The start of a school year brings new opportunities, new challenges, and unfortunately, new risks. Increasingly, these emerging risks begin in the cyber domain and target school districts. To prevent a successful cyberattack against your district, it is imperative that leadership and staff stay informed. Let’s examine five of the most significant new threats you need to know about and identify methods for anticipating these risks.
1. COVID-19 cyber threats
The novel coronavirus outbreak has had a massive impact on education, and at the same time, it has created new ways for cybercriminals to breach your district's digital defenses. As you enter this unusual school year, watch out for cybercriminals looking to exploit the virus with scams and security compromises.
Unfortunately, when people feel uneasy and insecure, hackers feel empowered. Events like the COVID-19 pandemic provide an opportunity for cybercriminals to use fear to socially engineer people into giving up sensitive information. There are a number of cyberscams associated with the virus circulating on the internet, and many staff members in districts have reported seeing them. Please see our detailed article on these scams for more information.
‘Zoom Bombing’ is the act of exploiting security vulnerabilities or improper configurations in remote collaboration software. Don’t let the name fool you: this activity is not limited to users of Zoom – nearly all the major collaboration platforms have been impacted by this type of activity. Though this method of attack is usually used for disruption or digital vandalism, sensitive information could be in danger if your users are sharing it in their conversations. We have an extensive write-up on this activity in a prior InsideRM article.
2. Grade hacking
Grade hacking is the act of modifying official grades using digital methods. We have seen isolated instances of students changing grades by accessing staff computer terminals that had administrative privileges or grading system access. However, it appears grade hacking is becoming a systematic and ongoing threat.
Researchers with Kaspersky, a global cybersecurity company, recently discovered an internet marketplace full of services offering “grade hacking for hire,” as well as a list of bugs in the most commonly used school information systems.
What can you do?
Here are some recommended prevention techniques from Kaspersky:
- Introduce multiple forms of user authentication for information systems, especially for web-based systems that might provide access to student records, grades, and assessments.
- Set strong and appropriate access controls so it is not easy for a hacker to move through the system.
- Provide security awareness training for staff, explaining how to implement and use passwords.
- Maintain separate and secure wireless networks—one for staff, one for students, and another one for visitors if you need it.
- Enforce a policy that requires network users to create strong passwords and frequently change them. Encourage everyone to keep their login credentials confidential at all times.
- Use a reliable security solution for comprehensive protection.
3. Third-party vendor issues
In May 2019, a report surfaced describing a massive data breach from Total Registration. The company is a third-party vendor used by school districts to register students for the AP and PSAT exams. The report noted that Total Registration exposed students’ first and last names, student ID numbers, and email and home addresses, as well as parents’ names, telephone numbers, and email addresses. So far, 20 school districts across 12 states, including Texas, have disclosed their data loss.
Third-party vendors are often a great help to districts with limited information technology (IT) resources. They can assist with infrastructure upgrades, deployment of new software platforms, and even student data management. However, it is important to make sure vendors follow appropriate security procedures to protect your sensitive data.
What can you do?
Here are some tips to help you securely manage your third-party vendor relationships:
- Use a reputable vendor with positive reviews and a lengthy history of working with school districts.
- Ensure the vendor is aware of state regulatory standards that may apply to sensitive information the district maintains. Those standards include the Health Insurance Portability and Accountability Act and the Family Educational Rights and Privacy Act.
- Inform the vendor of your local acceptable use policy and the types of sensitive student and staff information stored in your systems.
- Use resources such as Privacy Rights Clearinghouse, Krebs on Security, and DataBreaches.net to see if the vendor has experienced a data breach in the past with other customers.
4. Unpatched servers
Two years ago, a piece of ransomware called “WannaCry” infected over 200,000 computers across 150 countries. Ransomware locks or encrypts computer systems, files, or data, or steals data, and then demands payment. The cybercriminals behind WannaCry exploited a vulnerability in the Microsoft Windows operating system. Microsoft responded by releasing patches that helped address the issue. However, a recent audit determined that hundreds, possibly thousands, of school district servers remain unpatched. It is imperative to update your systems routinely to reduce common vulnerabilities.
What can you do?
- Speak with your IT team regularly regarding your patching and updating protocols.
- Ensure that routine backups are run and that the backup system is functioning properly.
- Confirm with your IT team that the Microsoft Windows file-sharing protocol, known as Server Message Block 1, is patched or upgraded to version 2 or 3 on your system.
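For IT staff, one way to carry out the Server Message Block 1 check above is the following PowerShell report. It is an added example, not part of the original article; the server names are constructed placeholders, and it assumes an elevated session with PowerShell remoting enabled to each server.

```powershell
# Added example: report whether the SMB1 server protocol is still enabled.
# Run from an elevated PowerShell session. Remote hosts need PowerShell remoting.
function Get-Smb1Status {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-SmbServerConfiguration ships with Windows 8 / Server 2012 and later.
            $isLocal = $computer -eq $env:COMPUTERNAME
            $cfg = if ($isLocal) {
                Get-SmbServerConfiguration -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                    Get-SmbServerConfiguration
                }
            }
            [pscustomobject]@{
                Computer    = $computer
                Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
                # EnableSMB2Protocol governs both SMB version 2 and version 3.
                Smb2Enabled = [bool]$cfg.EnableSMB2Protocol
                Error       = $null
            }
        } catch {
            # Unreachable or older hosts are reported rather than silently skipped,
            # so they can be followed up by hand.
            [pscustomobject]@{
                Computer    = $computer
                Smb1Enabled = $null
                Smb2Enabled = $null
                Error       = $_.Exception.Message
            }
        }
    }
}

# Constructed sample host names; replace with the district's own server list.
$servers = @('FILESRV01', 'SIS-APP01')
Get-Smb1Status -ComputerName $servers |
    Sort-Object Smb1Enabled -Descending |
    Format-Table -AutoSize
```

Any row with Smb1Enabled set to True, or with an Error value, is a server to raise with the IT team.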
5. Business email compromise/fraudulent instruction
Business Email Compromise is when highly sophisticated emails are crafted to appear to come from legitimate companies or third-party vendors affiliated with a school district. These emails may request sensitive information such as tax forms or social security numbers. Fraudulent Instruction is the transfer of funds by an employee out of an organization to a third party as a result of deceptive information provided by a criminal purporting to be someone else, typically a vendor, client, or authorized employee.
These types of attacks are usually preceded by significant observation and research which allow cybercriminals to pretend to be legitimate business partners. In some cases, hackers even infiltrate a company and send a “legitimate” email from within a partner organization. We have seen a significant increase in these sorts of attacks directed at the education sector. In April 2019, a fraudulent instruction attack cost Scott County Schools in Kentucky $3.7 million, and millions of dollars were similarly stolen from Texas districts as well.
What can you do?
- Begin using a system of checks and balances so that no single employee has the authority to change third-party financial information such as routing and account numbers without secondary authorization.
- Train your staff on common social engineering tactics such as spoofing, phishing, and spamming.
- Implement a policy that requires confirmation by a different method than the one used to make the request when vendors, contractors, or other external partners request a change in financial information. For example, if a contractor requests a routing number change in an email, make a phone call to an established point of contact to confirm the request is legitimate.
- Encourage staff, especially accounting staff, to think twice, then three times before complying with potentially suspicious financial requests.
Expert help from the Fund
The TASB Risk Management Fund provides cybersecurity and data privacy coverage, guidance, and resources to members of the Property and Liability programs. To report a Privacy & Information Security claim, members should call the Fund at 855.295.8344. For more information about cybersecurity or to request guidance on this topic, contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at firstname.lastname@example.org or 512.505.2893.
Editor's note: This article was originally published in August 2019. It has since been updated for accuracy and comprehensiveness.