Parents and school officials must collaborate to operate schools like a digital native start-up instilled with a security culture
Parents have long held a special duty to protect their school-aged children from bad actors on the Internet.
Now COVID-19 has dramatically and permanently expanded that parental responsibility, as well as extended it to ill-prepared school officials in K-12 campuses all across the nation. The prospect of remotely-taught lessons remaining widespread for some time to come has profound privacy and cybersecurity implications, going forward.
Overnight, those in charge must learn how to operate all of our elementary, junior high and high schools as if they were digital-native startups. Students, parents and teachers at each K-12 facility, henceforth, need to be treated as the equivalent of remote workers given to using a wide variety of personally-owned computing devices and their favorite cloud services subscriptions. And it must be assumed that many of them are likely ignorant of good cyber hygiene practices.
School district officials will have to adapt and embrace a bold, new paradigm – and they’ll have to do it fast. The stakes are very high. Organized hacking groups will be quick to single out — and plunder — the laggards. Here’s what all parents and school officials need to spend the summer thinking about and planning for:
“Zoom-bombing” entered our lexicon soon after schools began their first attempts at using the suddenly indispensable video conferencing tool to conduct classes online. Attackers quickly figured how to slip obscenities and even pornographic videos into live classes.
This was an early indicator of how far most schools have to go in adopting an appropriate security posture. No one enforced the use of passwords, nor insisted on strict teacher control of those lessons. To Zoom’s credit, password protection and a “waiting room” feature, which allows the host to control when a participant joins the meeting, are the default settings
for its free and single license paid accounts. Yet it’s understandable that a teacher, in the absence of school policy, might disable the password and waiting room functionalities to keep the class open to last-minute stragglers.
“What people have to keep in mind is that using a cloud service to hold a meeting or call is kind of like having a meeting out in the middle of a city where anybody can potentially join or listen in to what’s going on, or just cause problems,” observes Kowsik Guruswamy, chief technology officer at Menlo Security, a Silicon Valley-based supplier of malware-blocking technology. “However, these inconveniences of enforcing passwords and using waiting rooms are completely reasonable if you want to ensure a secure, private meeting.”
Clearly, school districts need to set basic security criteria for Zoom classes, including processes for making sure participants only use the latest, fully patched version of whatever collaboration tools are being used and reporting any malicious, or even suspicious, activity to school district security.
Zoom-bombing is comparatively easy to get under control. However, operating more like a digital-native company presents a host of complex exposures school districts will now have to come to grips with.
For one thing, the youngsters are apt to be light years ahead of the adults in terms of their digital aptitude. “The fact is that K-12 students are social media savvy, incredibly comfortable on the internet and willing to stretch the boundaries of common sense, to a greater degree than the faculty,” says Colin Bastable, CEO of Lucy Security, a cybersecurity training company based in Zug, Switzerland, that does a lot of work with schools.
And yet, school districts, now more so than ever, must take proactive steps to mitigate the same privacy and data security risks as any other small- to medium-sized business (SMB.) This begins with securing sensitive school district records, belonging not just to students, faculty and staff, and includes monitoring and protecting online payment systems, now sure to come under expanded Business Email Compromise (BEC) attacks.
The thing that most alarms Jesse Norton is the exposure to kids. Norton is a security consultant at Spirent Communications, an 82-year-old British supplier of network performance testing equipment. “This brings the possibility of pedophiles getting access to these lists,” Norton says. “This can result in long-term consequences, like identity theft ten years from now, or even the use of childrens’ identities in human smuggling/sex trafficking rings. Criminals can be ingenious when it comes to utilizing the resources they get their hands on.”
When I asked Norton how he would grade the security posture, generally, of K-12 schools, in the U.S., here’s what he told me: “I can't speak for all schools, the only one I know about is where my kids go. They are ill prepared for configuring a network to work, let alone securing it; definitely getting a D minus.”
One of the big things school districts do have going for them happens to be the same advantage all SMBs currently enjoy: there is no lack of technology and best practices regimens readily available to tap into. It’s just a matter of finances and institutional intent, which go hand in glove.
I discussed this with Tim Keeler, co-founder and CEO of Remediant, a San Francisco-based provider of privileged account management software.
Keeler outlined how implementing three tried-and-true technologies — Single Sign-On (SSO,) multi-factor authentication (MFA) and virtual private networking (VPN) — can go a long way to locking down school networks.
Says Keeler: “Implementing a robust SSO offering ensures strong authentication, robust password management, as well authorization to the right resources. This will also allow remote employees to conduct their day to day activities without the added friction of handling multiple accounts and complex passwords . . . An added VPN layer enables companies to segment their IP and critical infrastructure and control access to those resources separately. In addition, an added MFA layer for administrators of these resources can be added to verify sensitive actions, such as configuration changes.”
Laurence Pitt, global security strategy director at Juniper Networks, a Silicon Valley-based supplier of high-performance network routers, notes that many school districts are likely to have many of these systems already in place. Like SMBs in other sectors, they just never got around to fully deploying them.
Observes Pitt: “The problem is that they’ve gotten accustomed to having a controlled environment that allowed them to rely on protection against attacks coming from outside sources . . . Now that the ability to educate remotely has settled in, schools and school districts need to reassess and update their security policies. Perhaps teachers should have in-house technology so that their home Wi-Fi becomes an extension of the school Wi-Fi. That would secure their access to systems and enable policies to be applied to the devices they use for accessing data or managing classes.”
These are all important notions for parents and school district officials to contemplate this summer and begin factoring into their expanded duties to protect children in the fall. The tools and best practices are the simple parts of the equation. Keeping up with the kids will be the hard part.
Even very young children today have a completely different perspective on data, online and personal privacy compared with previous generations, says Bastable of Lucy Security. “They are harder to protect at school, at home or in the mall -- if and when the mall reopens,” he says. “I don’t think schools can protect students against themselves to the extent that they could and should be protected. The toothpaste is never going back in the tube.”
He’s right. It’s important to deal with the toothpaste, where it lays. I’ll keep watch.
Many of the underlying algorithms we rely on are only as good as the human knowledge they come from. And sometimes, the knowledge transfer from humans to formulas falls short.
Security weaknesses align seamlessly with the spreading of disinformation. The purveyors of disinformation know this and have taken to spreading malware via vulnerable mobile apps.