When you think about cybercrime targets, your mind probably goes to some of the typical organizations; financial institutions, retailers, government agencies, etc. However, since online learning has taken hold over the past year, we’re starting to see the platforms and infrastructure designed to facilitate learning from home come under attack with increasing frequency, just like all other systems and websites. There has been a noticeable increase in cyberattacks on all systems, and online learning platforms are no exception. Whether it’s Google Classroom, Canvas, Schoology or one of the other learning management systems (LMS) that educators are using, malicious actors are finding ways (e.g. ransomware or DDOS attacks) to disrupt remote learning. Their goals are to steal personal data where possible, or in some cases, to build their names and cause fear and disruption to the society. 

With so many students across the country now using elements of online learning, it’s more important than ever for administrators to ensure the security of the platforms these students and teachers rely on.

You may be wondering – “why would cybercriminals target educational environments?”. Unfortunately, it’s the fact that so many would ask this question that makes it such an attractive target. Too many people have the point of view that, just because their platform doesn’t hold financial details or state secrets, it won’t be targeted. That’s simply not true. The fact is that all data has value to someone, and unfortunately some LMS’s will be constructed in such a way that large amounts of student data can be harvested from them. Not everyone follows security and password best practices. Cybercriminals can take advantage of human weaknesses in one place and use them in other places where they can get financial or other gains. Email addresses, real names, real addresses, phone numbers, date of birth, etc., all are valuable information for cybercriminals. They can build their database with this personal information and use them in future attacks. This is why practicing good cybersecurity habits as users and as administrators is critical for all of us for all systems we use.

Asking the Right Questions

Cybercriminals have various tools they use to detect easy-to-exploit vulnerabilities, like commonly found cross site scripting and SQL Injection. This is true not just for online educational systems, but for all websites. When choosing a cloud-based online education system, it is critical to conduct a thorough security analysis of the service before deciding to use it.  Ask the vendor what security measures they have taken to ensure that their applications are built securely.

Do they have a static code analyzer as part of their development process? Have they had any external parties pentest their website? What is their vulnerability disclosure and response process? Do they have MFA (Multi-Factor Authentication) implemented for user registration and login? Answers to these questions will give you some idea how important security is to the vendor, which will reflect in the security posture of their software product. At Offensive Security, for instance, our technical and security team asks vendors to fill out a detailed security questionnaire before we buy any third-party software solution so that we can assess how secure the software tool is.

In addition to security, data privacy must be a priority. This is especially true for education software, as so much personal information is collected. You’ll need to understand what data the tool collects, where the data is stored, who they share such data with, and what their data retention policy is.

A Security Mindset, Common Sense and Teamwork

Once you’ve selected an LMS that’s securely built with a strong data privacy policy, best practices for ensuring that the learning environment remains secure are similar to any other cloud tool. Make sure you create a strong password. Make sure you store your password securely and turn on MFA if it is available, or pick a tool that has MFA as a default option. If you notice something that is abnormal, report to your administrator and check.

At the end of the day, security is really a mindset – and that’s especially important if you’re in an industry like education where the vast majority of users don’t see themselves as potential targets. As a school administrator, you need to step back and think about your network, your setup, your users, etc. It’s important to try and get a sense how your network and systems can be hacked, what the likely ways are that your users may make a mistake that leads to a data breach. Based on that assessment, you can come up with a plan to improve the situation.

At the same time, the burden shouldn’t fall solely to administrators; it’s a group effort. Every user needs to be paranoid about security, about being hacked, and always asking whether what he/she sees and experiences seems normal. If we practice this kind of habit, educational institutions and their users can go a long way in protecting against cyberattacks. The reality is that breaches and attacks can happen to anyone. But if we do our job well, we reduce the chance of that happening, and if it does happen, we can mitigate the issue faster and better.  Unfortunately, there is no silver bullet when it comes to cybersecurity. But if you do enough of the little things well, from due diligence to encouraging a security-first mindset across your users, you’ll be putting yourself and the students relying on you in a better position to learn in a safe and secure online environment.