Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/2/2020
02:00 PM
Jeff Wilbur
Jeff Wilbur
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Don't Forget Cybersecurity on Your Back-to-School List

School systems don't seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back to school season: Cybersecurity.

Before examining cybersecurity needs in school systems, it's important to understand what's at stake. On the surface, school systems don't appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents' financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

Related Content:

COVID-19: Latest Security News & Commentary

Higher Education CISOs Share COVID-19 Response Stories

In recent years, schools have also seen an increase in debilitating ransomware attacks, even prompting an FBI alert this summer highlighting increased abuse of the Remote Desktop Protocol (RDP) to plant ransomware on school systems.

The security challenges are amplified by the move to more online learning and administration, specifically:

  • Systems that were designed to be accessed on internal networks now need remote access.
  • A wide variety of devices that were never connected to the school's network now need regular access to services.
  • The type of access needed has expanded well beyond posting of class assignments online. It now includes everything from live classrooms to access to administrative tools and health services.

These additional requirements significantly expand the attack surface, compounding the risks. This brings a largely un-cybersecurity educated set of users into play, placing additional stress on school IT staff who are already typically stretched thin.

So, who is responsible to ensure that these systems and their users are safe? In this case, all layers of the ecosystem – vendors, school districts, and students/parents – have a role to play.

Vendors need to recognize the shift to remote use and provide appropriate built-in security.

School district staff need to choose tools that have appropriate security controls and establish strong cybersecurity practices for staff and students.

Students (and their parents) need to protect themselves and the school's systems by practicing strong cyber hygiene.

Here are some practical guidelines for each group.

Vendors Need to Raise the Security Bar
To cover the full range of needs, there are many applications and websites for school district staff to consider – most of these apps, websites, and software products are developed primarily to deliver certain capabilities and levels of functionality and may not incorporate strong security practices. These include limiting access by type of account, encrypting communication and data at rest, offering multi-factor authentication (MFA) to limit illicit access, and securing data on hosted cloud platforms.

As usage continues to increase, vendors need to bolster the security of their products to prevent breaches and disruption of their services.

School Staff: The Critical Role
School district staff has the most critical role to play in ensuring proper levels of cybersecurity, as they're responsible for making the choices regarding what tools to offer students and parents, as well as setting up the networks for teachers, students/parents, and administrators.

As with any enterprise, school district staff need to follow strong cybersecurity practices. In March, the Consortium for School Networking (CoSN) issued Cybersecurity Considerations in a COVID-19 World to provide guidance to staff on how to best protect their networks and users. The recommended best practices include guidelines related to classroom supervision, layered permissions, Web content filtering, encrypting data, and protecting devices.

In addition to adhering to CoSN's guidelines, staff should carefully select which online learning tools to use, make cybersecurity part of the decision-making criteria when selecting digital tools, and not hesitate to demand stronger security capabilities from existing vendors.

Students and Parents: Empowering End Users
It's critical that students and parents take concrete steps to empower themselves to be safer when engaging in remote learning online, as failure to properly secure their access can have negative side effects on both the school systems and systems used in their household, which likely include corporate systems in our new work-at-home world.

Though students and parents are at the mercy of the choice of tools made by the school, they can still practice good cyber hygiene by using strong passwords, enabling multi-factor authentication, changing default passwords on devices in the home to prevent illicit access, exercising care in sites they visit, and choosing strongly encrypted services for their personal use.

Given the massive increase in video conferencing use since the start of the pandemic, it's also important for students and parents to make smart choices regarding those services. Mozilla released a guide to videoconferencing services, assessing them against minimum security guidelines, as part of their "*privacy not included" series. This is a valuable resource for students and parents.

Back to school 2020 will certainly be unique, as schools scramble to figure out how to provide education in the context of an ever-shifting coronavirus backdrop. With a continued shift to online learning, maintaining a strong focus on cybersecurity is more important than ever.

Jeff Wilbur is Senior Director, Online Trust at the Internet Society, where he has focused on security and privacy best practices for enterprises and IoT and speaks regularly on issues related to online trust. He has over 35 years of experience in high technology, all focused ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BeSecureBeConnected
100%
0%
BeSecureBeConnected,
User Rank: Author
9/23/2020 | 5:03:08 PM
Remember to factor in user productivity
Good article, remember to consider user productivity impact while implementing security controls.  For example, web content filtering by itself may overblock websites that are needed in the classroom.  Enhancing a filter with newer approaches, like browser isolation, lets users safely browse to a website that may have been blocked simply because it was new.  Security is important, but it doesn't have to be overly difficult for our already stressed-out teachers, students, and staff.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.