K-12 Cybersecurity Focus: Actionable Advice for Enhancing Cybersecurity at K-12 Schools
In December 2020, the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory titled Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data. This bulletin outlined the scope and complexity of cybersecurity dangers facing America's K-12 schools, colleges, and universities. It corroborated information culled from technology industry insights such as Microsoft's Global Cyber Threat Activity Tracker. 2020 was an active year for targets against classrooms, students, administrators, and municipal governments. In a single month-long period, between July and August 2020, Microsoft analyzed over eight million separate incidents of malware deployed against K-12 schools. However, cybercriminals used a wide variety of methods and attack vectors to target schools with ransomware requests, attempts to cause data breaches, and defraud educational service providers of hard-fought institutional funds. Ransomware has emerged as one of the premier crimeware-as-a-service (CAAS) tools deployed by organizations to harm K-12 schools. In these attacks, hackers gain access to the school's sensitive data and administrative access and then demand a hefty ransom sum be paid out to decrypt data and return access to its rightful owners successfully. According to data collected by the MS-ISA, during the beginning of the 2020 school year, the percentage of reported ransomware incidents against K-12 schools increased. During August and September, 57% of ransomware incidents reported involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. Based on third-party data and victim self-reports, the five most common ransomware variants between January and September 2020 against schools were Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil. During the first quarter of 2021, new malware variants such as Zeus and Shlayer were also found to be among the most commonly deployed tools used by hackers to attempt to complete cyber exploitation campaigns against K-12 schools:
- Zeus is a Trojan with several variants targeting Microsoft Windows operating systems. Cyber actors use Zeus to infect machines and send stolen information to command-and-control servers.
- Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater.
Cybersecurity at K-12 School Systems: What Teachers Should KnowCybersecurity best practices for teachers should not remain in the confines of the classroom, especially given that so many teachers use personal devices and conduct school business from home. K-12 school districts must develop cybersecurity policies and practices that reflect the reality teachers are facing. That means teachers need to receive training on being more cyber resilient and be digitally aware inside classroom spaces and on the go.
Cyber Threats that K-12 Teachers Need to KnowTo be able to respond to cybersecurity threats, teachers need to develop a culture of lifetime learning. This area of information technology is constantly evolving, and it requires consistent due diligence to remain up to speed with evolving cybersecurity threats.
- Phishing: K-12 schools are particularly vulnerable to the social engineering tactics used to get teachers to provide access to hackers by playing on their emotions, getting them to click seemingly innocuous links, and compromise security by unknowingly providing criminals access to sensitive data streams.
- Distributed Denial-of-Service (DDoS): DDoS attacks can bring school resources and systems to a grinding halt, making it impossible for students to access educational materials and resources connected to their in-person or distance learning plans.
- Data Breach: These attacks are particularly devastating for schools to handle because of the significant privacy concerns connected to having valuable research data or information about students fall into the wrong hands.
- Ransomware: In 2021, ransomware attacks are being carried out every 11 seconds and frequently cost millions of wasted educational funds to resolve.
- IoT Vulnerabilities: The IoT (Internet of Things) means connecting everything from printers to cameras, traffic lights to calculators. A compromise could occur on these devices with the right know-how.
Actionable Cybersecurity Advice for TeachersThe first step towards understanding the problem is enacting the right solution. The following insights can help K-12 teachers develop greater cyber resilience and practices around ensuring data security:
- Use Encryption: Hackers attempt to gain access to data at schools because it is freely available. Classroom records and data with encryption cannot easily be compromised, and it's a great way to deter criminal activities.
- Follow Your District's Cybersecurity Best Practices: Human error is the leading cause of cyber-attacks in far too many cases. Meaning, it wasn't a matter of not having cybersecurity tools and practices to lean on but more about not doing what one should do in a given situation.
- Be Responsible for Your Devices: Always log into and out of computers and educational platforms as soon as you finish using them, always create original and challenging to guess keywords, lock your classrooms, and ensure your personal devices are not vulnerable to intrusion.
- Backup Important Data Frequently: Ransomware attacks are on the rise and frequently compromise sensitive data. However, this is not as severe a problem if you are already backing up your files regularly.
Cybersecurity at Home: What K-12 Parents Should KnowWhen students are at school, they are more likely to receive protection from information security protocols restricting access to dangerous websites, materials, and platforms. Because so many students are involved with varying degrees of distance learning these days, it is pragmatic for parents to consider implementing enhanced cybersecurity resources at home to create a safer home environment for learning.
