Hackers See Value In Stealing Children’s School Records
Young male student preparing for the test listening online lessons on headphones
Milan Kostic | Istock | Getty Images
The education community — students, teachers, parents, staff and those connected to all of them — are barraged with threats to their physical safety. Now, they’re also increasingly dealing with the kind of threats that don’t take lives but impact them nonetheless.
“Our school’s digital doors are rattled, pinged, probed and prodded thousands of times each day by well-resourced adversaries from all over the globe,” said Charlie Reisinger, chief information officer of Penn Manor School District in Lancaster County, Penn. and a professor in Millersville University of Pennsylvania’s IT program.
In the U.S., 1,981 schools across 45 districts fell victim to cybersecurity attacks in 2022, almost doubling the previous year’s incidents, according to an Emsisoft report based on aggregated publicly available data.
Schools are “definitely not funded enough to support cyber warfare,” said Josh Heller, supervisor of information security engineering at Digi International.
Penn Manor School District has 5,500 students who collectively generate more than two million individual data points in the core student management system alone.
Going after a student’s spotless credit
Cybercriminals seeking ransom payouts or identity thieves going after a student’s spotless credit can gain access to identifying information, assessments, assignments, grades, homework, health records, attendance history, discipline records, special education records, home communications and more.
“Imagine being 18 and hearing that your credit was already ruined by a criminal who stole your personal information while you were in fourth grade,” Reisinger said in testimony to the U.S. Senate on behalf of the Pennsylvania School Boards Association regarding student data privacy and protection in October 2022. In addition to the obvious financial implications of an unbeknownst stolen identity at a young age, the socio-emotional impact of it all, as Heller calls it, cannot be ignored.
Meanwhile, the sheer volume of both people and devices in any standard modern educational setting generates more permutations for human failure.
Warren Young, vice president of education at Absolute Software, says these devices often find themselves in a state of loss, whether teachers or students lose them, take them when they leave, or remove essential security features from the devices. “You cannot secure what you cannot see,” Young said.
Heller says phishing attacks and the exploitation of known vulnerabilities for purposes such as ransom are of primary concern. Ransomware’s costs are multifold, including lost productivity from downtime, recovery efforts and paid ransoms. “Really, the largest cost,” said Young, “is that your students aren’t learning.”
Even when networks aren’t down, every extra phishing simulation, multi-factor authentication (MFA) step and password requirement, while necessary, comes at the cost of that learning time.
Cybersecurity attackers may have the motive, speed and velocity to retain an upper hand, but the myriad influences in the education sector do not sit idly by.
Federal funding and regulations for school cybersecurity are the most potent weapons against cyber attacks. “All eyes are really on the government for this one,” said Heller. Opportunities include expanding funding through avenues like the Department of Homeland Security’s State and Local Cybersecurity Grant Program and regulating through means like California’s Age-Appropriate Design Code Act and cybersecurity awareness initiatives.
Bridging the cyber talent gap with partnerships
Reisinger says schools can also address the cyber talent gap (which largely results from wages that can’t compete with big tech) by instating cyber partnerships between public schools and local university programs. “This could take the form of internships, job knowledge exchanges, apprenticeships and other practical, skills-focused initiatives to create a pipeline of talent for both schools and businesses,” Reisinger said.
Young says it’s crucial to audit the data that exists on devices and ensure it’s in an encrypted state. He added, “Should something happen with that device, can you remove that data off of that machine to make sure none of it can be accessed?”
Additionally, Heller says responsible vendor disclosure through the U.S. Cyber & Infrastructure Security Agency can help put government funding to use. “We shouldn’t allow vendors to leave customers vulnerable,” he said. The government also has the NIST National Vulnerability database that helps keep information teams up to date so they can protect against the latest attacks. However, bad actors can access this information for nefarious purposes, so keeping that information stealth for those who need it would be more beneficial.
For school districts, it’s imperative to understand indicators of compromise. According to the IBM Data Breach Action Guide 2022, it takes businesses an average of 207 days to identify a breach and another 70 days to contain it. Knowing when a disaster has occurred sooner can help schools resolve the issue with less pain.
From there, having an incident response team to immediately launch a disaster recovery plan will help protect critical assets and the community those assets impact.
On a seemingly simpler side, Heller said, “If you don’t have multi-factor authentication, you’re toast.”
He advises moving away from methods like SMS confirmation, which can be intercepted through Bluetooth, and says that physical hardware security tokens would be safer. Of course, as Young said, “Some of the time we’re talking about kids as young as five and six years old with technology in their hands.” In these cases, lost technology is a real threat, and the most secure solution is not necessarily the one that makes the most sense. This paradox is yet another mountain that school information security teams must climb.
Whatever the risks and solutions, cybersecurity in schools is imperative because cyber attacks are inevitable. “There’s a desire to be disruptive, so we have to understand, how do we mitigate?” Heller said.
Fortunately, the industry is a largely non-competitive field, Young says, and a blend of communal ideation, layered security and cyber hygiene could make a difference for the schools that shape our world.
READ MORE HERE