Cyber Security for Schools – Strategies & Lessons Learned

 

Alex Henderson has extensive experience as an IT lead across a number of industries, becoming Head of IT Services at Eton College in 2017. He fully appreciates the need for robust cyber security, having responsibility for the most famous school in the world, an attractive target for cyber criminals.

 

John Sainthouse is Group Director of inTEC EDUCATION. Before joining inTEC, his experience includes well over a decade working as Head of IT for two of the leading UK independent boarding schools.

 

Between them they know a thing or two about independent school information technology!

 

 

In February 2022 John interviewed Alex on the topic of “Cyber Security for Schools – Strategies and Lessons Learned”. This article follows on from their discussion and we hope provides some helpful information for anyone working in a school or educational organisation to combat the threat of cyber-crime and ransomware.

Click here to watch their original discussion.

 

We welcome your comments or questions about the video or article:

john@inteceducation.com

 

What would you say are the major threats facing independent schools today?

 

Viruses, Malware, hacking, denial of service attacks – they are still there, as they always have been

Ransomware has to be the most significant threat

Instances of phishing and malicious emails and texts are on the increase, with criminals taking advantage of Covid ‘Test & Trace’, etc. But these are not threats in themselves, merely entry points for threats I’ve already mentioned. Ransomware remains the greatest risk, both in terms of its likelihood and its potential damage.

 

Do you see the nature of cyber threats evolving?

 

Yes, without a doubt. Ten or twenty years ago there were two types of cyber attack: at one end of the scale were the targeted hacking events, aimed at large multinational, government or military targets. These were for financial or political gain, and schools simply weren’t on their target list. At the other end were the more generic viruses or malware, which were really just digital vandalism. We all took every precaution not to let a virus run riot and kill our systems, but we didn’t feel “under attack” as if there was someone specifically aiming at us: although we could lose, the hackers and authors of 20th century viruses didn’t really stand to gain – not financially, anyway. If you were infected it was just “bad luck” rather than deliberate, and the damage was probably not too acute.

But over the last five or so years, the advent of ransomware and of untraceable digital cryptocurrencies has meant that everyone is now a target. Now criminals can release viruses that don’t just cause inconvenience – they can also earn them a lot of money. Untraceably. Suddenly they have a real reason to attack any organisation they think might be willing to pay. This is no longer throwing bricks at bus shelters – it is a multi-billion dollar industry, and they are getting very, very good at it.

 

So, how vulnerable do you think schools are to ransomware, compared with other industries?

 

It rather depends what you mean. If you are asking whether schools are more likely to be targeted, I would say “not really.” Two thirds of ransomware infections begin with someone opening a phishing email, and most phishing emails take a scattergun approach: they are sent to millions of recipients and infect anyone who happens to click the links. So in terms of how likely we are to receive a malicious email, I would say that schools are no more at risk than other organisations.

Of course, there’s spear-phishing and whaling: phishing emails specifically aimed at an individual, and these are definitely on the increase, but I’ve never heard of one of them aimed at a head teacher or bursar.

However, if you’re as asking if schools are more likely to fall victim, then I would definitely lean more towards “yes.” It is the nature of schools that a large proportion of our users are children, and children tend to be more naïve, less cautious and more prone to explore and experiment online than adults. Also, a lot of schools make extensive use of BYOD, meaning many, or even most of the devices on our networks are beyond our control in terms of security and patching. And there’s no denying that most schools don’t have enormous IT budgets to play with, so the products that cost the big bucks simply aren’t an option. So I would say the chances of a phishing email being clicked in a school are higher than the chances of the same email being clicked in, say, a law firm. And the chances of that click doing some damage in a BYOD environment with security-on-a-shoestring are certainly higher than the same click in a tightly controlled law firm.

Or are you are asking whether schools are more exposed to significant damage if there is a successful attack? If so, I think a fair answer is “probably more than most.” The criminals who launch these attacks and demand ransoms do their research, and are well aware both of the value of the information they might extract, and the wealth of the victim. This is why I believe independent schools are vastly more exposed to ransomware than state schools. If our parent databases include the rich and famous, and if we are known (or are perceived) to have deep pockets, they will see far more value in attacking us than, say, a small primary school who won’t have high-value data to steal, and won’t be able to afford the ransom. They know we have information we want protected, and they know we can pay. Or they believe we can, and that comes to the same thing.

 

Is it really that big a threat?

