Threat Spotlight: Cyberattacks against schools
A new school year is underway, and cyberattacks against schools are increasing dramatically. This year has already seen almost as many incidents as the previous two years combined, according to Barracuda analysis of data compiled by the K-12 Cybersecurity Resource Center (K-12 CRC), which has been tracking reported attacks against U.S. schools since 2016. There have been 301 attacks against schools so far in 2019, compared to 124 in 2018 and 218 in 2017.
This only accounts for the reported cases, however, and it's highly likely that additional cases exist that went either unreported or even undetected, especially as stealthier malware that seeks to steal information, participate in botnets, or mine cryptocurrency is on the rise.
The National Cyber Security Centre (NCSC) recently published a report compiling cybersecurity-related findings from 430 schools across the UK. It found that 83% had experienced at least one cybersecurity incident, even though 98% of the schools had antivirus solutions and 99% had some sort of firewall protection.
Using a single source of open threat intelligence data and a list of all known websites belonging to U.S. and UK schools, Barracuda researchers found 234 unique malware samples that attempted to connect to U.S. or UK school domain names. We also found 123 IPs associated with the same set of schools that had negative reputation, which could point to additional malicious activity, in addition to disrupting activity at the school due to emails and web pages being blocked.
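The cross-referencing described above (malware samples whose contacted hostnames fall under a school's domain, plus school-owned IPs with a negative reputation) can be reproduced on a small scale with a script like the following. This is an added example, not Barracuda's tooling or the K-12 CRC data: the threat feed, school domain list, IP reputation entries and sample hashes are all constructed placeholders. The one detail worth getting right is the domain match, which must respect label boundaries so that a look-alike such as `notexample-isd.k12.example.us` is not counted as a subdomain of `example-isd.k12.example.us`.

```python
"""Cross-reference a threat-intelligence feed against a list of school domains.

Added example, not part of the original post; every record below is constructed.
"""
from collections import defaultdict

# Constructed school domains (placeholders, not real institutions).
SCHOOL_DOMAINS = [
    "example-isd.k12.example.us",
    "examplehigh.sch.example.uk",
]

# Constructed feed: one record per malware sample, listing the hostnames and
# IPs it contacted during sandbox analysis. Hashes are placeholders.
THREAT_FEED = [
    {"sha256": "PLACEHOLDER_HASH_1",
     "contacted": ["mail.example-isd.k12.example.us", "203.0.113.10"]},
    {"sha256": "PLACEHOLDER_HASH_2",
     "contacted": ["cdn.example-unrelated.test"]},
    {"sha256": "PLACEHOLDER_HASH_3",
     "contacted": ["examplehigh.sch.example.uk", "example-isd.k12.example.us"]},
    {"sha256": "PLACEHOLDER_HASH_4",
     "contacted": ["notexample-isd.k12.example.us"]},  # look-alike, must not match
]

# Constructed IP reputation verdicts and the school each IP is assigned to.
IP_REPUTATION = {"203.0.113.10": "negative", "198.51.100.7": "clean"}
SCHOOL_IPS = {"203.0.113.10": "example-isd.k12.example.us",
              "198.51.100.7": "examplehigh.sch.example.uk"}


def belongs_to(host, school_domain):
    """True if host is school_domain itself or a subdomain of it.

    The leading dot in the suffix test enforces a label boundary, so
    'notexample-isd...' does not match 'example-isd...'.
    """
    host = host.lower().rstrip(".")
    school_domain = school_domain.lower().rstrip(".")
    return host == school_domain or host.endswith("." + school_domain)


def samples_contacting_schools(feed, school_domains):
    """Map each school domain to the set of sample hashes that contacted it."""
    hits = defaultdict(set)
    for record in feed:
        for host in record["contacted"]:
            for school in school_domains:
                if belongs_to(host, school):
                    hits[school].add(record["sha256"])
    return dict(hits)


def negative_reputation_school_ips(reputation, school_ips):
    """School-owned IPs carrying a negative verdict in the reputation list."""
    return sorted(ip for ip, verdict in reputation.items()
                  if verdict == "negative" and ip in school_ips)


def summarize(feed, school_domains, reputation, school_ips):
    """Unique samples touching any school, per-school hashes, and bad IPs."""
    hits = samples_contacting_schools(feed, school_domains)
    unique_samples = set().union(*hits.values()) if hits else set()
    return {
        "unique_samples": len(unique_samples),
        "per_school": {k: sorted(v) for k, v in hits.items()},
        "negative_ips": negative_reputation_school_ips(reputation, school_ips),
    }


if __name__ == "__main__":
    print(summarize(THREAT_FEED, SCHOOL_DOMAINS, IP_REPUTATION, SCHOOL_IPS))
```

On the constructed feed this reports two unique samples (the fourth record is a look-alike domain and is correctly excluded) and one school IP with a negative reputation. In practice the same matching runs over a real feed's contacted-host field and a district's own inventory of domains and address ranges.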
Cyberattacks against schools
The most common threats targeting schools are data breaches (31%), malware (23%), phishing (13%), network or school infrastructure hacks (10%), and denial-of-service attacks (4%), based on our analysis of the 708 incidents reported to the K-12 Cybersecurity Resource Center since 2016. The remainder of the incidents were made up of accidental disclosure of data (16%) and other incidents (3%).
Many school districts only have one or two IT personnel to service the district, let alone any dedicated cybersecurity staff. Plus, the steady increase in school-issued devices in recent years drastically expands the attack surface along with the number of systems that need to be secured.
This makes schools largely a target of opportunity as well as subject to the massive campaigns spreading scams and malware indiscriminately. Lowered security postures due to budget constraints, combined with a large user base of minors who don’t yet have the critical-thinking skills to properly assess potential attacks, unfortunately make both types of attacks more effective.
Phishing, which attempts to steal information, scam people for money, and distribute a variety of malware, represented 13% of the incidents reported to the K-12 Cybersecurity Resource Center. But its real prevalence is significantly higher, because phishing is unlikely to be reported in a school setting unless an incident occurs as a result or the campaign is large enough to warrant attention.
This hypothesis is bolstered by the National Cyber Security Centre report, with 69% of the UK schools reporting that they had seen phishing attempts, and 20% reporting that they had received phishing emails impersonating school emails.
In the U.S., 5% of the phishing incidents reported to the K-12 Cybersecurity Resource Center were W-2 phishing scams. A large portion of that (4%) were part of a W-2 phishing campaign in 2017, but incidents were reported in all four years, showing that this is a repeated attack targeting schools during tax season. Phishing in which money was scammed from the school or district also made up 4% of the total attacks, costing individuals or districts thousands of dollars per incident.
Most of the malware incidents reported to the K-12 Cybersecurity Resource Center related to infections rather than attempts, so there were undoubtedly many attempts that were not reported or were caught by security software. Of the incidents reported to the K-12 CRC, 17% specifically related to ransomware, while 6% were other types of malware. In comparison, the NCSC report showed that 30% of UK schools had been successfully infected by malware.
The incidents where malware successfully infected school computers in both countries, at the very least, resulted in downtime while the infection was contained. However, malware seeking to stay invisible could potentially go undetected and not be caught or reported. The increase in school-provided devices could potentially bring infections into the network that were obtained while the device was connected to other networks with fewer security measures than the schools.
Users inadvertently infecting the school network with malware or leaking data qualify as an unwitting insider threat, and this is certainly a risk to school networks. However, malicious insider threats—where a user willfully compromises the network—are also an increased risk to schools. As tools and information related to hacking become more easily available, the risk of students attacking the school network is also increasing, whether they’re attempting to change grades, gain the respect of their peers, or simply to bypass a security measure that annoys them.
The NCSC report shows that 21% of schools had detected unauthorized use of computers, networks, or servers by students. In comparison, 6% of incidents from the K-12 CRC dataset were known to have been carried out by students, but this only represents incidents where the student was caught and the incident was reported, as many reported incidents had not identified a perpetrator.
Attacks on the network from the outside are also a risk to school infrastructure. Massive scans for vulnerabilities are a constant occurrence, and with most schools having a smaller security budget than they need, it's likely vulnerabilities will eventually be discovered and exploited. Whether looking at the network itself or school and district websites, it's doubtful that comprehensive perimeter protection is widespread among schools. This could potentially lead to data breaches and/or malware being hosted from the school website.
From the K-12 CRC data set, 4% of incidents were denial-of-service attacks against the network, 31% were data breaches, and 11% were hacks against the network or other school infrastructure, such as email, websites, or social media accounts. In comparison, the NCSC reported that 4% of UK schools suffered unauthorized external access, 11% had attacks against the school website and/or online services, and 3% had leaked confidential information.
How schools can protect against the threat
The only way for schools to truly protect against cyberattacks is a complete security portfolio including perimeter security, internal network security, incident response capabilities, and a knowledgeable security staff to configure these solutions and handle incidents.
1. Perimeter security
Perimeter security generally consists of network firewalls, web filters, email protection, and application firewalls. While affordable and easy-to-configure solutions are available, obtaining the budget for a full security portfolio can prove difficult for many school districts, and without all areas covered, attack vectors will undoubtedly still exist.
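The email-protection piece of the perimeter is where the phishing impersonating school emails that the NCSC survey describes (20% of UK schools) gets caught. The following added example, which is not part of the original post and not a Barracuda product, shows the two checks a mail filter would apply before a message claiming to be from the district reaches a staff inbox: a message using the district's exact domain is trusted only if DMARC passed, and a sender domain that is a near-miss of the district's (homoglyph substitutions, one-character edits, or the district's name buried under another domain) is flagged. The school domain, display name and messages are constructed placeholders.

```python
"""Flag inbound mail that impersonates a school's own domain.

Added example, not from the original post; the school domain, display name
and messages are constructed placeholders.
"""

SCHOOL_DOMAIN = "example-isd.k12.example.us"   # placeholder district domain
SCHOOL_NAME = "Example ISD"                     # placeholder district name

# Characters commonly swapped in look-alike domains, folded to their target.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, school_domain=SCHOOL_DOMAIN):
    """True if domain is not the school's (or a subdomain of it) but is within
    one edit of it after homoglyph folding, or embeds the school's first label
    under some other domain (e.g. example-isd-payroll.test)."""
    d, s = domain.lower(), school_domain.lower()
    if d == s or d.endswith("." + s):
        return False
    if edit_distance(normalize(d), normalize(s)) <= 1:
        return True
    first_label = s.split(".")[0]
    return first_label in normalize(d)


def assess(msg):
    """Return the reasons a message looks like impersonation of the school.

    msg is a dict with 'display_name', 'from_addr' and 'dmarc' (the result the
    receiving gateway recorded in Authentication-Results). Empty list = clean.
    """
    reasons = []
    from_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if from_domain == SCHOOL_DOMAIN.lower():
        # The district's exact domain arriving from outside is only trustworthy
        # if the sending server passed DMARC for that domain.
        if msg["dmarc"] != "pass":
            reasons.append("school domain in From but DMARC did not pass")
    elif is_lookalike(from_domain):
        reasons.append(f"look-alike sender domain {from_domain}")
    if SCHOOL_NAME.lower() in msg["display_name"].lower() and from_domain != SCHOOL_DOMAIN.lower():
        reasons.append("display name claims the school but address is external")
    return reasons


# Constructed messages for a stand-alone run.
MESSAGES = [
    {"display_name": "Example ISD Payroll", "from_addr": "payroll@examp1e-isd.k12.example.us", "dmarc": "none"},
    {"display_name": "Example ISD HR", "from_addr": "hr@example-isd.k12.example.us", "dmarc": "pass"},
    {"display_name": "Example ISD HR", "from_addr": "hr@example-isd.k12.example.us", "dmarc": "fail"},
    {"display_name": "Vendor Support", "from_addr": "help@other-isd.k12.example.us", "dmarc": "pass"},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from_addr"], "->", assess(m) or "clean")
```

The DMARC condition is what keeps the exact-domain check honest: without a published DMARC policy for the district's domain, the "From" header alone proves nothing, which is why publishing SPF, DKIM and DMARC records for the school's own domain belongs alongside the inbound filter.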
2. Internal network security
While internal security such as intrusion detection, data backup, and anti-malware solutions are important for catching any breaches in perimeter security, the additional risk of insider threats that schools face makes these measures even more critical. While Windows Defender offers decent anti-malware protection these days, upgrading existing machines to Windows 10 to take advantage of this feature can be costly and is often overlooked by many organizations. Regardless of the software being used, though, keeping up with security patches is critical, because patching closes the vulnerabilities that attackers can exploit.
3. Incident response capabilities
In the event of an incident, intrusion detection and incident response solutions both assist in discovering incidents and helping security staff isolate and remediate them. Data backup as part of internal network security can also assist during an incident if data is corrupted, encrypted, or deleted.
4. Knowledgeable staff
Maintaining a capable IT security staff is challenging for many school districts because IT staffing needs often compete with other much-needed positions, such as additional teachers to keep up with enrollment rates. Without this staff, though, it can be difficult to patch systems and respond to potential incidents, or even to properly configure security solutions to maximize their benefit.