Forum Guide to Cybersecurity: Safeguarding Your Data

Chapter 1: Cybersecurity in State and Local Education Agencies

This chapter defines cybersecurity and illustrates the extent of cybersecurity incidents, threats, and vulnerabilities in education agencies.

At 6:30 a.m. on a Saturday, your work cellphone rings. An analyst in your information technology (IT) department has called to let you know that your agency is currently experiencing a ransomware attack. The ransomware is spreading throughout your agency’s networks and encrypting each system and device it infects. The hackers have requested $1.3 million in exchange for the encryption key. Every minute that your agency waits to act, you run the risk of permanently losing access to mission-critical systems and data. If you do not counteract the ransomware by Monday morning, your agency might be unable to run payroll, track attendance, or even unlock the network-connected electronic doors. Your staff need permission to start taking all of your agency’s systems and devices offline, but first, you need to call the head of your agency to explain the situation. How well is your agency prepared to respond to this attack?

This is not a fictional incident, but a real-life example of a cybersecurity incident in a school district. To learn more about this incident, see the ransomware attack case study included in Chapter 5.

What is Cybersecurity?

In this resource, cybersecurity is defined as the protection of network-connected systems and the data and information that are stored on, processed by, or transmitted by these systems from threats or security vulnerabilities. In other words, cybersecurity is the protection of technology systems and networks—including all devices and tools connected to them—against intentional or unintentional attacks or exposure. Cybersecurity is neither limited to IT nor restricted to protecting data from criminal use. This resource emphasizes the importance of data in cybersecurity to enable a holistic, integrated approach to the security of systems and the data associated with those systems. While cybersecurity shares many principles and practices associated with data security and data privacy, cybersecurity is a distinct concept.

Why Does Cybersecurity Matter?

Given the widespread use of network-connected systems and devices, security is an increasingly critical consideration in education agency operations, including the collection, management, and use of education data. State and local education agencies (SEAs and LEAs) use networked technology such as Internet Protocols (IPs) to better monitor infrastructure and facilities to enhance physical safety and security. This technology has lowered costs for SEAs and LEAs because it can reduce the need for routine in-person monitoring and encourage regular maintenance, which can minimize the need for major repairs. SEAs and LEAs use other technology solutions, policies, and procedures to protect against threats to information systems and the confidentiality of sensitive data. During the widespread disruption caused by the coronavirus disease (COVID-19) pandemic, many education agencies rapidly responded by switching to a remote working and learning model.

As technological innovation advances, threats increase. Organizations across every sector experience cybersecurity incidents, and education agencies are no exception. The frequency, severity, and impact of cybersecurity incidents in education agencies are increasing. Nearly three times as many cybersecurity incidents in K-12 education agencies were reported in 2019 than in 2018.¹ Schools and colleges were the second-highest targets of ransomware in 2019.² Education agencies need to protect network-connected systems, including IT and data systems, from cyber-attacks, data breaches, and other security threats. It is important for education agencies to act now to ensure they are protected.

There are many reasons why education agencies, especially LEAs, are targets for cybersecurity incidents:

1. Education agencies are data-rich environments and have access to detailed and sensitive student and staff data.
2. Agencies need to balance security against the access needs of staff and other stakeholders, which can increase vulnerabilities and risks.
3. Competing agency needs may be prioritized over cybersecurity.
4. Smaller districts can face many cybersecurity challenges, particularly when few technology staff are available to manage or mitigate threats.
5. High-profile attacks against education agencies often garner media coverage, which could influence agencies to pay off ransoms and minimize the chance of negative press.
6. Agencies have the resources to pay off ransoms, either from cybersecurity insurance or from budgeted funds allocated for other purposes.

The Threat Landscape

Rapid innovation in the technology sector affects and reshapes nearly every aspect of society. Technology is used in education agencies to support student learning, agency decisionmaking, and organizational efficiency, as shown through the technology listed in figure 1. This figure presents various examples of common network-connected systems and devices that are used in various departments within an education agency; this figure is not an exhaustive representation of all technology that could be used in an agency. As with all network-connected systems and devices, each of the examples included in figure 1 can be compromised and used in a cyber attack against an education agency.

