Under Siege: Cybersecurity Threats Facing the U.S. Education Sector

Schools and universities are the custodians of the education and future of our young people. They are also holders of valuable and sensitive data. Because they control and manage students and their information, educational establishments are attractive targets for cybercriminals. A report from Malwarebytes has found a 70% increase in ransomware attacks targeting the education sector as a whole, with a staggering 92% surge in attacks against K-12 schools. Notably, the USA is the most targeted geography. Our education sector is under attack, and the data it holds is in the sights of attackers.

PowerSchool: When is a Ransomware Attack Not a Ransomware Attack?

PowerSchool is a widely used software platform in K-12 schools. Cybercriminals used stolen credentials to gain unauthorized access to the PowerSchool Student Information System (SIS), allowing them to steal sensitive data belonging to 62 million students and 9 million teachers. The stolen data included Social Security numbers and medical information. No ransomware was installed during the attack. Instead, the attackers used the stolen data to pressure PowerSchool and several school districts into paying a ransom in exchange for deleting it.

Top Cybersecurity Threats to the Education Sector

The education sector is experiencing an alarming volume of cyberattacks. Research from Check Point found that educational establishments faced an average of 3,323 attacks per week, almost a threefold increase in a year. The following are the most common threats targeting the education sector:

Ransomware

Ransomware attackers favor the education sector for two reasons: establishments hold large volumes of sensitive data, and they have a duty to protect and educate young people. Both factors give ransomware threat actors leverage to extract large ransoms from schools, higher education institutions, districts, and vendors in the supply chain. The Sophos State of Ransomware report found that ransom demands in the sector are high, with 58% of ransoms upwards of $1M and almost half (44%) of ransoms reaching $5M or more.

The University of California, San Francisco (UCSF) School of Medicine paid a ransom of $1.14 million to decrypt files locked by ransomware. The USA is the country whose education sector is the most targeted in the world, according to data from Sophos:

Country      Ransomware attacks on education
USA          169
UK           24
Germany      7
Canada       6
Australia    5

Source: Ransomware attacks on education, per geography - Malwarebytes

Data Theft

Across all sectors, stolen data is a lucrative prize for cybercriminals. Data is valuable in itself and can provide the intelligence and credentials needed for follow-on attacks. The education sector is no exception to data-focused cyberattacks. Data from Comparitech has identified more than 37.6 million data records breached across K-12 school districts and colleges/universities in the USA since 2005. The aforementioned Sophos report highlights that ransomware attacks on education involve data theft in 22% of cases.

Check out Comparitech's map of data breaches affecting the USA education sector.

DDoS

School disruption is not just for the classroom. Distributed Denial of Service (DDoS) attacks on schools are commonplace. DDoS attackers flood web servers with large volumes of traffic from many sources, exhausting the server's resources so that it crashes or can no longer serve legitimate users. Schools are increasingly internet-connected, allowing them to offer remote education and online classes. If a DDoS attack occurs, these services are severely disrupted. Students themselves can sometimes be behind DDoS attacks: a high school senior was arrested for launching eight DDoS attacks against the County Public School system.

Phishing

Phishing is the technique most often used to initiate cyberattacks such as ransomware. Phishing has many variants, including email phishing, SMS text phishing (smishing), and voice phishing (vishing). Higher education is experiencing a staggering volume of email-based phishing, with 96% of phishing attacks arriving through the email channel. Google's Workspace Trust and Safety team has identified long-term phishing campaigns targeting the sector. The attackers send phishing emails containing links to Google Forms that closely mimic university communications. The form gathers student data, which is then sent to the attacker behind the scam.

Why is the Education Sector Targeted in Cyberattacks?

Cybercriminals target the education sector for several reasons:

  • Data: Districts, schools, and universities all handle sensitive data on behalf of students, their families, teachers, and other staff. The data includes personally identifiable information (PII), social security numbers, and student loan information. Health data, like immunization records, may also be held by educational establishments. This data makes the education sector a potential target for cybercriminals intent on data theft and extortion.
  • Large attack surface: Modern digitized educational establishments use connected services to deliver virtual classrooms, student portals, and other e-learning experiences. Platforms connect and facilitate communications between administrators, students, and staff, creating a large attack surface with multiple entry points, including human-centric interfaces like email. Many students now have iPads or Chromebooks, expanding the attack surface even further.
  • Lack of skilled staff: Educational establishments are typically run using a tight budget, which leads to cost-cutting in areas like cybersecurity staffing. A lack of skilled staff on site can lead to gaps in security, with little oversight of potential areas of concern.
  • Digitization of the sector (EdTech): The education sector is increasingly turning to digitization of services and processes. E-learning tools, online collaboration tools, like Google Workspace for Education, and cloud-based learning and communications are outpacing the security strategies of many establishments.

