The Education Sector and the Increasing Threat from Cybercrime
Last September, just when teachers, parents and children across the nation were looking forward to the beginning of the school year, parents in New York’s Orange County received an unwelcome announcement. The superintendent of Monroe-Woodbury school district had been forced to inform them that the school would remain closed as a result of a cyber attack that had disrupted the district’s computer systems.
Monroe-Woodbury is just one of the many schools and educational institutions in the United States and throughout the world whose operations have been disrupted by cyber criminals. Earlier, in the summer, Rockville and Mineola school districts were targeted with Ryuk ransomware. In all, over 500 attacks against US public schools have been reported in 2019 to date.
How Does Cybercrime Affect Education?
According to a recent report, the education sector was the most affected of all U.S. business sectors in 2018 and the first half of 2019. Threats range from nuisance adware to serious malware like trojans, backdoors and, of course, ransomware – a malicious file that encrypts system files and information on endpoints and servers. Schools hit by ransomware attacks are denied access to vital information until they pay a ransom in crypto currency (most often Bitcoin).
Apart from the direct financial damage caused by this kind of attack (one Long Island school paid about $100,000 to release its systems in August, and Rockville Centre School District paid $ 88,000 that month), the inability to access computer systems paralyses the academic institution. The cost of the damage only accelerates the longer the school is unable to send emails, record working hours or allocate classrooms and study resources, including school computers and Internet access necessary for many learning activities.
Schools that refuse to pay can be incapacitated for extended periods of time – like Walcott County, Connecticut, which suffered a ransomware attack three months ago and was locked out of its affected devices until early September, when the ransom payment was finally approved by the county board.
The now-infamous Emotet malware has also been striking schools, with attackers using spearphishing to infect systems with the malware trojan. As many services are now entirely computerized, this can even affect infrastructure like heating and cooling, cafeteria services and security systems. The K-12 Cyber Incidents map provides a graphic overview of just how widespread the problem is.
It’s not only schools that are being targeted either. Higher education institutions are also vulnerable to cyber attacks. A number of US universities and colleges have suffered from ransomware attacks, information leaks, and email hacking in the past year. Unlike schools, universities and academic institutes are also being targeted by more sophisticated attackers interested in stealing the intellectual property (IP) and research data produced there.
In one such sophisticated attack, hackers exploited a weakness in the ERP system used by many US universities, Ellucian Banner. Approximately 62 universities were attacked and the threat actors gained access to student registration systems, financial data and personal information. Fortunately in this case, the breach was quickly identified by the US Department of Education, which limited the impact of the incident.
The situation in other parts of the world is as bad. In Australia the head of the local intelligence agency was recruited to inform universities about cyber threats and ways of prevention. This was one of the initiatives put in place after an extremely sophisticated threat actor compromised ANU and persisted within the university’s network for months at a time.
In the UK in April of this year penetration testing conducted by JISC, the government agency that provides many computerized services to UK academic bodies, tested the defenses of over 50 British universities. The results were unflattering: the pen testers scored 100% success rate, gaining access to every single system they tested. Defense systems were bypassed in as little as an hour in some cases, with the ethical hackers easily able to gain access to information such as research data, financial systems as well as staff and student personal information.
Why Are Schools, Colleges Targeted by Cyber Criminals?
It is no coincidence that schools are among the most attacked. Schools manage substantial sums of money, store personal information for students and teachers and connect with a large number of external bodies and providers and, of course, parents, who primarily communicate with the school via email. This means that the school has a very large attack surface.
Coupled with enticing rewards is the fact that students make for easy victims of phishing scams. Students’ lack of experience combined with a tendency to use simple passwords across multiple services makes them prone to credential harvesting and password-spraying attacks. In one incident this past September, over 3000 Kent State student emails were hacked in this way. In addition, the awareness of parents, teachers and faculty regarding cyber risks is often much lower in education than in other sectors.
Also see: 7 Ways Hackers Steal Your Passwords
Further exacerbating the security situation is that educational establishments typically have a limited number of staff dedicated to security. Unlike banks, schools typically do not have dedicated information security personnel who are engaged in 24/7 protection.
How Can Schools Defend Against Cybercrime?
In the absence of the kind of dedicated resources typically found in other sectors such as SOC teams an in-house red teamers or penetration testers, the defense systems installed in educational organizations carry a greater burden and must deal effectively with threats. A solution that can autonomously detect and respond to attacks can help mitigate the lack of human resources so that only in the event of a particularly severe attack is the intervention of professionals required.
In the case of ransomware, the source of the attack is most likely to be contained in an infected file sent via email. In such cases, the EDR protection system must identify the file as soon as it tries to install itself on the endpoint, disable it and delete it from this and all other endpoints across the organization. This will prevent the attack at the infection phase and prevent the loss of services in the educational institution. Similarly, a solution that can rollback a device to a healthful state, including decrypting encrypted files, should be high on the institution’s security shopping list.
Perhaps Schools Are Also The Beginning of the Solution?
As we’ve seen, schools and academia are in the crosshairs of cyber criminals, and will continue to be so for the foreseeable future. But educational institutions can also offer some hope of future relief. Policy makers understand that cyber education should start at an early age, and that educating young people about cybersecurity could lead to them, one day, becoming cybersecurity professionals, so badly needed in the industry nowadays.
Northport High School, for example, are leading the way in offering classes in topics such as network concepts, security concepts, identifying threats and cryptography. The school also offers the after-hours CyberPatriot program, which aims to inspire K-12 students towards careers in cybersecurity.
Similar programs across the US and UK could eventually improve individual’s resilience and have an adverse effect on the explosion of cybercrime. It would also generate young adults who are proficient in cybersecurity and will naturally be inclined to join the industry upon graduation.
Educational authorities are also becoming increasingly awaren of the need for greater funding to train educational staff in areas such as email security, USB device safety and phishing awareness. In Massachusetts, for example, $250,000 has been earmarked to provide cybersecurity awareness training to over 42,000 school employees in 94 municipalities.
Conclusion
The importance of protecting our education system from cyber crime cannot be overstated. Not only do schools, colleges and universities provide vital services to our society and economy, they are rich treasure troves of sensitive data. From personal information like birth records, educational history, social security numbers and financial data to intellectual property and cutting-edge research, the data held by these organizations is among the most useful to cyber criminals and advanced threat actors. And yet, these storehouses of precious data are perhaps among the least well-defended and under-funded in terms of cybersecurity. As a result, it’s imperative that administrators and policy makers address these shortcomings as a matter of urgency.
If you’d like to see how SentinelOne can help secure your institution with an easy-to-use, automated security solution, contact us or request a free demo.
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.
Read more about Cyber Security
- YARA Hunting for Code Reuse: DoppelPaymer Ransomware & Dridex Families
- Privilege Escalation | macOS Malware & The Path to Root Part 2
- The Quest for Visibility & Hunting Comes with an Unseen Opportunity Cost
- What is Mimikatz? (And Why Is It So Dangerous?)
- Meet the Client Workshop | What Can We Learn From A Security Executive?
- Ransomware Attacks: To Pay or Not To Pay? Let’s Discuss
- The Good, The Bad and The Ugly in Cybersecurity
Leave a Reply
Want to join the discussion?Feel free to contribute!