While technological advances enable new opportunities, they also introduce new threats. This may be exemplified best by the Internet of Things (IoT), which is composed of an evolving and expanding collection of interrelated and diverse technology devices that connect to a network or to one another and exchange data without necessarily requiring human-to-machine interaction. When unsecured IoT devices and systems are connected to agency networks, they can introduce new vulnerabilities and risks into a protected network environment. Bring your own device (BYOD) programs, paper and 3D printers, smart speakers and lights, and infrastructure monitoring devices (such as wind gauges and moisture monitors) may appear innocuous, but these devices can be exploited by attackers if they are not protected by cybersecurity best practices.

New threats also emerge at the intersection of physical security, cybersecurity, and data security. Networked components of physical security systems (cyber-physical security systems) and the emergence of the IoT present opportunities for safer facilities and schools. This convergence provides efficiencies and an expanded feature set to better manage both physical and cybersecurity. For example, internet-enabled devices have many convenient features such as

• automated safety notifications via text and e-mails;
• the ability to flexibly and easily add security cameras, sensors, and monitoring devices; and
• centrally managed automatic threat detection and response.

However, new technology also can create blind spots and vulnerabilities. New vulnerabilities and risks may include

• unauthorized local and wide area network (LAN and WAN) access to security devices;
• inadequate data protection policies and practices by staff, vendors, and service providers;
• staff prioritizing expedience and convenience over cybersecurity best practices;
• system patches and security updates that are not routinely and reliably applied;
• cloud service providers leaking information;
• systems and devices that are controlled, housed, or monitored off-site; and
• use of wireless networks for malicious purposes.

Network-connected utilities—water; electricity; lighting; heating, ventilation, and air conditioning (HVAC); and emergency response connections—are essential for continuity of operations, but are also susceptible to vulnerabilities. Even school security systems, such as surveillance cameras, are vulnerable to cybersecurity threats. Security systems now operate on the same wired and wireless networks using the same IPs as other network traffic. These formerly closed systems now depend on shared network infrastructure. Additionally, many devices are cloud-integrated or cloud-dependent by default. A malicious person or organization could, for example, hack into a surveillance camera system to spy on people in the facility, ascertain when parts of a building are most vulnerable, or disable the system to gain entry without being detected by security staff. These types of threats and vulnerabilities must be countered through a robust, integrated approach to cybersecurity.

Hackers, phishers, and spammers can disrupt education agency operations; compromise the confidentiality, safety, and integrity of important agency assets; and engender fear and mistrust in an educational community. When a cybersecurity incident occurs, education agencies need to be prepared to respond in a manner that quickly restores affected systems. Education agencies need to be proactive to protect their systems and data from threats, strengthen weaknesses and vulnerabilities, and plan for potential future incidents. These proactive measures will help minimize the likelihood of future incidents and help agencies respond in an appropriate and timely manner if an incident occurs.

Cybersecurity During Crises

It can be easy to overlook cybersecurity best practices when rapidly adjusting to high-pressure, stressful situations. During the widespread disruption caused by the coronavirus disease (COVID-19) pandemic in 2020, many education agencies focused on pressing matters such as ensuring continuity of learning and switching to remote working. Given the stress caused by the pandemic, identifying and processing cybersecurity threats may have been more difficult. During these types of stressful situations, taking time to ensure that security is not compromised can be helpful. Cybercriminals seek to exploit situations during times of confusion and distraction. Stay alert.

The best time to think about a crisis is well before it occurs. While the pandemic is a real-life example of organizations evolving rapidly to meet new requirements, education agencies will face new challenges in the future. Robust threat modeling including natural and human-made threats can be an effective way to identify organizational strengths and opportunities to improve.