 

Without question: yes it is. The Covid pandemic hasn’t helped, with a plethora of new NHS, government and ‘Test & Trace’ emails for the authors of phishing emails to imitate. The US firm Purplesec reckons cybercrime as a whole has increased by 600% since the start of the pandemic, with a new ransomware attack every eleven seconds. The global cost of ransomware was about $11Bn in 2019 and $20Bn in 2021, which is 50 times what it was five years ago. This is definitely a very real threat, and no one can afford to ignore it or think they are invincible.

 

So what can schools do to protect themselves against ransomware?

 

Before I can answer that, it’s important to understand how ransomware works. You can’t protect yourself against something if you don’t really know what it is or what it does. Of course, there are many forms of ransomware, and they’re all slightly different. If all viruses were identical it would be simple to stay protected. Just like with Covid or ‘flu, every mutation or variant requires a slightly different vaccine, each computer virus exploits a different vulnerability and we need a different patch or process to stay protected, but there are a number of common traits that seem to apply pretty much across the board.

The objective of ransomware is always to encrypt your data, so you no longer have access to it, and for the criminals to then demand a ransom before they decrypt it and return it to you. Depending on the nature of the data, they may also threaten to publish it if you don’t pay. So, if they get your parents’ or alumni address lists, this could be very damaging.

It will always start with a single, initial case. One infected computer, and the infection then spreads across your network. But ransomware often lies dormant, spending days, weeks, even months spreading and infecting your network, but otherwise doing nothing, so you have absolutely no idea it is there until it is too late.

There are all kinds of things it can do to help it spread. It might install a keylogger to harvest administrator credentials when they are typed in, it might exploit any one of the many vulnerabilities in Windows, in network protocols (think TLS 1.0 or SMB 1) or it might simply decide to encrypt data on every network share the infected computer can browse to.

The other thing ransomware typically does is to attempt to locate and destroy your backups. If you can restore damaged data from a backup, the criminals have failed: you won’t pay a ransom, you will simply revert to yesterday’s backup. But if your backups are encrypted too; if the ransomware has been in your system for weeks and every incremental backup ends up as infected as your live data, then your backups are worthless, and the criminals have won.

 

That all sounds pretty depressing.

 

Well, yes, it’s pretty grim if it gets that far, but there are steps we can all take to limit our exposure. You should be aware of the four aspects of cyber security: Prevention, Detection, Mitigation and Recovery.

By ‘Prevention’ I mean anything we can do to stop that initial infection. There are all kinds of ways an infection could arrive, but the chances are it will be one of your users: one of your staff or pupils, who will do it. They might click a link in an email, visit a compromised website, use an unsanctioned VPN service or insert an infected USB stick. It will be accidental, but that is small compensation. There are a few things we can do that will make this initial infection much less likely:

  • Implement DMARC and DKIM on your email systems
  • Have a robust anti-spam and anti-virus email filter, ideally one that offers a sandbox for embedded links
  • Undertake annual penetration and vulnerability tests and have your network security independently tested. Cyber Essentials is a good start.
  • Patch everything. Your servers, your desktops, your laptops, your firewalls, your switches, your wireless. Just patch it all. Regularly. You don’t have the time to analyse every new vulnerability; Microsoft do. Cisco do. Apple do. All you have to do is install the updates they hand you. But make sure you have a proper process in place for patching. Make sure you don’t miss any. What about that spare laptop that sits on a shelf and only gets used when the inspectors visit? It only takes one forgotten-about Windows 7 device that’s three years out of date to undo all your hard. Use a tool to deploy your patches so you get an audit log of successes and failures.
  • I can’t stress this enough. Train your staff and pupils on what they can do to keep your school secure and how to spot a malicious email. And do it regularly. It should be as key as the annual KCSIE refresher training. It is actually pretty unlikely that someone will hack your firewalls and implant malicious code from the safety of their bedroom in Moscow, or Pyongyang, or wherever. Not impossible, but unlikely. 98% of all cyber attacks rely on some form of social engineering. The single best thing any organisation can do is to raise awareness of the risks, and prevent the avoidable accidents. Think of cyber security at your school as like defending a medieval castle: you can have the thickest walls and the deepest moats, but they are useless if someone leaves the gate open.

After Prevention comes Detection. If all your preventative steps have failed, and someone clicks a link and causes that dreaded initial infection. How do you know you have an infected computer? More importantly, how quickly do you know? I’m afraid, this is where you need to put your hands in your pockets, because effective, autonomous detection systems don’t come cheap. You might be able to persuade your governors that £10,000 annually to save a million pound ransom is money well spent. If your budget stretches to it, great, go for it; if it doesn’t, I suggest you shelve this one and concentrate on the other three stages first – Detection is the icing on the cake, but you have got to bake the cake first.

