Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10/4/2019
11:15 AM
50%
50%

Complex Environments Cause Schools to Struggle for Passing Security Grade

As ransomware attacks surge against school systems, an analysis of 1,200 K-12 institutions in North America shows complex environments and conflicting security controls.

IT environments at primary and secondary schools are complex and full of security gaps, leaving them more vulnerable to attacks such as ransomware and crypto-miners, according to an analysis of 1,200 schools in the US and Canada.

The analysis, conducted by managed security services provider Absolute and released this week, found that the typical school in North America has to manage hundreds of versions of applications across dozens of operating-system builds. Overall, the company found more than 250 versions of major OSes — such as Windows, Mac, Linux, and ChromeOS — and 137,000 unique versions of applications installed on devices managed by the 1,200 schools. 

School districts' IT teams are hard-pressed to manage such complex environments, says Josh Mayfield, director of security strategy at Absolute. Ransomware attacks against US school systems surged by more than 30% in 2019, driven in part by the difficulty that overworked IT teams have in securing the complex environments, he says.

"The amount of tech complexity in K-12 environments is overwhelming, as their attack surfaces have grown by several orders of magnitude," he says. "In this new reality, there are too many tangles and limited visibility, leaving gaps open to exploit and space for attackers to camp out, which has set the stage for ransomware."

With knowledgeable security professionals in short supply and technology proliferating in school systems, the cybersecurity picture for schools continue to grow darker. In the first nine months of 2019, the number of security incidents at K-12 schools jumped to 160, exceeding the number of incidents in all of 2018 by 30%, according to Absolute's accounting of public data. 

Schools are now the second largest group of victims, behind municipalities, according to cloud security services firm Armor.

"Due to the volume of device types, operating systems, and applications, managing and patching devices is a huge challenge," Absolute's report stated. "The potential impact of this cannot be overstated."

The education sector has always been hard-pressed to protect its networks and systems. School districts' reliance on public funds means low salaries for IT and IT security workers. Education also relies on the open sharing of information, making stringent security measures not generally possible. 

Little wonder, then, that the educational sector as a whole has received failing grades from ratings firms.

Most school districts — 53% — rely on the default patch management and client controls that ship with the chosen devices and operating systems. But such utilities and controls have a 56% failure rate, with more than a third of devices requiring at least one repair a month, Absolute found.

"Each time that situation arises ... it means that the agent not only failed, but that it failed repeatedly due to ... complexity and decay ... with other tools foreclosing access to machine resources," Mayfield says.

Rather than add security, each layer of security often added complexity to the detriment of the overall security of the organization, Absolute stated in the report. 

"[E]very additional security tool only increases the probability of failure as agents and controls conflict with one another on the endpoint," the report stated.

Students also cause significant complexities for IT administrators and security teams. Unlike workers who have an incentive to follow the rules of IT security, students are often incentivized to get around controls and are often more tech-savvy than teachers.

The report found that 42% of students use virtual private networking (VPN) software or Web proxies to get around security controls. Absolute found 319 such applications and services across the 1,200 schools in its dataset. 

"Even if K-12 organizations accounted for the complexity and bolted on maximum strength defenses, they still are left with rogue students swinging open the door to attack and industrious users who simply disable controls," Mayfield says. 

Students often do not understand the consequences — or are not concerned — when they circumvent security measures. Yet more education is not the answer, he says.

"Turn it into a game. Teach them what attackers do, test them on practical examples, and give each of them a sense of achievement when they win," Mayfield says. "Let them know what villains may try to do, and challenge them to step up and help stop them. Make them the hero of the cyber-resilience story."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How the City of Angels Is Tackling Cyber Devilry"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
CVE-2020-25157
PUBLISHED: 2020-10-20
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.
CVE-2020-25648
PUBLISHED: 2020-10-20
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw...