The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyberattacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom.
Summary
The education sector stands out as a primary focus for threat actors, ranking among the most vulnerable sectors globally. This susceptibility stems from the vast collection of valuable data, a general deficit in cybersecurity awareness, and extensive, prevalent vulnerabilities. Educational institutions manage the daily activities of hundreds or thousands of students and faculty members. Consequently, they handle extensive and sensitive data such as student and educator login details, home addresses, birthdates, full names, social security numbers, credit card details, and other financial records. According to Check Point Research, the education sector experienced an average of 3,086 weekly attacks per organization, marking a 37 percent increase compared to 2023. Social engineering, various business email compromise scams, and vulnerability exploitation pose significant threats, resulting in data breaches, financial losses, and reputational damages.
The education sector is often slow to adopt modern cybersecurity solutions due to a lack of funding. This can lead to outdated technology, limited resources to invest in cyber solutions and ever-growing institution sizes. Public schools receive funding from the government, which often leads to budget constraints. Consequently, cybersecurity is often deprioritized in favor of staff salaries, school resources, and infrastructure upgrades.
Vulnerability exploitation in educational institutions involves attackers identifying and leveraging weaknesses in the institution’s software or systems to gain unauthorized access or cause harm. Educational institutions often use a wide array of technologies, including older legacy systems that may not be regularly updated or patched, making them susceptible to such exploits. The open network environments common in educational settings and the high turnover of students and staff can exacerbate these security challenges. Additionally, limited cybersecurity budgets and resources mean that necessary updates and security practices may be neglected. The consequences of vulnerability exploitation can be severe, ranging from data breaches and loss of privacy to substantial disruptions in educational services and financial losses.
Social engineering poses the most significant threat to the education sector, which includes phishing and business email compromise (BEC) attacks. Phishing, a type of social engineering attack against educational institutions, typically involves cybercriminals sending fraudulent emails or messages that mimic legitimate communications. The emails may appear to originate from trusted sources like the school administration, IT services, or popular educational software providers. Often, these messages include urgent requests or threats, compelling recipients to act quickly without proper scrutiny, leading to compromised accounts or data breaches. Personal data obtained through successful phishing attacks enables cybercriminals to target high-profile individuals with spear phishing and whaling attacks and distribute malware, such as ransomware. Additionally, cybercriminals benefit from compromising account credentials to gain access to a school or university network, often through successful phishing attempts.
Unlike generic phishing scams, BEC scams are a highly targeted form of social engineering, often incorporating preliminary reconnaissance on potential victims and using various impersonation techniques, including email spoofing and look-alike domains. Threat actors spoof a familiar contact’s source name or email address to convey a sense of legitimacy, use domain names that mimic a trusted source, or compromise a legitimate account. The messages typically instruct the target to transfer funds, purchase gift cards, or provide other sensitive information to the threat actors posing as trusted individuals or businesses. Common types of BEC attacks include wire transfer scams, direct deposit scams, W-2 scams, and invoice scams. BEC scams can result in system compromises, data breaches, financial losses, and reputational damages.
Invoice scams begin with a threat actor impersonating trusted vendors with whom the target organization does business. They send emails to redirect outstanding and future invoices for products or services to a new bank account. Threat actors may attach legitimate or fraudulent invoices with inflated amounts and provide new payment policies with payment instructions and updated bank account details to steal funds from the vendor’s customers. According to the 2023 FBI IC3 Internet Crime Report, BEC scams are the second most expensive type of cybercrime. In 2023, New Jersey claimed 628 victims in BEC scams and ranked second in the nation with an average loss per victim of $223,000.
Direct deposit or payroll diversion scams occur when threat actors impersonate an employee, often by creating a free email address using the employee’s name and employing display name spoofing in the messages. They frequently send fraudulent emails to payroll or human resources departments, and direct deposit change forms are requested. Occasionally, threat actors may locate an organization’s direct deposit change form online and include a filled-out form in the email to divert an employee’s direct deposit account information to an account under the threat actor’s control.
Credential harvesting allows threat actors to compromise further accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and breach data. Threat actors attempt to harvest or steal these credentials primarily through phishing or distributing malware such as infostealers. Infostealer malware has significantly increased, in which threat actors compromised business and personal devices and exfiltrated millions of credentials, usually sold on dark web forums to other threat actors looking to compromise accounts or conduct further malicious activity. Moreover, in the education sector, it is common to observe the reuse of passwords across multiple accounts and the sharing of account credentials for frequently used applications. This practice increases the impact of a successful cyberattack and poses significant risks, potentially resulting in numerous compromised accounts.
School networks can be challenging to secure because they have a large user base, including faculty, staff, and students. With technology being an essential part of education, many schools have opted for Bring Your Own Device (BYOD) policies, which allow students and employees to connect their personal computers, tablets, and mobile phones to the school network. However, if BYOD policies are not implemented with security in mind, it can increase the risk of compromising the network and exposing sensitive data to potential threats from vulnerable and infected devices. Additionally, students are not bound by strict corporate guidelines for network access, thereby increasing the risk posed by their personal devices, shared accommodation, and public Wi-Fi use on campus.
Ransomware attacks on educational institutions involve encrypting data and demanding a ransom for access. Educational networks’ interconnectedness and insufficient cybersecurity measures make them lucrative targets for cybercriminals. These attacks can disrupt academic operations and cause significant financial and reputational damage. Additionally, they may result in the theft or sale of sensitive information.
The education sector also has a significant risk of Distributed Denial of Service (DDoS) attacks, which could impact students trying to access learning resources or submit time-sensitive assignments online. DDoS attacks attempt to deny access to various websites or domains and force a server overload, which can significantly impact day-to-day operations.
