The start of the school year — that is, right now — is an especially risky time, too, as staff are busy managing the flurry of enrollments, paperwork and other responsibilities. All these necessary distractions can make them less likely to recognize a phishing attempt or quickly detect a network intrusion, said Doug Levin, national director of the K12 Security Information eXchange (K12 SIX), a nonprofit that shares cyber threat intelligence and resources among K-12 organization members.
Risks abound year-round as well. Financial scammers use business email compromise (BEC) ploys to trick school faculty into sending them money, while identity fraudsters target their databases of faculty and student information. Student data is especially valuable for identity theft, because children are unlikely to detect the fraud in a timely manner, said Thomas Jones, chief information technology officer of Baltimore City Public Schools.
“[Student data] is probably the most valuable information on the planet. Because you have students who don’t check their credit score, they don’t know accounts have been opened, they don’t know all these things about themselves — so you can kind of run rampant for a month or two before any of it catches up with you,” Jones said.
Schools must manage risks from what can be tens of thousands of staff and children all visiting a lot of websites on the school network and on school devices at home, said Elvis Teah, executive director of IT infrastructure and security for Baltimore City Public Schools.
“A lot of the attacks we get have to do with our users being compromised versus us being hit directly … the major problem we have is users responding to phishing emails,” Teah said.
And, as for all organizations these days, ransomware remains a continual threat.
Distributed denial-of-service, Zoombombed remote lessons and website defacement also join the list of attacks seen over the past few years, Levin said.
Adding to the challenges is the fact that districts are often working on limited resources. Baltimore Public Schools enrolled nearly 78,000 students for the 2021-2022 school year, far more than many smaller counterparts. But even a larger district tends to have little money to spare on cybersecurity initiatives.
“We’re as broke as the next school district is,” Jones said.
THIRD-PARTY BOOST?
Districts can supplement their defensive power by using services from cloud providers with deeper cyber resources, Jones said. But this won’t absolve districts of all cybersecurity work.
Issues easily arise if districts fail to properly adjust settings and configurations to meet their needs, warned Ben Dumke, information systems manager for Wisconsin’s Hortonville Area School District. He recounted the story of a district that recently dropped Google services, partially due to a misconfiguration incident that shared files among every single user — including letting students access teachers’ files.
Vendors also must be thoroughly vetted for security and data practices.
Schools cannot trust third-party security promises without real evidence backing them up, Teah said. His district requires prospective vendors to show SOC 2 certifications or otherwise demonstrate that an independent party has audited their security controls and they’ve cleared a certain level before conversations go forward.
“If you just reach out to a vendor and say, ‘Hey, how secure are you?,’ people sell themselves — they’re going to tell you every good thing, because they want you to buy the solution,” Teah said. “But once you begin to request an independent certification with respect to the kind of security controls to have, then it becomes a serious business.”
Jones said the district is also concerned with risks presented by vendor partners and subcontractors — and with those parties’ own partners and subcontractors, including the possibility that one of these may try to sell lucrative student and teacher data. The district is therefore looking to carefully craft its vendor contracts, including addressing how vendors disclose who they work with and evaluate their own partners.
CONSTANT VIGILANCE & USER MANAGEMENT
Social engineering is hard to combat, but districts can help by raising user awareness about the problems and by normalizing the practice of staff confirming suspicious emails by calling the purported senders to verify, Dumke said.
And monitoring for unusual activity can help detect when something does go wrong, allowing the district to act early to contain the damage, said Jones. Other proactive steps can give early tip-offs, like cloud solutions that check if any users’ login details are for sale on the dark web, then automatically block the impacted accounts, Teah said.
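The automated response Teah describes, matching a breach feed against the district's accounts and disabling the ones whose current password is exposed, can be sketched in a few dozen lines. The following is an added example written for this article; it is not code from Baltimore City Public Schools or from any monitoring vendor. It assumes the check runs at a point where an account's SHA-1 password digest is available (for instance a password-change hook), that the vendor exposes a k-anonymity "range" lookup keyed on the first five hex characters of the digest, and that the feed also lists exposed email addresses. The domain `example-district.org`, the account names and the leaked plaintexts are all constructed for the example.

```python
"""Credential-exposure check with automatic account lockout.

Added example built on constructed data; not the district's or a vendor's code.
"""
import hashlib
from dataclasses import dataclass, field


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the digest form that breach range APIs commonly use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed breach feed. A real feed comes from the monitoring vendor; here it
# is built from made-up plaintexts so the example runs offline.
EXPOSED_EMAILS = {
    "teacher1@example-district.org",
    "student42@example-district.org",
    "oldstaff@example-district.org",
}
BREACH_DIGESTS = {sha1_hex(p) for p in ("Fall2021!", "password1", "Welcome#7", "hunter2")}

# k-anonymity index: 5-hex-char prefix -> set of 35-char suffixes. The client
# sends only the prefix, so the lookup service never sees the full digest.
RANGE_INDEX: dict = {}
for _digest in BREACH_DIGESTS:
    RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix: str) -> set:
    """Simulates the vendor's range endpoint (assumption): all suffixes for a prefix."""
    return RANGE_INDEX.get(prefix.upper(), set())


def password_digest_exposed(digest: str) -> bool:
    """True if the full digest appears in the feed, checked via prefix lookup only."""
    digest = digest.upper()
    return digest[5:] in range_lookup(digest[:5])


@dataclass
class Account:
    email: str
    password_sha1: str  # assumption: digest available at check time
    enabled: bool = True


@dataclass
class Directory:
    accounts: dict
    audit_log: list = field(default_factory=list)

    def disable(self, email: str, reason: str) -> None:
        self.accounts[email].enabled = False
        self.audit_log.append(f"DISABLED {email}: {reason}")


def assess(directory: Directory) -> dict:
    """Classify each account: the leaked password is still in use ('exposed-current'),
    the address was leaked but the password has since changed ('exposed-stale'),
    or nothing in the feed matches ('clear')."""
    statuses = {}
    for email, acct in directory.accounts.items():
        if password_digest_exposed(acct.password_sha1):
            statuses[email] = "exposed-current"
        elif email in EXPOSED_EMAILS:
            statuses[email] = "exposed-stale"
        else:
            statuses[email] = "clear"
    return statuses


def enforce(directory: Directory) -> list:
    """Disable every enabled account whose current password is in the feed.
    Stale exposures are left enabled (notify only). Returns the emails disabled."""
    disabled = []
    for email, status in assess(directory).items():
        if status == "exposed-current" and directory.accounts[email].enabled:
            directory.disable(email, "current password present in breach feed; reset required")
            disabled.append(email)
    return sorted(disabled)


def build_sample_directory() -> Directory:
    """Constructed district directory covering the three outcomes."""
    d = "example-district.org"
    return Directory(accounts={
        f"teacher1@{d}": Account(f"teacher1@{d}", sha1_hex("Fall2021!")),       # still using leaked password
        f"student42@{d}": Account(f"student42@{d}", sha1_hex("N3w-Str0ng-pass")),  # changed since the leak
        f"admin@{d}": Account(f"admin@{d}", sha1_hex("password1")),            # not in email list, weak shared password
        f"counselor@{d}": Account(f"counselor@{d}", sha1_hex("Unique&Long-2022")),
    })


if __name__ == "__main__":
    directory = build_sample_directory()
    print(assess(directory))
    print("disabled:", enforce(directory))
    print("\n".join(directory.audit_log))
```

The policy split matters in practice: an address that appears in a dump with an old password is a reason to warn the user, while a current password that appears in the feed is a reason to lock the account immediately and force a reset, and the audit log gives the help desk the context when the locked-out teacher calls.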
STAYING INFORMED
Subscribing to updates from organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Cybersecurity and Infrastructure Security Agency (CISA), joining K12 SIX and following cyber experts on Twitter can all help keep a district informed about threats, new patches and other intelligence, Dumke said.
He also has taken a hands-on approach to exploring how security configurations might work for his organization’s environment. This can be done relatively cheaply, he said: Roughly $1,000 can purchase a small PC suitable for running a virtual environment.
“[You can] use that to test out things in your environment, so you can learn how these things are going to work and what types of settings you can do,” Dumke said.
GitHub has resources for simulating and testing different scenarios, including MSLab offerings by Jaromir Kaspar, Dumke said.
“In basically running a PowerShell script, in about 2 minutes you can have an entire lab environment, server and clients set up and look at what Microsoft is recommending for security. And [you can] see how that works in your environment and see what the pros and cons would be, just to get up to speed and know what it is that you should be turning off and turning on,” he said.