It’s Time for K12 to Raise the B.A.R in Cybersecurity

Imagine the horror of receiving an anonymous text message saying “Your child still looks so innocent. Don’t let your child go outside.” This happened to one parent in Des Moines due to an attacker group called ‘Dark Overlord’ breaching the Johnston Community School District in the beginning of October.

Tragically this is not an isolated incident, but a recurring trend. Across the US, attackers have been sending death threats to hundreds of thousands of students, stating that unless they received a ransom in online currency Bitcoin they would release those students’ sensitive personal information. In response to these threats, school districts cancelled school for up to a week.

According to Verizon’s 2017 Data Breach Investigations Report (DBIR), there were a total of 455 reported cybersecurity incidents in the education sector last year, a number that has been increasing over the years. Furthermore, the U.S. Department of Education issued a Cyber Advisory Alert on October 16, 2017, stating that K-12 school systems are facing a “new threat where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying children unless payment is received.”

In the beginning of 2017, the IRS released a trend alert on attackers targeting W-2s of school staff via phishing emails; however, it became noticeable that students’ personal information became a better money target later on in the year. The two common desires for attackers are to receive a Bitcoin ransom or collect Social Security numbers to sell on the dark web. Attackers are after students’ identities, such as name, date of birth, social security number, and home address, because students represent a clean slate with little or no credit history. According to the Miami Herald, “on the dark web, these Social Security numbers sell for $25 to $35 a piece, Sanchez said. The information from just one school could easily be worth more than $10,000.”

Additionally, school district systems are being attacked because they enable easier access into government networks. Michael Kaiser, the Executive Director of the National Cyber Security Alliance, recently said “a school district network most likely is attached to other networks in the town or city, state or federal, depending on how the network is setup.”

Given the severity of this situation, why are school systems so easy to access?

At times, student networks are not completely separate from staff and administrative networks, and free wifi around the school buildings and students using the wifi provides thousands of opportunities for attackers to gain access to a school network, especially when students download free, infected apps on their phones. It only takes a click on one email infected with malware to collect login information from a system administrator who has access to the networks to breach an entire school system. The other issue stems from not having the budget to hire a bigger cybersecurity team and pay for necessary resources, such as software and replacing old operating systems to protect school networks.

So what are the foundational practices that school districts must employ to protect student and staff data? Ben Tomhave, principal at Falcon’s View Consulting, suggests that schools need to seek opportunities to reduce their threat profile as much as possible. For example, offloading as much data as possible to reputable vendors can increase data protection and safety; implementing strict network segregation to ensure that students do not have access to staff, administrator, and administrative systems;making sure that students, staff, and administration are aware of phishing, ransomware, and related attacks; and, implementing a routine vulnerability scanning and remediation schedule that also prioritizes the latest vulnerabilities and risks. It’s time for K12 to raise the B.A.R in cybersecurity measures by:

1. Basic security hygiene, such as routine patching and strictly segregating all networks, including wifi.
2. Aware of phishing attacks, of threats to the data and environments, and of the environment in general. As well as, monitoring and detection.
3. Routine vulnerability management and scan for patches

Also, be sure to have an incident response plan in place and exercised for when bad things happen. Such a plan may include procedures for how to contact local law enforcement and alert privacyTA@ed.gov. Visit the U.S. Depart of Education Privacy Technical Assistance Center and FIRST websites for training and guidance on how to respond and recover from cyber attacks.

Much can and should be done to raise the bar on cybersecurity practices, despite constrained budgets. Focusing on fundamental practices may not be easy, but can be pursued without breaking the bank. Strict network segregation coupled with an awareness program, vulnerability management capability, and other basic security hygiene practices will help make schools a harder target for attackers.

Learn more about me @ ChloeMessdaghi.com