more schools are needing to invest in tools that make that reality easier and safer.
But as it does, I feel for others in education IT or in IT in general – on staff or on their own. I know that some of the best among us are the least seen. That’s what happens when we do our jobs well. And it can get old. It’s also not likely to change. I cannot see a future in which IT solutions have pretty construction plaques saying, “Built by Julie Carter at IT Solutions in 2019” or whatever. So, we’re just going to have to accept that as the way it is.
At the same time, we can take comfort in the real value we’re providing, unseen as it may be. Cynical types may say that gleaning value from the service you provide, regardless of recognition, is cold comfort. I prefer to think of it as warm comfort. It can be easy to forget that IT is about making connections and helping people do great things, in our case, helping people learn. When we do that, we’re doing right, whether anyone notices or not.
At a time when school systems are collecting more data than ever and implementing new technology to improve their classrooms, education leaders must act to better secure the personal information of their students, staff and stakeholders. Unfortunately, instead of bolstering security, reports are showing that the education industry ranks dead last in cyber security, pointing to low awareness, limited budgets and a lack of expertise, making many schools easy targets for cyber criminals.
growing threat against schools
Educational data is a valuable black-market commodity because student records often contain information such as birth dates, addresses, Social Security numbers and, in some cases, financial records. In fact, since 2016, K-12 institutions have been hit with more than 400 cyber security incidents, and in 2018 alone, there were 122 publicly-disclosed cyber security incidents impacting schools in 38 states, according to the K-12 Cybersecurity 2018 Year in Review report.
Additionally, in December 2018, a hacker stole the personal details for more than 500,000 staff and students from the San Diego Unified School District. And just a few weeks ago, Louisiana Governor John Bel Edwards issued a statewide emergency declaration in response to a cybersecurity incident that affected several school districts. That same month, Watertown city school district in New York was hit with a severe attack that prevented employees from logging into accounts or accessing files. The bottom line is, based on the treasure-trove of data educational organizations have access to, coupled with a lack of budget, awareness and protocol, schools are vulnerable to advanced cyber attacks, and criminals know it.
brings new risk
Fortunately, awareness is spreading. Technology chiefs indicated in the CoSN IT Leadership survey that cyber security is now one of their top priorities. Education leaders are also recognizing that these attacks not only have the potential to cause financial loss for schools, donors, students, and staff, but they can also erode trust in the educational institution itself. For students, it’s not just about their privacy and preventing identity theft, but also about their future academic and workplace careers. Ultimately the problem for school systems rests in constrained budgets, inadequate cyber security staffing, and in some cases, senior leaders who may not truly understand the threats they are facing. Out of 17 industries analyzed, education ranked last in cyber security, according to the 2018 Education Cybersecurity Report.
Most schools are accustomed to putting student education at the forefront, and while they may also devote energy and resources to physical security, it can be easy to overlook the modern threats lurking in connected systems. Behind the promise and excitement of smart boards, smart TVs, laptops, tablets, and IoT devices, criminals are waiting to exploit vulnerabilities.
One major issue is the large number of staff and administrative users with personal and school devices that expands the attack surface. Many schools now have students utilizing their own laptops during school hours, bringing more points of vulnerability into the school. For example, students or faculty could be working remotely on an unsecured Wi-Fi network, opening the possibility of an attacker gaining access to a school’s system. Many also use apps such as Office 365, Dropbox, GSuite and Slack to communicate and collaborate on projects. While these apps do offer some security, they are often no match for the advanced cyber threats that are changing daily. If a student were to unknowingly share a document infested with malware to Dropbox, it could compromise the entire system.
several actions that educators should take to mitigate cyber risks. One place to start is with a simple risk assessment to identify vulnerabilities. This could include an inventory of all devices and connections in the system, including BYODs, along with apps and software. During this assessment, questions should be asked such as “How is the technology being used?” and “What processes and protocols are in place?” Comprehensive risk assessments can often reveal several simple ways a school can improve its security.
Other cost-effective steps that leaders should take include:
a cybersecurity plan that covers the management of networks, maintenance of equipment, establishment of policies and how human practices and solutions will protect the data.
endpoint security, application security and processes for ensuring patches and
strong password and protection on all devices.
visitors from using the WiFi.
Additionally, schools, much like enterprises, should have a system to back up data and a plan for recovery should an attack occur. For it is slowness or lack of preparedness that often leads to the most serious disruption.
Finally, as human awareness is a critical component of cyber security, students, faculty and staff should be educated on cyber security issues, how to reduce the risks and what procedures to follow in the event of a breach. For all employees, such training should occur before every school year and for students, computer security literacy should begin as early as the third grade. While cyber security risks will always be a reality in today’s digitally-connected environment, school-wide awareness, planning, and education can reduce many of a school’s vulnerabilities, lowering its risk and better protecting the sensitive data of its students and faculty.
Academic institutions face many challenges due to how the ever-changing nature of technology affects the management and distribution of licenses. No longer can schools afford to leverage traditional models to ensure their students, faculty, and staff are equipped with the right technology to succeed. Innovative and scalable new IT solutions must be developed to create the backbone for academic success and greater user experiences. This includes such things as exploring sustainable licensing criteria, centralized funding models, and risk reduction initiatives.
at higher educational institutions need the freedom to choose the tools they use to teach. But when resource procurement is decentralized, there is no visibility into what tools are being ordered, in what quantity, from which vendors, and at what price. This makes it impossible for institutions to optimize their budgets and ensure compliance with all laws, terms, and
crucial for institutions to develop enforceable and sustainable licensing criteria that include clear guidelines around what products their faculty can license, in what quantities, and from which vendors. Organizations can accomplish this by giving faculty more visibility into what resources are available and what terms and conditions they come with; or by establishing a request-and-approval process for faculty wanting to adopt resources their school has not already licensed.
