The education sector has benefited significantly from digital transformation, enabling learning to take place anytime, anywhere. The advent of these remote learning capabilities, however, has also eroded the security perimeter, introducing a host of cyber-hygiene challenges. Schools are a prime target as they face budgetary cuts and insufficient cybersecurity awareness. So, how can we go about resolving this issue?
Understand the Rules and Their Limits
To build a comprehensive security program, it's essential that educational institutions understand the rules and regulations by which they must abide. Schools are uniquely positioned to face regulations that are specific to their industry. For example, the Family Education Rights and Privacy Act (FERPA) determines how student records are handled. The Children's Internet Protection Act (CIPA) demands that K-12 schools and libraries apply Internet filters to safeguard children from adult content and other potentially harmful information. There are also state-specific regulations, such as California's Student Online Personal Information Protection Act (SOPIPA).
Yet many of these regulations hardly provide guidance on how to balance compliance and security, leaving many schools in the lurch regarding how to prioritize and build. It is important to understand that these rules and regulations are built to ensure that schools are aware of their responsibilities and the consequences. They should help prioritize security controls put in place; disregarding these standards puts schools at greater risk of reputational damage, substantial fines, or a loss of funding from their governing bodies. However, it should not be the sole driver of their cybersecurity efforts.
According to Red Canary's annual "Threat Detection Report," the top three techniques that adversaries used to attack education organizations in 2019 were process injection, Windows admin shares, and scheduled tasks. The prevalence of these techniques doesn't seem to have been changed by the shift to remote learning due to COVID, and they still offer adversaries a way to infiltrate, spread, and remain within an environment, persisting on machines even when powered off. It's possible that the move to remote learning has made the initial attack vectors of phishing (targeting administrative credentials) and targeting Web-facing administrative protocols such as Remote Desktop Protocol (RDP) easier, as attackers leverage the pressure and chaos of transitioning a school to remote learning to their advantage.
These top three techniques continue to succeed, largely because they exploit legitimate features of the Windows operating system. Because these techniques rely heavily on trickery, they're more likely to remain unnoticed in a remote environment. Discovering these techniques requires a healthy dose of self-awareness and knowledge of what is legitimate activity and what is not. Maintaining a baseline of legitimate system activities and processes won't be easy, especially if you've made sacrifices to support your remote teachers and staff through local administrative privileges, adjustments to permitted software, and adjusted content controls. School technology staff should remain vigilant and still strive to understand their adversaries' techniques. Educational organizations can tackle these threats with mitigating security controls and improved cyber hygiene. With this knowledge, schools can re-evaluate their tools, technology, training, personnel, and processes to gauge if they are adequately prepared.
Build the Barricades: 5 Steps
Armed with intelligence about the regulations, threats, and shortcomings in their environment, schools can now work on building their defenses. Here are five key steps:
- Limit administrative access: Offering end users administrative privileges they don't need is tantamount to giving cybercriminals the keys to the kingdom. Schools should adhere to the principle of least privilege, restricting users' rights and permissions to their specific job duties.
- Administer security awareness training: Cybersecurity awareness training is key in helping end users identify cyber threats and manage them appropriately.
- Implement network segmentation: This breaks up the network into chunks that can be more easily managed and limits an adversary's visibility of your network and assets. Each of these segments should be protected with firewalls, and network traffic should be limited to these divisions as well. By restricting the ports and protocols that each system on the network is serving and restricting those services solely to the endpoints and networks that require them, the spread of an attack can be curbed significantly.
- Implement vulnerability management: Schools should conduct frequent inventory checks, stay abreast of the latest patch releases, and, if possible, adopt an automatic patch deployment schedule.
- Ensure visibility: Ideally, schools should employ tools which offer a deep analysis of their systems and automatically tackle threats as they appear.
In the end, we need to applaud the teachers and academic staff working hard to support students in these extraordinary times. This effort should not go to waste for lack of cybersecurity readiness. Fortunately, the foundations of achieving good cyber hygiene are not ground-breaking, nor are they unattainable. If academic organizations can check these boxes, they're positioning themselves in good stead against any future threats.