Recently, the Federal Bureau of Investigation (FBI) warned schools about an increase in ransomware attacks during the pandemic, with attackers exploiting Remote Desktop Protocol (RDP) connections that allow school employees to log in to district servers remotely.
While the FBI’s alert is worrisome in its own right, it’s not the issue that keeps K-12 cyber security expert Doug Levin up at night.
Levin, a former director of the State Educational Technology Directors Association who now heads the consulting firm EdTech Strategies, is more concerned about what happens when millions of devices that have been removed from the protection of school district firewalls for five months are reconnected to district networks in August.
“Unless students, teachers, and administrators are IT experts, it’s not out of the realm of possibility that they have had malware introduced to their device,” Levin says. “We have seen a spike in the number of COVID-related phishing scams, and malware can be introduced through the sites that users have visited, the links they have clicked on, or the material they’ve downloaded — and also through home routers that aren’t very secure. If you got your router from Best Buy or the cable company, you might not have changed the settings on it. Bad guys know that, and they look for devices they can compromise.”
He adds: “What I worry about is that when all those devices are reintroduced to school district networks, they’ll pass along malware or ransomware.”
Remote learning’s IT security challenges
The sudden shift to remote learning this past spring brought many challenges, including how to keep devices and networks secure.
While K-12 leaders grappled with immediate priorities such as how to deliver high-quality instruction remotely, how to reach and engage every student online, and how to answer stakeholders’ technical questions, it would have been easy for leaders to overlook cyber security — or at least not give this issue the full attention it deserved.
Learning and working remotely raise a few different cyber security challenges, Levin says, depending on how a school system has set up its IT infrastructure. “A lot of this depends on what tools schools were using and how prepared they were to go fully virtual,” he explains.
If school and district personnel have been logging in from home to applications hosted locally on school district servers, those connections need to be secure so that hackers can’t gain entry into district networks. “In the best of circumstances, schools have deployed virtual private networks [VPNs] to protect these connections and ensure that only authorized users could access local servers,” Levin says.
School employees using RDP connections to log in to local district servers from home is the scenario the FBI warned about in June. The agency observed that “cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic, because they represent an opportunistic target as more of these institutions transition to distance learning,” ZDNet reports.
A growing number of school systems are using cloud-based applications instead of hosting software on local servers. In these cases, students and employees have been accessing software directly from the cloud instead of logging in to district servers. “In general, their security posture remains largely unchanged,” Levin says.
However, in the rush to pivot to remote learning nearly overnight, many schools and individual teachers “have chosen to use new apps and services they have not fully tested or vetted,” he says. These cloud-based apps and services might not be very secure and may be susceptible to breaches.
That’s partly what happened with Zoom earlier this spring. “We have a new word in our vocabulary, Zoom-bombing, that didn’t exist before COVID,” Levin says. “The challenge there was that the user authentication that allowed the meeting host to control who could get in and share information was not designed with the needs of K-12 in mind. That created all sorts of problems,” until the programmers behind the application improved Zoom’s authentication protocols.
Three tips for success
As K-12 leaders prepare for a new school year, Levin offers the following cyber security advice:
Before reconnecting devices to your network, thoroughly scan them and remove any malware.
School IT personnel tend to trust the devices that are on their network, Levin says, noting: “Their security posture is more focused on preventing external hackers from trying to get in.” In this case, he says, “I think it would be very wise for school districts not to trust these devices that are coming back onto networks after many months. Make sure they’re clean before reconnecting them.”
Take a step back and carefully evaluate the applications you’re using.
If students and staff will be learning and working remotely again this year, make sure their devices are equipped with malware protection. Also, carefully evaluate the apps and services that teachers, staff, and students will be using to make sure they are secure, and provide a list of acceptable apps that stakeholders should use.
“There has been a lot of attention on student data privacy, but it’s important that people don’t conflate privacy and security,” Levin says. “The review process that schools use certainly has to focus on student data privacy, but schools should also be looking for evidence of good cyber security practices. If there’s a security breach, will the vendor tell the school? Have they undergone a security audit? Are they in compliance with industry-leading standards?”
Levin recommends that K-12 leaders use this list of questions from the Electronic Frontier Foundation to evaluate the security of application providers.
Teach students and staff how — and why — to use cyber security best practices.
“Provide advice on how remote learners and workers can practice good cyber hygiene, such as segregating personal work from schoolwork on their device and using unique passwords for each application,” Levin says. “Students and staff should also know how to recognize phishing scams and how to report them when they see them.”