Common Attack Types in the Education Sector
Data breaches: The main reason data breaches happen is human error, either through stolen or weak credentials or through social engineering tactics. A data breach happens when an unauthorized person gains access to protected information such as dates of birth, Social Security numbers, banking information, and medical records. Data breaches can have a devastating impact on students, teachers, and staff.

Phishing: For a phishing attack to be successful, attackers go to great lengths to make their emails appear as legitimate as possible. These emails most often contain links that direct the targeted recipients to an attacker-controlled website that delivers malware or steals user credentials. Such an attack can lead to more sophisticated attacks such as data breaches, malware, or ransomware attacks.

Ransomware attacks: A ransomware attack is financially motivated. It generally aims to damage and steal from an information system or server by targeting vulnerabilities within the network. Furthermore, the use of external devices and the absence of anti-virus software protection make the attacker's task easier. Such attacks can cause a lot of damage to schools because they disrupt key computer systems and school operations and, more importantly, put student data and safety at risk. Ransomware is often spread through phishing emails that contain malicious attachments.

Business email compromise (BEC) scams: Involving the use of email to scam school business officials and staff members out of sensitive information and large amounts of money, including by issuing fake invoices to districts, by redirecting authorized electronic payments to bank accounts controlled by criminals, and by stealing W-2 tax information of district employees.

Denial of service (DoS) attacks: Intended to make school IT resources unavailable to students and staff by temporarily disrupting their normal functioning.

Website and social media defacement: Involving unauthorized changes such as posting inappropriate language and images to a school website or official social media account.

Online class and school meeting disruption: Involves unauthorized access to online classes and meetings for the purpose of disruption. Intruders usually share hate speech, shocking images, sounds, and videos, and threats of violence. Despite the attention drawn to these incidents and the availability of advice on how to defend against them, school districts continued to fall prey to them.

Email compromises: Involving the compromise of a school district's email systems by unauthorized individuals for the purpose of bulk sharing of, or links to, disturbing images, videos, hate speech, and/or threats of violence to members of the school community.

Recommendations
At minimum, the education sector is advised to implement the following to strengthen cyber resiliency:
- Consider cyber insurance: Cybersecurity insurance protects businesses against computer-related crimes and losses. This can include targeted attacks, such as malware and phishing, as well as the occasional misplaced laptop containing confidential material.
- Patching and updating: Staff must install critical updates as soon as they are available. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Create backups: Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Use strong passwords: Use at least 12 characters, with a mix of numbers, symbols, and capital letters in the middle of the password. Never use the same password for more than one account or for personal and business accounts. Consider using a password manager, an easy-to-access application that stores all valuable password information in one place. Do not share passwords on the phone, in texts, or by email. Implement the shortest acceptable time frame for password changes.
- Enable MFA: Use multi-factor authentication (MFA) where possible. Also known as two-factor or two-step verification, this security feature requires the combination of at least two of three factors – something you know, something you have, or something you are. Oftentimes, MFA will use a password and either a code or biometric to fulfill MFA requirements to log in to an account. MFA protects accounts even if a password is compromised.
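The following is an added example, not code from the original advisory, showing how the two factors described above are checked together on the server side: a salted password hash (something you know) and a time-based one-time code (something you have) generated per RFC 4226/6238. The account record layout, the PBKDF2 iteration count and the clock-drift window are illustrative assumptions; the shared secret is the published RFC 6238 reference secret so the codes can be checked against the RFC test vectors. The example also rejects a code that has already been redeemed, which the recommendation does not mention but which any verifier needs.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6     # code length
WINDOW = 1     # accept one time step of clock drift on either side (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Factor one, something you know: salted PBKDF2-HMAC-SHA256 (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def new_account(password: str, totp_secret: bytes) -> dict:
    """Hypothetical account record; a real system keeps this in a database and protects the secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,   # factor two, something you have: provisioned into the authenticator app
        "last_counter": -1,           # highest time step already redeemed, used to refuse replayed codes
    }


def verify_totp(account: dict, code: str, now: int) -> Optional[int]:
    """Return the time step the code matched, or None. Steps at or before the last redeemed one are refused."""
    if len(code) != DIGITS or not code.isascii():
        return None
    current = now // STEP
    for drift in range(-WINDOW, WINDOW + 1):
        candidate = current + drift
        if candidate <= account["last_counter"]:
            continue
        if hmac.compare_digest(hotp(account["totp_secret"], candidate), code):
            return candidate
    return None


def authenticate(account: dict, password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated; the login succeeds only when both pass."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    matched = verify_totp(account, code, now)
    if not pw_ok or matched is None:
        return False
    account["last_counter"] = matched   # redeem the step so the same code cannot be replayed
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 reference secret (test vector, not a real credential)
    acct = new_account("correct horse battery staple", secret)
    print(totp(secret, 59))                                                    # 287082
    print(authenticate(acct, "correct horse battery staple", "287082", 59))    # True
    print(authenticate(acct, "correct horse battery staple", "287082", 59))    # False: code already redeemed
    print(authenticate(acct, "correct horse battery staple", "000000", 89))    # False: right password, wrong code
```

The last line illustrates the recommendation's closing point: a stolen password alone does not pass, because the second factor is checked independently and every code is accepted at most once.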
- Ensure physical security of devices: Do not leave laptops, phones, or other devices unattended in public or even in a locked car. They may contain sensitive information and should be protected against falling into the wrong hands. Turn on device encryption to encrypt all data on each device and reduce the risk to sensitive information in case the device is stolen or misplaced.
- Think before clicking or sharing information: Every time someone asks for business information, whether in an email, text, phone call, or web form, think about whether the request is trustworthy. Scammers will say or do anything to get account numbers, credit card numbers, Social Security numbers, or other sensitive information. Scammers will rush, pressure, or threaten to get targets to give up company information. Do not click any links in emails, as this can lead to credential compromise or malware installation.
- Only give sensitive information over encrypted websites: If a company is banking or buying online, stick to sites that use encryption to protect information as it travels from a computer to the server. Look for “https” at the beginning of the web address in the browser’s address bar, as well as on every page of the site being visited – not just the login page.
- Secure wireless networks: Unsecured routers could easily allow strangers to gain access to sensitive personal or financial information on devices. Users are advised to change their router’s name and password from the default to something unique that only they know. Keep router software up to date and turn off any “remote management” features, which hackers can use to get into the network. Once router setup is complete, log out as administrator to lessen the risk of someone gaining control of the account. Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network.
- Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job descriptions and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
- Catalog and reduce system dependencies: Critical systems dependencies, such as third-party vendors and processes, should be identified and minimized where possible.
- Encryption: Devices should implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices, and this includes protection from side channel attacks that can compromise encryption keys.
- Employee training and awareness: All employees working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
- Trusted procurement procedures: Commercial off-the-shelf hardware and software IT products that are ready-made and available for purchase by the general public must follow strict procurement procedures that only allow installation on certified devices that follow strict security standards.
- Vulnerability management: All organizations are encouraged to implement vulnerability management policies that include vulnerability assessments, a patch management plan, and penetration testing audits, where feasible, on a regular basis to maintain an understanding of an organization’s risk posture.
- Network segmentation: All facilities must deploy proper network segmentation, with DMZ configured and network isolation to protect critical systems. Whenever possible, any industrial control systems should not share the same network with internet-accessible devices.
- Cybersecurity plans: Implement various cybersecurity plans, including continuity of operations plans (COOPs), incident response, disaster recovery, and a data backup plan in which multiple data copies are kept in a physically separate, segmented, and secure location (e.g., a hard drive, a storage device, or the cloud). Establish, test, and update all cybersecurity plans at regular intervals.
- External email tags: Consider adding an email banner to messages originating outside the organization and disabling hyperlinks in email sent from external accounts.
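As an added example that is not part of the original advisory, the Python filter below implements both halves of this recommendation at a mail gateway: messages whose From domain is not one of the organization's own domains get a subject tag and a body banner, URLs in plain-text bodies are rewritten so clients stop rendering them as links, and href attributes are stripped from HTML anchors. The internal domain list, the banner wording and the three sample messages are constructed for illustration; the HTML handling is a simple regular expression that covers quoted href values only.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organization's own sending domains; any other sender is treated as external.
INTERNAL_DOMAINS = {"example-district.edu"}
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email came from outside the organization.\n"
          "Do not click links or open attachments unless you know the sender.")

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# href attribute of an <a> tag with a quoted value (unquoted hrefs are not handled by this example).
HREF_RE = re.compile(r"""<a\b([^>]*?)\shref\s*=\s*(["']).*?\2""", re.IGNORECASE | re.DOTALL)


def is_external(msg: EmailMessage) -> bool:
    """Classify by the domain of the From address; a missing or malformed From counts as external."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def defang_urls(text: str) -> str:
    """Rewrite http(s):// to hxxp(s):// so mail clients no longer render the URL as a clickable link."""
    return URL_RE.sub(lambda m: "hxxps://" if m.group(0).lower() == "https://" else "hxxp://", text)


def disable_html_links(html: str) -> str:
    """Drop href attributes so the anchor text stays readable but is no longer clickable."""
    return HREF_RE.sub(r"<a\1", html)


def tag_external_mail(raw: str) -> EmailMessage:
    """Parse a raw message; if it is external, tag the subject, prepend the banner and neutralise links."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):          # do not stack tags on a message that is already tagged
        new_subject = f"{TAG} {subject}".strip()
        if "Subject" in msg:
            msg.replace_header("Subject", new_subject)
        else:
            msg["Subject"] = new_subject
    for part in msg.walk():                  # handles single-part and multipart/alternative bodies
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(BANNER + "\n\n" + defang_urls(part.get_content()))
        elif ctype == "text/html":
            part.set_content(f"<p><b>{BANNER}</b></p>\n" + disable_html_links(part.get_content()),
                             subtype="html")
    return msg


# Constructed sample messages (reserved .test domain; not real senders).
EXTERNAL_TEXT = """\
From: "Accounts Team" <billing@example-vendor.test>
To: bursar@example-district.edu
Subject: Updated invoice for March
Content-Type: text/plain; charset="us-ascii"

Please review the updated invoice at http://example-vendor.test/invoice/4417
"""

EXTERNAL_HTML = """\
From: billing@example-vendor.test
To: bursar@example-district.edu
Subject: Updated invoice for March
Content-Type: text/html; charset="utf-8"

<p>Please review the <a href="https://example-vendor.test/invoice/4417">updated invoice</a>.</p>
"""

INTERNAL_TEXT = """\
From: principal@example-district.edu
To: staff@example-district.edu
Subject: Staff meeting moved to 3pm
Content-Type: text/plain; charset="us-ascii"

Agenda is on the intranet: http://intranet.example-district.edu/agenda
"""

if __name__ == "__main__":
    for raw in (EXTERNAL_TEXT, EXTERNAL_HTML, INTERNAL_TEXT):
        tagged = tag_external_mail(raw)
        print(tagged["Subject"])
        print(tagged.get_content())
```

Classifying on the From header alone is the minimum; a production gateway would also consult the connecting host and SPF/DKIM results so that a spoofed internal address does not bypass the tag.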
