Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/2/2020
02:00 PM
Jeff Wilbur
Jeff Wilbur
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Don't Forget Cybersecurity on Your Back-to-School List

School systems don't seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back to school season: Cybersecurity.

Before examining cybersecurity needs in school systems, it's important to understand what's at stake. On the surface, school systems don't appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents' financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

Related Content:

COVID-19: Latest Security News & Commentary

Higher Education CISOs Share COVID-19 Response Stories

In recent years, schools have also seen an increase in debilitating ransomware attacks, even prompting an FBI alert this summer highlighting increased abuse of the Remote Desktop Protocol (RDP) to plant ransomware on school systems.

The security challenges are amplified by the move to more online learning and administration, specifically:

  • Systems that were designed to be accessed on internal networks now need remote access.
  • A wide variety of devices that were never connected to the school's network now need regular access to services.
  • The type of access needed has expanded well beyond posting of class assignments online. It now includes everything from live classrooms to access to administrative tools and health services.

These additional requirements significantly expand the attack surface, compounding the risks. This brings a largely un-cybersecurity educated set of users into play, placing additional stress on school IT staff who are already typically stretched thin.

So, who is responsible to ensure that these systems and their users are safe? In this case, all layers of the ecosystem – vendors, school districts, and students/parents – have a role to play.

Vendors need to recognize the shift to remote use and provide appropriate built-in security.

School district staff need to choose tools that have appropriate security controls and establish strong cybersecurity practices for staff and students.

Students (and their parents) need to protect themselves and the school's systems by practicing strong cyber hygiene.

Here are some practical guidelines for each group.

Vendors Need to Raise the Security Bar
To cover the full range of needs, there are many applications and websites for school district staff to consider – most of these apps, websites, and software products are developed primarily to deliver certain capabilities and levels of functionality and may not incorporate strong security practices. These include limiting access by type of account, encrypting communication and data at rest, offering multi-factor authentication (MFA) to limit illicit access, and securing data on hosted cloud platforms.

As usage continues to increase, vendors need to bolster the security of their products to prevent breaches and disruption of their services.

School Staff: The Critical Role
School district staff has the most critical role to play in ensuring proper levels of cybersecurity, as they're responsible for making the choices regarding what tools to offer students and parents, as well as setting up the networks for teachers, students/parents, and administrators.

As with any enterprise, school district staff need to follow strong cybersecurity practices. In March, the Consortium for School Networking (CoSN) issued Cybersecurity Considerations in a COVID-19 World to provide guidance to staff on how to best protect their networks and users. The recommended best practices include guidelines related to classroom supervision, layered permissions, Web content filtering, encrypting data, and protecting devices.

In addition to adhering to CoSN's guidelines, staff should carefully select which online learning tools to use, make cybersecurity part of the decision-making criteria when selecting digital tools, and not hesitate to demand stronger security capabilities from existing vendors.

Students and Parents: Empowering End Users
It's critical that students and parents take concrete steps to empower themselves to be safer when engaging in remote learning online, as failure to properly secure their access can have negative side effects on both the school systems and systems used in their household, which likely include corporate systems in our new work-at-home world.

Though students and parents are at the mercy of the choice of tools made by the school, they can still practice good cyber hygiene by using strong passwords, enabling multi-factor authentication, changing default passwords on devices in the home to prevent illicit access, exercising care in sites they visit, and choosing strongly encrypted services for their personal use.

Given the massive increase in video conferencing use since the start of the pandemic, it's also important for students and parents to make smart choices regarding those services. Mozilla released a guide to videoconferencing services, assessing them against minimum security guidelines, as part of their "*privacy not included" series. This is a valuable resource for students and parents.

Back to school 2020 will certainly be unique, as schools scramble to figure out how to provide education in the context of an ever-shifting coronavirus backdrop. With a continued shift to online learning, maintaining a strong focus on cybersecurity is more important than ever.

Jeff Wilbur is Senior Director, Online Trust at the Internet Society, where he has focused on security and privacy best practices for enterprises and IoT and speaks regularly on issues related to online trust. He has over 35 years of experience in high technology, all focused ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BeSecureBeConnected
100%
0%
BeSecureBeConnected,
User Rank: Author
9/23/2020 | 5:03:08 PM
Remember to factor in user productivity
Good article, remember to consider user productivity impact while implementing security controls.  For example, web content filtering by itself may overblock websites that are needed in the classroom.  Enhancing a filter with newer approaches, like browser isolation, lets users safely browse to a website that may have been blocked simply because it was new.  Security is important, but it doesn't have to be overly difficult for our already stressed-out teachers, students, and staff.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...