University of Utah did both, setting up a secure, centralized repository containing all assets available to faculty. Educators have self-serve access to all resources the school has already licensed, and requests for new assets can be submitted directly through the repository and are visible to other users who may need the same resources. By ensuring faculty are aware of what’s available and what’s been requested, and by requiring them to get approval for new resources, the university has established a more efficient and less risky way for educators to select their teaching tools.
ideal world, all software would be procured and funded centrally at the enterprise level, ensuring that compliance requirements are met, and that the lowest prices are secured. Unfortunately, central funding models can be too rigid for many institutions as they often require a certain level of demand for a product before any licenses are ordered. This can result in frustrating waits for faculty and students who need resources that aren’t in high demand. Alternatively, these models may result in institutions over-ordering certain products and losing money on unused licenses. So institutions often allow individual departments, or even individual faculty, to handle the procurement of their own resources.
counter this, Queen’s University explored the option of implementing a cost-recovery plan. Under their model, software would be procured centrally at very high volumes to get the best pricing available. The school could then ‘sell’ licenses to individual end users for far below the equivalent retail price or other volume-license/academic pricing. These chargebacks, combined with the savings the school sees by purchasing in bulk, would save Queen’s a significant amount compared to the cost of ordering licenses on an as-needed
licensing is complex, and with complexity comes risk. Institutions are responsible for ensuring compliance with all terms and conditions attached to every piece of software they license, from campus-wide essentials to niche products used by a single faculty member. This is already an uphill battle. As vendors transition their products to the cloud, move to time-based delivery models and inflexible clickwrap agreements (which are often updated without notice), software management and distribution will become even more complicated – and riskier.
teams need visibility into what software is being purchased, installed, and used at their institutions. They must ensure that the number of licenses installed does not exceed the quantity purchased. All stakeholders should clearly understand all usage rights and restrictions attached to every product they use, and comply with them diligently. Procurement and IT teams need to vet service agreements against their own legal, privacy, accessibility, and computing policies, as well as applicable laws.
reduction must be a core priority in any college or university’s software licensing strategy. Aggregated and centralized management of software licenses can help with this by reducing the overall level of risk to schools through visibility and education.
K-12 and higher education entities require different perspectives on their IT strategy compared to IT strategies for corporate campuses. However, there are common themes and major technology trends that create similar IT challenges for both.
The proliferation of personal internet connected devices (primarily in the form of cell phones and other gadgets) and new web applications have caused various tectonic shifts that require similar fundamental changes in the security posture and campus connectivity strategies.
Corporations have tried to resist the use of personal connected devices within the office network environments and have tried to block the use of other unauthorized web applications even when used to serve some business need. This was an unfruitful strategy and the hidden shadow IT, as it is sometimes called, won this grassroots-driven trend. For example, employees started using the freely available file sharing apps (such as Dropbox, Google Drive, etc.) when their corporate-offered alternative lacked features and ease of use.
Similarly, employees continued to use their personal cell phones for business use cases when it was more convenient. Corporate IT had no choice but to embrace the fact that their employees would bring their own devices and in some cases adopt their preferred applications to solve their specific needs. This set of challenges also goes the other way, with corporate-provided connected devices finding their way into personal use cases, such as corporate-provided laptops being used at home.
The solution for corporations is to modify their security posture and rethink their connectivity architectures to be able to support the new reality. These changing trends have meant a shift towards a no-trust security posture versus solely relying on an on-premise-based firewalling approach. It also meant starting to adopt software defined network architectures, namely, SD-WAN (Software Defined Wide Area Networking), for managing and controlling bandwidth in their campuses.
Educational entities are in a similar situation when it comes to the proliferation of connected devices and the use of student-driven applications that can stress the wide area network bandwidth if not properly planned for. Therefore, it makes sense to look at some of the corporate solutions to these very same challenges to figure out how to handle the changing security environment and the increased pressures on bandwidth requirements.
Educational entities and campuses should also modify their security posture to have a zero-trust model whereby it is understood that solely protecting the perimeter of the network, although certainly required, is not enough for a completely secure network design. Unauthorized and uncontrolled devices (such as personal cell phones) will be present with all of their malware that may have collected over time and can create a threat from the inside of the network. Short of keeping these devices off of the network (which we know is not a practical solution) the next best option is to carve out and segregate the bandwidth available for such devices out of the network that the institution uses. By definition, all the sensitive data and resources will therefore be isolated and protected from any potential malware that may be on the personal devices.
This approach, which can be achieved with modern cognitive networking solutions in a highly cost-effective manner, will also provide the much-needed control of WAN bandwidth usage for both networks.
Once a software-defined approach is adopted, IT teams can take advantage of various other features that these modern technologies offer depending on the needs of their networks. For example, multi-WAN aggregation for additional capacity, adding premises-based or cloud-delivered UTM (unified threat management) security solutions and various others are some of the features that can be leveraged.
Even though at a high level corporate networks and networks of educational institutions are highly different with respect to their role, the important commonalities in the challenges both environments face allow both IT teams to learn and adopt solutions that the other has tried