In September 2020, security researchers discovered a document with names, social security numbers, addresses and grades in an underground forum. Closer inspection led researchers to believe that the sensitive data belonged to students and teachers, and had been swiped by cybercriminals in an August 2020 ransomware attack on the Clark County School District.
The fallout from the cyberattack on the largest school district in Nevada - and fifth largest in the U.S. - is part of a wave of phishing and ransomware attacks against the education sector that has intensified over the past year. With the sensitivity of children’s personal data added into the mix, government officials are taking note: President Joe Biden last week signed into law the K–12 Cybersecurity Act of 2021 in an effort to scope out resources needed to bolster the cybersecurity of school districts.
But security experts warn that implementing even basic cybersecurity controls will be tough for school districts that are handcuffed by budgetary setbacks and IT teams that are spread too thin.
“Folks in the education sector never considered that they’d be a target,” said Doug Levin, national director for the K12 Security Information Exchange. “There aren’t minimum security requirements for school districts, it’s an unregulated sector. Unfortunately this is an issue that will continue to plague us until the sector sees cybersecurity risks in a more realistic light. They need to have a plan and mitigations in place.”
Schools: A ‘Soft Target’
School districts are sitting on a treasure trove of digitally managed data for both students and school staff - including sensitive medical information, records about law enforcement interactions, addresses or even social security numbers.
Cybercriminals like the ones behind the Clark County School District cyberattack are taking note. Last year, government officials warned in a joint cybersecurity advisory that 57 percent of reported ransomware incidents involved K-12 schools in August and September 2020 - a sharp increase from 28 percent of all reported ransomware attacks from January through July 2020.
With underage students' data in the mix, the impact of these attacks hits especially hard. After a recent ransomware attack against the Allen Independent School District in Texas, for instance, cybercriminals reportedly reached out directly to parents and threatened to publish their children's personal data online if the school district failed to pay a ransom. In 2020, a data breach at a public school in Toledo, Ohio, led to one elementary school parent reportedly discovering that his son was a victim of fraud, after he received messages that the son had been denied a car loan and a credit card.
“These records are valuable to identity thieves and other criminals because they are complete profiles of an individual, and the individual in question probably has no credit history,” according to a Barracuda report. “Student identities are a blank slate when it comes to financial scams.”
Cybercriminals Cashing In
Levin said that he previously observed school districts being “incidental targets” of cyberattacks - however, more evidence in recent years is pointing to threat actors researching and targeting specific school districts with specially crafted spear-phishing emails, business email compromise (BEC) schemes and ransomware attacks.
Overall, the U.S. education sector has a market size of nearly $806 billion, with some local schools making up half of their local government tax base. A school district of a decent size may have a ten- or hundred-million-dollar budget or more annually, he said.
For cybercriminals, that’s a lucrative target. In August, the Judson Independent School District in Texas, for instance, acknowledged that it had paid ransomware attackers a ransom of nearly $550,000.
“What criminals are after is money, and while you may not think of school districts as wealthy, they actually manage quite large budgets,” said Levin.
School Security Challenges
The COVID-19 pandemic brought classrooms to a virtual format, but in-person schools had already become incredibly reliant on technology over the years - from the bus routing software that’s used for transportation, all the way to point-of-sale systems used in cafeterias.
“Forced acceleration of the digital transformation has left security struggling to keep up,” said Zach Jones, senior director of detection research at NTT Application Security. “More day-to-day ‘serious’ activities online mean more opportunities for attackers.”
Jones, who tracks top application vulnerabilities in the education space, said that the biggest technical security errors aren’t much different from other sectors. In particular, applications used by schools have been susceptible to issues like insufficient authentication, URL redirect abuse and brute force attacks, he said.
Beyond these technical errors, the top security challenges facing school districts stem from a lack of expertise around basic cybersecurity hygiene, said Jones, such as limiting internet-exposed services like Remote Desktop Protocol (RDP), implementing multi-factor authentication (MFA), and managing and protecting sensitive data. Another challenge is a lack of funding that schools can dedicate to security priorities like patch management, he said.
“Even when outsourcing internet-facing capabilities to professional developers, there is little ability to independently conduct robust security assessments of the software they deliver, meaning administrators and boards making these contracts and internal IT administrators managing the software and infrastructure are simply trusting that security is included in the deal,” he said. “That’s an especially difficult position to be in.”
What’s Ahead for Education Security
Public school districts can take various steps to improve their security posture, including sanitizing network traffic to and from the internet, safeguarding end-user devices and maintaining regular patching schedules.
Looking ahead, Levin said he is encouraged by the recently passed K-12 Cybersecurity Act. This new law directs the Cybersecurity and Infrastructure Security Agency (CISA) to work with teachers, school administrators and private sector firms to develop recommendations and an online toolkit that can help schools improve their security - from securing student data to security challenges with remote learning.
“My hope with this study is that it goes deeper not just into the types of threats and issues that school districts are facing, but also why it is that school districts are having challenges in responding,” said Levin.