School is in Session
What COVID-19 taught educational institutions about cybersecurity
- By Wayne Dorris
- December 01, 2021
When lockdowns began in March of 2020, educators scrambled to adjust to the new reality. In a reactive mode, universities, colleges, and K-12 districts quickly instituted policies and embraced platforms without a thorough cybersecurity vetting process. They were ill prepared for the BYOD free for all that began logging into their networks combined with the widespread use of unsecured or poorly secured home wireless connections.
Not surprisingly, 2020 attacks on K-12 were up 18% over the previous year and ransomware attacks on colleges doubled during that same period. The education sector already ranked in last place for cyber safety before the pandemic; 2020 only made things worse.
Now, with more than a year of remote learning under our belts and hybrid models probably here to stay in some capacity, what lessons have educational institutions learned about better securing their networks? What potential vulnerabilities lie ahead?
Increasing VPN Capacity
VPNs can keep communications secure by creating an encrypted “tunnel” through which all data travels. Pre-pandemic, if a school had a VPN set up, it was not designed with enough bandwidth for the volume of traffic created by an entirely remote student body.
To accommodate the flood in traffic, schools relied on a split-tunneling feature of VNPs, which sent traffic to and from the school’s network through the encrypted pipe but excluded everything else. Web surfing and other connections, open and accessible at the same time, as school-hosted applications on personal devices, were insecure and vulnerable to hackers. Fortunately, many school IT departments have sufficiently increased their VPN capacity to eliminate the need for split tunneling.
One hundred percent remote learning is hopefully behind us, but networks must be prepared for any future conditions that could require its temporary return. For example, remote days may be the new snow days. Complete 100% VPN access, without split tunneling, will help keep networks and personal PCs safe.
IT departments are accustomed to establishing strict security policies for their own networks. However, schools now use the cloud to host all sorts of applications, extending IT departments' supervisory responsibilities to those environments. The security policies for Google, AWS, Azure, and other host environments must align with those of the institutions that rely on them.
Cloud applications are vetted carefully as well. In 2020, we saw what happens when they're not. For example, widespread use of Zoom early in the pandemic led to cyberattacks, data leaks and unwelcome "zoom bombers." (The platform subsequently introduced new security features.)
Before a cloud solution is endorsed for widespread use by educational institutions, whether it will be used remotely or in the classroom, IT departments must first vet it thoroughly for cybersecurity risks.
The Human Firewall
The trusting culture prevalent in educational communities makes their human firewalls far more porous than those in another environment do. Phishing is rampant and a big problem. Some emails are opened that should not be, and dangerous links are clicked on, providing an entrée for ransomware attacks. Other unsafe behaviors also persist. Students share passwords with their friends and roommates. Maybe, they innocently set up accounts on sham websites using the same credentials they use for accessing the school's network.
Breaking these bad habits requires consistent, engaging education. There are many turnkey resources available to help. For example, gamified learning modules that challenge participants to spot the phishing email from among the "real" ones are both fun and effective.
Educational messaging must also train staff, students and the parents of younger students on the importance of immediately reporting their actions when they believe they have made an error in judgment. They should know whom to contact and how. Everyone must understand that self-reporting will not result in punishment. The sooner IT knows of a problem, the sooner it can mitigate the threat. By contrast, the consequences of not reporting such an event can cause widespread harm.
Multi-factor or two-factor authentication (2FA) serves two purposes. First, it dramatically increases the likelihood that the person entering a username and password is who they claim to be. Secondly, if a user receives a text with a 2FA code when they are not trying to log in, they become aware that their password and credentials have been compromised, and IT should be alerted immediately.
2FA should be the norm at the university level whenever signing into network applications, whether on-campus or remotely. It is reasonable to assume that all faculty members and students own a cellphone; 2FA is not an overly burdensome expectation.
For K-12, 2FA certainly makes sense for any remote access to network resources, including homework portals and collaborative work sites. Most junior high and high school students have phones. For elementary school, parents or a caregiver would likely have to assist with 2FA.
Protecting Research Data
Research projects conducted on Higher Ed campuses, often in conjunction with military, medical, technology and corporate partners, are prime targets for bad actors seeking to exploit the data for nefarious purposes. Prior to the pandemic, laboratory computers were on closed networks that could only be accessed from within physically secure facilities. However, the pandemic necessitated some researchers to have remote access, opening the door to attacks.
The use of VPNs and multi-factor authentication were useful in these situations, but even more effective has been the implementation of Zero-Trust Architecture. Zero Trust requires users to continuously re-verify and re-authenticate their identity as they interact with network applications and resources. Zero Trust can feel burdensome for the researchers, but its use is gaining traction. Its inconvenience is a small price to pay compared to the cost of compromised data, and new technologies are coming to market that make Zero Trust seamless for those who must use it.
Managing Covid Data
The next great IT challenge for schools and universities will be addressing the evolving requirements for managing health care data. In the past, students provided proof of vaccination and medical records at the beginning of the school year. After that, few updates were necessary.
COVID has made managing health card data much more complicated. At many colleges and universities, students and faculty must provide proof of vaccination. At others, there is also the option to decline vaccination but undergo frequent testing. For K-12, updated records are necessary as students become eligible for the vaccine and/or their parents decide to proceed with vaccinating them.
Cases of COVID must be reported, contact tracing enforced and quarantine policies observed, which vary depending on the exposed individuals' vaccination status. Parents must be notified of any exposure risk to their child, while administrators protect the identity of the infected.
That is a lot to keep track of, and schools must have highly secure, fully encrypted platforms for maintaining this sensitive information. As mentioned previously, 2FA is an invaluable step toward verifying the identity of anyone submitting records, as well as administrators seeking reporting data.
No conversation about school cybersecurity would be complete without mentioning its inextricable link to physical security. The same cybersafety precautions that apply for remote learning are relevant for physical security equipment.
Security professionals are generally mindful of installation best practices for video and access control systems, but sometimes security measures for intercom systems are overlooked. During the past year, minimally occupied campus buildings relied heavily on intercoms for staff to communicate with and buzz in visitors, maintenance workers, and delivery staff. Unencrypted audio communication over the network is a potential vulnerability, just like video and data. After all the work IT departments have put into hardening remote learning, it would be a travesty to suffer a network cross-breach from a haphazardly installed intercom.
Students’ 2020 transcripts will be forever marked with an asterisk, indicating the challenges brought about by nearly a year of completely remote classrooms. The pandemic’s influence on students’ grades are not the only ones we should care. Let’s hope in 2021, IT departments earn straight A’s for all the cybersecurity lessons learned.
This article originally appeared in the November / December 2021 issue of Campus Security & Life Safety.