schoolAs we approach mid-June, our thoughts in the U.S. naturally turn to those that are graduating High School and College at this time of year.  This is a major accomplishment for many, to be celebrated by all.  It is also a time to reflect upon our educational institutions, and the many threats facing them today.  While some of these threats have been well documented (skyrocketing costs, low teacher salaries, child abuse scandals, etc.), the Cyber threat to our educational systems has been steadily growing.

Cyber threats to educational systems can take a number of forms, from the bored student to political extremists and even foreign Governments.  The sheer cost of higher education in the United States will likely draw the attention of Eastern European organized cyber criminals specializing in penetrating databases for the exfiltration of financial data.  While cases in which students “hack” systems to change their grades garner a bit more attention (and perhaps a bit of envy), other cases can be much more serious.

Some threat actors want attention, and find school websites around the world to be easy targets.  “Hackers” affiliated with the Islamic State and other extremist organizations are demonstrating their ability to deface websites, even at elementary schools and churches.  This can be quite disconcerting to average American elementary school students, naturally worrying that “terrorists are coming to get them.”  Such was the case in March, when a group claiming to be the “Voice of Palestine” defaced the webpage of the Greenbrier Christian Academy in Chesapeake, Virginia.  The FBI later stated that the attack originated from a “local” IP address, but it is not clear whether that IP was used as a transit point or was the actual source.  The FBI is continuing to investigate.

Penn State recently announced the FBI had told the College their systems had been penetrated by “Advanced Persistent Threat” actors operating from China.  This intrusion forced the disconnection of the College of Engineering at Penn State, and the outage lasted several days.  Far from changing grades, the actors in this case were specifically targeting Intellectual Property, and the losses are still being evaluated.  Additionally, more than 500 public (government) and private research partners were notified of the breach, and more than 18,000 people were offered credit monitoring services due to the compromise of their personal information (including social security numbers).  Penn State furthermore brought in expensive outside consultants to combat the intrusion, and promptly discovered two other previously undetected threat actors on the Penn State network, one of which dated back to September 2012.  Remediation is ongoing.

The above examples are not likely to be isolated incidents, and it is expected that many more educational institutions are unaware of threat actors already on their networks, including threats posed by “trusted insiders.”  Recently, the media has reported several cases of high school students gaining unauthorized access to restricted areas of school networks in order to change grades for themselves and friends.  These activities were not detected by vigilant network security staff members, but rather teachers that noticed something odd occurring within their accounts.

Educational systems must invest in their network security, just as many in the private sector have already discovered.  Risks to educational networks are arguably higher, as seemingly tech-savvy students may not always recognize dangerous phishing emails and do not have corporate IT policies to follow.  Further, peer pressure is often a factor, with many students downloading and running popular games, sharing video sites, and trading pictures with their friends to pass the time in monotonous classes.  It is not a stretch to envision malicious software hosted on sites specifically aimed at students in order to target educational institutions.

Schools and Universities must begin to take steps to protect not only their students, but also their investments in Intellectual Property and research partnerships.  As government and corporate networks improve their Cyber defenses, so must educational systems.

Dave Bell, EdgeWave Technical Director, Security Operations and Analysis,  is a former Red Team leader for the U.S. Department of Defense. With over 20 years of experience within the DoD and Intelligence Community, Dave led the Red Team in many major DoD exercises in order to demonstrate the potential operational impacts of offensive cyber operations and improve the effectiveness of US Military cyber tactics and personnel.  You can read Dave’s blog HERE