The Rialto Unified School District and College of the Desert in California have seen their systems hit by malware attacks this month. Rialto Unified had to suspend its distance learning program and collect any devices that were infected. The district hopes have classes back online for pre-kindergarten through eighth grade as early as Monday, Aug. 31, but high school classes will remain offline while devices are examined and exchanged.
The San Bernardino City Unified School District faced a scary incident last October, as it was the target of a ransomware attack.
A number of other school districts, colleges and universities across the nation have been the targets of ransomware and malware attacks in recent months. The University of Utah and University of California, San Francisco even paid ransoms of $457,000 and $1.14 million, respectively, to get systems back online and have any stolen data recovered.
There is no data to indicate academic institutions are being targeted more since distance learning became a way of life during the coronavirus pandemic, but cybersecurity experts said they are not surprised to hear about attacks occurring.
“The fact is many of these systems can be very vulnerable,” said Jared Phipps, a vice president at SentinelOne, which specializes in endpoint security. “Distance learning forced institutions to open up their systems even more. There was this rush to start education at home and not enough time and attention paid to security.”
More digital devices (endpoints) are being used to execute distance learning, putting institutions at greater risk.
“Many of these devices would not exist if not for distance learning,” said Zhiyun Qian, an associate professor in UC Riverside’s computer science and engineering department. “Each one potentially is a way into a system.”
Tony Coulson, a professor and director of the cybersecurity center at Cal State San Bernardino, said institutions below the college level are the ones most vulnerable to a breach.
“It’s just a matter of economics in those cases,” Coulson said. “Launching a cyberattack is cheap, but it can take millions of dollars to prevent them or recover from them. There are multi-billion-dollar corporations that spend millions of dollars when it comes to cybersecurity, and some still get attacked. Many school districts just don’t have the resources, whether budgetary or personnel, to handle a sophisticated attack.”
Government agencies and high-profile businesses tend to be the most common targets of cybercriminals because attacks can be highly profitable. So what’s to gain by attacking an academic institution? Qian said colleges and universities can be a prime target for hackers because of research programs. Student records and financial transactions often are at risk during ransomware attacks, and some institutions might be willing to pay the ransom to recover that data rather than foot the bill from any lawsuits that happen down the road.
“The attacks can be disruptive,” Phipps said. “If you decide not to pay and did have any backup servers in place, it can take several months to rebuild a system and get everything back up and running. Now think about that happening with education, especially during this time of distance learning. An attack like that brings everything to a screeching halt.”
Many institutions have put more focus on cybersecurity in recent years. The Jurupa Valley Unified School District has been a one-to-one program for about six years, meaning every student has been equipped with an electronic device. The district’s information technology team has put several layers of protection in place to lower the risk of an attack, including filters, firewalls and two-factor authentication.
“One of the most important thing about cybersecurity is knowing attacks can happen,” superintendent Elliott Duchon said. “There is nothing you can do to be 100-percent protected. We’ve dealt with various incidents over the years and it’s a constant worry… At the same time, we try to put as much effort into trying to build the strongest system we can.”
How much has changed in the world of cybersecurity since Jurupa Valley Unified started that one-to-one program?
“Five or six years ago, when we were talking to our insurance company, we never even considered cybersecurity liability,” business manager Paula Ford said. “It’s become a standard part of liability insurance for schools because it’s more prevalent now.”
University of Redlands has been ramping up cybersecurity measures since distance learning started during the spring, chief technology officer Chris Kincaid said. Kincaid said his department was reorganized to allow more staff to focus solely on network security. The department also received grant funding to train additional interns who will assist with various tasks inside the department.
The Laguna Beach Unified School District also added more layers of protection to its system and digital devices before the school year started. The district conducted an extensive security review provided by the Orange County Department of Education. This included a real-time testing to expose any vulnerabilities, chief technology office Michael Morrison said.
What advice do cybersecurity experts have for institutions that are underfunded or understaffed in this department?
One important steps is basic user education, Coulson said.
“No matter what the company, organization or institution is, the biggest threat to security is the end user,” Coulson said. “If you can control the end point, you have a lot more control over your system. So the risk is higher when there are more devices in the hands of students who might not be able to spot a phishing email or something even more harmful.
“We need to educate people what to look for and report any suspicious activity. If you have to think twice about clicking on something, it’s probably a good idea not to. Taking a step back at that moment actually is a step forward for security.”
Coulson, Qian and Phipps all are in agreement that adding additional layers of security is important. These can include two-factor authentication when logging on or filters that restrict access to potentially-harmful websites. Having back-up systems in place, especially ones that are offline and have immutable files, can also help institutions recover quicker after an attack. And vigilance is important, too, which is why IT departments are extremely valuable.
“Cybersecurity is an insurance policy investment,” Qian said. “You don’t know when you are going to get paid back on that investment, but it can be a disaster if you don’t make that investment.”
©2020 the San Bernardino County Sun (San Bernardino, Calif.). Distributed by Tribune Content Agency, LLC.