Carefully allocating limited resources lets districts get the best bang for the buck.
By Saryu Nayyar, CEO, Gurucul
While we read about a lot of high-profile cyberattacks against large organizations, and even sophisticated long-term attacks by state actors against well-respected security companies, the reality is that cybercriminals are more likely to go after "low-hanging fruit" before they engage a high-profile, well-defended target. The "target of opportunity" mentality is easy to understand. The reward from a soft target won't match the potential payout from a large organization, but the effort is low and the risk is lower, which tilts the risk-versus-reward equation toward the softer target. From the attacker's perspective, it's a no-brainer.
Unfortunately, that target-of-opportunity approach has made organizations in K-12 education a common victim of ransomware, data theft, and other harassment. The increased activity against education is what led the US Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Federal Bureau of Investigation (FBI) to release a joint cybersecurity advisory on December 10th, 2020.
Considering that public K-12 education in the United States is famously under-resourced, it's no wonder districts are an easy target for cyberattacks. School districts frequently lack the budget and staff needed to adequately secure their environments. Many districts have a small IT team of only a few people that covers district offices, student-use equipment, and the schools themselves. In many cases they don't have the budget for a dedicated information security position and, at best, add InfoSec to the stack of responsibilities the existing team already carries. That is, if they haven't outsourced their entire IT infrastructure to a Managed Service Provider (MSP), whose contract may or may not cover the added burden of managing the district's cybersecurity. This all combines to leave school districts especially vulnerable to a range of attacks.
Some of these attacks are, on some level, understandable if not forgivable. "Zoom-bombing" a class, while disruptive, may be nothing more than a prank staged by a student, sibling, or school rival. It's the kind of stunt some of us would likely have considered during our own school days. A DDoS, likewise, may be a poorly conceived student prank rather than part of a criminal effort to disrupt the school's operations.
The CISA alert covers attacks that are much more intrusive and damaging than simple pranks or minor disruptions. Attackers have dropped malware into school environments to disrupt systems, steal personal information for sale or extortion, and they have used ransomware against districts and even individual students.
Given the state of public education budgets in the United States and the stresses brought on by the shift to distance learning during a global pandemic, cybercriminal attacks against K-12 organizations amount to kicking someone while they're down. Not that it's unexpected. After all, we can't exactly expect ethical behavior from people who make a living from openly criminal pursuits. What we can do is try to help educational organizations defend themselves during these extraordinary times.
With restricted budgets, educational institutions need to allocate their limited resources carefully to get the best bang for the buck. Whether they rely on a dedicated IT organization in the district or school, on SaaS services, or on an MSP, the situation is the same: they need to meet their operational requirements first and foremost, providing the best education possible to their students, while still maintaining adequate security.
It’s a daunting challenge, but the CISA alert has some solid advice on best practices to stay secure against these attacks.
The obvious suggestions of keeping patches up to date, configuring systems according to industry best practices, enabling multi-factor authentication (MFA), auditing user accounts and systems, and the rest are only the start. Of course, organizations should already be doing all of this. That the alert has to remind people says more about districts having limited resources than about any lack of knowledge, will, or intent.
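The account audit the advisory recommends is one of the few items on that list a one- or two-person district IT team can do with no new tooling. The following is an added example written for this page, not code from the advisory or from Gurucul. It assumes a directory export in a simple CSV shape (username, enabled flag, last login date, MFA enrollment, semicolon-separated groups); the sample export, the 90-day staleness threshold and the "Domain Admins" group name are all constructed for illustration and should be replaced with the district's own export and policy.

```python
import csv
import io
from datetime import date

# Constructed sample directory export for illustration only; not real district data.
# Column layout is an assumption: adapt parse_export() to whatever your directory exports.
SAMPLE_EXPORT = """username,enabled,last_login,mfa_enrolled,groups
jsmith,true,2021-01-04,true,Staff
oldteacher,true,2020-03-15,false,Staff
helpdesk_admin,true,2020-12-20,false,Domain Admins;Staff
summer_temp,true,2019-08-30,false,Staff
itlead,true,2021-01-05,true,Domain Admins;Staff
retired_svc,false,2018-02-01,false,Domain Admins
"""

STALE_DAYS = 90                        # assumed policy threshold for "no recent login"
PRIVILEGED_GROUPS = {"Domain Admins"}  # assumed set of high-value groups to watch


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["username"].strip(),
            "enabled": r["enabled"].strip().lower() == "true",
            # An empty last_login means the account has never signed in.
            "last_login": date.fromisoformat(r["last_login"]) if r["last_login"].strip() else None,
            "mfa_enrolled": r["mfa_enrolled"].strip().lower() == "true",
            "groups": {g.strip() for g in r["groups"].split(";") if g.strip()},
        })
    return rows


def audit_accounts(rows, as_of, stale_days=STALE_DAYS, privileged=PRIVILEGED_GROUPS):
    """Return {username: [findings]} for every account that needs attention.

    Findings:
      stale                         enabled, but no login within stale_days (or never)
      no_mfa                        enabled, but not enrolled in MFA
      privileged_without_mfa        no_mfa AND member of a privileged group
      disabled_in_privileged_group  disabled, but still holds privileged membership
    """
    findings = {}
    for r in rows:
        flags = []
        is_privileged = bool(r["groups"] & privileged)
        if not r["enabled"]:
            # A disabled admin is one re-enable away from being an admin again;
            # the membership should be stripped, not just the account disabled.
            if is_privileged:
                flags.append("disabled_in_privileged_group")
        else:
            never_used = r["last_login"] is None
            if never_used or (as_of - r["last_login"]).days > stale_days:
                flags.append("stale")
            if not r["mfa_enrolled"]:
                flags.append("no_mfa")
                if is_privileged:
                    flags.append("privileged_without_mfa")
        if flags:
            findings[r["username"]] = flags
    return findings


def run_sample_audit(as_of=date(2021, 1, 10)):
    """Run the audit over the constructed export as of a fixed date (for a stable result)."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    for user, flags in sorted(run_sample_audit().items()):
        print(f"{user:16} {', '.join(flags)}")
```

Run on the sample, the audit flags the two stale accounts, the help-desk admin who has not enrolled in MFA, and the disabled service account that still sits in the admin group, while leaving the two healthy accounts alone. Sorting the output by the privileged findings first is the practical next step when there are hundreds of rows and only a few hours to work through them.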
Perhaps the most effective way to use limited resources in K-12 education is through user awareness and improved user training. After all, who better to educate people on how to deal with social engineering, phishing, and other basic user security concepts than professional educators? While teachers are already overworked, underpaid, and under-appreciated, they are also well positioned to become an effective part of the solution rather than part of the threat surface. They can also relay security awareness to their students, who may be social engineering and phishing targets themselves.
There is an old saying that knowing is half the battle, and in this case a lack of knowledge is a serious issue. Where adding technical solutions to the security stack can be beyond the resources of a stressed school district, improving user education and training is a reasonably cost-effective and rapid way to improve K-12 security.
About the Author
Saryu Nayyar is the CEO of Gurucul. She is an internationally recognized cybersecurity expert, author and speaker with more than 15 years of experience in the information security, identity and access management, IT risk and compliance, and security risk management sectors. She was named EY Entrepreneurial Winning Women in 2017. She has held leadership roles in security products and services strategy at Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun) and Disney, and held senior positions in the technology security and risk management practice of Ernst & Young. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection and dynamic risk scoring inventions.
Saryu can be reached on Twitter at @Gurucul and at https://gurucul.com/