In recent months, a number of high-profile cyberattacks have reverberated across critical aspects of the U.S. infrastructure ranging from petroleum and meat production to local water treatment facilities. Over the last year, these various groups proved virtually no organizations were off-limits; even healthcare facilities amid a global contagion. After a year of online learning, many schools and universities are headed back to the classroom this fall. As students return to in-person learning, could cybercriminals shift their efforts to vulnerable school systems?
“Cyber criminals are focusing on targets that they feel will provide the most probability of getting paid. They want to maximize the payout while minimizing the effort. Schools tend to fall into this category simply because they are under resourced with regards to security, but also highly motivated to minimize the impact of an attack simply by paying,” said Brian Bartholomew, principal security researcher at Kaspersky.
SEE: Security incident response policy (TechRepublic Premium)
What cybercriminals want: digital money
The primary objective for a ransomware attack is simple: money; lots of it. On average, ransomware payments surged 82% to $570,000 in the first six months of 2021, according to Unit 42’s Ransomware Threat Report.
In the aftermath of the Colonial Pipeline attack, the company paid Darkside hackers more than $4 million, according to a Wall Street Journal interview with the CEO. Following the JBS attack, the company paid the REvil group a whopping $11 million.
But hacking groups aren’t solely focusing on massive corporations with large coffers. According to a recent Kaspersky report, 41% of parents said their child’s school had experienced multiple cyberattacks and 55% said the school had suffered a single incident. After an attack, 72% of parents said they would want schools to pay the ransom, with their greatest worry being their child’s “sensitive data” being compromised.
“Threat actors have many motivations but the biggest reason to attack school systems is greed or the desire to profit from the attack by extorting schools via ransomware or the threat of attack,” said Bryan K. Fite, global account chief information security officer at BT Global.
“School attacks are also high-profile and can impact a lot of stakeholders (students and teachers), which can trigger some emotional imperatives that make the victim organizations more likely to pay,” Fite continued.
Remote learning and security vulnerabilities
Cybercriminal activity surged during the coronavirus pandemic as companies and schools shifted to remote operations. With employees and students logging on from their home networks using a mixed bag of personal and company devices, virtual operations also led to new potential security vulnerabilities.
Due to the shift to remote learning on short notice, Bartholomew said schools needed to “create in a matter of months the type of architecture that is usually planned out a year or more in advance.” For school systems, perhaps one of the main cybersecurity takeaways from this en masse switch is the regularity of cybercriminal opportunism.
“It was probably a tough lesson to learn that cybercriminals are all too willing to take advantage of a vulnerable situation, no matter what type of institution,” Bartholomew said.
Similar to most other organizations, Bartholomew explained that schools have a “wide array” of security vulnerabilities, noting that the accelerated switch to remote learning “provided the criminals more possibilities to gain the required access in.”
Although the delta variant is leading to surging cases around the country, many schools are currently planning to operate in person this fall. So, does this switch back to on-site learning reduce the cybersecurity risk or merely consolidate the risk into fewer areas?
“A decrease in the amount of schools online may correlate to a lessened risk, but schools should nevertheless be proactive in its security protection strategies,” Bartholomew said. “Cybercriminals are always going to be out there looking for targets. Returning to remote learning may have to happen at any moment, so schools are not going to want to be caught off-guard again.”
Assuming virtual learning modules are threat actors’ “primary attack vector,” Fite said “decommissioning those platforms would reduce the school’s attack surface,” albeit with caveats.
“It’s more likely that the systems will remain in place and active to support the school should distance learning need to be leveraged again,” Fite said. “If those platforms are not properly maintained, having them in place but not actively used could create some security blind spots.”
Proactive moves to shore up security
While the prospect of sustained in-person learning may be on shaky ground amid plateauing vaccination rates and surging caseloads, there are proactive strategies schools can implement to protect themselves against cyberattacks as well as contingency plans to hammer out in the event of a breach.
For example, Bartholomew said IT admins can regularly backup data and implement two-factor authentication as well as “tried and true recommendation to always promptly install available software updates.” He also recommended coordinating with organizations like MS-ISAC.
“If the unfortunate event happens and a school thinks it’s compromised, the best thing to do is coordinate with them, as well as follow the recommended steps and guidelines produced by CISA,” Bartholomew said, referring to the federal cybersecurity agency.
Jacob Olcott, vice president at BitSight Technologies, said the “education sector has been the worst-performing sector” from a cybersecurity perspective and has been so “for years,” adding that the comparatively lengthy amount of time it takes education organizations to patch vulnerabilities is one of the key factors. Citing BitSight analysis, Olcott said “organizations with poor patching performance are nearly seven times more at risk of a ransomware attack.”
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Security training and outreach are popular proactive security strategies for companies and schools could implement a similar approach for staff and network users. However, 20% of schools do not provide parents and students with cybersecurity-related best practices, according to the Kaspersky survey.
“Your human stakeholders can be your biggest asset or biggest liability. So, educating users on how to stay safe and how to spot indications of fraud is very important,” Fite said.
Zero trust security has become an increasingly popular option for companies; especially in the age of remote work. By the end of 2022, nearly four in five organizations were planning to “adopt a zero-trust security initiative,” according to an Okta whitepaper published in June; comparatively, only 9% of companies said they had such a policy in place at the time.
In the months ahead, Fite said a zero trust security approach for schools is “worth considering.”
“Assume your stakeholders are operating in a hostile environment (like the internet) and design security controls that make it easy to do the right thing (be secure) and hard to do the wrong thing,” Fite said.