Protecting Your School from Cyber Threats Facing Distance Learning
By Mark Orchison - September 29, 2020
Most schools have tried their hand at variations of distance learning, from delivering lessons via virtual learning environments (VLEs) to presenting school assemblies via video conferencing platforms such as Zoom. Data privacy and safeguarding issues relating to the use of technology have been well documented, revealing the plethora of risks. In this blog 9ine’s Founder and Managing Director, Mark Orchison, explores the most common cyber threats facing schools in the new academic year.
Cyber actors and criminals seek a gain from their cyber activities. This could be as simple as an ego-driven desire to demonstrate to themselves how good their cyber skills are, through to the online ‘street cred’ gained through larger attacks, all the way through to achieving financial gain. Where there is a potential financial gain, the motivation to find entrepreneurial ways to steal funds by committing cyber crimes is always present.
The FBI and Interpol have both reported an increase in digital crime; the FBI reported crime increased by 75% since the beginning of the pandemic. Jurgen Stock, of Interpol, reports “Cyber-criminals are developing and boosting attacks at an alarming pace… exploiting fear and uncertainty caused by the unstable social and economic situation created by covid-19.” What is certain though is a heightened need to understand the means and tactics deployed by cyber criminals.
In readiness for the 2020/21 academic year, most schools are preparing to provide a hybrid of on site/campus and distance learning. Many of 9ine’s client schools are preparing to have teachers in class, with cameras used to provide access to the lessons for those students unable to attend. This method allows schools to continue to operate and provide education services. It also means that fee-paying schools can demonstrate that access to online education services is comparable to that on-site and can therefore justify charging standard tuition fees, or as close to them as possible, in order to maintain income streams.
In the current circumstances any disruption in the ability to operate may give rise to fee discounts or the loss of current and/or prospective families - not only in this academic year, but in the future when prospective families are likely to be more attracted to schools that can demonstrate an effective distance learning plan.
“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.” - Interpol, 4th August 2020
In the economics of international and independent education, students have a value. The higher the enrolment number you have, the more resources you will have available to you. Cyber criminals know this. They understand the commercial relationship between a school and the families that enrol. Many schools have suffered the consequences of fee fraud, where parents are directed to pay for discounted tuition fees upfront, where the cyber criminal has access to the fee payer's bank details and is using the school as a Trojan horse through which to pay tuition twice, then attempting to claim a refund from the school by taking on the identity of the fee-paying parent.
“Education leaders need to ask themselves this question. How long would it take a criminal hacker to compromise and take control of my computer systems or data? It takes 9ine’s ethical hackers less than 4 man-hours of effort to significantly compromise a school IT system. Schools are seen as easy targets by criminals - they need to audit their security defences and have confidence they are less likely to be a victim”
Having students and staff in a physical building limits the opportunity for other types of attacks. Having students and staff on a school network, using a school internet connection, often on a school-managed device, means there are inherent protections: the network firewall, network monitoring, email scanning, virus protection, the forced push of security updates to devices and other management controls. However, in the new world of hybrid in-classroom/distance learning models many of these protections are removed. Add to this the financial and reputational need for schools to maintain the distance learning operating model and you start baking a very tasty cake of which cyber criminals want a slice!
We forecast a significant increase in cyber disruption to fee-paying schools over the course of the 2020/21 academic year. Cyber attackers have the financial motivation to cause disruption and fee-paying schools have the financial motivation to pay off the attacker to rid themselves of the disruption; two willing parties happy to do business together! Furthermore, if you’re not willing to pay, many organised cyber criminals have invested in PR infrastructure to publicise their activity with a view to placing maximum pressure on the organisations whose systems and data they have compromised.
In a distance learning environment there are a range of risks that need to be identified and managed. If you are under a privacy regulation such as the GDPR you are legally required to identify these risks and put in place mitigating actions to reduce the risk of occurrence. This is because a cyber attack is, in many cases, a data protection breach.
The following scenario is one which we have often seen targeted at administrative or academic staff. Many schools have reduced the likelihood of this type of attack by providing cyber training to all staff. Whilst the target in the example is a student, a similar attack is still also likely for members of staff.
Attacker Objective: To identify weaknesses in school network security and pounce from the student device onto an organisationally owned device within the school network. To escalate privileges to gain access to personal data or critical systems. To demand a ransom for the return of personal data or for regained access to critical systems which have been locked or encrypted.
To use the school’s website to gain information about its approach to distance learning.
To then call the school pretending to be a prospective family member to identify which year groups are distance learning or whether there are particular student types.
Using social engineering (searching for students associated with a particular school on the internet) to identify a student or group of students.
Create a social media profile pretending to be another student in the school.
Contact the target student with the fake profile.
Gain trust and identify if they are distance learning.
If they aren’t distance learning, manipulate the conversation to trick them into telling you which students are so that they can be targeted.
Through the trusted (albeit false) relationship, the attacker sends the target an attachment that will allow their device to be compromised with malware.
Having malware on the target machine allows the attacker to do a number of things:
1. Wait until the target student takes their device to the school and joins the school network so that they can search the network for vulnerabilities, or identify other devices connected to the network which can be compromised and lead to higher levels of access.
2. Identify friends or teachers of the student who are in school and, using the victim’s device, send malware in an attachment via email or chat such as MS Teams or Google Meet. Gain access through tactics in point 1.
In the instance of this scenario, the success of the tactics is dependent on the security controls of the school. The following would limit the risk of the attacker being successful:
1. The school network is configured to ensure that only students can connect to a student wireless service set identifier (SSID). Each SSID is segregated and the network is segmented via virtual local area networks (VLANs).
2. The school has a list of all network assets, and the IT team can validate that every active component is protected with a password and that each password is differentiated and complex.
3. Every network device and all computers have regular and documented security patches applied.
4. Administrator access for staff devices is disabled and staff are not allowed to install their own locally run applications.
To mitigate this scenario ask your school's IT team to explain the degree to which steps 1 through to 4 are in place. Wargaming these types of scenarios at a leadership level will support your school in protecting itself from attack. 9ine’s Cyber Training Card Game Go Phish has been designed to support schools in managing their cyber risk.
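One way an IT team could answer that question with evidence is to check an asset inventory against the four controls listed above. The sketch below is an added example, not 9ine's tooling: every field name, the sample records and the 30-day patch threshold are assumptions, and password complexity is not checked because the inventory holds only a reference to a vault entry, never the password itself.

```python
from collections import Counter
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumption: the article only says "regular"

# Constructed sample inventory; all field names and values are hypothetical.
SSIDS = [
    {"ssid": "School-Student", "audience": "students", "vlan": 20, "allowed": ["students", "guests"]},
    {"ssid": "School-Staff", "audience": "staff", "vlan": 30, "allowed": ["staff"]},
    {"ssid": "School-Guest", "audience": "guests", "vlan": 20, "allowed": ["guests"]},
]
ASSETS = [
    {"name": "core-sw-01", "kind": "switch", "credential_id": "vault-001",
     "last_patched": date(2020, 9, 20), "local_admin": False},
    {"name": "ap-lib-02", "kind": "access_point", "credential_id": "vault-001",
     "last_patched": date(2020, 6, 1), "local_admin": False},
    {"name": "printer-03", "kind": "printer", "credential_id": None,
     "last_patched": date(2020, 9, 1), "local_admin": False},
    {"name": "staff-lt-17", "kind": "staff_laptop", "credential_id": "vault-044",
     "last_patched": date(2020, 9, 25), "local_admin": True},
]

def audit(ssids, assets, today):
    """Return sorted (control_number, item, finding) tuples for controls 1-4."""
    findings = []
    # Control 1: each SSID on its own VLAN; student SSID admits students only.
    vlan_use = Counter(s["vlan"] for s in ssids)
    for s in ssids:
        if vlan_use[s["vlan"]] > 1:
            findings.append((1, s["ssid"], f"shares VLAN {s['vlan']}"))
        if s["audience"] == "students" and set(s["allowed"]) != {"students"}:
            findings.append((1, s["ssid"], "non-students allowed"))
    # Control 2: every asset has a password on record and none is reused.
    cred_use = Counter(a["credential_id"] for a in assets if a["credential_id"])
    for a in assets:
        if a["credential_id"] is None:
            findings.append((2, a["name"], "no password on record"))
        elif cred_use[a["credential_id"]] > 1:
            findings.append((2, a["name"], "password shared with another asset"))
        age = (today - a["last_patched"]).days  # Control 3: patch recency
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((3, a["name"], f"last patched {age} days ago"))
        if a["kind"] == "staff_laptop" and a["local_admin"]:  # Control 4
            findings.append((4, a["name"], "user has local administrator rights"))
    return sorted(findings)

if __name__ == "__main__":
    for control, item, finding in audit(SSIDS, ASSETS, date(2020, 9, 29)):
        print(f"control {control}: {item}: {finding}")
```

An empty result means the inventory shows no gaps against the four controls; it does not prove the live network matches the inventory.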
Many schools using 9ine’s GRC technology undertake regular Security & Systems Cyber Testing. This includes comprehensive analysis of risk, vulnerability and penetration testing. Once complete, Task Management enables the IT team to structure, plan and action the tasks required to mitigate cyber risk. Not only is this good governance, but it also provides those responsible for Strategy & Accountability with evidence that security measures are taking place. Contact firstname.lastname@example.org to arrange cyber training using Go-Phish with your staff or to learn more about our Security & Systems services.
ABOUT THE AUTHOR:
Mark Orchison is Founder and Managing Director of 9ine. He is an experienced management consultant with expertise in data protection, cyber security, technology, project and programme management in education. Mark began his career with Sun Microsystems before moving into management consultancy, where he was the technical consultancy lead for overseeing technology systems for new build schools. Since 2009, Mark has led 9ine in becoming the leading independent K-12 technology and compliance consultancy in the UK. Mark now leads a team of twenty multi-disciplinary and specialist consultants in-house, with a client base expanding across Africa, Middle-East, Russia, India, Asia and the Americas.