Cybersecurity Threats that K-12 Parents Should Know AboutMost parents are concerned about their children's safety and security, yet many do not put enough time and effort into securing online environments where their kids spend time. As a parent, you must be upfront with young people about cyber threats and put firm boundaries and practices in place to ensure safety against:
- Predatory Individuals and Organizations Online: The pandemic and lockdowns have given many people way too much time to focus on committing crimes against young people. It's a parent's responsibility to know what online platforms and communities their kids are a part of, whom they communicate with, and their online activities.
- Hidden Malware Platforms: Many criminal organizations hide malware programs inside websites and games geared towards young people. Parents must use methods to scan their family's digital devices for incoming threats from malicious programs.
- Efforts to Steal Identity: Many recent cyberattacks against schools have led to severe identity theft crimes being carried out, such as having kindergarten students enrolled in fraudulent loan applications.
- Online Bullying and Harassment: As young people venture into the online world, they must remember to bring the friendly and good-natured attitudes they bring into the classroom. Parents need to teach children how to be good citizens online and how not to be victimized by bullies, harassers, and trolls.
Actionable Cybersecurity Advice for K-12 ParentsAs your child's parent, you are their best protection against online threats like those mentioned above. Here are five steps to follow with your child today:
- Teach Your Family Password Best-Practices: Young children frequently use smartphones, tablets, and many different platforms requiring identity verification. Teach your family the best practices around passwords by ensuring they are not using the same simple passwords repeatedly. Change passwords often. Check what programs have access to data frequently and update permissions and passwords regularly.
- Be Proactive About Online Safety: The first step towards countering problems is developing awareness about vulnerabilities. That means if you haven't spent much time talking to your kids about online best practices, today is the perfect time to start. Observe what your kids are doing, ask them about what they are doing, and provide them the resources and information necessary to make the healthiest and best choices.
- Do Not Give Out Location Details Freely: Disable services that update your children's location in real-time. Be wary of geotagging services for pictures. Be cautious about allowing your children to live stream while on the go and using platforms that make it easy for them to be tracked by predators.
- Secure Your Home Wi-Fi: Your network needs to be secure to ensure that outside intruders cannot compromise your family's data. Do not skip out on security features as a way of simplifying things. Simple and easy is what leads to serious criminal activity.
- Take Advantage of Parental Controls: In 2021, many devices, platforms, and online resources have parental controls already built into their user interfaces. The question is, are you using them?
Cybersecurity at K-12 Schools: What Students Need to KnowCyber threat actors are highly motivated to attack K-12 students in their classrooms, at home, and while they are on the go. The following types of cybercrime are on the rise against students in the United States:
K-12 Cybersecurity Threats for Students
- Theft of Sensitive Personal Data: Students' academic records, medical history, and financial information are valuable to criminals. Students must understand that their information is a commodity that many criminals are interested in stealing and using for malicious purposes.
- Malware on Smartphones and Tablets: Online health and safety is not restricted to what happens on a computer. Students need to develop better practices for how they use mobile devices to be able to protect against malware.
- The Dangers of Social Media: From stranger danger to being an attack vector for phishing scams, social media is where many cyberattacks against students occur. That doesn't mean avoiding all social networks but instead, develop safer practices for using them.
- Remote Access Vulnerabilities: In the last year, there have been many cases of Zoom cameras being hijacked and hackers gaining access to classroom settings during class sessions. Students need to know how to prevent remote access to cameras and other devices that cybercriminals can control from long distances away.
- Social Manipulation: Many scams and crimes committed against students are perpetrated by manipulating students into believing their sensitive information such as grades or nude pictures could leak online. Students need to be aware of laws against cyber-harassment and when it's the right time to contact authorities if an uncomfortable situation goes too far.
Actionable Cybersecurity Advice for K-12 StudentsYoung people can be more cyber resilient and ready to counter threats in the digital environment by adopting the following techniques:
- Safeguard Data: Your student records, address, telephone number, financial information, and other data from the way you use apps are sensitive and should be protected. Take your data seriously and take steps towards protecting it against exploitation.
- Invest in Cybersecurity: Students must have anti-virus and anti-malware tools installed and running up-to-date software versions on their computers, tablets, and phones.
- Be Vigilant About the Unknown: If an email looks suspicious or someone randomly drops a strange-looking link in a chat, be extremely cautious about clicking these things. If you are unsure, be sure to wait and find out more before clicking unknown links.
- Develop a Culture of Continuous Improvement: Developing cyber resilience is a lifelong endeavor and requires consistent practice and effort. Take the time to educate yourself and stay up to date about cybersecurity best practices.