The start of a school year brings new opportunities, new challenges, and unfortunately, new risks. Increasingly, these emerging risks begin in the cyber domain and target school districts. To prevent a successful cyberattack against your district, it is imperative that leadership and staff stay informed. Let’s examine four of the most significant new threats you need to know about and identify methods for anticipating these risks.
1. Grade Hacking
Grade hacking is the act of modifying official grades using digital methods. We have seen isolated instances of students changing grades by accessing staff computer terminals that had administrative privileges or grading system access. However, it appears grade hacking is becoming a systematic and ongoing threat.
Researchers with Kaspersky, a global cybersecurity company, recently discovered an internet marketplace full of services offering “grade hacking for hire,” as well as a list of bugs in the most commonly used school information systems.
What can you do?
Here are some recommended prevention techniques from Kaspersky:
Introduce multiple forms of user authentication for information systems, especially for web-based systems that might provide access to student records, grades, and assessments. Set strong and appropriate access controls so it is not easy for a hacker to move through the system.
- Provide security awareness training for staff, explaining how to implement and use passwords.
- Maintain separate and secure wireless networks—one for staff, one for students, and another one for visitors if you need it.
- Enforce a policy that requires network users to create strong passwords and frequently change them. Encourage everyone to keep their login credentials confidential at all times.
- Use a reliable security solution for comprehensive protection.
2. Third-Party Vendor Issues
In May 2019, a report surfaced describing a massive data breach from Total Registration. The company is a third-party vendor used by school districts to register students for the AP and PSAT exams. The report noted that Total Registration exposed students’ first and last names, student ID numbers, and email and home addresses, as well as parents’ names, telephone numbers, and email addresses. So far, 20 school districts across 12 states, including Texas, have disclosed their data loss.
Third-party vendors are often a great help to districts with limited information technology (IT) resources. They can assist with infrastructure upgrades, deployment of new software platforms, and even student data management. However, it is important to make sure vendors follow appropriate security procedures to protect your sensitive data.
What can you do?
Here are some tips to help you securely manage your third-party vendor relationships:
- Use a reputable vendor with positive reviews and a lengthy history of working with school districts.
- Ensure the vendor is aware of state regulatory standards that may apply to sensitive information the district maintains. Those standards include the Health Insurance Portability and Accountability Act and the Family Educational Rights and Privacy Act.
- Inform the vendor of your local acceptable use policy and the types of sensitive student and staff information stored in your systems.
- Use resources such as Privacy Rights Clearinghouse, Krebs on Security, and DataBreaches.net to see if the vendor has experienced a data breach in the past with other customers.
3. Unpatched Servers
Two years ago, a piece of ransomware called “WannaCry” infected over 200,000 computers across 150 countries. Ransomware locks or encrypts computer systems, files, or data, or steals data in demand for payment. The cybercriminals behind WannaCry exploited a vulnerability in the Microsoft Windows operating system. Microsoft responded by releasing patches that helped address the issue. However, a recent audit determined that hundreds, possibly thousands, of school district servers remain unpatched. It is imperative to update your systems routinely to reduce common vulnerabilities.
What can you do?
- Speak with your IT team regularly regarding your patching and updating protocols.
- Ensure that routine backups are run and that the backup system is functioning properly.
- Confirm with your IT team that the Microsoft Windows file-sharing protocol, known as Server Message Block 1 is patched or upgraded to versions 2 or 3 on your system.
4. Business Email Compromise
Business Email Compromise is when highly sophisticated emails are crafted to appear to come from legitimate companies or third-party vendors affiliated with a school district. These emails either request a change in an existing account routing number or an immediate payment to an account number provided in the email. These attacks are usually preceded by significant observation and research which allow cybercriminals to pretend to be legitimate business partners. In some cases, hackers even infiltrate a company and send a “legitimate” email from within a partner organization. In April 2019, this type of attack cost Scott County Schools in Kentucky $3.7 million.
What can you do?
- Begin using a system of checks and balances so that no single employee has the authority to change third-party financial information such as routing and account numbers without secondary authorization.
- Train your staff on common social engineering tactics such as spoofing, phishing, and spamming.
- Implement a policy that requires confirmation by a different method than the request is made when vendors, contractors, or other external partners request a change in financial information. For example, if a contractor requests a routing number change in an email, make a phone call to an established point of contact to confirm the request is legitimate.
- Encourage staff, especially accounting staff, to think twice, then three times before complying with potentially suspicious financial requests.
Expert Help from the Fund
The TASB Risk Management Fund provides cybersecurity and data privacy coverage, guidance, and resources to members of the Property and Liability programs. To report a Privacy & Information Security claim, members should call the Fund at 855.295.8344. For more information about cybersecurity or to request guidance on this topic, contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at firstname.lastname@example.org or 512.505.2893.