Schools, including universities, are increasingly becoming cyberattack targets. Just this month, the Monroe-Woodbury school district in Orange County, NY had to delay the start of school due to cyberattacks. And this incident was only one of a handful of cyberattacks on New York state school districts this summer. One school system, Rockville Centre in Nassau County, paid a cyberattacker $88,000 after a ransomware attack shut down the district’s mainframe.
And New York is not alone. This summer, school districts in Oklahoma, New York, and Virginia have been victims of ransomware. The Louisiana governor declared a state of emergency after multiple ransomware attacks crippled several school districts, and schools in Flagstaff, AZ closed for two days this month due to a ransomware attack.
The attacks don’t stop after grade 12 either. Two universities, Regis University in Denver, CO and Stevens Institute of Technology in Hoboken, NJ, were also targeted right before the start of this school year.
Anthony Carfora of the Lupinskie Center for Curriculum, Instruction and Technology said in an interview with CBS New York, “Ransomware is prolific right now and there’s more of it going on in government and education institutions than in private industry. We seem to be targets now.”
Schools’ appeal to cyberattackers stems, in part, from the fact that most don’t have robust cybersecurity systems or personnel and struggle to prevent and respond to attacks. They have the added challenge of needing to give their students and teachers the academic freedom to learn, explore, and do research. This often requires a more lax security posture than the locked-down environment of an enterprise. They also house a lot of sensitive data and are heavily reliant on software.
Another wrinkle: the users of that software might find it worthwhile to take a look under the hood. Veracode co-founder Chris Wysopal notes that, “schools use a lot of applications, which put them at the mercy of their vendors to build secure software, and requires that they have a good coordinated disclosure process to respond to security researchers, who in their case are often going to be students.”
Just last month at DEF CON, a teenager presented on all the vulnerabilities he found over the past three years in his school’s educational software. Wired reported that the teen “found a series of common web bugs in [the software], including so-called SQL-injection and cross-site-scripting vulnerabilities … those bugs ultimately allowed access to a database that contained 24 categories of data, everything from phone numbers to discipline records, bus routes, and attendance records.”
After he reported the flaws to the two software companies, he got little to no response. That is, until he used one of the vulnerabilities to trigger a push notification saying “hello” to all users. The software companies responded, and one has stated that it’s working to improve its vulnerability disclosure program.
Beyond working with vendors to ensure the security of software they are purchasing, and developing robust vulnerability disclosure programs, Wysopal recommends that schools consider “separating the administration network, which has the sensitive data the school needs to operate, from the teaching or lab network, where this data isn’t needed.” In this way, the school can maintain the academic freedoms while compartmentalizing data to reduce risk.