A successful DDoS attack can cause significant disruption, halting academic activities and administrative processes. The diversity of users and devices connecting to these networks often leads to security inconsistencies, which attackers exploit. The impact goes beyond inconvenience; it can also damage the institution’s reputation and incur significant costs for mitigating and preventing future attacks.
Common Attack Types in the Education Sector
Data breaches: The main reason data breaches happen is due to human error, either by stolen or weak credentials or through social engineering tactics. A data breach happens when an unauthorized person gets access to protected information such as dates of birth, Social Security numbers, banking information, and medical records. Data breaches can have a devastating impact on students, teachers, and staff.
Phishing: Attackers go to great lengths to ensure that their emails appear as legitimate as possible, for a phishing attack to be successful. These emails most contain links that direct target recipients to an attacker-controlled website that delivers malware or steals user credentials. Such an attack can lead to more sophisticated attacks such data breaches, malware or ransomware attacks.
Ransomware attacks: A ransomware attacks is financially motivated. It generally aim to damage and steal from a information system or server by targeting vulnerabilities within the network. Furthermore, the use of external devices and the absence of anti-virus software protection facilitates the task of the hacker. Such attacks can cause a lot of damage to schools because they disrupt key computer systems and school operations, and, more importantly, put at risk student data and safety. Ransomware is often spread through phishing emails that contain malicious attachments.
Business email compromise (BEC) scams: Involving the use of email to scam school business officials and staff members out of sensitive information and large amounts of money, including by issuing fake invoices to districts, by redirecting authorized electronic payments to bank accounts controlled by criminals, and by stealing W-2 tax information of district employees.
Denial of service (DoS) attacks: Intended to make school IT resources unavailable to students and staff by temporarily disrupting their normal functioning.
Website and social media defacement: Involving unauthorized changes such as posting inappropriate language and images to a school website or official social media account.
Online class and school meeting disruption: Involves unauthorized access to online classes and meetings for the purpose of disruption. Invaders usually share hate speech, sharing via shocking images, sounds, and videos and threats of violence. Despite the attention drawn to these incidents and availability of advice on how to defend against them school districts continued to fall prey to these incidents.
Email compromises: Involving the compromise of a school district’s email systems by unauthorized individuals for the purpose of bulk sharing of or links to disturbing images, videos, hate speech, and/or threats of violence to members of the school community.
Recommendations
At minimum, the education sector is advised to implement the following to strengthen cyber resiliency:
- Consider cyber insurance: Cybersecurity insurance protects businesses against computer-related crimes and losses. This can include targeted attacks, such as malware and phishing, as well as the occasional misplaced laptop containing confidential material.
- Patching and updating: Staff must install critical updates as soon as they are available. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Create backups: Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Use strong passwords: Use at least 12 characters, with a mix of numbers, symbols, and capital letters in the middle of the password. Never use the same password for more than one account or for personal and business accounts. Consider using a password manager, an easy-to-access application that stores all valuable password information in one place. Do not share passwords on the phone, in texts, or by email. Implement the shortest acceptable time frame for password changes.
- Enable MFA: Use multi-factor authentication (MFA) where possible. Also known as two-factor or two-step verification, this security feature requires the combination of at least two of three factors – something you know, something you have, or something you are. Oftentimes, MFA will use a password and either a code or biometric to fulfill MFA requirements to log in to an account. MFA protects accounts even if a password is compromised.
- Ensure physical security of devices: Do not leave laptops, phones, or other devices unattended in public or even in a locked car. They may contain sensitive information and should be protected against falling into the wrong hands. Turn on device encryption to encrypt all data on each device and reduce the risk to sensitive information in case the device is stolen or misplaced.
- Think before clicking or sharing information: Every time someone asks for business information, whether in an email, text, phone call, or web form, think about whether the request is trustworthy. Scammers will say or do anything to get account numbers, credit card numbers, Social Security numbers, or other sensitive information. Scammers will rush, pressure, or threaten to get targets to give up company information. Do not click any links in emails, as this can lead to credential compromise or malware installation.
- Only give sensitive information over encrypted websites: If a company is banking or buying online, stick to sites that use encryption to protect information as it travels from a computer to the server. Look for “https” at the beginning of the web address in the browser’s address bar, as well as on every page of the site being visited – not just the login page.
- Secure wireless networks: Unsecured routers could easily allow strangers to gain access to sensitive personal or financial information on devices. Users are advised to change their router’s name and password from the default to something unique that only they know. Keep router software up to date and turn off any “remote management” features, which hackers can use to get into the network. Once router setup is complete, log out as administrator to lessen the risk of someone gaining control of the account. Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network.
- Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job descriptions and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
- Catalog and reduce system dependencies: Critical systems dependencies, such as third-party vendors and processes, should be identified and minimized where possible.
- Encryption: Devices should implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices, and this includes protection from side channel attacks that can compromise encryption keys.
- Employee training and awareness: All employees working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
- Trusted procurement procedures: Commercial off-the-shelf hardware and software IT products that are ready-made and available for purchase by the general public must follow strict procurement procedures that only allow installing to certified devices that follow strict security standards.
- Vulnerability management: All organizations are encouraged to implement vulnerability management policies that include vulnerability assessments, a patch management plan, and penetration testing audits, where feasible, on a regular basis to maintain an understanding of an organization’s risk posture.
- Network segmentation: All facilities must deploy proper network segmentation, with DMZ configured and network isolation to protect critical systems. Whenever possible, any industrial control systems should not share the same network with internet-accessible devices.
- Cybersecurity plans: Implement various cybersecurity plans, including continuity of operations plans (COOPs), incident response, disaster recovery, and a data backup plan in which multiple data copies are kept in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Establish, test, and update all cybersecurity plans at regular intervals.
- External email tags: Consider adding an email banner to messages originating outside the organization and disabling hyperlinks in email sent from external accounts.