Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10/4/2019
11:15 AM
50%
50%

Complex Environments Cause Schools to Struggle for Passing Security Grade

As ransomware attacks surge against school systems, an analysis of 1,200 K-12 institutions in North America shows complex environments and conflicting security controls.

IT environments at primary and secondary schools are complex and full of security gaps, leaving them more vulnerable to attacks such as ransomware and crypto-miners, according to an analysis of 1,200 schools in the US and Canada.

The analysis, conducted by managed security services provider Absolute and released this week, found that the typical school in North America has to manage hundreds of versions of applications across dozens of operating-system builds. Overall, the company found more than 250 versions of major OSes — such as Windows, Mac, Linux, and ChromeOS — and 137,000 unique versions of applications installed on devices managed by the 1,200 schools. 

School districts' IT teams are hard-pressed to manage such complex environments, says Josh Mayfield, director of security strategy at Absolute. Ransomware attacks against US school systems surged by more than 30% in 2019, driven in part by the difficulty that overworked IT teams have in securing the complex environments, he says.

"The amount of tech complexity in K-12 environments is overwhelming, as their attack surfaces have grown by several orders of magnitude," he says. "In this new reality, there are too many tangles and limited visibility, leaving gaps open to exploit and space for attackers to camp out, which has set the stage for ransomware."

With knowledgeable security professionals in short supply and technology proliferating in school systems, the cybersecurity picture for schools continue to grow darker. In the first nine months of 2019, the number of security incidents at K-12 schools jumped to 160, exceeding the number of incidents in all of 2018 by 30%, according to Absolute's accounting of public data. 

Schools are now the second largest group of victims, behind municipalities, according to cloud security services firm Armor.

"Due to the volume of device types, operating systems, and applications, managing and patching devices is a huge challenge," Absolute's report stated. "The potential impact of this cannot be overstated."

The education sector has always been hard-pressed to protect its networks and systems. School districts' reliance on public funds means low salaries for IT and IT security workers. Education also relies on the open sharing of information, making stringent security measures not generally possible. 

Little wonder, then, that the educational sector as a whole has received failing grades from ratings firms.

Most school districts — 53% — rely on the default patch management and client controls that ship with the chosen devices and operating systems. But such utilities and controls have a 56% failure rate, with more than a third of devices requiring at least one repair a month, Absolute found.

"Each time that situation arises ... it means that the agent not only failed, but that it failed repeatedly due to ... complexity and decay ... with other tools foreclosing access to machine resources," Mayfield says.

Rather than add security, each layer of security often added complexity to the detriment of the overall security of the organization, Absolute stated in the report. 

"[E]very additional security tool only increases the probability of failure as agents and controls conflict with one another on the endpoint," the report stated.

Students also cause significant complexities for IT administrators and security teams. Unlike workers who have an incentive to follow the rules of IT security, students are often incentivized to get around controls and are often more tech-savvy than teachers.

The report found that 42% of students use virtual private networking (VPN) software or Web proxies to get around security controls. Absolute found 319 such applications and services across the 1,200 schools in its dataset. 

"Even if K-12 organizations accounted for the complexity and bolted on maximum strength defenses, they still are left with rogue students swinging open the door to attack and industrious users who simply disable controls," Mayfield says. 

Students often do not understand the consequences — or are not concerned — when they circumvent security measures. Yet more education is not the answer, he says.

"Turn it into a game. Teach them what attackers do, test them on practical examples, and give each of them a sense of achievement when they win," Mayfield says. "Let them know what villains may try to do, and challenge them to step up and help stop them. Make them the hero of the cyber-resilience story."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How the City of Angels Is Tackling Cyber Devilry"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9349
PUBLISHED: 2020-04-02
The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password.
CVE-2020-11100
PUBLISHED: 2020-04-02
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
CVE-2020-11450
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in.
CVE-2020-11451
PUBLISHED: 2020-04-02
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF.)
CVE-2020-11454
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the app...