
Class in Session:
Cybersecurity 101 for Schools

Cybersecurity presents a challenge in education – our schools have to manage old and new threats while relying on edtech vendors that are behind in their own cybersecurity implementations. The recent PowerSchool breach has brought issues in the edtech space back into the spotlight. Fortunately, many threats can be mitigated by basic security tools and awareness.


There’s a balance between security and usability – the challenge is finding the right tools to keep that balance. Here are some tools to help navigate these challenges:

  • Awareness & Training – If you (or your administrators, teachers, students, parents, and others) don’t know what threats exist, they can’t learn how to recognize and react to them. ARM offers free access to training through Ninjio for entities covered under their cybersecurity policies. Many digital citizenship curriculums have started including cybersecurity pieces for students as well.
  • Passwords – Use a strong, unique password for each site. A password manager can help by generating and remembering them for you. If an attacker gets a username/password pair from one site, they will try it on other sites, which is why reuse is dangerous. Some services are moving away from passwords to a passwordless login process.
  • MFA – Multi-factor authentication helps to secure accounts by adding another mechanism to verify that the person logging in is the person who is supposed to be. Many incidents have occurred due to accounts lacking this feature. This should be enabled for all accounts that have it available – make sure you have a backup method in case something happens to the primary method so you don’t get locked out. There are bypass techniques, so selecting a strong MFA option for high-risk accounts is important. From least to most secure:
      • SMS – codes sent via text messages are the least secure method.
      • Email – codes sent via email aren’t much better than SMS.
      • Authenticator app – These apps combine the current time with a secret shared with the service to generate login codes that change every 30 seconds or so. This method is better than SMS and email codes, but because the code does not depend on which site is asking for it, it is still vulnerable to newer phishing attacks.
      • Security key – these are hardware devices that store cryptographic keys. They typically require some form of PIN or biometric to unlock and are one of the more secure methods, resistant to new phishing techniques. When purchasing, buy 2 so you have a backup.
      • Passkeys – Similar to security keys, these are based on cryptographic keys to verify the login. They’re stored in an app or on the device and are becoming standard on newer phones and devices.
  • Continuity and transition planning – while not specifically a security tool, schools should plan how they will keep or regain access to important accounts when teachers and principals move to other schools, when an MFA key is damaged or misplaced, when a phone is wiped without transferring its codes, or when the account holder is unavailable due to a leave.
  • Filtering – Schools should be filtering their internet to protect students – most filters will have categories for filtering sites flagged as potential security issues. Using an adblocker helps too.
  • Data Minimization – Schools should make sure they’re not keeping more data than they need. You can’t leak something you don’t have. Make sure any sensitive information needed temporarily is removed once it’s no longer needed, and collect only the least amount of information that’s required. Many edtech services have fields for data such as a student’s birth date; evaluate whether that’s actually needed for that service’s role.
  • Privacy Policies – Any service that’s collecting data should be evaluated based on the type of data it collects and how narrowly or broadly it shares that data.
  • AI and Online Services – Use caution using AI and free online services (like file converters). Be aware of what data you’re putting in and where it might be going and stored. If it leaked would it cause a problem?
  • Updates – System updates should be automatic. In the rare event an update does cause an issue, that’s easier to recover from than a ransomware incident.
  • Backups – Back up your data and make sure it’s not vulnerable to the same types of threats. 3-2-1 – 3 copies, 2 different media, 1 offsite. 1 copy should be offline or immutable to protect it from ransomware. Remember, a backup isn’t a backup unless you can restore it – test your backups occasionally.
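To make the authenticator-app item concrete, here is an added example (not code from the original page or from any vendor it names) of the time-based one-time password algorithm those apps implement (RFC 6238, HMAC-SHA1), together with the check a service performs on the code a user types in. The secret below is the constructed reference value from the RFC's test vectors; a real app is provisioned with a random secret, usually via a QR code.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference-vector secret (ASCII "12345678901234567890").
# A real authenticator app receives a random per-account secret when it is enrolled.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the code depends only on the shared secret and the current time window."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226): low nibble picks a 4-byte slice
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `window` neighbours on each side so a
    slightly drifted phone clock still works. compare_digest keeps the comparison constant-time."""
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("verifies:", verify_totp(DEMO_SECRET, code, now))
```

Nothing in totp() depends on which website is asking for the code, which is the weakness the list alludes to: a code typed into a lookalike page is valid for the same 30-second window on the real site. Security keys and passkeys instead sign a challenge that is tied to the genuine site, which is why they resist that kind of phishing. A service should also enforce rate limits on guesses, since six digits is a small space.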


Scam List - trying to keep it concise:

  • Fake invoices
      • Copier/Toner – Scammers will pretend to be your copier vendor to find out what copiers/printers your school uses. Then they’ll create a fake invoice for toner, or sometimes even ship the product and price it at several times the normal price.
      • Domains – A common scam has been sending paper “renewal” notices that appear to be a domain renewal but are just paying to have your name on their website. Verify where your domain is registered – most registrars won’t send regular mail for renewals.
      • DNS – Similar to the domain renewal scam, schools will receive a paper invoice for renewing their DNS and nameservers – the company is fake and doesn’t host anything.
  • BEC – Business email compromise – threat actors will breach a user’s email and monitor it until they find something they can use. The breach could be at your school or could be at a vendor you do business with, where the user is outside of your control. They’ll wait until they see payment instructions or some other large payment coming and will hop into the email chain with fake payment instructions. The emails will appear to be legitimate. Always verify payment information out-of-band (via a phone call to a number you already have on file, in person, or some other channel than the email itself).
  • Gift Cards – Scammers will email staff pretending to be the principal/administrator/pastor with the goal of having them buy gift cards, and will actively watch for new staff to be announced so they can target them.
  • Phishing
      • Email – Be suspicious of any email trying to get you to click something quickly. Fake password expirations, voicemails, and faxes are common.
      • Social media – Social media phishing has been increasing. Attackers will send messages pretending to be support, letting you know your account has some violation you must resolve right away. Their forms and pages are often well done and look like they’re real. Do not click on links from these messages.
      • Fake CAPTCHAs – Websites will trick you into allowing notifications or even running special commands on your computer under the guise of testing if you’re a human.
      • Tech Support – Be on guard when searching for support phone numbers. Scammers have gamed search algorithms to have their fake numbers show up instead of legitimate ones. Never call a number from a pop-up message. Never let anyone remotely control your computer unless you are certain of their identity and purpose.
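The BEC item above describes an attacker joining an existing email thread with changed payment instructions. As an added example (not part of the original page), here is a small checker a business office could run over incoming vendor mail to surface the usual warning signs: a Reply-To that points somewhere other than the sender, a sender domain that is one or two characters off from a vendor you already pay, and language announcing new banking details. The vendor domains and the two messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains of vendors the business office regularly pays.
KNOWN_VENDOR_DOMAINS = {"example-copiers.com", "example-bus.com"}

# Phrases that typically accompany a request to change where money is sent.
PAYMENT_PHRASES = re.compile(
    r"(new bank|updated (banking|payment|wire|ach) (details|instructions|information)"
    r"|account number has changed|wire transfer|routing number)",
    re.IGNORECASE,
)


def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from a header such as 'Billing <billing@example.com>'."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one added, dropped or swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str, known_domains=KNOWN_VENDOR_DOMAINS) -> list[str]:
    """Return a list of warning signs found in one RFC 822 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_domain = domain_of(reply_to) if reply_to else from_domain
    if reply_domain != from_domain:
        flags.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")
    if from_domain and from_domain not in known_domains:
        for known in sorted(known_domains):
            if 0 < edit_distance(from_domain, known) <= 2:
                flags.append(f"lookalike-domain: {from_domain} resembles {known}")
    body = "" if msg.is_multipart() else str(msg.get_payload())
    match = PAYMENT_PHRASES.search(body)
    if match:
        flags.append(f"payment-instruction-change: '{match.group(0)}'")
    return flags


# Constructed sample: a routine invoice from a known vendor.
LEGIT_MESSAGE = """From: Billing <billing@example-copiers.com>
To: office@school.example
Subject: Invoice 1042

Attached is this month's toner invoice. Thank you.
"""

# Constructed sample: a message in the same thread, but from a lookalike domain,
# with replies redirected elsewhere and a request to change banking details.
SUSPECT_MESSAGE = """From: Billing <billing@example-copier.com>
Reply-To: billing.examplecopiers@mail.example
To: office@school.example
Subject: RE: Invoice 1042

Please note our updated banking details for the attached invoice.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        print(name, bec_indicators(raw) or "no indicators")
```

Any flag here is a reason to stop and verify through a channel the email did not supply, such as the vendor phone number already on file, which is the out-of-band check the list calls for. Keep in mind that a genuine BEC message sent from a vendor's real, compromised mailbox will pass the domain checks entirely, so the payment-change flag and the phone call matter most.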


Scammers will try to make the issue urgent to pressure you into acting quickly, before you have time to fully process what’s happening, hoping you’ll ignore the signs of the scam.