Cyberattacks are nothing new. In 1988, Robert Tappan Morris unleashed what has become known as the "Morris worm," which was initially designed as a way to determine how big the internet was and highlight the weaknesses in computer systems. Unfortunately, Morris' code had some unintended consequences, resulting in one of the first computer worms distributed via the internet and essentially creating a massive denial-of-service attack (DoS attack) for thousands of devices. Fast forward to today, and you'll realize that while computer systems have changed considerably over the years, one thing that hasn't changed is the inherent risk of cyberattacks. Unfortunately, as society has become more and more dependent on computers and electronics in general, cyberattacks have a much more devastating impact on their victims than before. And while most headlines focus on the recent attacks of the Colonial pipeline and JBS' meat processing facility, the victim most targeted by cybercriminals is the K-12 education system.
So why is K-12 targeted so frequently when there are much more lucrative targets to choose from? When most people think of cybercriminals and hackers, they think of a person in a hoodie surrounded by computer screens as they hack into some large financial institution's mainframe and drain rich people's bank accounts. While I love a good hacker movie, what they portray couldn't be further from the truth. In reality, criminals in general almost always go after the most vulnerable and low-risk targets. That's why convenience stores are four times more likely to be robbed than banks. Criminals are after easy financial gain. When it comes to cybercrime, the easiest targets are the ones with the least amount of technological resources. K-12's limited funding makes them prime targets for cyberattacks, and the recent transition to remote learning has only made it more difficult for educational system administrators to keep their environments secure.
K-12 has notoriously had funding issues for years. If you have any friends or family in the education system, they often aren't shy to express their frustrations about the limited resources they're given, often providing classroom resources for their students out of their own pocket. The same is true for IT administrators in the education sector.
IT administrators often find themselves with the difficult task of requesting funding for systems that nobody sees. Nobody sees the firewalls that silently sit there protecting networks from intruders. People overlook the antivirus software running in the background on their computers, keeping their systems secure. Nobody sees the backup systems and terabytes of data drives in the server rooms that keep all of their data backed up in case of emergencies. Nobody goes into the closets containing thousands of dollars worth of switches, ensuring that everybody has network connectivity. Some even assume that sysadmins only have to really work when computers or networks crash and they overlook the countless hours spent ensuring that their systems don't crash in the first place.
Another roadblock often faced by K-12 sysadmins is that funding may be available to purchase additional systems and services, but that same funding can't be used to hire more personnel. The end result is an IT department often stretched too thin and unable to maintain systems properly. In addition, contractors will often be used to implement newly purchased systems, leaving staff not adequately trained to support them.
One of the most significant contributing factors in K-12 cyberattacks is the lack of training available for end-users. Inadequate training is almost always a direct result of limited IT staffing. As sysadmins are stretched thin, they no longer have the time to provide sufficient training for their end-users. This was especially true as schools transitioned to remote learning and many new systems were incorporated into teacher's and student's workflows.
As reported by k12cybersecure.com, there were 408 publicly disclosed K-12 cyber incidents in 2020, an increase of 18 percent over 2019. Compare that to the 122 publicized cybersecurity incidents of 2018, and you start to see how these attacks have dramatically increased over the last couple of years. This increase is partially attributed to the pandemic and the switch to remote learning as incidents almost tripled in the latter half of 2020. The FBI even emphasized the high likelihood of increased cyberattacks on K-12 as they transitioned to distance learning in June 2020.
k12cybersecure.com has broken down 2020's incidents into the following categories:=
Data Breach/Leak: 36%
Other incidents include unattributed malware, class and meeting invasions, email invasions, website and social media defacement, and a wide variety of related and/or low-frequency incidents.
It's important to note that while many of these cyberattacks are intended as a way to get financial gain from victims, not all of them serve this intended purpose. Some, such as class and meeting invasions, often serve as a way to disrupt and harass educators and students.
The impact of these cyberattacks can vary considerably, and it's challenging to quantify the effect of each one. Some incidents may be nothing more than a short disruption to a faculty meeting. Others could cripple school systems for weeks or even months. Other attacks, such as data leaks, could have lasting effects upon students and staff for years.
In April 2020, a zoom class hosted by a Utah elementary school was hacked, exposing up to 50 elementary-aged students to pornographic images and video. There was no financial gain intended in the attack, but the impact is non-the-less horrific and could be long-lasting for those children and parents.
In 2019, the Lyon County School District in Nevada suffered from a ransomware attack that took many systems, including their phone and email systems, offline for almost two months. IT staff worked diligently for weeks trying to restore services while other departments did what they could to ensure they could continue to provide for their community with limited resources. A ransom was eventually negotiated and paid in order to decrypt the data the ransomware had encrypted.