Cybersecurity Incidents in K-12 Education Agencies

States have varying reporting and disclosure requirements for cybersecurity incidents, so determining how often SEAs, districts, and schools experience cybersecurity incidents can be difficult. Cybersecurity can be a sensitive topic; as a result, agencies may be reluctant to voluntarily disclose an incident due to the negative publicity such an incident can generate. As a result, any counts of publicly disclosed cybersecurity incidents likely are underreported and represent a subset of incidents experienced by districts and schools. Nevertheless, a review of publicly disclosed information can illustrate the extent of cybersecurity incidents.

K-12 Cybersecurity Incidents in 2019

During the calendar year 2019, the K-12 Cyber Incident Map cataloged 348 publicly disclosed cybersecurity incidents affecting public K-12 schools, districts, charter schools, and other public education agencies (including regional and state agencies) in 44 states. Nearly three times as many cybersecurity incidents were reported in 2019 than in 2018, when 122 incidents were reported. This rise or hike can likely be attributed to schools’ increased technology use, cybercriminals’ increased targeting of LEAs, vendor incidents that involved a number of LEAs, and greater awareness of and reporting about cybersecurity incidents.³ Figure 2 shows that data breaches were the most common type of K-12 cybersecurity incident reported during 2019, followed by ransomware, phishing attacks, and denial of service (DoS) attacks. Other types of reported incidents include malware and viruses, unauthorized access to systems, hacking and defacing school websites and social media, and attempted financial theft.

Cybersecurity incidents are not limited to a specific type of locality or setting. As shown in figure 3, between 2016 and 2019, nearly every state in the nation was affected by at least one publicly disclosed cybersecurity incident in a public K-12 education agency.

Types of Cybersecurity Threats and Vulnerabilities

Education agencies face a wide variety of cybersecurity threats and vulnerabilities. “Threat” refers to any circumstance or event with the potential to adversely affect agency operations (including mission, functions, image, or reputation), agency assets, people, or other organizations through a system via unauthorized access, destruction, disclosure, modification of information, or denial of service; vulnerability refers to weakness in a system, system security procedures, internal controls, or implementation that could be exploited by a threat source.⁴

Even staff with in-depth cybersecurity knowledge can fall victim to common threats and vulnerabilities, like phishing e-mails and weak passwords. Common threats:

