Combatting Insider Threats in Remote Learning Environments

Remote learning is now an inevitable reality for academic institutions. Even before the pandemic, remote learning was on the rise. The pandemic has only made that trend more pervasive and dominant across institutions, most notably among the public schools.

The Multi-State Information Sharing and Analysis Center (MS-ISAC), a federally funded threat intelligence and cybersecurity advisory organization, recorded a 19% increase in cyberattacks targeting K-12 schools in the 2019-2020 school year. Based on the rising trends of alerts from the academic sector, MS-ISAC projects the number of cybersecurity incidents targeting institutions to jump by 86% in the upcoming academic year.

Modern institutions invest heavily in educational technology (ed-tech). Compared to technology adoption, investments in cyber defenses lag and are usually poorer than the corporate sector due to budget and other constraints. As remote learning becomes a new norm, this gap continues to widen, exposing more vulnerabilities for hackers to exploit. The cybersecurity gap is often worse at schools in remote learning environments with less funding and in lower-income districts with less money to invest in cybersecurity.

Insiders such as students, teachers, and parents are significant threats in the academic sector. For instance, every remote student’s laptop used for remote learning is a potential entry point for hackers to make indoors into the institution’s IT infrastructure. This could lead to serious breaches, including phishing attacks, ransomware, data theft, and other cybercrime activities.

Recent trends of cyber incidents & their impact

According to the FBI, CISA, and MS-ISAC, cyber actors are expected to continue targeting educational institutions to exploit their weak security posture. In the post-pandemic recovery phase, most schools and colleges around the nation are resuming on-campus classrooms. However, remote and hybrid learning will continue as an option. This long-term trend would expose more access points for potential intrusion.

K-12 Cybersecurity Resource Center’s report cited 2020 as a “record-breaking” year from a cyber incident perspective targeting public schools in the U.S. The report’s K-12 Cyber Incident Map keeps track of these incidents and offers public and private sector organizations insight into valuable threat insights that apply to schools.

Among these incidents, nearly 40%  included data breaches and leaks, ransomware was 12% approximately, and the rest included denial-of-access attacks impeding access to programs used for remote learning.

“Cyber invasions,” an emerging threat reported by institutions, involved unauthorized users gaining access to online classes and video conference meetings. These intrusions often disrupted them with hate speech, threats of violence, and obscene images, sounds, and videos.

Identity theft, targeting students is another growing concern. Theft of students’ identity data often escapes detection till they apply for college loans.

Phishing campaigns targeting students and educators are getting more sophisticated. Attackers are spoofing email addresses to make phishing emails appear to come from recognizable email addresses at first glance. While in school environments, about 3% of teachers inappropriately yield to phishing scams. That number rises to 15 to 20% when they teach from home.

Remote learning environments remain particularly vulnerable as students and teachers increasingly use advanced ed-tech solutions from personal devices and networks that lack adequate security measures.

Real-world attacks in the remote learning sector

Since 2020, the average number of attacks targeting the remote learning sector has climbed to more than two per school day. Many of these attacks trace back to inadvertent actions of the insiders – school staff and students.

• • By employing social engineering tactics, a hacker compromised the Del Rio, Texas school district’s computer systems. Funds intended to cover the payment of three bond issues from the district comptroller were compromised and transferred electronically to a fraudulent account.
  • The school district of Live Oak, Texas, underwent a ransomware attack and had to pay over $500k to regain control of the IT systems and networks.

• An international malware group posted nearly 26,000 confidential files of Broward County, Florida, containing student and staff information. These files, stolen from the school’s servers, were published online after the district officials refused to pay the $40 million that this group demanded in ransom.

• In late 2020, a ransomware attack shut down Baltimore County schools for several days. Other prominent ransomware attacks have hit schools in Miami, Toledo, and Huntsville, Ala.

The cost of these breaches adds up considering the potential for identity theft of students besides the cost to insure against attacks and repair breaches. The rising number of breaches in the remote learning sector is partially blamed on weaker cyber defenses than the corporate sector and the lowering costs to execute an attack. For example, by exploiting the dark web, hackers can launch a ransomware attack by spending as little as $100.

Looking deeper into threat Dynamics

Since the pandemic, cybercriminals leveraged new attack vectors for data breaches and phishing scams, ransomware, and malware attacks targeting the remote learning sector. The insider threats get worse when staff and students use insecure personal devices in less secure networks.

According to CISA, the primary attack vectors used in recent attacks targeting remote learning can be categorized into specific threat types.

Ransomware

Ransomware has been one of the top attack types targeting the remote learning sector. Many of these attacks end up with a ransom payment. Since ransomware attacks render remote learning difficult if not impossible, disrupting the lives of thousands of students and parents, the pressure on educational institutions to pay up quickly remains high.

In ransomware attacks, malicious actors compromise IT systems, encrypting files that slow down access and, in some instances, make remote learning platforms inaccessible.  The threat actors primarily employ social engineering tactics to make inroads into the institution’s IT networks, steal confidential files, and lock up access to classes. Finally, they threaten to leak confidential student data unless institutions pay a ransom.

In August and September 2020, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools. This is a significant jump compared to 28% of all reported ransomware incidents from January through July.

Based on the victim and third-party incident response reports, the five most common ransomware variants used in these attacks are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.

Malware Attacks

Among the malware strains affecting the state, local, tribal, and territorial (SLTT) education institutions, the most prevalent ones are ZeuS and Shlayer (Figure 1).

Figure 1: Top Ten Malware affecting SLTT educational institutions (Source: CISO.gov)

ZeuS, a Trojan, has several variants that target Microsoft Windows operating systems. Threat actors use ZeuS to infect Windows machines. The stolen information is subsequently sent to command-and-control servers.

