Recently, the Federal Bureau of Investigation (FBI) warned schools about an increase in ransomware attacks during the pandemic, with attackers exploiting Remote Desktop Protocol (RDP) connections that allow school employees to log in to district servers remotely.
While the FBI’s alert is worrisome in its own right, it’s not the issue that keeps K-12 cyber security expert Doug Levin up at night.
Levin, a former director of the State Educational Technology Directors Association who now heads the consulting firm EdTech Strategies, is more concerned about what happens when millions of devices that have been removed from the protection of school district firewalls for five months are reconnected to district networks in August.
“Unless students, teachers, and administrators are IT experts, it’s not out of the realm of possibility that they have had malware introduced to their device,” Levin says. “We have seen a spike in the number of COVID-related phishing scams, and malware can be introduced through the sites that users have visited, the links they have clicked on, or the material they’ve downloaded — and also through home routers that aren’t very secure. If you got your router from Best Buy or the cable company, you might not have changed the settings on it. Bad guys know that, and they look for devices they can compromise.”
He adds: “What I worry about is that when all those devices are reintroduced to school district networks, they’ll pass along malware or ransomware.”
Remote learning’s IT security challenges
The sudden shift to remote learning this past spring brought many challenges, including how to keep devices and networks secure.
While K-12 leaders grappled with immediate priorities such as how to deliver high-quality instruction remotely, how to reach and engage every student online, and how to answer stakeholders’ technical questions, it would have been easy for leaders to overlook cyber security — or at least not give this issue the full attention it deserved.
Learning and working remotely raise a few different cyber security challenges, Levin says, depending on how a school system has set up its IT infrastructure. “A lot of this depends on what tools schools were using and how prepared they were to go fully virtual,” he explains.
If school and district personnel have been logging in from home to applications hosted locally on school district servers, those connections need to be secure so that hackers can’t gain entry into district networks. “In the best of circumstances, schools have deployed virtual private networks [VPNs] to protect these connections and ensure that only authorized users could access local servers,” Levin says.
The scenario the FBI warned about in June is school employees using RDP connections to log in to local district servers from home. The agency observed that “cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic, because they represent an opportunistic target as more of these institutions transition to distance learning,” ZDNet reports.
A growing number of school systems are using cloud-based applications instead of hosting software on local servers. In these cases, students and employees have been accessing software directly from the cloud instead of logging in to district servers. “In general, their security posture remains largely unchanged,” Levin says.
However, in the rush to pivot to remote learning nearly overnight, many schools and individual teachers “have chosen to use new apps and services they have not fully tested or vetted,” he says. These cloud-based apps and services might not be very secure and may be susceptible to breaches.