Even before the 2020 academic year began, the global COVID-19 pandemic had already created a level of uncertainty for students over cancelled classes, as well as the health and safety of those returning to in-person learning.
Now, in addition to a potential healthcare crisis, students and faculty are faced with another dilemma: cybersecurity.
Over the last six weeks, a rash of ransomware and distributed denial of service (DDoS) attacks at schools, universities and other academic institutions has made local and sometimes national headlines.
In Connecticut, Hartford Public Schools cancelled its first day of online and in-person classes on Sept. 8 after a ransomware attack shut down parts of the district’s IT system, although classes resumed the next day. Other school districts in Alabama, Oklahoma and New York reported similar incidents on or around the first day of classes.
These ransomware and other cyber incidents followed a large-scale DDoS attack on Sept. 2 that affected classes and online learning for 200,000 students in the Miami-Dade school district in Florida. Later, police charged a 16-year-old junior with starting the attack and an investigation continues, officials said.
These types of incidents are not isolated to the U.S., either. On Aug. 30, classes were disrupted at Newcastle University in England following what the school called a “serious cyber incident” which affected networks and IT systems across the campus. Reports surfaced that the university suffered a ransomware attack linked to the DoppelPaymer gang.
Later, the U.K. National Cyber Security Centre issued a warning that noted a sharp rise in ransomware and other attacks aimed at universities throughout Britain.
While all these incidents appear separate, security experts are warning that increases in online learning, coupled with a slew of unsecured devices such as laptops, smartphones and tablets being hooked into networks all at once, are creating a ripe atmosphere for abuse.
“Cybersecurity is not unlike COVID-19. There is a certain prevalence of infected machines in the community. Yet, we have no comprehensive testing regimen to establish the baseline levels of infection across student machines,” Oliver Tavakoli, CTO of security firm Vectra, told Dice.
“In lieu of physically bringing students together in classrooms, we are electing to interconnect a bunch of machines, with unknown prevalence of infection, together via a variety of methods, such as video conferencing, shared docs, emails with attachments, which weren’t used in the past,” Tavakoli added. “The lesson to be learned is that when interconnecting communities for the first time without knowing the frequency of infection in said community, you will intermittently get exponential growth in outbreaks.”
Learning Hard Lessons
While it can be difficult to gather statistics about cybersecurity incidents at schools and universities both in the U.S. and elsewhere, Check Point Research recently published a study that offers some context.
In their report, the Check Point research team found that the number of attacks targeting the U.S. academic sector increased by about 30 percent between July and August, with cyber incidents topping out at about 600 known attacks per week. Across other sectors, attacks increased only 6.5 percent during that same time.
The Check Point analysts found similar increases in attacks targeting the academic sectors in Europe and Asia, although the mode of attack differed. In the U.S., schools and universities saw spikes in DDoS attacks, while Europe saw more ransomware. In Asia, it appeared hackers targeted vulnerable systems with known bugs to launch various attacks.
“Check Point found that in the last three months, there was a surge in hacker interest in topics related to education, research and going back to school,” according to the report.
While the Check Point report shows that these increases are happening, why schools, universities and other academic research organizations are sustaining more attacks remains a debate. While some point to a lack of resources for more robust cybersecurity protections, others note that the sudden shift to online learning has given opportunistic hackers and cybercriminals a large attack surface to target.
“In today’s environment, where schools are now operating remotely, they have meaningfully increased use of technology for teaching, learning and managing day-to-day operations,” Kashif Hafeez, a senior director at WhiteHat Security, told Dice. “This provides cybercriminals with new opportunities, significantly increasing the attack surface and schools have become more vulnerable to cyberattacks. This sudden and complete move to remote learning has opened up many new attack surfaces which school systems were simply not prepared to support and has left them vulnerable to a major security event.”
Jamie Hart, a cyber threat intelligence analyst at security firm Digital Shadows in San Francisco, noted that many types of attacks, especially ransomware, usually start with a spear-phishing email that allows hackers to gain a foothold in a network to start the first stage. Since many schools and universities are focused on issues related to COVID-19, these security slips could go unnoticed for long periods of time—until it’s too late.
“As many [malware] variants rely on spear-phishing attacks to gain access to a network, it is realistically possible that threat actors are targeting schools because they are back in session, and many are leveraging e-learning platforms in response to the risks of COVID-19,” Hart said. “As administrative staff and teachers focus on teaching, getting kids set up, and providing the necessary health procedures for COVID-19, threat actors may be exploiting fear and distractions to conduct successful attacks.”
Create A Cyber Curriculum
While staffing and budget remain serious issues for security pros in school districts and universities, Tom Pendergast, chief learning officer at MediaPro, notes that many of these organizations can improve their cybersecurity plans by working on some basics.
This includes training for staff, students and faculty to know how to spot and report phishing emails. In addition, Pendergast urges school districts and universities to invest in backup and disaster recovery programs, which can help minimize and mitigate some of the damage from a ransomware attack when data is encrypted.
“Why will ransomware bring some districts to their knees but not others? As COVID has shown us, the level of preparedness and acumen in all matters digital—from remote learning to basic cybersecurity—varies widely among school districts. In one, well-trained staff will bat away phishing emails and IT staff will have a strong backup and recovery plan in place. In another, ill-prepared chaos,” Pendergast told Dice.
Digital Shadows’ Hart also notes that some basic steps can help prevent or help recover from various cyber incidents. These include:
- Keep software up to date by staying on top of patches, and upgrade applications as they reach end-of-life support.
- Conduct regular security awareness training for employees. Training should include instructions on how to spot phishing emails, how to report suspicious emails, and when to be critical of links or attachments.
- Maintain an updated and practiced disaster recovery plan.
- Keep continuously updated backups that are stored offline or on separate secured servers.
- Ensure that Remote Desktop Protocol servers are secure by prohibiting open connections over the open internet, using complex passwords and multifactor authentication, limiting privileged access and minimizing the number of local administrator accounts, and using firewalls to restrict access.