Shlayer is a Trojan downloader and dropper for MacOS malware. Malicious ads for products like Adobe Flash updater, malicious websites, hijacked domains are the primary channels used to distribute Shlayer.

Distributed Denial-of-Service Attacks 

Distributed denial-of-service (DDoS) attacks temporarily limit or entirely prevent users (students and teachers) from conducting remote classrooms. Cyber actors target both the institution and third-party services to support remote learning. The rise of DDoS attacks in the education sector is partly fueled by DDoS-for-hire services that enable threat actors to launch attacks regardless of their experience level.

Video Conference Disruptions

The sudden shift to remote learning in masse following the pandemic caught many leading third-party virtual learning platforms as unprepared as the teachers and staff who were offering the classes remotely. Unless adequate security controls protect the video conference sessions, the risks of disrupting classroom conversations (aka. cyber invasions) and exposing sensitive information increase significantly. These disruptions have been widespread since March 2020, when uninvited users tricked hosts to accept them in class sessions by feigning valid student names. After breaking into the online classrooms, the disruptors verbally harassed the students and teachers, displaying pornography and/or violent images and even doxing meeting attendees.

Social Engineering 

Social engineering methods are what threat actors routinely employ against students, parents, faculty, IT personnel, or other individuals involved in remote learning. These methods include phishing emails, vishing, baiting, etc., those trick victims into revealing personal information such as passwords, bank, clicking on a malicious link, opening a malicious attachment, and more. The absence of adequate cybersecurity awareness and security hygiene often escalates this threat in the educational sector.

Domain Spoofing

To capture individuals who might inadvertently mistype an URL or click on a link that looks similar to a familiar website, threat actors usually register web domains with names very similar to legitimate websites. These websites may automatically push malware or spyware on the victim’s device. These attacks are called Domain Spoofing or Homograph attacks. With the rise of online education, as students, parents, and teachers resort to various websites to collect information, complete assignments, etc., domain spoofing becomes a common vector to trick them into malicious sites that may look familiar and safe.

According to FBI, CISA, and MS-ISAC, malicious cyber actors can be expected to seek new opportunities to exploit the evolving remote learning environment in addition to the methods that have already been published.

Mitigating insider risks in the academic sector

The growing number of cyber incidents in the academic sector has one thing in common. These incidents come into fruition by leveraging the insiders. Whether it is the students, their parents, or teachers unknowingly clicking a malicious link or the lack of cybersecurity protections in the devices that they use, insider risks remain a leading cause of breaches and disruptions in institutions. The common denominator in mitigating insider threats is the human element.

Cybersecurity awareness training

Promoting cybersecurity awareness among the students, teachers, and staff remains critical in the fight against cyber threats. Security awareness training that focuses on modern social engineering threats, ransomware attacks, and phishing scams and how they are delivered is essential. Good digital literacy and security hygiene training can prevent insider risks from coming into fruition. Ensuring students and employees know who to contact should they see suspicious activity or when they believe they have been a victim of a cyberattack can expedite incident response.

Ed-tech implementation considerations 

According to CISA cybersecurity advisory, when educational institutions partner with third-party ed-tech services to support remote learning, they must evaluate the ed-tech provider’s cybersecurity practices and incident response plan. It is also essential to consider the provider’s data security practices for their products and services, their data maintenance and storage practices, types of student data the provider collect and tracks, and entities to whom the provider will grant access to the student data.

Monitoring and surveillance

One of the critical steps to prevent insider risks is ensuring a good security state of both the employees and their devices. Academic institutions can deploy solutions like Veriato employee monitoring to keep up with employee activity even when they are remote without violating privacy regulations. Monitoring can ensure the privacy settings in the device and the sites accessed are adequate, which eliminates inappropriate use of the internet and access to risky sites.

Automate insider threat prevention

In the Consortium for School Networking’s most recent Ed-tech Leadership Survey Report, respondents confirmed that “cybersecurity and the privacy of student data are the top two technology priorities.” However, strapped IT budgets in academic institutions lead to IT staff shortage. Inadequate cybersecurity staff allows cyber incidents that could be otherwise mitigated. It is prudent to adopt technologies that can automate threat detection and intelligently respond to attacks in such circumstances.

The growing recognition of cybersecurity investments among the IT leaders in the academic sector is a trend in the right direction for investing in advanced and automated insider threat detection solutions. Endpoint-based insider threat detection solutions can provide organizations complete visibility into user behavior, regardless of their applications. Veriato’s Cerebral, for example, is an AI-driven solution that automates the entire flow of insider threat detection. It provides visibility into user activity that serves as the basis for behavioral analytics and activity monitoring for accurate early detection of both potential and active insider threats.

Ransomware protection

To mitigate ransomware threats, the FBI and CISA recommend:

• • Regularly back up data, air gap, and password-protect backup copies offline.

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

Advanced solutions like Veriato RansomSafe™ provide all of the above and more. Veriato RansomSafe^™ maintains an up-to-date, robust database of known ransomware signatures. It also uses honeypot files, which, if modified, informs RansomSafe of the potential attack. These techniques allow RansomSafe to detect ransomware variants early enough to prevent data theft.

Conclusion

As remote learning becomes integral to academic institutions and ed-tech investments continue to trend upwards, it should be no surprise that cybersecurity measures should be a top priority for IT leaders and administrators. Insider risks collectively form a severe weakness in remote learning environments. Cybercriminals are now routinely exploiting this weakness. The lifecycle issues of inadequate security staffing, lack of security education, and hygiene in the educational institutions must be countered with security awareness training and advanced solutions that automate threat mitigation.  As many school districts face resource limitations, educational leadership, information technology personnel, and security personnel must balance this risk when determining their cybersecurity investments.