6 Cyber Threats for the 2021 School Year

This article was recently published in InsideRM and is authored by Lucas Anderson and Campbell Gill.

Cybercrime constantly evolves. If staying one step ahead of hackers is stretching your resources thin, you’re not alone. The Fund is here to support you. Here are six cyber threats you need to protect against this school year.

1. COVID-19 cyber threats

The Delta variant has pushed the pandemic back onto schools’ risk radar. It also continues to open doors for cybercriminals looking to crack your district's digital defenses.

Social engineering

When people feel uneasy and insecure, hackers feel empowered. Throughout the pandemic, criminals have leveraged fear to socially engineer people into giving up sensitive information. Make sure your employees know how to identify COVID-19 cyberscams and avoid becoming victims.

Zoom bombing

“Zoom Bombing” is the act of exploiting security vulnerabilities or improper configurations in remote collaboration software. Don’t let the name fool you; this activity is not limited to Zoom users. Most major collaboration platforms have been impacted.

Though this method of attack is usually used for disruption or digital vandalism, sensitive information could be in danger if your users share it in their conversations. To learn more about keeping virtual meetings private, see this InsideRM article.

2. Cryptojacking

Cryptojacking occurs when hackers infect your system with malicious software, or malware, that mines digital currencies (cryptocurrencies) like Bitcoin and Ethereum. It takes a huge amount of processing and memory bandwidth to create these currencies, so hackers try to use your network resources to do the work for them.

Cryptojacking seemed to be in decline from 2017-2019. However, it is back in a big way. Due to the increase in cryptocurrency values, we have seen a continuous rise in this activity since the beginning of 2020. Over the past year, new cryptojacking malware variants increased by over four times, and this activity accounted for 41 percent of all malware detected.

Cryptojacking is a serious network security issue for two main reasons:

1. According to global cybersecurity company Kaspersky, cryptojacking can slow your entire system (servers, mobile devices, Internet of Things devices) by up to 70 percent. This significant decrease in performance does more than drain productivity. In some cases, infected mobile devices have overheated and caught on fire.

2. The malicious software that mines cryptocurrency also communicates outside your network back to the hackers in charge. The result is a gaping hole in your network. Hackers can exploit the opening by installing other malicious software. They could also order the existing malware to steal sensitive information or execute other commands.

What can you do?

Kaspersky experts recommend these best practices for protecting your system against cryptojacking:

• Keep an eye out for unexpected system slowdowns. If Web browsing or email slows significantly, your system might be infected.
• Take note of mobile devices and laptops heating up and remaining hot.
• Have your IT team scan your network logs. They might notice suspicious outbound communication related to cryptojacking.
• As always, educate your team on safe browsing and email use, and keep firewalls and anti-virus systems up to date. Defenses against any newly discovered cryptojacking malware signatures are included with routine security patches and updates.

Watch our on-demand webinar for a deep dive into cryptojacking and other malware targeting schools.

3. Grade hacking

Grade hacking is the act of modifying official grades using digital methods. We have seen isolated instances of students changing grades by accessing staff computer terminals that had administrative privileges or grading system access. However, it appears grade hacking is becoming a systematic and ongoing threat.

Kaspersky discovered an internet marketplace full of services offering “grade hacking for hire,” as well as a list of bugs in the most commonly used school information systems.

What can you do?

Here are some recommended prevention techniques from Kaspersky:

• Introduce multiple forms of user authentication for information systems, especially for Web-based systems that might provide access to student records, grades, and assessments. Set strong and appropriate access controls so it’s not easy for a hacker to move through the system.
• Provide security awareness training for staff, explaining how to implement and use passwords.
• Encourage everyone to keep their login credentials confidential.
• Enforce a policy that requires network users to create strong passwords and frequently change them.
• Maintain separate and secure wireless networks—one for staff, one for students, and another for visitors if you need it.
• Use a reliable security solution for comprehensive protection.

