Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

10/4/2019
11:15 AM

Complex Environments Cause Schools to Struggle for Passing Security Grade

As ransomware attacks surge against school systems, an analysis of 1,200 K-12 institutions in North America shows complex environments and conflicting security controls.

IT environments at primary and secondary schools are complex and full of security gaps, leaving them more vulnerable to attacks such as ransomware and crypto-miners, according to an analysis of 1,200 schools in the US and Canada.

The analysis, conducted by managed security services provider Absolute and released this week, found that the typical school in North America has to manage hundreds of versions of applications across dozens of operating-system builds. Overall, the company found more than 250 versions of major OSes — such as Windows, Mac, Linux, and ChromeOS — and 137,000 unique versions of applications installed on devices managed by the 1,200 schools. 

School districts' IT teams are hard-pressed to manage such complex environments, says Josh Mayfield, director of security strategy at Absolute. Ransomware attacks against US school systems surged by more than 30% in 2019, driven in part by the difficulty that overworked IT teams have in securing the complex environments, he says.

"The amount of tech complexity in K-12 environments is overwhelming, as their attack surfaces have grown by several orders of magnitude," he says. "In this new reality, there are too many tangles and limited visibility, leaving gaps open to exploit and space for attackers to camp out, which has set the stage for ransomware."

With knowledgeable security professionals in short supply and technology proliferating in school systems, the cybersecurity picture for schools continues to grow darker. In the first nine months of 2019, the number of security incidents at K-12 schools jumped to 160, exceeding the number of incidents in all of 2018 by 30%, according to Absolute's accounting of public data.

Schools are now the second largest group of victims, behind municipalities, according to cloud security services firm Armor.

"Due to the volume of device types, operating systems, and applications, managing and patching devices is a huge challenge," Absolute's report stated. "The potential impact of this cannot be overstated."

The education sector has always been hard-pressed to protect its networks and systems. School districts' reliance on public funds means low salaries for IT and IT security workers. Education also relies on the open sharing of information, making stringent security measures not generally possible. 

Little wonder, then, that the educational sector as a whole has received failing grades from ratings firms.

Most school districts — 53% — rely on the default patch management and client controls that ship with the chosen devices and operating systems. But such utilities and controls have a 56% failure rate, with more than a third of devices requiring at least one repair a month, Absolute found.

"Each time that situation arises ... it means that the agent not only failed, but that it failed repeatedly due to ... complexity and decay ... with other tools foreclosing access to machine resources," Mayfield says.

Rather than add security, each layer of security often added complexity to the detriment of the overall security of the organization, Absolute stated in the report. 

"[E]very additional security tool only increases the probability of failure as agents and controls conflict with one another on the endpoint," the report stated.

Students also cause significant complexities for IT administrators and security teams. Unlike workers who have an incentive to follow the rules of IT security, students are often incentivized to get around controls and are often more tech-savvy than teachers.

The report found that 42% of students use virtual private networking (VPN) software or Web proxies to get around security controls. Absolute found 319 such applications and services across the 1,200 schools in its dataset. 

"Even if K-12 organizations accounted for the complexity and bolted on maximum strength defenses, they still are left with rogue students swinging open the door to attack and industrious users who simply disable controls," Mayfield says. 

Students often do not understand the consequences — or are not concerned — when they circumvent security measures. Yet more education is not the answer, he says.

"Turn it into a game. Teach them what attackers do, test them on practical examples, and give each of them a sense of achievement when they win," Mayfield says. "Let them know what villains may try to do, and challenge them to step up and help stop them. Make them the hero of the cyber-resilience story."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
