Campuses are quiet, school buses gather dust in maintenance garages, and students visit swimming holes and flip burgers. But while teachers and students can soak in the solace of summer vacation, hackers are not taking a break.

School networks are still online and just as vulnerable in June and July as they are in January. However, there are some steps that MSPs can take during summer break to ensure their education clients are safe, secure, and ready when doors open again.

Over the years, schools have become an increasingly attractive target for purveyors of ransomware. This has caused schools to more frequently contact MSPs for IT assistance and protection.

One of the most eye-opening attacks on a school system occurred last November when the Baltimore County Public Schools, the largest school district in Maryland, was disrupted and shut-down for days by the Ryuk malware. It’s still not known whether the school paid the hackers any ransom. Still, public documents show the school system had to spend upwards of $8 million recovering from the attack, including shoring up their systems from future attacks.

The cost of this attack is still growing. A recent article in the Baltimore Sun details some of the expenses, which included:

More than $2 million to move computer applications to a cloud-based system and more than $1.4 million for a one-year license on Windows security software, the latter of which was purchased at the strong recommendation of the system’s cyber insurance carrier.

Smarter MSP, reached out to V.S. Subrahmanian, The Dartmouth College Distinguished Professor in Cybersecurity, Technology, and Society, and the Director – Institute for Security, Technology, and Society at Dartmouth College, to find out what steps can be taken to ward off hackers.

Reasons schools are targeted by hackers

“School districts have money (hence can pay ransoms), but rarely devote much of their budget to cybersecurity (and hence are vulnerable),” Subrahmanian says.

Schools are also attractive targets because of the vast troves of data that they house. For instance, schools have the addresses of the students who attend. Those addresses, Subrahmanian adds, serve as a proxy for income information. In addition, schools have information about friends, intelligence (grades), and health information. “This is valuable information for the attacker to have in the long run,” Subrahmanian notes.

Smarter MSP has spoken with dozens of cybersecurity experts who agree with Subrahmanian that hackers will act as “scavengers” and “hoarders.” If they find information that has potential value and don’t have a use for it at the moment, they’ll squirrel it away for possible future use. Few places have more raw data about a large collection of people than schools.

Once you move into higher education, colleges and universities, the same data attracts hackers, but other valuables do so too.

“A further attraction is the massive ongoing research programs that depend on smoothly functioning IT networks. Disruption of such programs would cause chaos amongst the researchers involved,” Subrahmanian points out. And few groups of people thrive more on chaos than hackers.

“Schools need a multi-layered defense,” advises Subrahmanian, who compares the school perimeter metaphorically to an onion. “Each layer of the onion should act as a kind of defense. More protective layers need to be added at every opportunity,” Subrahmanian says.

Using the summer break to strengthen cybersecurity defenses

During these summer months, when the halls are empty but the networks are still running, there are opportunities to fortify schools.

“Using the summer to alter the attack surface – e.g., by distributing the data they hold across multiple compartments so that a ransomware attack compromises only one or a few compartments, is a good strategy,” Subrahmanian recommends. Again, the cost of doing so is worthwhile in the long run.

“This does take time and effort and cost (as other systems that access the school’s data might need to be modified), but doing it step by step will provide dividends in the long run,” Subrahmanian states.

And these summer months can also be used to update the school’s action plan if an attack occurs. It’s one thing for an attack to occur during summer when the campus is quiet, but if it happens during the school year, learning can grind to a halt.

“Schools need a concrete game plan about what to do when a ransomware attack happens, so they are not left scrambling. They need a playbook, and they need to adapt the playbook as the attacker’s methods evolve,” advises Subrahmanian

While schools need a detailed action plan for handling an attack, there are some immediate steps Subrahmanian recommends that a school takes if it finds itself on the wrong end of a ransomware attack.

“The very first step is to shut down any systems that have any chance of being affected, so the portion of the network that is compromised is limited,” says Subrahmanian. At the same time, calls should be made to the FBI and the school’s incident response provider. And last, the school should backup any data that they still can.

While ransomware seems to have emerged as the biggest threat of 2021, schools have other targets on their back, especially higher education entities.

“Intellectual property theft from US universities is a major problem,” Subrahmanian adds. The prestige and success of the colleges have made them attractive targets.

“Because the US is the world leader in IP generation, and much of that has its birth in universities, malicious actors are interested in stealing US university IP, especially when it is in a nascent or partially developed form,” Subrahmanian concludes.

Photo:

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *