Over the past year and a half, school administrators, teachers, and IT support staff have been working in an unprecedented threat environment, wherein the pandemic and cyberattacks resulted in closures for both in-person and online schools.
School budgets have been set for the 2021/2022 school year, policies and procedures have been updated, staffing levels have been established, and security solutions have been deployed into this dynamic environment. This article considers adjustments that can be made to deployed controls so that children and school staff remain safe in both hybrid and remote learning environments.
Cyberattacks that degrade or deny the availability of learning systems are the primary technical risk to schools. As many school districts have moved their infrastructure to hosted services on the cloud, classic distributed denial of service (DDOS) attacks pose a reduced risk, as reputable cloud vendors have deployed effective mitigation technologies that benefit all their platform customers, including schools. DDOS attacks are also less likely due to the current economic incentives for threat actors. Wiper attacks, such as NotPetya, similarly lack a financial incentive for threat actors targeting schools.
As such, ransomware attacks that encrypt and potentially exfiltrate either learning systems or student data remain the top risk.
There are three best practices that security professionals supporting schools can follow to help make the school year uneventful in their district: defending user identities, patching endpoints, and running quarterly tabletop exercises.
Defending User Identities Via Multifactor Authentication
User identities are one of the most effective lines of defense in modern cybersecurity, as a compromised account can be used to steal a user’s data, as well as provide a pivot point for threat actors.
Defensive adjustments are separated by those schools that have deployed multifactor authentication (MFA) and those that have not.
Schools that are not currently using MFA for student and staff accounts are at the highest risk of account compromise, whether from automated credential stuffing attacks or credential-harvesting phishing attacks. There are just over 600 million unique passwords currently available to security researchers and threat actors. It is quite likely that one or more student or staff passwords are at risk of being compromised unless a school has previously deployed technical controls to prevent the utilization of those that have appeared in breaches.
To prevent this risk from contributing to a breach, schools should first modify the password change process for end users so that the new password supplied by the end user is checked against a list of known compromised credentials.
Next, schools should audit their password stores for accounts where the passwords in question have appeared in a prior breach and force those end users – whether they be students or staff – to change their login credentials upon their next login to the affected system.
Finally, schools should consider a quarterly exercise to re-audit their password stores, as the number of compromised passwords only continues to increase – a password that was “safe” three months ago may no longer be secure.
On the surface of things, schools that have deployed MFA appear to be at a reduced risk of compromised user identities, which ignores the unfortunate tendency of users to click-through and approve MFA requests that appear unexpectedly on their mobile devices.
Geography is an advantage that schools have when compared to modern businesses, as most individual students should be connecting from the same IP address and device daily, compared to business employees who may have multiple devices and connect from multiple locations.
As such, schools should configure MFA to prompt when users are connecting from a different location or different device. If the school’s authentication provider supports it, they should additionally block authentication attempts from outside the country, from known proxies, and Tor exit nodes.
Administrative users accessing critical school systems should always be prompted for MFA.
Patching Endpoints and Bring Your Own Device Policies
Patching endpoints is another critical line of defense, as a compromised endpoint may either be affected by ransomware or be used as a lateral movement point by threat actors.
The move to software as a service (SaaS) has generally reduced the number of software packages installed on school endpoints, which has increased the reliance on web browsers. Thankfully, the primary web browsers all provide automated and seamless updates, with a catch: the end users need to restart their browser to receive the software updates. School districts that have provided students with devices should be able to require that the device reboot periodically, such as to install software updates.
Those schools with Bring Your Own Device (BYOD) policies should consider having teachers in remote or hybrid learning environments give students time at least once a month to reboot their computers to ensure that their endpoint devices will be generally updated patched against technical attacks.
Finally, schools should consider a quarterly or biannual cybersecurity tabletop exercise as part of a scheduled teacher workday.
An effective tabletop exercise incorporates all parts of the organization, from the IT team to the school principal, district administrator, communications, and counsel. The intent of a tabletop is to identify and close gaps in a school’s cyber incident response procedures. Often, those gaps include how facts are distributed and understood throughout the organization and how various departments work together based on their understanding of those facts.
Testing how a school administrator will declare a breach and how that declaration may drive communication to parents and students is a worthwhile exercise, particularly when the school administrator is working with incomplete information, which is always the case with fast-moving incidents. Ideally, schools should test those organizational information flows prior to a significant incident so that they have worked through the motions as a team before an incident occurs.
A hotwash at the end of the tabletop exercise can also help schools identify process and communications improvements.
These best practices will mitigate the main cyber risks to schools in the 2021/2022 school year without requiring the deployment of new software or requiring new expenses.
Looking ahead, security and IT professionals supporting schools should plan on aligning their policies, procedures and technical controls to a cybersecurity framework appropriate to the size and complexity of their organization.
The use of a formal framework will help schools to effectively identify and mitigate gaps in security as they plan for school budget cycles.
Although the future of remote and hybrid learning is uncertain, we can expect that profit-motivated threat actors will continue to attack those schools that have not deployed effective and appropriate defenses.