And attackers may be taking note. Schools suffered a variety of attacks this year, and the report warns they’re likely to remain tempting targets in the 2022-2023 school year, because they have few cyber resources but plenty of data. That data wealth puts schools in the cross hairs for financially motived attackers like ransomware perpetrators, and their limited defenses attract ideologically motivated hacktivists looking to build reputations.
The threat isn’t staying still, either. Some ransomware actors have been updating their tactics and now email students, parents and faculty to alert them to the attacks, increasing pressure on schools to pay up.
Yet schools only show moderate preparedness. CIS’ Nationwide Cybersecurity Review (NCSR) — a voluntary, free cybersecurity self-assessment — considers the maturity of participants’ cyber programs. The K-12 sector received only a 3.55 out of 7 on its scale.
Changing the picture could mean seeing more schools sign on for free CIS cybersecurity resources, the nonprofit suggests. Plus, other voices have been calling for greater federal support.
The report drew on feedback from the Multistate Information Sharing and Analysis Center (MS-ISAC)’s roughly 350 K-12 school and district members, NCSR assessments of 197 K-12 districts in 2021, data from CIS’ security operations center and threat data and analysis from CIS' Cyber Threat Intelligence Team.
SCHOOL CYBER GAPS
Schools are no stranger to cyber attacks, with the MS-ISAC finding about 29 percent of its K-12 members were victimized by cyber incidents.
As threats become more advanced, K-12 entities struggle to keep using limited funding and staffing. Forty-nine percent of K-12 schools have only one to five cyber or IT employees, the report found, and the average school directs 8 percent or less of their IT budgets into cybersecurity.
Lack of cybersecurity strategies and documented processes presented another hurdle. K-12 entities appeared more likely to have cyber insurance than to have documented incident response plans or certain other cyber best practices. Eighty-three percent of MS-ISAC K-12 members had insurance, but only 63 percent had incident response plans and 71 percent had implemented some level of multifactor authentication (MFA).
This raises some strategy questions: while cyber insurance can be useful, it only provides money to help after damage is dealt. The Government Finance Officers Association (GFOA) and Center for Digital Government* previously issued a report advising entities to carefully consider how to split their cybersecurity dollars among insurance coverages that help with recovery and preventative measures that can reduce the likelihood and severity of incidents in the first place.
Turning an eye to specific practices, CIS found K-12 entities needed improvement on best practices like collecting audit logs, encrypting data on removable devices, evaluating the security practices of service providers and establishing and maintaining data recovery practices.
Still, schools shined in some areas, showing maturity around cyber awareness and training practices, identity management and access control and using information about their business environments to inform cybersecurity roles, risk management decisions and responsibilities.
MAIN THREATS: MALWARE AND EXPLOITS
From August 2021 to May 2022, schools were targeted by different malware strategies.
Nearly one-fifth of the cases saw perpetrators send emails to trick recipients into downloading or opening malware or clicking on links to malicious sites, while 4 percent involved “dropped” malware, in which cyber attackers deliver the malicious software manually through infected third-party software or via malware already present on a system that “contains exploit code for known vulnerabilities,” per the report. Slightly more than a fifth of malware attacks, meanwhile, used multiple methods to infect systems.
But the greatest share — 56 percent — of malware reached victims through real digital advertisements that had been infected.
Shlayer — one of the two most common malwares impacting K-12 entities this past academic year — often masquerades as a fake Adobe Flash updater or uses malicious websites or hijacked domains to infect victims’ systems, then drops adware or other malware. So far, Shlayer’s attacks have had “low impact,” the report found, but could become more serious if used to drop more damaging malware like ransomware. Shlayer targets Apple macOS devices, which puts schools — and their many Mac computers — particularly at risk.
Schools also frequently confronted CoinMiner malware, which often enters a network through malicious spam or being dropped by other malware. Next, it spreads across a network by abusing a legitimate Windows function and known exploits, then directs victims’ systems to mine cryptocurrency.
K-12 also needs to be alert to Jupyter — also dubbed SolarMarker — which works to steal data stored in web browsers, and to attackers looking to exploit known vulnerabilities to stealthily gain access to victims’ systems or data.
WHAT CAN BE DONE ABOUT IT?
The CIS report advised K-12 entities to take advantage of its free resources. That includes conducting cyber maturity assessments with the Nationwide Cybersecurity Review and joining the MS-ISAC for free threat intelligence, services and connection with peers. CIS also advised adopting network and endpoint defense services and following core cybersecurity best practices, outlined under its CIS Critical Security Controls.
Others also say the federal government has a bigger role to play.
The Government Accountability Office (GAO) has been urging more federal help and criticized the Department of Education’s slow response in a recent report.
The GAO critiqued the Education Department for lackluster effort to coordinate among federal agencies and K-12 districts about supporting the latter’s cybersecurity. One area of contention: the Education Department has resisted calls to establish a formal collaboration and intelligence sharing body, instead taking an informal approach.
The GAO also pressed the department to identify ways to address K-12 challenges, like limited funding and staffing, and to assess the effectiveness of current federal offerings aimed at helping boost school cybersecurity.
Others, too, have suggested that the federal E-rate program, which provides funding to support K-12 and library Internet connectivity, should also come with monies for securing that connectivity. The Consortium for School Networking (CoSN) petitioned the FCC to make such a change last year and continues to advocate for this. John Harrington, CEO of Funds For Learning, a firm that consults on E-rate compliance, spoke similarly in a recent GovTech interview.
“Internet access is only good if it’s reliable and secure,” he said. “And that is where the E-rate program is woefully inadequate.”
*The Center for Digital Government is part of e.Republic, Government Technology’s parent company.
