Cyber Security Challenges Faced by the Education Industry
Recurring news items covering hacks against education facilities appear insubstantial on their own, but together highlight an ongoing trend: attacks against schools and other providers of primary, secondary and tertiary education are increasing. In this briefing, we will take a look at the cyber security challenges faced by educators and how the current threats are likely to develop over time.
Types of Attacks
Attacks against educational institutions commonly fall into the following 4 classes.
Attackers try to damage the organization’s reputation by either spreading false information on social media - sometimes through compromised social media accounts belonging to the organization - or by acquiring authentic yet damaging private communications which are then leaked. These attacks are usually carried out as forms of vengeance or retribution by someone close to the school.
Attackers try to prevent the organization from operating. Since many modern schools rely heavily on IT infrastructure such as laptops, smart whiteboards, internet access or, in some cases, online testing, even crude attacks that manage to disturb basic network connectivity may lead to classes being canceled. These attacks are usually performed using rudimentary tools found online by students themselves.
The manipulation of grades may happen either directly, by changing entries in a central grading database, or indirectly, e.g. by gaining access to tests beforehand or by tricking online test systems into accepting wrong answers as correct. The most common approach is for students to acquire the credentials of teachers through hardware or software keyloggers. However a wide variety of attacks fit this pattern including - in extreme cases - the employment of professional attackers to find weaknesses in the system that can then be abused.
This relatively modern attack vector affects schools issuing standard laptops to all students. To confirm that the laptops are only used for school purposes, student monitoring software is commonly installed on these machines. Such software allows an administrator to watch the screens and keystrokes and in many cases even enable the webcam of monitored systems. Criminal insiders, attackers who compromise the administrator account or attackers who find other vulnerabilities in such surveillance software thus have unrestricted access to all of a school's student’s files, communication, online behavior and may even enable the camera to observe their victims directly. Information and pictures gathered in this manner may be used directly or to thereupon perform blackmail.
What is the risk?
As we have pointed out in previous briefings, organizations get hacked when the value to hack them exceeds the cost of hacking them. It is important to note that “value” in this definition does not necessarily mean monetary value. In the case of a school, “getting better grades”, “not having to go to school this week”, “payback to teacher X” and “blackmailing hundreds of children” are all targets hard to define but very high value to their respective attackers.
The most frequent - albeit not most devastating - attacker for a school comes in the form of a student. While the technical abilities of students are on average lower than those of professional hackers, it is not uncommon for hackers in their mid-teens to have significant skills. Furthermore, students have a lot of insider information on a school's system that external attackers would not possess. In addition, students often possess a very high tolerance for risk created by juvenile penalty codes and naivety.
Because rogue administrators, as well as student hackers, attempt to access student information, educational institutions face an above average number of below average quality attacks.
Forecast and Mitigation
As classrooms become more and more dependent on IT and as the IT knowledge of the average student continues to increase, cyber attacks against educational institutions are forecast to rise for the foreseeable future.
While better security practices and more secure software play a part in mitigating this trend, it is up to the schools themselves to educate and train both staff and students to use the provided tools correctly, increase governance and audit protocols of their students, detect attacks if they happen, and reduce the number of human errors made.