Imagine going for an outing at sea in a boat in choppy waters. The boat is stocked only with life vests designed for leisurely cruises around a lake; their power to provide buoyancy is easily overwhelmed by strong currents. Those life vests did the trick back in the 1980s, when the boat was used to putz around a lake. It would cost a lot to replace them with ocean-ready upgrades. Surely, no one would take such a ride in such a boat. Or so you would think. And yet.... A majority of US school boards secure their data as if they occupied a far safer environment than they actually do. According to a survey of 428 school board officials conducted by BoardDocs and the NSBA, only 42% of school boards in the US store their digital board materials on a board portal. The rest store their data on the wholly unsecured repositories of school websites, file-sharing servers or local hard drives. And not all of those 42% are using fully secure portals: Their cheaper counterparts may offer no encryption, low encryption (156-bit) or unsecured cloud storage. School boards using inadequately secured board portals put all of their district's data in dire danger: Real cyber risk makes these waters choppier than they realize. The waters are rough indeed, and school boards notoriously underestimate their exposure. Midway through 2017, the Wall Street Journal reported that more than 36 school districts had been hacked so far that year. Inadequate board portal security leaves district data susceptible to ransomware schemes and identity theft.
RansomwareAccording to leading security consulting firm Aon Cyber Solutions, ransomware schemes increased in 2017 and show every sign of continuing their meteoric rise. International criminal rings like the notorious SamSam insert cryptoworms into a district's operating system, garbling all the data. They then demand ransom to restore it. Such a scam brought Atlanta to its knees in March of this year, costing over $2 million to address. The rise of cryptocurrencies promotes the proliferation of these schemes by wedding the anonymity of cash with the long-distance reach of online payments. Ransomware rings love school districts. Unlike 'whalers' that go for a few attacks on large entities, the business model for ransomware rings relies on a large volume of soft targets that meet a certain profile: (1) Corruption of data would interrupt mission-essential operations; and (2) the victim could access the $52,000 that is the average ransom. That business model puts school boards squarely in their crosshairs.
Identity TheftSchool districts are low-hanging fruit because their data includes bank account numbers, Social Security numbers and the medical records of staff, students and vendors. Identity thieves may use a victim's credit card. They sometimes hold private data hostage, demanding a ransom in exchange for not publicizing it. Imagine receiving a note that reads: 'I have the medical histories of all your eighth graders, and I'll post them online unless you pay me $100,000.' In October 2017, the US Department of Education issued a warning that cybercriminals were targeting US schools in an attempt to steal confidential student data, which they would then hold hostage.
Chinks in the ArmorWhile ransomware in its pure form corrupts operating systems, classic identity theft snatches data. Both rely on an outsider's penetrating the documents or operating system that the school board is responsible for keeping safe. Subpar security leaves many openings by which a district's data can be attacked:
- If board members send important board business communications as email attachments, they are easy for hackers to penetrate.
- If a portal stores documents on the (phenomenally public) cloud, rather than on a private server within the cloud, it is easy to break into. If there's no encryption or light (128-bit) encryption, it's that much easier. Data Guardian's Data Insider warns: 'even if the cloud service provides encryption for files, data can still be intercepted en route to its destination. The best form of security against this threat would be to ensure that the data is encrypted and transmitted over a secure connection, as this will prevent outsiders from accessing the cloud's metadata.'
- If credential management is lax, crooks can pose as legitimate users to snatch, alter or delete data, or snoop on data in transit.
- If board members communicate via an unsecured messaging app, a hacker can intercept a text and enter the district's system through there.
- If a board portal offers no preferable alternative to personal email accounts or (worse!) district-issued email accounts, and the school board publicizes its board members' email addresses on its website, a 'phisher' can send email to a board member. When the board member clicks on the email, the hacker infiltrates the hard drive of her computer and any network to which she is connected.
- A portal that stores data on the cloud and contains exploitable bugs invites hackers to infiltrate the system, stealing data or corrupting the code. That risk is growing; CSOonline reports on new frontiers for hackers: 'With the advent of multi-tenancy in the cloud, systems from various organizations are placed close to each other and given access to shared memory and resources, creating a new attack surface.'
- Using Advanced Persistent Threats (APTs), hackers infiltrate unsecured systems undetected. Once there, they can quietly steal FERPA-protected student data and employee personal identifying information from the inside. Undetected, they 'can move laterally through center networks and blend in with normal network traffic to achieve their objectives.' (CSOonline) A single document stored on the cloud can provide their point of entry.
- Denial-of-Service (DoS) schemes. If cybercriminals can penetrate lackluster security shields, they can effectively freeze a system by flooding it with high volume so that legitimate users can't access system data unless they pay a ransom.