In 2020, the world experienced unprecedented disruption in the form of the COVID-19 pandemic. This led to a wave of attacks against all types of organizations as they scrambled to maintain some operational normality.
Phishing attacks soared. Externally facing services that had been exposed all along received a new wave of probing. Cloud providers accepted new customers onto the platforms at pace as remote access and distributed working rapidly became the new normal.
One sector faced particular challenges in providing secure access: education.
In line with other sectors, the education sector looked to cloud-based services to try and provide access to resources and support teaching requirements. Schools had already started transforming their technology stacks to mirror those of any other business. Online work submissions and the ability to contact the teacher via email and class conference calls were approaches that kept things moving forward.
As more school accounts transformed into cloud identities, attackers started to take notice and the NCSC issued warnings about a worrying trend: ransomware attacks against the education sector. Attackers were successfully breaching school environments and encrypting data. These attacks led to the loss of student coursework, financial information and access to sensitive, confidential data.
This caused massive disruption to school operations, which inevitably impacted the ability to support learning. Schools will always be hybrid environments and will always have internal networks designed to support the delivery of education for staff and students. Should an attacker gain the ability to execute payloads internally, the disruption can be severe.
Fundamental Challenges
Schools face security challenges that are not easily solved. For a start, a large proportion of the user base are children across a broad age range. This user population is expected to choose weak credentials. It’s inevitable.
If students are in school, they are using school resources. If they are at home, they are (commonly) using their own devices to access cloud accounts for email or work submission. The internal IT teams have no control over the state of the devices used to access these resources.
How do you implement multi-factor authentication for student accounts? You can’t assume students have a phone, or that they are allowed to use one if they do; even if they were, school policy would have to change to permit such devices in school. Hardware token? Probably not; it will get lost, forgotten or broken regularly.
While a business can issue you a phone and a laptop on your first day, schools don’t have the luxury of assigning devices to pupils. Therefore, the security of student accounts will be bound to password strength for a long time.
Schools can have more control over staff devices and could ask staff to use their own phones as a secondary authentication mechanism. However, staff still generally hold administrative privileges over their issued devices. Therefore, a successful attack against a staff account gives an attacker a strong foothold, not to mention visibility of all that user’s communications with others and access to data.
The Case for Testing
We believe schools and colleges would benefit from an adversary-led approach towards assessing their cybersecurity resilience posture via active real-world simulation, using penetration testing approaches. To test this hypothesis, we partnered with a school and tested it. We wanted to give real-world insights into how effective the school’s controls were when tested against the tactics, techniques and procedures of real threat actors.
The results were alarming, if not unexpected. We demonstrated escalation routes for student accounts and access to sensitive data. We showed that we could gain control over the internal domain and use this access to deploy ransomware, essentially crippling the environment.
It is true that common IT management processes are vital: backups, network segregation and account control are all part of daily management. Frameworks can benchmark how effective schools are at managing these elements. However, the advice to the education sector so far has been largely focused on recovery from an incident. A proactive approach to prevention also needs to be a focus. Testing in other sectors helps to understand where attack chains exist so they can be broken. It also demonstrates the impact should a breach occur, which can support cases for investment in new technologies and approaches. Change can be difficult, but testing is very effective at helping to align priorities and to determine where investment is most needed.
Protecting the Data
Schools have evolved to use the same technologies businesses have, but they are largely unequipped to deal with modern threats that target these platforms and internal networks. Testing can help to determine investment requirements and implement changes to improve the overall security posture of schools. The sensitive data held by our schools, and the learning outcomes of our children, must be protected.