As the COVID-19 pandemic rages, the cyber community has rightly focused on protecting the health care industry from malicious hackers but education is at risk, too, as recently homebound students attend school in record numbers via online edtech platforms, e-learning environments and video conferencing.
In a public service announcement this month, the FBI’s Internet Crime Complaint Center (IC3) warned that attackers could take advantage of COVID-19 by increasingly targeting virtual environments, including those utilized by school districts.
“Today's rapid incorporation of education technology (edtech) and online learning could have privacy and safety implications if students' online activity is not closely monitored,” the PSA states. “… [P]arents and caretakers should be aware of new technology issued to children who do not already have a foundation for online safety. Children may not recognize the dangers of visiting unknown websites or communicating with strangers online.”
The PSA came on the heels of a separate FBI Boston Division press release warning that malicious actors nationwide have been hijacking video teleconference calls (aka Zoom-bombing) in order to deliver offensive or threatening content. This warning cited two incidents involving two Massachusetts schools – one where an unauthorized party interrupted a lesson to shout a profanity and yell out a teacher’s home address, and another where an unidentified person showed off swastika tattoos.
Some districts have already reacted to this trend by pulling the plug on Zoom. This past weekend, the New York City Department of Education – which is responsible for 1.1 million students – announced it is directing its schools to steer clear of Zoom and instead use alternate applications.
“Our goal is to get more classrooms videoconferencing on a safe and secure platform,” said NYC Schools Chancellor Richard Carranza said in a series of tweets this past weekend, noting that educators are being trained on Microsoft Teams and giving tacit approval to Google Meet. “We know the transition away from Zoom will take time for many educators and we will support them. We know maintaining continuity of teaching means it won’t happen overnight.”
Cybersecurity experts are echoing NYC Schools’ concerns, stressing that districts – already a major target of ransomware infections and extortion threats over the last few years – must take precautions so that the table hasn’t been set for a fresh wave of attacks.
“In many cases, school districts are circumventing what privacy and cybersecurity controls they may have implemented in the rush to offer online learning to students who won't be returning to school for weeks or months,” said Douglas Levin, founder and president of EdTech Strategies, LLC, which operates the K-12 Cybersecurity Resource Center.
That leads to multiple security risks, he continued, including: an over-reliance on digital platforms that may contain exploitable security vulnerabilities; the use of online services and applications without proper training first or even vetting their privacy controls; and the existence of insecure remote access protocols that could result in a digital hijacking.
Consequently, concluded Levin, “I expect that we'll see an acceleration of the trends that I've observed for a few years regarding school – and school vendor – cybersecurity incidents: more data breaches, more business email compromise and successful phishing attacks, and more ransomware outbreaks. Given that the education sector has lagged behind others in terms of the maturity of their cybersecurity risk management practices, the rapid shift to online learning brought about the pandemic is all but guaranteed to increase the threats they are facing and incidents they will experience.”
The threat posed to educational institutions has its own unique dynamics, according to Brandon Dixon, VP of strategy at RiskIQ. “E-learning and virtual classrooms are not as likely to contain sensitive information, unlike a financial institution or traditional business,” he told SC Media. “However, their use results in a connection between an organization and a provider, therefore creating a relationship that could be exploited.”
“Unfortunately, much of the risk in adopting technology quickly comes at the cost of the user,” he added. Precisely how users are victimized depends on if exploitable software is local to the client or based in the cloud, but the end result could be attackers gaining unauthorized access, leaking data, or using stolen student data to phish individuals users.
To understand what’s potentially at stake, the FBI’s PSA reminded the public of a series of incidents in late 2017, during which “cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort and threaten students with physical violence and release of their personal information.”
In some cases, they even publicly posted students’ information online in an attempt to intimidate district members and blackmail school administrators. Though it didn’t cite any specific examples, the PSA appears to be referring to a spate of extortion attacks perpetrated by an individual or group called TheDarkOverlord.
Experts think districts should act quickly to remedy any potential issues.
“While I am sympathetic regarding the need for school districts to pivot rapidly to online learning, to the degree that IT staff begin to settle into a new normal routine they should look to reinstitute what privacy and security controls they may have temporarily set aside,” says Levin. “This is especially true for the most sensitive IT systems school districts manage, such as the student information system, payroll/accounting, and HR systems.” Moreover, districts must continue to train teachers, students and families about online scams and phishing.
Dixon, meanwhile, recommends that educational institutions minimize private information contained within e-learning platforms, opt for a software-as-a-service solution over a local client, block third-party providers from direct access, and audit vendors and their security documentation.