Teaching the education sector about the risk of security vulnerabilities
Despite not being a capital-rich sector, education has become a popular target of callous criminals. Gangs are increasingly intent on attacking systems to interrupt the vital delivery of learning, along with trying to extort payments from the education sector and steal personal and financial data.
Continued budgetary constraints facing the education sector means that schools, colleges and universities alike lack recent security measures such as anti-data exfiltration and are operating on outdated, unsecured technologies that can be easily infiltrated.
Moreover, educators store a considerable amount of personal and financial information for staff and students, which can be leveraged for identity theft, extortion or sold to other criminal gangs on the dark web for profit. This makes the education sector an attractive target for disruptive attacks.
Cyberattacks in this sector mainly impact teachers and students – but they have the least control in stopping them. Cyberattacks occur due to security weaknesses in the products and systems supplied by EdTech providers.
How are EdTech providers responsible for attacks on educators?
Modern education relies heavily on various different software platforms and tools; hence attackers have many opportunities to orchestrate their strikes. Many attacks are facilitated by EdTech developers not taking sufficient care to secure the products and systems they are supplying.
For example, late last year, Rapid7 cloud security researchers found vulnerabilities involving cached credentials in education technology provider Cengage. The platform is predominantly used in the USA in primary and higher education environments, offering digital products, including homework tools, e-Textbooks, and online learning platforms (such as WebAssign).
Rapid7 discovered vulnerabilities that allow a malicious actor to read and alter a student’s personal information by accessing the target’s browser session or the network proxy logs. While not yet confirmed, the same vulnerability could be exploited to hijack the administrator’s or instructor’s sessions.
Another vulnerability of the signature verification allows an authenticated attacker to assume other users’ sessions. This could include students, administrators as well as instructors.
When software vulnerabilities enable cybercriminals to access core systems or personal accounts, even a small oversight by EdTech developers can lead to high prices for staff and students.
Impact of an attack on the education sector
Cyberattacks in education can have wide ranging impacts on staff and students. Ransomware attacks are particularly prevalent, with attackers locking down systems and halting the delivery of services and learning for students. Hackers suspend access to systems which would otherwise aid lecturers in delivering slides, help students access supporting resources and submit assignments, which only exist in digital format on a school’s network. Some attacks have resulted in widespread internet failure.
In an example of the worst-case scenario, Illinois’ Lincoln College was forced to shut down in May 2022 due to a ransomware attack. The college struggled financially after the COVID-19 pandemic, but the malware attack was the final straw. The attack on the college that took place in December 2021 disintegrated admission activities and obstructed institutional data that blurred the enrolment projections for the Autumn term of 2022. Moreover, the systems required for retention, recruitment and fundraising efforts were out of service. There was no way for the college to build back up, following this attack.
We have seen cyberattacks disrupting schools in the UK as well. The attack on the University of Portsmouth shut down its IT systems and forced the authorities to close the campus partially. This delayed the start of the new term and added an extra challenge for the students already tackling the obstacles put forth by the pandemic. Additionally, attacks on primary schools have an even more significant impact on the parents of the students, with working parents scrambling to find childcare. An attack on the education sector might have implications for the parents’ industries as well. It underlines the far-reaching effects of ransomware and highlights the need for EdTech developers to secure their products.
Securing the education sector from attacks
EdTech developers bear a high level of responsibility in helping the sector. The technology supplied to schools, colleges, universities, and other educational institutes must be updated frequently, and the patches to vulnerabilities need to be deployed swiftly.
Alongside this, better processes must be established to report vulnerabilities and release patches promptly. There must be strong communication between tech developers and educational institutes about the availability of these patches.
Education administrators must ask technology vendors about dealing with vulnerabilities and reporting them when these vulnerabilities are found. They should ask about the patch cycles and the procedure to secure software development. Additionally, if an enterprise has published a Vulnerability Disclosure Program (VDP), it is a good sign that the EdTech company has a more modern and robust product security program.
Securing educational institutes poses a unique set of challenges, with their tight budgets and the need to balance security concepts like firewalls with academic freedom. Students themselves can pose a threat in many cases as they patiently test out budding hacking skills on their own networks.
EdTech providers and education providers must work together to understand secure network design and the importance of transparent vulnerability reporting processes.
The best security practices educators should be following
Education institutions are also responsible for improving their security by following best practices, such as network segregation. This divides a company’s network into microsegments, while each segment is isolated. Users must constantly validate their identities and access privileges to access each area. In the event of a breach, the adversaries will be restricted to a single segment, thereby reducing the attack’s impact.
It is also essential to remind education providers about good cyber hygiene practices. Basic cyber security knowledge, and appropriate information about shared computer use and password length, can positively impact educational establishments. To protect educational institutes from devastating attacks, they must be reminded of complex passwords and the importance of locked shared workstations. This can safeguard a network from attacks and help an institute prevent attacks in the long run.
As cyberattacks on educational institutes become more frequent, it is essential for EdTech providers and education providers to work together and take immediate steps to prevent an attack. An organisation can stay ahead of cybercriminals by continuously addressing the basics and carrying out good cyber hygiene practices. With outdated tech and poor security practices, an institute is at risk of an attack that might have profound financial implications and even cause it to shut down.
By Tod Beardsley, Director of Research at Rapid7
Responses