4. Third-party vendor issues

Vendors are often a great help to districts with limited information technology (IT) resources. They can assist with infrastructure upgrades, deployment of new software platforms, and even student data management. Vendors can also put your network at risk.

For the past two years, vendor security issues have caused at least
75 percent of data breach incidents affecting U.S. public K-12 school districts. Make sure vendors follow appropriate security procedures to protect your sensitive data.

What can you do?

Here are some tips to help you securely manage your third-party vendor relationships:

• Use a reputable vendor with positive reviews and a lengthy history of working with school districts.
• Ensure the vendor is aware of state and federal regulatory standards that may apply to sensitive information the district maintains. Those standards include the Health Insurance Portability and Accountability Act and the Family Educational Rights and Privacy Act.
• Inform the vendor of your local acceptable use policy and the types of sensitive student and staff information stored in your systems.
• Use resources such as Privacy Rights Clearinghouse, Krebs on Security, and DataBreaches.net to see if the vendor has experienced a data breach in the past with other customers.

5. Unpatched servers

In early July 2021, Microsoft discovered a vulnerability in the print spooler service on the Windows operating system. The print spooler is an executable file that manages the process every time you send a document for printing.

This vulnerability, known as “Print Nightmare,” allowed malicious actors to install programs, modify data, and create new accounts with full administrative rights.

By July 6, Microsoft had rolled out security patches for all Windows Server versions, Windows 10, and surprisingly, even the discontinued Windows 7. This vulnerability was widely publicized, meaning that hackers worldwide knew about it as soon as your IT team did.

Organizations that don’t run updates and patches remain wide open to malware and other malicious attacks.

In 2017, Cybercriminals exploited another Microsoft vulnerability with “WannaCry,” infecting over 200,000 computers across 150 countries. This is why it is imperative that your district has a routinely verified patching and updating policy.

What can you do?

• Speak with your IT team regularly regarding your patching and updating protocols.
• Ensure that routine backups are run and that the backup system is functioning properly.
• Confirm with your IT team that the Microsoft Windows file-sharing protocol, known as Server Message Block 1, is patched or upgraded to versions 2 or 3 on your system.

6. Business email compromise/fraudulent instruction

Business email compromise happens when highly sophisticated emails are crafted to appear to come from legitimate companies or third-party vendors affiliated with a school district. These emails may request sensitive information such as tax forms or Social Security numbers.

Fraudulent instruction is the transfer of funds by an employee to a third party as a result of deceptive information provided by a criminal claiming to be someone else, typically a vendor, client, or authorized employee.

These attacks are usually preceded by significant observation and research that allow cybercriminals to pretend to be legitimate business partners.

In some cases, hackers even infiltrate a company and send a “legitimate” email from within a partner organization. We have seen a significant increase in these attacks directed at the education sector.

In July 2020, a fraudulent instruction attack cost Wayne County School District in Mississippi $9.8 million, and millions of dollars were similarly stolen from Texas districts.

Download this cheat sheet to help your finance professionals fight cybercrime.

What can you do?

• Begin using a system of checks and balances so no single employee has the authority to change third-party financial information such as routing and account numbers without secondary authorization.
• Train your staff on common social engineering tactics such as spoofing, phishing, and spamming.
• Implement a policy that requires confirmation by a different method when vendors, contractors, or other external partners request a change in financial information. For example, if a contractor requests a routing number change in an email, make a phone call to an established point of contact to confirm the request is legitimate.
• Encourage staff, especially accounting staff, to think twice, then three times before complying with potentially suspicious financial requests.

Expert help from the Fund

Fund members with Privacy and Information Security coverage can report claims online or call the Fund at 855.295.8344. For more information about cybersecurity or to request guidance on this topic, contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at lucas.anderson@tasb.org or 512.505.2893.

Editor's note: This article was originally published in August 2019. It has since been updated for accuracy and comprehensiveness.