• Data breach—The intentional or unintentional release of secure information—including personal, sensitive, or confidential information—to an untrusted environment. Once released, information is vulnerable to being viewed, copied, transmitted, stolen, or used in an unauthorized manner. A data breach may originate from various sources:
• Internal threats—Actors within an organization (for example, employees, contractors, and partners) who introduce risk through intentional or unintentional behaviors.
• External threats—Actors who originate from outside of an organization (such as cybercriminals, attackers, or hackers), often with malicious intent.
• Intentional breaches—Breaches that are motivated by intentionally malicious purposes.
• Accidental breaches—Breaches that occur as a result of human error. For example, unintentionally providing public access to files or information, rather than limiting access to authorized people within an agency.
• DoS and Distributed Denial of Service (DDoS) attacks—A DoS or DDoS attack occurs when a server is deliberately overloaded to the extent that the website shuts down and is made inaccessible to legitimate users. A DoS attack uses one computer and one internet connection, while a DDoS attack uses multiple computers and internet connections.
• Spoofing and phishing—Both spoofing and phishing involve the use of fake communication, most commonly e-mail, to obtain personal or sensitive information. Spoofing is the use of a fake e-mail header or IP address to appear legitimate, while phishing is the use of targeted communication in which an illegitimate sender poses as a legitimate business or organization. Various phishing techniques can be used to obtain personal information from targets, including, but not limited to:
• Spear phishing—A targeted attack on a specific person or organization that appears to originate from a colleague or acquaintance.
• Short message service (SMS) phishing—An attack via text message.
• Voice phishing (Vishing)—An attack via telephone.
• Engine phishing—An attack via a fake website.
• Malware, scareware, and ransomware—Malware, or malicious software, is intentionally designed to damage a computer, device, server, client, or network. Scareware is a form of malware that uses social engineering to induce concern, anxiety, or fear, typically to manipulate users into buying unwanted software. Ransomware is a form of malware that encrypts a user’s system, device, or data and demands payment of a ransom for the user to regain access.
• Business e-mail compromise (BEC)—Also known as e-mail account compromise (EAC), BEC is a form of online crime that exploits the use of personal and business e-mail. BEC scams target both organizations and people using a combination of phishing, social engineering, spoofing, or malware to negatively affect the targets.
• SQL injections and cross-site scripting (XSS)—SQL attacks exploit website security vulnerabilities, often by inputting malicious SQL statements into a web application form, to gain access to the website’s operations. XSS uses malicious script embedded in a web application (such as a compromised link in an e-mail message) to gather user data and, when executed, allows attackers to access sensitive user data.
• Man-in-the-middle and eavesdropping attacks—Man-in-the-middle attacks are conducted by attackers who secretly intercept or alter data or communications that are exchanged between two parties. Eavesdropping attacks are when an attacker listens passively to authentication protocol to capture information that can be used in a subsequent active attack.
• Password-related attacks and vulnerabilities—Attackers can obtain passwords for malicious purposes through physical discovery, social engineering, network monitoring, malware, cracking, or guesses. Attackers sometimes share exposed passwords, credentials, and other sensitive data on the dark web. Passwords that use common phrases or are recorded in an unsecured environment are more vulnerable.
• Software and operating system vulnerabilities—Outdated or unpatched software can be vulnerable to cybersecurity threats. Systems and devices can also be more susceptible to threats when cybersecurity scanning and monitoring applications, such as antivirus software, are not used.
• Infrastructure and facilities vulnerabilities—Network-connected infrastructure and facilities systems can be vulnerable to cybersecurity threats. Not only do they provide an avenue for malware to be introduced, but they can also be hacked and then manipulated in ways that compromise operations. Cybersecurity vulnerabilities can also be introduced through lax physical security, such as an unlocked server room.
• Removable media—Removable media, such as thumb drives, external hard drives, and CDs or DVDs, can be lost or stolen, leaving the data stored on these devices susceptible to misuse. Corrupted removable media also could introduce malware into a secure device or network.

The following threat matrix (table 1) illustrates how the security of networked physical systems, IT systems, and data systems often overlaps.

Table 1. Threat Matrix

Threat	Networked Physical Systems	IT Systems	Data Systems
Data breach via human error or intentional attack		✓	✓
DoS and DDoS attack		✓
Spoofing and phishing		✓	✓
Malware, scareware, and ransomware		✓	✓
BEC and EAC scams		✓	✓
SQL injections and XSS		✓	✓
Man-in-the-middle and eavesdropping		✓	✓
Password-related attacks and vulnerabilities	✓	✓	✓
Software vulnerabilities that leave systems and data susceptible to attack	✓	✓	✓
Unauthorized access to or cyberattack on physical facility systems (such as door locks, HVAC, security cameras, Voice over Internet Protocol (VoIP), public announcement, security alarms, fire/chemical/smoke alarms)	✓	✓
Physical intrusion or forced entry to gain access to systems and data	✓	✓	✓
Removable media and devices that are used for malicious purposes or store unsecured data		✓	✓

The simplest cybersecurity measures can have a big impact, but may be easily overlooked. Sharing usernames and passwords is commonly acknowledged as inappropriate, yet staff still compromise system security with this frequent practice. For example, a staff member might leave their desk computer on for their colleagues to use during a meeting. While the staff member intended to be helpful, their action could leave any information stored on the computer vulnerable. If the staff member also happened to leave a sticky note on their monitor with the username and password for their agency’s SIS, the agency could face serious consequences as a result of leaving student information susceptible to a data breach. Furthermore, sharing access to secure data systems is considered a crime in certain jurisdictions. Remember, being helpful should not include compromising security.

Cybersecurity threats and vulnerabilities can manifest in different ways and cause varying levels of damage, as illustrated in table 2.