These are just a couple of examples of the hundreds of attacks occurring each year to our K-12 schools. While the return to in-person learning may significantly reduce class and meeting invasions, the other categories of incidents will likely increase in the future.
Cyberattacks are becoming more elaborate and sophisticated, but that doesn't mean there's nothing we can do to better safeguard our schools. Even though attacks are becoming more complex, many of the solutions remain the same. Often, just practicing the fundamentals of computer security are enough to deter most attacks. Here's a list of the most common things we can do to keep our environment safe and secure.
Patching: One of the simplest ways to keep your environment safe is to ensure you're deploying updates regularly. Updates come in many shapes and sizes. This includes updates for operating systems, software packages, and firmware updates for physical devices. Here are a few tips to help you with patching.
Develop a patch management policy: A good patch management policy should guide how you deploy patches in your environment. It should also cover things such as how to patch critical devices. This may include only deploying security updates or updates that have thoroughly been tested to essential devices.
Use a deployment tool: Depending on the size of your environment, deploying patches could be a daunting task. If you have a larger environment, consider using a deployment tool to ensure you get all of your devices patched on time. I may sound biased, but I highly recommend PDQ Deploy and PDQ Inventory. These applications are very easy to integrate into your existing environment. With Deploy and Inventory, you'll be deploying patches to hundreds or even thousands of machines with just a few clicks.
Stay informed: Make sure you know when a vulnerability has been discovered so you can get the patches deployed to your devices. There are many blogs, news sites, and social media groups you can follow to ensure you stay informed about the latest security events. We cover many of these critical vulnerabilities as well as non-critical updates on our blog at PDQ.com/blog. Bleepingcomputer.com is another good source of information about security events. You can also track vulnerabilities using the NIST NVD (National Institute of Standards and Technology National Vulnerability Database… whew)
Training: Many attacks are attributed to a lack of training. Ensure your end-users know what threats to look out for and how to avoid them. Many threats, especially those targeting users with deceptive/phishing e-mails, can be avoided when users know what to look for. Additionally, there are many training resources available online when in-person training is not an option.
End-Of-Life (EOL): Computers systems are constantly evolving. The internet and the applications we use today look nothing like what we used 15 years ago. Many systems eventually become deprecated and lose support. When systems become obsolete and lose support, this is known as reaching their end-of-life. End-of-life systems no longer receive security updates, making them a high-priority target for cyberattacks. Unless these systems are absolutely essential, ensure they are removed from your environment. If the system is critical, ensure that the device it runs on is set to the highest security standards while you work on transitioning to a replacement system.
Firewalls: Make sure your firewalls are correctly configured to keep intruders out of your network. Also, ensure that your firewalls and other networking equipment are up to date with their latest firmware updates.
Password Management: Ensure a proper password management policy is in place and followed. Password should be required to change regularly. Avoid giving end-users administrative access. Sysadmins should use separate logins for administrative work. Password should not be re-used for multiple systems, and passwords should never be shared. Ensure complex passwords are required. Use a password management system to ease the burden on users.
2FA (Two Factor Authentication): Most systems now have an option to enable 2FA or multi-factor authentication. Use this authentication method whenever possible. 2FA will drastically limit what a cybercriminal can do if they obtain a password.
Backups: Backup, backup, backup. Make sure that your critical data and systems are backed up regularly. Having a good backup can turn a nightmare situation into a mild annoyance. If possible, have multiple backups, both onsite and offsite. Ensure that backups cannot be compromised if an on-site system becomes compromised. The last thing you want is your data and your backups to become encrypted by ransomware.
Audits & Pen Tests: Systems should be regularly audited and penetration testing performed to ensure there are no vulnerabilities in your environment. While I don't know anybody that enjoys being audited, you'll enjoy it a whole lot more than trying to recover from a cyberattack.
Unfortunately, as the world grows more dependent on technology, we become more susceptible to cyberattacks. The recent pipeline and food supply attacks are a stark example of the chaos that these types of incidents can cause. Sadly, it's our children and teachers who are suffering from the brunt of these attacks. As system administrators, we need to stay vigilant in safeguarding our environments to the best of our ability. It may not be easy, and our efforts may often go unnoticed, but it is worth it.
Check out THE STATE OF K-12 CYBERSECURITY: 2020 YEAR IN REVIEW report provided by k12cybersecure.com. Their efforts to highlight the attacks on the K-12 education system are commendable and should be supported.
If you are interested in more learning more information regarding the state of K-12 cybersecurity, PDQ.com is hosting a K-12 Cybersecurity Webinar event on June 16, 2021. Join us as our panel of experts discuss emerging cybersecurity threats for K-12, personal experiences dealing with cybersecurity attacks, and how schools can best protect themselves from cybersecurity threats. Click here to register and learn more.