Hackers have been exploiting weaknesses in school networks as campuses reopen in varying degrees during the pandemic. Schools of all sizes, though, are finding out what a threat hackers can pose to the educational process.

The superintendent of the Valparaiso Community School system in Indiana describes the impact on their remote learning that hackers are inflicting:

“For example, he said students will be logged into their classroom and get part of a lesson, only to have the connection fail a few minutes later — causing students to miss key material and forcing teachers repeat the lesson when the connection is reestablished.

The issue has been frustrating for students and parents and forced the school to find outside help in building a stronger perimeter.

Risks from the coronavirus are real, and the same holds true for computer viruses

Last week we explored the threat that hackers pose during this unusual back-to-school season when millions of students are working remotely. This week, we continue the conversation about school cybersecurity with University of Denver professor and security expert Nate Evans, who says the cybersecurity situation is more nuanced depending on the network architecture’s complexity and maturity.

The conventional wisdom is that student data and records are more vulnerable because of the numerous additional attack vectors that the typical home environment offers. School IT professionals and outside MSPs managing campus networks have suddenly found themselves monitoring dispersed students, many of whom are working from less than secure devices.

“If employees are able to download sensitive student data to their personal computers or devices, then that data would potentially be more at risk than if it were only accessible while physically on-campus,” Evans advises.

He said the primary issue is whether data and computers are exposed to networks or attacks they wouldn’t usually be prone to, as could be the case for home networks.

“If proper access controls are in place, then it should be just as safe as if accessed from the office,” Evans adds, pointing out that such controls could include strong passwords and multi-factor authentication coupled with VPN-only access to such data.

But even those safeguards have holes because “this assumes there are policies in place to prevent employees from mishandling data,” Evans notes, like downloading it unencrypted to their computer. The safety factor also assumes that employees will follow best practices and policies and not do anything they shouldn’t.

MSPs must educate faculty about data best practices

To tamp down on school-related data vulnerability, Evans says that measures should be put in place so that employees only have access to the data they need for their jobs and are trained in appropriate data handling and security techniques.

Another nuance in Evans’s analysis is that students in remote learning situations might actually protect school networks in some ways. Instead of bringing “dirty” BYOD devices onto campus and potentially infecting the school’s system, everything is just done from home. Still, Evans advises, home networks may provide entry points to attackers because presumably, the school network will block incoming attacks and known threats to some degree.

“When students are at home, they are exposed to other devices connected to the same home network (for instance, grandpa’s malware riddled Windows 7 PC or the Internet-connected refrigerator), and don’t have an IT department to try to protect them,” Evans says. So, assuming a student’s computer gets infected with malware, the school itself will only be at risk when the student connects to the school network again.

Evans adds that this risk occurs when students return to campus at some point, or if they use a low-level connection (such as a VPN) to connect virtually. Connections via Zoom, Webex or CMS platforms are made at the application layer, and as such are less vulnerable to malware spreading, Evans says.

Standard measures to implement

Evans recommends some standard best practices that MSPs and IT professionals should follow to ensure a safe-back-to-remote school cyber environment. Among them are:

    • Keep operating system software up to date (Windows update, Apple software update)
    • Install some form of anti-malware software (Windows defender, McAfee, ClamAV, etc.) In many cases, there are free versions that work just fine
    • Use firewall software on computers, and don’t allow incoming connections
    • Disable unneeded services on Wifi routers or modems, like UPNP
    • Use a non-administrative account on your computer for daily use
    • Monitor devices on your home network (usually you can see this via web interface for your Wifi access point or modem). Disallow unknown devices from connecting
    • Make sure you have a non-default password for your Wifi network
    • Set your wireless network security to WPA2 (not WEP!)
    • Don’t install software from untrusted sources
    • Don’t click links/attachments in emails from unknown recipients (or anyone unless you expected the link/file)
    • Enable multi-factor (usually 2-factor) authentication for any websites/apps that support it
    • Never re-use passwords across sites/apps
    • Use a password manager (1Password, LastPass, etc.) with a strong master password

None of the above will do the trick if users aren’t informed and educated about the risks of opening unknown attachments and falling for social engineering scams. Therefore, as students and teachers adapt to the new normal, MSPs will have to do so as well. For the foreseeable future, school will be from home and that brings with it pros and cons to be leveraged and mitigated.

Photo: smolaw / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *