A new, disturbing pattern has cropped back up that is reminiscent of some nasty behavior from the early days of Internet nefarious exploits: targeting schools and students and the innocent. Ransomware attacks have been making headlines in recent months—particularly as a threat to K-12. Both Roseburg (OR )Public Schools and Leominster (MA) Public Schools were two of the latest victims of cyber-abuse.
A history of hacking
21 years ago, I got a call at my first internet security startup company (Signal 9 Solutions, later acquired by McAfee) asking for help; a woman’s son had cognitive challenges and disabilities, and she thought he was the victim of hacking. She had seen a news piece about cyberhacking, and she thought this might be a case.
At the time, we focused on enterprise sales and cryptographic solutions, but we had accidentally invented the personal firewall for telecommuting, put a beta version of this new standalone personal firewall on our website, and started a forum talking about it.
I decided to look into it, and I’m glad I did. Not only did I find some great people and ultimately help a lot of them, but I also found a nasty training ground for hackers cutting their teeth. In those days, there was a tacit credo among those of us who knew how to hack: We didn’t go after bystanders or those who didn’t know what they were doing. Even in those days, nation states and criminals were doing bad things online, but amongst most of us the creed was important. Harry Potter wasn’t a thing then, but the message today would translate as “Don’t use magic to harm muggles.”
And sure enough, that’s what we found: silent victims who couldn’t speak for themselves or understand why a computer was behaving so unpredictably. Script kiddies and wannabe hackers were plying their trade in the least risky and most vile of places.
And this continues today.
The current state of hacking
Recently, there has been a rash of attacks on K-12. The reasons are simple and straightforward. These are not attacks for big dollars, generally, because most students and most schools don’t have much money. Sometimes, it’s attempted identity theft, pedophiles, or trolling. Sometimes it’s even accidental (a school or student group is targeted as an afterthought).
And sometimes it’s the old specter of cowardly script kiddies and wannabes looking to test out their infrastructure, malware, or scheme somewhere that can’t defend itself or even draw much attention.
How to protect yourself
There are some critical things all institutions should do, even with limited resources. Naturally budget and talent are questions, and there are some cool new initiatives and companies like Sightline Security, an organization missioned to help non-profit organizations identify, measure, prioritize, and improve their current state of information security, but it doesn’t take a security department to start building resilience and hardening systems and services.