CyberSecurity for K12 - Students Underestimate Risks of a Cyber Attack

Posted by Geraldine Hunt on Fri, Sep 23rd, 2016

Ah, to be young again. That incredible time in your life when we feel invincible. It’s a time when we are prone to take greater risks and haven’t yet grown skeptical of the world.  As a result, we are more trusting and less wary about the world compared to older adults.  These traits also make young people less guarded and susceptible to cybersecurity threats.

K12 Students – their naivety makes them ideal targets

Many school systems across the U.S. are implementing one-to-one programs so that every high school student has a computer device, usually a laptop.  In many cases these programs include middle school students as well.  For many, it is their first personal mobile computing device, and for some, the first mobile computer of the household.  For this reason, parents of these students cannot pass on basic security protocols and procedures concerning these devices.  For these students, cybersecurity threats and malware are irrelevant or unknown concepts and their naivety makes them ideal targets.

Privacy issues around File Sharing & Torrent Sites

As we all know, file sharing is still alive and well and teenagers today readily turn to cyberlocker and bit torrent sites to download movies and music.  In fact, until authorities recently shut it down in June of 2016, a site called KickassTorrents was the 69th most popular site on the Internet and garnered over 50 million visitors a month.  Of course torrent sites open users up to privacy issues by exposing IP addresses and create open connections to untold exploits.  Teenagers are also willing to download the latest game fad with little suspicion of Trojans and key loggers from anonymous sites.

Circumventing the school web filter

Many K12 students instigate a daily mission to circumvent the school web filter.  There exists a cat and mouse game between students and technology staff members as students readily share the latest public proxy executables such as Psiphon and UltraSurf amongst each other.  Although most school systems have some sort of web filtering, many of these solutions are incapable of filtering mirrored sites, especially those on the scale of these large proxy networks.  By bypassing total filter protection, students make their computers prime targets for ransomware and other types of malware.

Why a College or University network requires special attention 

During their high school years, students operate their computing devices within relatively safe and sheltered environment.  Although students constantly probe for security holes to obtain proxies and file sharing apps, their potential threats are controlled.  But then they go to college they experience an environment that is almost the exact opposite.

The nature of the University campus and network is the real difference between higher-education establishments and the corporate network. Made up of many, sometimes dispersed, networks; the university network infrastructure is the corporate security officer’s nightmare. But this is not down to any lack of foresight or ignorance on campus IT security. It is far from it. The educational environment and historically open campus means there is not the tight security focused infrastructure that corporate networks exemplify.

A regular flux of undergraduates; researchers and graduates collaborating and sharing data globally; visiting academics; “bring your own device” infrastructures long before business even considered it. These are environments where the concept of tight data security has traditionally been unhelpful or even unwanted. When an institution thrives on the free exchange of data and ideas, it cannot easily apply the same security measures as larger businesses do. K-12 communities have been slow to adopt the strict security standards.

Higher education is about the sharing of ideas and collaboration with just about anyone across the globe.  Thus the networks of these intuitions are far less guarded.  This is probably why according to DataLossDB, an organization that tracks cyber breaches across the world, 9% of all breaches within the U.S. were targeted at universities. 

While many college students continue to openly participate in file sharing sites and “free“ applications that are laced with Trojans and other malware, college students face a unique and rather large challenge concerning the security of their devices. When ten to fifty thousand students are congregated in one area, space is limited.  Whether it is the dormitory, college library, the student center or the local coffee shop, students operate in highly crowded environments.  In these types of congested venues, leaving a computer device unattended for even a few minutes can expose it to numerous physical breaches including theft and USB breaches.  Shoulder surfing is also a constant menace in crowded rooms full of activity. The implementation of password protected screens and USB blockers should be mandatory safeguards in these types of environments.

Malware attacks delivered through social media sites

Students today don’t value email as much as their parents, yet email is often the gateway to almost every other account a user may have.  When someone loses or forgets an account password, it is their email that is utilized to reset it.   While many working professional are now employing the use of multifactor authentication to better protect their email accounts, many students only utilize their email on a limited basis such as communicating with their instructors and operate their email with less caution.

While students may not be as susceptible to email phishing attacks since they don’t utilize email to the extent as older users, they are very exposed to malware attacks delivered through social media sites.  In June of 2016 a global Facebook phishing scam was discovered that delivered rogue friend messages through Facebook Messenger was claiming a victim every 20 seconds.  Recently a malware application called Instacare lured unsuspecting Instagram users into providing their account passwords. 

The truth is, when it comes to cybersecurity, students have a lot to learn. 

Attacks directed through compromised computers at US universities

IT admins in schools or schools districts need to make sure their machines are clean. They also need to use education, awareness and policies that apply across the entire institution. It's about educating the individuals who own and use the IT resources. The personal and financial data stored on university data systems is of great value to the  cyber-criminal. When the New York Times’ computer systems were hacked in 2013, the subsequent investigation found that the attacks had been directed through compromised computers at US universities . Commercial data can be of interest to corporate spies and scientific or grant-related research can be targeted by nation-state backed groups.

Security is a trade-off

There is a fine-balance on what has to be allowed and what security measures can be put into place. Security in all organizations, commercial or academic, is a trade-off between the likelihood and potential impact of an attack and the financial cost or loss of utility that are incurred in defence.

One successful approach has been to segment and partition campus networks as much as possible so that the most sensitive and valuable data can be protected adequately while allowing for relatively open parts of the network to support educational and research needs. This can be complex and requires detailed risk analysis, management prioritization and associated security measures.

Are you an IT professional at a school, that wants to ensure sensitive school, student, and staff data and devices are protected?  Talk to a specialist or  Email us at info@titanhq.com with any questions.