Table 2. Potential Consequences of Cybersecurity Threats and Vulnerabilities

Threat/Vulnerability	Potential Consequences
Phishing messages	Identity theft Password disclosure Provide access credentials for secure data systems Unauthorized data disclosure
Unsecured network and internet connections	Identity theft Malware infections Password/credential theft Unauthorized disclosures and access to connected systems
Payroll system vulnerabilities or attacks	Financial theft or fraud Identity theft Theft of financial information (for example, bank account numbers)
Hacked notification/ automated call system	Inciting panic by sending false messages of emergencies Theft of personal contact information Threatening message sent to parents or students
Infrastructure and facilities vulnerabilities	Fire alarms triggered to evacuate school puts students exiting the building at risk or provides malicious actors with access to an unsecured building Hacked VOIP systems allow malicious actors to steal information, eavesdrop on conversations, or place fraudulent calls Hacked food service systems reveal student/family financial information Hacked HVAC systems result in unhealthy temperatures that lead to school closures

Cybersecurity Threat Sources

While cybersecurity threats are perceived as originating outside of the education community, insiders also can be a source. After all, staff may unintentionally put their agency at risk by sharing passwords, storing passwords in browsers, leaving applications or data systems open and unmonitored, publicizing their vacation schedules, or other seemingly innocuous actions that can be exploited by malicious actors or unauthorized people. Threats can come from

• criminal outsiders—people who intentionally take advantage of security vulnerabilities for malicious purposes;
• unintentional outsiders—vendors, contractors, and other agency partners who compromise systems and data through lax security practices;
• malicious insiders—staff or students who intentionally compromise the security of a system or data; or
• unintentional insiders—staff or students who compromise security, even after receiving appropriate training.

Malicious Actors Capitalize on Major Events to Manipulate Targets

Malicious actors have exploited major events to target users’ important information, as evidenced by the security threats that emerged during the coronavirus disease (COVID-19) pandemic.

• The U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre issued a joint alert on April 8, 2020, about how malicious actors exploited the pandemic (https://www.us-cert.gov/ncas/alerts/aa20-099a). This alert provided an overview of COVID-19-related malicious cyber activity and offered practical advice that people and organizations could follow to reduce the risk of being affected.
• Phishing attempts, malicious websites, malware, ransomware, and shadow IT solutions increased as attackers targeted remote workers, many of whom were working from home for the first time. Teleconferencing services were vulnerable to attacks and scams, particularly services that were popular or new to the market. Malware distribution, such as spoofed messages from a user’s IT department prompting users to install new software, also was observed.
• Malicious actors launched phishing campaigns and created fake websites to capitalize on public interest in the pandemic and make targets take specific compromising actions. Attackers sent phishing messages about government stimulus payments, intending to steal sensitive user information through credential harvesting. Attackers also presented malware as COVID-19 outbreak tracking software.
• To appear trustworthy, malicious actors use spoofed information, like using the name of official health agencies and organizations or official titles, such as “Doctor.” Malicious files and fake e-mails, text messages, and websites also used pandemic-related themes, such as “Federal government issues stimulus payments to help all citizens during COVID-19.”

¹ Levin, D. A. (2020). The State of K-12 Cybersecurity: 2019 Year in Review. Retrieved March 9, 2020, from https://k12cybersecure.com/year-in-review/.
² Sheridan, K. (2019, September 20). Ransomware Strikes 49 School Districts & Colleges in 2019. Retrieved March 9, 2020, from https://www.darkreading.com/threat-intelligence/ransomware-strikes-49-school-districts-and-colleges-in-2019/d/d-id/1335872.
³ Levin, D. A. (2020). The State of K-12 Cybersecurity: 2019 Year in Review. Retrieved March 9, 2020, from https://k12cybersecure.com/year-in-review/.
⁴ U.S. Department of Commerce, National Institute of Standards and Technology. (2017). An Introduction to Information Security. Retrieved January 8, 2020, from https://doi.org/10.6028/NIST.SP.800-12r1.