School security has to include cyber

If schools aren’t safe, not much else matters. Children can’t learn and teachers can’t teach effectively if they are worried about their security.

That’s why, in the wake of catastrophic mass shootings, school officials have dramatically tightened the physical security of education facilities. It’s why, since the start of the pandemic lockdowns 18 months ago, schools have either conducted classes remotely or with a hybrid model, which allows for fewer students and staff in a classroom.

All of which is, sadly, necessary.

But the current threats to students, teachers and staff go beyond physical attacks and deadly viruses. The internet is a portal to the world, for both good and ill. And due to the pandemic, education has become more connected to that portal than ever before — for good and ill.

Schools were vulnerable enough to cyber attacks when students were gathered under one roof. But since March 2020, tens of millions of students have attended classes remotely from their homes. Which means, just as is the case with hundreds of millions of people working from home, there are that many more “endpoints” for cyber criminals to probe for vulnerabilities.

Kathryn Yang, program manager at Synopsys, said those endpoints have an endless variety of connections. “Students use so many different devices and leverage different apps. With many schools underfunded, it sure makes them an easy target,” she said.

“When I spoke to the Calgary school board legal team, they said they prevented 1,600 cybersecurity attacks in 2020.”

And while most students in the U.S. K–12 public systems are minors and therefore don’t have credit cards or bank accounts, school staff and their parents almost certainly do.

Hacker incentives

Indeed, public education in the U.S. is a $760 billion industry with more than 50 million students — plenty of incentive for hackers.

In a recent report titled “The State of K–12 Cybersecurity: 2020 Year in Review,” Douglas Levin, national director of EdTech Strategies’ K12 Security Information Exchange, noted that “school IT systems collect and manage sensitive data about students, about their parents, guardians, and families, about educators and other school staff, and about school district operations.”

He added that while some of those IT systems are “locally hosted on school district premises or in shared hosting arrangements with other local government entities; increasingly, they are hosted by an ecosystem of vendors in the cloud on systems accessible by any internet-connected device.”

And obviously, cyber criminals work with “internet-connected devices.”

According to the report, there were 408 publicly disclosed cyber incidents at schools in 2020 that included data breaches, ransomware, phishing and other social engineering scams, and denial-of-service attacks.

The number of attacks increased 18% from the previous year — not exponential growth but enough to set a new record for the second year in a row. And, one would think, more than enough to prompt some serious government focus on public education cybersecurity.

Not from the top so far, however. President Joe Biden’s much-anticipated “Executive Order on Improving the Nation’s Cybersecurity didn’t mention education or schools.

Do the basics

But multiple experts say outside of more funding, the educational industry doesn’t need a presidential executive order to improve its security. Keeping schools safer from cyber threats comes down to the same things that protect any organization — better cybersecurity “hygiene,” or simply doing the basics. And that takes a combination of technology, policies and people.

On the technology front, the most important basic is keeping track of and keeping up to date the software that runs the organization. While most school IT departments won’t be writing their own code, they should vet the software components used in their applications, networks, and systems, whether they are commercial or open source. A regular mantra at security conferences is: “You can’t protect what you don’t know you have.” And if you fail to install a patch or an update, it’s a bit like leaving the door unlocked, or even open.

“The software supply chain will continue to be the number one challenge,” said Debrup Ghosh, product management manager at the Synopsys Software Integrity Group. “School departments should leverage a security consulting firm to do a full assessment — yes, budget is a challenge but it’s normally a one-time expense with many long-term benefits — or you can leverage the community. Ask experts to invest time to help school districts if money is not available,” he said.

Another technology basic is to build the principle of “least privilege” into the entire school network. It’s the digital version of limiting the physical access of students and staff only to what they need to do their work. Obviously, most don’t need access to files in the principal’s office. The IT department should segment its network, functioning as what some experts call a “DMZ” that lets users get access to what they need but nothing more.

Alex Serebreny, director, information security at Synopsys, said another way for technology to limit risk is to limit the attack surface. “Schools can’t afford to pay for multi-million-dollar detection tools nor 24x7 SOC [security operations center] teams to monitor them,” he said. “But moving off Windows to a managed Chrome OS device would be a good idea to reduce the attack surface.”

Still, security experts have been saying for a long time that the best technology in the world, including firewalls and secure software, won’t be enough if the people in an organization aren’t well trained in security awareness, like using strong passwords and recognizing social engineering attacks.

Most agree that the youngest students shouldn’t be expected to handle two-factor authentication (2FA). “Anyone who seriously proposes 2FA for schools should be required to alphabetize the contents of an elementary school lost-and found,” said Beth Linker, director, product management at the Synopsys Software Integrity Group. “Kids lose everything — you can’t give them a 2FA token.”

But most also agree that older students and the adult staff can and should use 2FA. Indeed, even young students, given that they are digital natives, are often more internet savvy than their parents.

The UK Council for Internet Safety, in its latest “Education for a Connected World” framework, says that children as young as 4–7 can understand and explain the basics of passwords and privacy. By ages 7–11 they should be able not only to explain what a strong password is and demonstrate how to create one, but also “describe effective ways people can manage passwords (e.g. storing them securely or saving them in the browser).”

And by age 11 and older, students should be able to explain the Internet of Things, know how to control their personal data online and use 2FA, the council said.

Training trumps technology

Multiple Synopsys experts said the biggest bang for not many bucks in improving school cybersecurity would be to spend time training the students.

“It’s a school after all,” said Grant Robertson, security engineer at the Synopsys Software Integrity Group. “I’d personally like to see every school running sessions on an irregular basis about web security. Give good information to kids when they’re young and they’ll teach their parents, grandparents etc.”

Michael White, applications engineer at the Synopsys Software Integrity Group, said even young children can be trained to spot social media phishing scams. “I wouldn’t focus on the technical stuff so much but consider awareness and social aspects with the goal of making the humans less vulnerable to begin with,” he said.

Robertson agrees, with the caveat that “it should be fun and engaging, not boring IT classes about Outlook, Excel, or Word. They should start showing and explaining how computers work, how to set one up, and how to setup a Wi-Fi network securely. I could see this turning into a great school activity.”

Rachel Zahr, security solutions manager at the Synopsys Software Integrity Group, also agrees that the primary cyber threats to school systems are “novice internet users who don’t understand how to identify cybersecurity traps,” she said.

The way to address that, she said, is security awareness training, adding that there are free materials available online to help with that.

Because while she agrees that even the youngest students know a remarkable amount about how to use computers and smartphones, she said “safely interacting with their files, apps, email, and the internet is not something inherently taught.”

What is somewhat promising, Robertson said, is that a growing number of school districts are aware of their weaknesses. “Nowadays most schools know they aren’t experts and have started using COTS [commercial off-the-shelf] tools, which is a good thing.”

Ghosh encourages that as well. “Low-code/no-code should be the way to go — write as little proprietary code as possible,” he said.

Because even after the pandemic recedes, remote learning is likely to continue. “I predict that your traditional snow day where kids get a day off because of unsafe travel conditions could be transformed into a remote day,” Zahr said. “I think if a facility or classroom ever needs maintenance, repair, or needs to be shut down for a time, it will be an easier decision to make those classrooms remote,” she said.

In other words, the classroom can be anywhere. Which means security measures will have to adapt accordingly.