AI and Education Sector Threats and Mitigation

The education sector is embracing AI, with spending on AI expected to reach $32.27 billion by 2030. AI-driven cybersecurity solutions can help prevent cyberattacks through AI-enabled network threat detection, phishing and malware detection (including emerging threats and zero-days), and automated incident response. Conversely, AI also enables attacks on education: attackers use it to create smart and evasive malware, sophisticated and personalized phishing, and deepfakes. AI-enabled cyberattacks are one to watch in the sector in the coming years.

CIPA Compliance and E-rate Funding

The Children's Internet Protection Act (CIPA) requires that students in the USA be protected from harmful online content. CIPA requires schools and libraries to implement security measures, including content filtering and monitoring solutions. If a school or library complies with CIPA, it can apply for E-Rate program discounts for internet access and internal connections. CIPA requirements include the following:

  • Control of access to inappropriate content
  • Prevention of unauthorized access
  • Protection of personal data
  • Monitoring of online activities

Other Education Sector Regulations in the USA

  • Family Educational Rights and Privacy Act (FERPA): This is a federal law that applies to all institutions receiving U.S. Department of Education funding. The law requires the protection of student records, including the requirement for written consent for the disclosure of personally identifiable information (PII).
  • Higher Education Opportunity Act (HEOA): This act requires that higher education institutions develop plans to secure student data and respond to data breaches.
  • Protection of Pupil Rights Amendment (PPRA): The PPRA requires schools that receive federal funding to obtain parental consent before collecting sensitive student information.
  • Children's Online Privacy Protection Rule (COPPA): This federal law imposes security and privacy restrictions on operators of online services when collecting data on children under 13 years of age.

In addition to federal laws, various states enforce similar laws on data protection in educational establishments.

The Dark Web and Education

Educational establishments are often victims of threat actors that use stolen data to propagate follow-up attacks, often selling the data on the dark web. For example, the ransomware group Vice Society uses ransomware-as-a-service (RaaS) to carry out attacks on schools across the USA. A recent attack carried out by the gang stole 500 gigabytes of data from the Los Angeles Unified School District, serving over 600,000 students. Vice Society posted the stolen data, including confidential documents, on the dark web to force the ransom payment.

Mitigating Cybersecurity Risks: Best Practices

Educational establishments must find a balance between developing an effective cybersecurity strategy to handle the large volumes of cyberattacks and using cost-effective measures. Using managed service providers (MSPs) and collaborating with industry experts can help achieve this balance. The following security measures are recommended as a baseline for protecting students, staff, and other associates:

Robust Identity Management

Unauthorized access is often the starting point for a cyberattack. Establishing robust identity management is an essential part of protecting education networks, applications, and devices. Phishing-resistant MFA, Privileged Access Management (PAM), and enforcing the principle of least privilege (granting each user only the access their role requires) help to mitigate attacks. An example of a popular identity management service is Microsoft Entra ID.

Security Awareness Training for Education

Security awareness training can be delivered to all staff, students, and even parents using centralized management portals. The training covers many aspects of security, including phishing, secure password use, and safe mobile and internet use.

Web Filtering

Protecting children from inappropriate content and maintaining CIPA compliance requires DNS filtering. DNS filters, like WebTitan, prevent students from navigating to malicious or inappropriate websites.

Email Filtering

Phishing emails are becoming more evasive. Cybercriminals are using tactics like QR codes to hide malicious links, so that no clickable URL is present for conventional link scanning to inspect. AI-enabled email filtering solutions can identify evasive patterns in phishing emails and stop them from reaching the inboxes of students and staff.

Update Software

Software and IoT firmware vulnerabilities are often exploited during attacks. Make sure that your establishment updates software and firmware as soon as patches are available.

Enforce Encryption Use

Encrypt data in storage and during transfer.

Backup and Restore

Use ransomware-resistant data backups and set up a secure restore process.

Dark Web Monitoring

Sentinex is recommended for use by schools and higher education to aid in dark web monitoring. Sentinex can help identify data stolen from educational establishments that is being sold on the dark web. This helps establishments prevent further attacks and secure the affected data so that other cybercriminals cannot abuse it.

Monitor and Audit

Web application firewalls (WAFs) detect and block anomalous or malicious traffic directed at web applications. Web monitoring tools monitor student activity on devices without blocking access.

Review Security Posture of Connected Third-party Suppliers

Regularly monitor and assess the security measures used by third-party suppliers.

Create an Incident Recovery Plan

An incident recovery plan provides a documented path to proactively dealing with a cybersecurity incident. The plan provides guidelines and a framework for security personnel to identify, mitigate, and recover from malicious attacks.