Page 18 - Campus Security & Life Safety, November/December 2021
School is in Session
What COVID-19 taught educational institutions about cybersecurity
When lockdowns began in March of 2020, educators scrambled to adjust to the new reality. In a reactive mode, universities, colleges, and K-12 districts quickly instituted policies and embraced platforms without a thorough cybersecurity vetting process. They were ill-prepared for the BYOD free-for-all of devices logging into their networks, combined with the widespread use of unsecured or poorly secured home wireless connections.
Not surprisingly, 2020 attacks on K-12 were up 18% over the previous year and ransomware attacks on colleges doubled during that same period. The education sector already ranked in last place for cyber safety before the pandemic; 2020 only made things worse.
Now, with more than a year of remote learning under our belts and hybrid models probably here to stay in some capacity, what lessons have educational institutions learned about better securing their networks? What potential vulnerabilities lie ahead?
Increasing VPN Capacity
VPNs can keep communications secure by creating an encrypted “tunnel” through which all data travels. Pre-pandemic, if a school had a VPN set up, it was not designed with enough bandwidth for the volume of traffic created by an entirely remote student body.
To accommodate the flood in traffic, schools relied on the split-tunneling feature of VPNs, which sent traffic to and from the school's network through the encrypted pipe but excluded everything else. Web surfing and other connections, open and accessible at the same time as school-hosted applications on personal devices, were insecure and vulnerable to hackers. Fortunately, many school IT departments have sufficiently increased their VPN capacity to eliminate the need for split tunneling.
One hundred percent remote learning is hopefully behind us, but networks must be prepared for any future conditions that could require its temporary return. For example, remote days may be the new snow days. Complete 100% VPN access, without split tunneling, will help keep networks and personal PCs safe.
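One way for IT staff to check whether a client is really on a full tunnel is to audit its routing table. The following is an added example, not part of the original article; the interface names `tun0` and `wlan0`, the school network `10.20.0.0/16`, the probe addresses and both routing tables are constructed assumptions.

```python
import ipaddress

# Constructed client routing tables: (destination prefix, egress interface).
# "tun0" (VPN) and "wlan0" (home Wi-Fi) are assumed names; 10.20.0.0/16 is a
# made-up school network.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),       # default route stays on home Wi-Fi
    ("10.20.0.0/16", "tun0"),     # only school-bound traffic is encrypted
    ("192.168.1.0/24", "wlan0"),
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),       # old default route is still listed...
    ("0.0.0.0/1", "tun0"),        # ...but two more-specific halves of the
    ("128.0.0.0/1", "tun0"),      # IPv4 space override it via the tunnel
    ("192.168.1.0/24", "wlan0"),  # local LAN remains directly reachable
]
# Sample Internet destinations, one in each half of the IPv4 space.
PROBES = ["8.8.8.8", "203.0.113.10"]


def egress_interface(routes, dest):
    """Longest-prefix match: the interface a packet to dest would leave on."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit_tunnel(routes, vpn_iface="tun0", probes=PROBES):
    """Return 'full', 'split' or 'none' plus the probes that bypass the VPN."""
    if not any(iface == vpn_iface for _, iface in routes):
        return "none", list(probes)
    bypass = [p for p in probes if egress_interface(routes, p) != vpn_iface]
    return ("split" if bypass else "full"), bypass


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, audit_tunnel(table))
```

The check covers IPv4 only; a client with an IPv6 default route outside the tunnel needs the same audit on its IPv6 table.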
The Cloud
IT departments are accustomed to establishing strict security policies for their own networks. However, schools now use the cloud to host all sorts of applications, extending IT departments' supervisory responsibilities to those environments. The security policies for Google, AWS, Azure, and other host environments must align with those of the institutions that rely on them.
Cloud applications must be vetted carefully as well. In 2020, we saw what happens when they're not. For example, widespread use of Zoom early in the pandemic led to cyberattacks, data leaks and unwelcome "zoom bombers." (The platform subsequently introduced new security features.)
Before a cloud solution is endorsed for widespread use by educational institutions, whether it will be used remotely or in the classroom, IT departments must first vet it thoroughly for cybersecurity risks.
The Human Firewall
The trusting culture prevalent in educational communities makes their human firewalls far more porous than those in other environments. Phishing is rampant and a big problem. Some emails are opened that should not be, and dangerous links are clicked on, providing an entrée for ransomware attacks. Other unsafe behaviors also persist. Students share passwords with their friends and roommates. They may also innocently set up accounts on sham websites using the same credentials they use for accessing the school's network.
By Wayne Dorris
Breaking these bad habits requires consistent, engaging education. There are many turnkey resources available to help. For example, gamified learning modules that challenge participants to spot the phishing email from among the "real" ones are both fun and effective.
Educational messaging must also train staff, students and the parents of younger students on the importance of immediately reporting their actions when they believe they have made an error in judgment. They should know whom to contact and how. Everyone must understand that self-reporting will not result in punishment. The sooner IT knows of a problem, the sooner it can mitigate the threat. By contrast, the consequences of not reporting such an event can cause widespread harm.
Multi-Factor Authentication
Multi-factor or two-factor authentication (2FA) serves two purposes. First, it dramatically increases the likelihood that the person entering a username and password is who they claim to be. Secondly, if a user receives a text with a 2FA code when they are not trying to log in, they become aware that their password and credentials have been compromised, and IT should be alerted immediately.
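The second purpose can also be watched for on the server side: a correct password followed by a 2FA code that is never entered suggests someone else holds the password. The sketch below is an added example, not part of the original article; the event names, the five-minute window and all log lines are constructed assumptions, not any product's log format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed authentication events: (time, user, event, source IP).
EVENTS = [
    ("2021-11-02 03:14:02", "bjones", "password_ok", "203.0.113.77"),
    ("2021-11-02 03:14:03", "bjones", "2fa_code_sent", "203.0.113.77"),
    # no verification follows from 203.0.113.77: the code was never entered
    ("2021-11-02 08:01:10", "asmith", "password_ok", "198.51.100.23"),
    ("2021-11-02 08:01:11", "asmith", "2fa_code_sent", "198.51.100.23"),
    ("2021-11-02 08:01:40", "asmith", "2fa_verified", "198.51.100.23"),
    ("2021-11-02 09:00:00", "bjones", "password_ok", "198.51.100.40"),
    ("2021-11-02 09:00:01", "bjones", "2fa_code_sent", "198.51.100.40"),
    ("2021-11-02 09:00:20", "bjones", "2fa_verified", "198.51.100.40"),
]


def unanswered_challenges(events, window=timedelta(minutes=5)):
    """List 2FA codes that were sent but never verified from the same source.

    Each hit means the password step succeeded but the second factor did not,
    so the account's password should be treated as compromised and reset.
    """
    parsed = sorted((datetime.strptime(t, FMT), u, e, ip) for t, u, e, ip in events)
    alerts = []
    for sent_at, user, event, ip in parsed:
        if event != "2fa_code_sent":
            continue
        verified = any(
            e == "2fa_verified" and u == user and src == ip
            and sent_at <= t <= sent_at + window
            for t, u, e, src in parsed
        )
        if not verified:
            alerts.append((user, ip, sent_at.strftime(FMT)))
    return alerts


if __name__ == "__main__":
    for user, ip, when in unanswered_challenges(EVENTS):
        print(f"ALERT {when}: {user} passed the password step from {ip} "
              "but never completed 2FA")
```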
2FA should be the norm at the university level whenever signing into network applications, whether on-campus or remotely. It is reasonable to assume that all faculty members and students own a cellphone; 2FA is not an overly burdensome expectation.
For K-12, 2FA certainly makes sense for any remote access to network resources, including homework portals and collaborative work sites. Most junior high and high school students have phones. For elementary school, parents or a caregiver would likely have to assist with 2FA.
Protecting Research Data
Research projects conducted on Higher Ed campuses, often in conjunction with military, medical, technology and corporate partners, are prime targets for bad actors seeking to exploit the data for nefarious purposes. Prior to the pandemic, laboratory computers were on closed networks that could only be accessed from within physically secure facilities. However, the pandemic required some researchers to have remote access, opening the door to attacks.