IT environments at primary and secondary schools are complex and full of security gaps, leaving them more vulnerable to attacks such as ransomware and crypto-miners, according to an analysis of 1,200 schools in the US and Canada.
The analysis, conducted by managed security services provider Absolute and released this week, found that the typical school in North America has to manage hundreds of versions of applications across dozens of operating-system builds. Overall, the company found more than 250 versions of major OSes — such as Windows, Mac, Linux, and ChromeOS — and 137,000 unique versions of applications installed on devices managed by the 1,200 schools.
School districts' IT teams are hard-pressed to manage such complex environments, says Josh Mayfield, director of security strategy at Absolute. Ransomware attacks against US school systems surged by more than 30% in 2019, driven in part by the difficulty that overworked IT teams have in securing the complex environments, he says.
"The amount of tech complexity in K-12 environments is overwhelming, as their attack surfaces have grown by several orders of magnitude," he says. "In this new reality, there are too many tangles and limited visibility, leaving gaps open to exploit and space for attackers to camp out, which has set the stage for ransomware."
With knowledgeable security professionals in short supply and technology proliferating in school systems, the cybersecurity picture for schools continue to grow darker. In the first nine months of 2019, the number of security incidents at K-12 schools jumped to 160, exceeding the number of incidents in all of 2018 by 30%, according to Absolute's accounting of public data.
Schools are now the second largest group of victims, behind municipalities, according to cloud security services firm Armor.
"Due to the volume of device types, operating systems, and applications, managing and patching devices is a huge challenge," Absolute's report stated. "The potential impact of this cannot be overstated."
The education sector has always been hard-pressed to protect its networks and systems. School districts' reliance on public funds means low salaries for IT and IT security workers. Education also relies on the open sharing of information, making stringent security measures not generally possible.
Little wonder, then, that the educational sector as a whole has received failing grades from ratings firms.
Most school districts — 53% — rely on the default patch management and client controls that ship with the chosen devices and operating systems. But such utilities and controls have a 56% failure rate, with more than a third of devices requiring at least one repair a month, Absolute found.
"Each time that situation arises ... it means that the agent not only failed, but that it failed repeatedly due to ... complexity and decay ... with other tools foreclosing access to machine resources," Mayfield says.
Rather than add security, each layer of security often added complexity to the detriment of the overall security of the organization, Absolute stated in the report.
"[E]very additional security tool only increases the probability of failure as agents and controls conflict with one another on the endpoint," the report stated.
Students also cause significant complexities for IT administrators and security teams. Unlike workers who have an incentive to follow the rules of IT security, students are often incentivized to get around controls and are often more tech-savvy than teachers.
The report found that 42% of students use virtual private networking (VPN) software or Web proxies to get around security controls. Absolute found 319 such applications and services across the 1,200 schools in its dataset.
"Even if K-12 organizations accounted for the complexity and bolted on maximum strength defenses, they still are left with rogue students swinging open the door to attack and industrious users who simply disable controls," Mayfield says.
Students often do not understand the consequences — or are not concerned — when they circumvent security measures. Yet more education is not the answer, he says.
"Turn it into a game. Teach them what attackers do, test them on practical examples, and give each of them a sense of achievement when they win," Mayfield says. "Let them know what villains may try to do, and challenge them to step up and help stop them. Make them the hero of the cyber-resilience story."