Right before the holiday season, California’s Tulare Joint Union High School District received a very unwelcome gift – a cyberattack. The attack, which the district’s assistant superintendent, Lucy VanScyoc, described as “very bad and complicated” in an emailed statement to the Tulare Advance-Register, reportedly targeted the district’s financial and administrative accounts.
Tulare isn’t an isolated incident. One month earlier, all the way across the country, New Jersey’s Livingston Public Schools were forced to open school on a two-hour delay as they worked to wrest control of their systems back from a ransomware attack. That attack managed to take data and systems offline across nine district schools.
These two attacks are just a small sample of the nearly innumerable and seemingly increasing cyberattacks that have been perpetrated against educational institutions. To learn more about why these attacks are targeting schools, we recently sat down with Matt LeMiere, the regional sales director for SLED West at global cybersecurity firm CrowdStrike.
During our discussion, we asked Matt if attacks against schools were – in fact – happening more often, who was perpetrating these attacks and what schools could do to protect themselves.
Here is what he had to say:
GovCybersecurityHub (GCH): We’ve seen two really prominent education-focused cyberattacks in just the past month. How common are attacks like this against schools, school districts and institutions of higher learning? Are they becoming more frequent?
Matt LeMiere: These are common and they’re unfortunately becoming more and more common. And they’re targeting all different types of educational institutions – from K-12 to institutions of higher learning like colleges and universities. We’re seeing an up-tick in these attacks across the country.
Why are they being targeted? Well, there’s a good reason for that – they’re considered a softer or easier target. Many of the K-12 schools and districts don’t have full-time staff that are responsible for cybersecurity and are dedicated to protecting them. Oftentimes, these schools and districts are strapped for cash and they don’t have the funding. The limited funding that they do have goes towards their core mission – the education of children.
That creates a knowledge gap, because the individuals charged with cybersecurity wear multiple hats – they’re doing that in addition to numerous other responsibilities. With so many hats and jobs they have to perform, they’re spread thin and overworked, which can make cybersecurity an afterthought.
There has been a huge uptick in ransomware attacks because it’s easy money. It’s an opportunity for bad guys to come in and get some money. The schools are just an easy target.
With the K-12 schools and districts, it’s often about shutting the schools down unless they get money. With higher education, malicious actors are often going after them for other reasons. Oftentimes, they’re after the university’s crown jewels – research information, or information about the provost or alumni donors, where they can get some significant dollars.
GCH: Are any particular educational institutions more susceptible than others?
Matt LeMiere: I think the organizations that don’t have a fully-staffed cybersecurity team that’s up-to-date on their attack vectors. Organizations that aren’t ready or trained to handle phishing and spear-phishing attacks – or are using legacy vendors to protect their environment – are the most susceptible.
And that’s not specific to any one particular type of school, district or college. That’s something that we see across the board in education. There are different types of attacks being utilized against K-12 institutions and higher education institutions, but we see schools that fit that profile across the board.
When it comes to higher education institutions, one of the challenges is academic freedom. They struggle with how to implement a security solution that will have visibility to everything that is going on in the university’s network and computers while preserving academic freedom. Those things can often conflict.
[Colleges and universities] want to make sure that they’re protecting the school while still allowing professors and students to freely work across the internet. It’s a fine line that they have to walk and a topic that comes up in many conversations that I have with colleges and universities as I travel across the country.
For K-12 schools, there is an entirely unique set of concerns and challenges that can arise from a successful cyberattack. Schools could have their cafeterias or payment processing systems impacted, making it impossible to sell students meals. In many cases, teachers may not be able to access their lesson plans and educational materials, making it difficult to teach their students that day’s lessons. Finally, with the advent of smarter, more connected and more automated buildings and devices, things like door locks can be compromised, making it difficult for schools to protect their students.
GCH: Who is perpetrating these attacks? What types of attacks are they using to compromise these school districts and educational institutions?
Matt LeMiere: There are usually three types of “bad guys” out there. There are nation state criminals – threats from Russia, China, North Korea and Iran. Then there are eCriminals that are out for money and financial gain – although this kind of malicious actor will sometimes work in conjunction with nation states. Then there are hacktivist organizations, like Antifa. These organizations want to disrupt or cause chaos in an environment. And we’ve seen attacks against schools and education institutions from every one of those.
We’ve seen plenty of ransomware attacks from the eCriminals that just want financial gain. They come in, gain control of a school, they lock up school networks and ask for a ransom. They take the money, and then they’re gone. In Iowa, we saw them shut one school down, and then threaten to shut down more across the state if they didn’t get paid a ransom.
While it may be surprising to some, we’ve also seen nation states hack into universities across the country. For example, we’ve witnessed nation states hack into college networks and the social media accounts of former citizens and foreign nationals to see if they’re spreading negative sentiment about the country and its government. In some cases, these individuals have had their visas revoked and have had to return to their home countries.
Then, with hacktivist organizations, at universities like Berkeley where a conservative speaker is planned to appear, they’re simply trying to cause problems and chaos on the campus. They create mayhem at the school to disrupt those activities.
It’s really across the board. Schools are targets for a number of reasons – their information, money, and even the events that they’re holding. We see attacks from all three different types of adversaries, but for different reasons.
GCH: Why are their networks vulnerable to attacks? What about schools and universities make their networks more vulnerable or susceptible?
Matt LeMiere: There are a few reasons. Like we talked about, most schools are strapped for money. As a result, they rely heavily on legacy systems in their operations, and it’s hard to monitor them around the clock.
Many of these schools – especially at the higher education level – have just small groups of individuals that have to monitor a giant network with multiple, disparate types of users. I’ve seen small teams of IT and cybersecurity professionals have to monitor a network with 20,000 users and 200,000 devices since each member of the faculty, all of the staff members and each of the students has multiple connected devices.
Trying to control and monitor all of that with a small crew is virtually impossible. And that makes them particularly susceptible.
The lack of funding also means that they often don’t have staff members that are educated on the latest and greatest cyber threats and security solutions. That lack of knowledge is compounded by challenging procurement processes and steps that keep them from embracing the newest security technologies.
We’ve seen the government step in and put programs like E-Rate in place to help cash-strapped schools purchase modern infrastructure. But that is for infrastructure. There is no program like that for cybersecurity today. However, it’s something that they’re talking about at the federal level right now, and something that could have a huge, positive impact on the cybersecurity of schools.
GCH: What should schools do to protect themselves? What are three simple steps they should be taking to make their networks more secure and decrease their chances of becoming victims?
Matt LeMiere: First off, they need to educate the staff, the faculty and the students. They need to learn about phishing scams and spear phishing attacks. They need to be educated on how to identify them and the damage they can do.
Then, they need to partner with a technology company that is going to help them. The partner they choose should be able to educate them on the threat landscape and help them clean up their current and existing network environment.
That partner should help them to embrace new solutions – especially solutions that are easily deployed and easily managed. Their chosen partner should understand their goals, know their playbook and set up defenses appropriately.
Finally, they need to start taking cybersecurity seriously.
Right now – especially with the K-12 schools – it’s all about security. The one theme that I see everywhere I travel across the country in K-12 schools is, “security first,” and, “if you see something, say something.” But that’s about physical threats, like an active shooter incident.
Those threats and those incidents are awful and they’re taking incredible steps to prevent them. Which is admirable. But I’d like to see them taking cybersecurity as seriously. We need to get all schools to start taking cybersecurity as seriously as physical security and ramping up their defenses accordingly.