Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/2/2020
02:00 PM
Jeff Wilbur
Jeff Wilbur
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Don't Forget Cybersecurity on Your Back-to-School List

School systems don't seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back to school season: Cybersecurity.

Before examining cybersecurity needs in school systems, it's important to understand what's at stake. On the surface, school systems don't appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents' financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

Related Content:

COVID-19: Latest Security News & Commentary

Higher Education CISOs Share COVID-19 Response Stories

In recent years, schools have also seen an increase in debilitating ransomware attacks, even prompting an FBI alert this summer highlighting increased abuse of the Remote Desktop Protocol (RDP) to plant ransomware on school systems.

The security challenges are amplified by the move to more online learning and administration, specifically:

  • Systems that were designed to be accessed on internal networks now need remote access.
  • A wide variety of devices that were never connected to the school's network now need regular access to services.
  • The type of access needed has expanded well beyond posting of class assignments online. It now includes everything from live classrooms to access to administrative tools and health services.

These additional requirements significantly expand the attack surface, compounding the risks. This brings a largely un-cybersecurity educated set of users into play, placing additional stress on school IT staff who are already typically stretched thin.

So, who is responsible to ensure that these systems and their users are safe? In this case, all layers of the ecosystem – vendors, school districts, and students/parents – have a role to play.

Vendors need to recognize the shift to remote use and provide appropriate built-in security.

School district staff need to choose tools that have appropriate security controls and establish strong cybersecurity practices for staff and students.

Students (and their parents) need to protect themselves and the school's systems by practicing strong cyber hygiene.

Here are some practical guidelines for each group.

Vendors Need to Raise the Security Bar
To cover the full range of needs, there are many applications and websites for school district staff to consider – most of these apps, websites, and software products are developed primarily to deliver certain capabilities and levels of functionality and may not incorporate strong security practices. These include limiting access by type of account, encrypting communication and data at rest, offering multi-factor authentication (MFA) to limit illicit access, and securing data on hosted cloud platforms.

As usage continues to increase, vendors need to bolster the security of their products to prevent breaches and disruption of their services.

School Staff: The Critical Role
School district staff has the most critical role to play in ensuring proper levels of cybersecurity, as they're responsible for making the choices regarding what tools to offer students and parents, as well as setting up the networks for teachers, students/parents, and administrators.

As with any enterprise, school district staff need to follow strong cybersecurity practices. In March, the Consortium for School Networking (CoSN) issued Cybersecurity Considerations in a COVID-19 World to provide guidance to staff on how to best protect their networks and users. The recommended best practices include guidelines related to classroom supervision, layered permissions, Web content filtering, encrypting data, and protecting devices.

In addition to adhering to CoSN's guidelines, staff should carefully select which online learning tools to use, make cybersecurity part of the decision-making criteria when selecting digital tools, and not hesitate to demand stronger security capabilities from existing vendors.

Students and Parents: Empowering End Users
It's critical that students and parents take concrete steps to empower themselves to be safer when engaging in remote learning online, as failure to properly secure their access can have negative side effects on both the school systems and systems used in their household, which likely include corporate systems in our new work-at-home world.

Though students and parents are at the mercy of the choice of tools made by the school, they can still practice good cyber hygiene by using strong passwords, enabling multi-factor authentication, changing default passwords on devices in the home to prevent illicit access, exercising care in sites they visit, and choosing strongly encrypted services for their personal use.

Given the massive increase in video conferencing use since the start of the pandemic, it's also important for students and parents to make smart choices regarding those services. Mozilla released a guide to videoconferencing services, assessing them against minimum security guidelines, as part of their "*privacy not included" series. This is a valuable resource for students and parents.

Back to school 2020 will certainly be unique, as schools scramble to figure out how to provide education in the context of an ever-shifting coronavirus backdrop. With a continued shift to online learning, maintaining a strong focus on cybersecurity is more important than ever.

Jeff Wilbur is Senior Director, Online Trust at the Internet Society, where he has focused on security and privacy best practices for enterprises and IoT and speaks regularly on issues related to online trust. He has over 35 years of experience in high technology, all focused ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BeSecureBeConnected
100%
0%
BeSecureBeConnected,
User Rank: Author
9/23/2020 | 5:03:08 PM
Remember to factor in user productivity
Good article, remember to consider user productivity impact while implementing security controls.  For example, web content filtering by itself may overblock websites that are needed in the classroom.  Enhancing a filter with newer approaches, like browser isolation, lets users safely browse to a website that may have been blocked simply because it was new.  Security is important, but it doesn't have to be overly difficult for our already stressed-out teachers, students, and staff.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.