K-12 school districts across the U.S. embraced distance learning in 2020 as a way to keep students and teachers safe from the raging COVID-19 virus. But that decision had profound cyber security implications, as a warning last week from the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA) made clear.
The alert, “Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data,” was released on December 10. In it, the government’s top cybersecurity agency warned school districts nationwide that “malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services.” The attackers view K-12 schools as “targets of opportunity,” CISA said, adding that the attacks are expected to continue through the 2020/2021 academic year.
Ransomware: The Point of the Spear
Ransomware attacks are the point of the spear in the latest round of attacks, but they are by no means the only type of attack leveled at K-12 schools. Ransomware attacks on schools and other local and state government organizations aren’t new. In fact, such attacks have become commonplace. A 2018 ransomware attack hobbled Atlanta’s city government, while a 2019 ransomware attack crippled the City of Baltimore.
However, attackers have concentrated their attacks on school systems in recent months. CISA notes that ransomware attacks on K-12 school systems, as a share of all cyber attacks reported to the Multi-State Information Sharing and Analysis Center (MS-ISAC), a cyber security clearing house for the states, jumped in 2020. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all ransomware incidents reported to the MS-ISAC from January through July. As if to underscore that point, an outbreak of ransomware hobbled Baltimore’s public schools in November, long after the city government had presumably recovered from the 2019 attack.
Distance Learning, Supply Chain Boost Cyber Risks
Why K-12 schools and why now? Like other critical public services, schools are susceptible to ransomware attacks and extortion. With many districts operating remotely either entirely or in part, attacks on critical school IT systems can bring learning to a halt. Districts also hold sensitive data on students. Cyber criminals have taken advantage of this: stealing data from compromised K-12 district IT systems and posting it online, putting pressure on districts to meet ransom demands.
The rapid shift to distance learning made necessary by COVID has also complicated the already difficult task of securing K-12 districts from attack. Remote learning platforms like Zoom and Google Meet are susceptible to compromise or social engineering attacks that can harvest sensitive data, like student, teacher or administrator credentials.
Additionally, cyber attackers have taken an interest in vulnerable or exposed remote access services, such as systems within K-12 environments that have Remote Desktop Protocol (RDP) enabled.
COVID has also greatly lengthened the software “supply chains” of K-12 districts, as so-called “Ed Tech” providers have rushed to the assistance of districts in need with software tools and services to facilitate distance learning. These third-party providers can, themselves, become sources of compromise. That was the case with K12 Inc. (now known as “Stride”), an online learning management platform provider that acknowledged it was the victim of a ransomware attack in early December.
Long Term: A Greater Focus on Cyber Risk
For the time being, CISA’s alert provides districts with a long list of security best practices, as well as malware signatures for some of the malicious software that is most commonly found in attacks on K-12 districts.
However, the long-term fix for the K-12 space is for leadership and IT professionals working within the districts to make cyber risk assessment and security a driving principle of IT decision-making. Leadership at public schools needs to invest in multi-factor authentication and make sure that software patching is rigorously maintained. IT leaders need to identify and weed out obsolete or unsupported platforms that can be the source of attacks. As more educational services migrate to the cloud, districts need a way to thoroughly assess the cyber risk of third-party software and service providers. Districts should also assemble detailed business continuity plans in the event of an attack, including air-gapped and off-site data backups to ensure that district services and availability are not affected for long.
A Double-Edged Sword
Cyber security is just one of the ways in which COVID has turned K-12 education on its head in 2020. However, as with other aspects of the pandemic, there may be long-term benefits if districts can use the experience of this year to embrace new tools and approaches to learning while sharpening their attention on the cyber risk that comes along with new and different technologies.
Some of the world’s most sophisticated firms use QOMPLX to help them do just that. QOMPLX’s technology is demonstrating real-world effectiveness against human-directed ransomware tactics and lateral movement techniques in some of the largest and most security-conscious organizations on the planet.
If you want to learn more about how QOMPLX can help you gain control over Active Directory and spot the otherwise surreptitious lateral movement stages of an attack before they cause damage, contact our sales team now to set up a discussion with QOMPLX security practitioners.