 

What do you mean by ‘mitigation’, then?

 

Mitigation is your bursar’s favourite part of this process, because it is largely free. It’s all about getting your policies and standards in order, and doesn’t normally involve buying anything. Think of all the things I mentioned that enable ransomware to spread around your network. Take each one in turn and tighten your security so you close each loophole that could be exploited:

  • Enable MFA. This is so obvious it hardly needs mentioning. Multi-factor authentication is the quickest route to blocking unauthorised access to your network. If a keylogger gives criminals a valid username and password combination and they then try to log in to your domain controller from a bedsit in Moscow, they simply won’t be able to if that account has MFA enabled. It’s easy; it’s free… don’t wait – just do it.
  • Have a robust password policy. Industry advice has changed recently over what makes a good password policy: we’re not being advised to change our password every month like we used to be, and there’s more emphasis on having a password that is suitably complex and hard to guess. Do you have senior members of staff whose password is their dog’s name and is set never to expire and hasn’t been changed for a decade? It’s not enough simply to have a policy – you must make sure all accounts comply with it.
  • Next, don’t let user accounts have local administrative rights to their computers. There’s really no justification for anyone outside of the IT Department to be allowed to make change to School-owned computers. If you click a malicious link and your account is an administrator the malware will just install, and you probably won’t even notice. This goes for IT staff too: there’s no need for their main login accounts to be elevated – give them a second account so they have to type in a password to make changes. It’s not that much of an inconvenience.
  • Also, don’t use the same admin password on all computers. If a keylogger picks up the admin password for one, how much safer will you be if that is the only computer it works on, rather than have hackers knowing a password that gives admin access to every single computer on your network?
  • You should restrict the number of domain- or enterprise admin accounts. It might be convenient for your network manager’s account to be a domain admin, but is it really necessary? It may be convenient for him, but it’s also jolly convenient for a criminal who happens to capture his password.
  • Have a regular review of user accounts and their access. If ransomware can encrypt all data on every mapped network drive on an infected computer, you can minimise your exposure by not giving people access to data or servers they don’t need. If someone used to work in Finance but has now moved departments, take away their access to the finance system if they’re not using it anymore.
  • Don’t use deprecated systems like TLS 1.0 or SMB 1. There aren’t many devices or systems that require these now (some older photocopiers, perhaps, don’t support SMB 3 for scanning, but they must be pretty old by now anyway.) This is where the NHS came unstuck with WannaCry, but they had million-pound MRI scanners that relied on XP workstations; but that shouldn’t apply in a school – if you have any outdated system that requires a security loophole to be opened, replace the system, don’t live with the loophole.
  • This is all a trade-off between convenience and security. Don’t get brow-beaten into allowing a few people’s convenience to jeopardise everyone else’s security. I guarantee your leadership team will be completely on your side if you explain to them what the consequences could be of not taking appropriate action.

 

Is that it?

 

Almost certainly not, but it’s a pretty good start. If you do all this, you will be making it as hard as you can for criminals to infiltrate your network. Hard, but not impossible. So there’s one final stage, which is arguably the most important of the lot: Recovery.

You MUST have a good backup strategy. The world has moved on from tape backups, and almost all backups these days are disk-based, either on-premise or using a 3rd party cloud provider (or – better still, a combination of the two.)

One advantage of tape backups was that they were cheap: you could put a tape on the shelf and store it indefinitely, using a blank tape next time around. You would have this backup copy forever. Disks, however, fill up and eventually get overwritten. It’s imperative that your backups reach far enough into the past that you can create a restore point BEFORE any infection, if one were to occur. If you were infected by ransomware today, but the payload didn’t activate until April, would you have a backup that was old enough that it didn’t also contain the ransomware code? If all your backups get overwritten after a month, they would be completely useless, as they would be encrypted along with your live data. The watchword here is ‘immutability.’ That is to say, you need to be certain you have copies of your data that cannot be changed once they are made. These are immutable copies. If you accidentally delete a file today you can restore from yesterday; but if you discover an infection today you might need to restore from six months ago – so make sure you can.

 

Who is responsible for cyber security?

 

Well, one answer would be “everyone.” There’s no escaping the fact that every single person needs to play their part in keeping your organisation secure, and preventing a ransomware infection.

However, obviously, someone needs to be in charge, to set the policies, agree the timescales and manage the implementation of any changes. Exactly who that would be will depend on the structure of your IT Department: most schools won’t have a dedicated security position, so whether the responsibility lies with your network manager, your Head of IT, or whoever, will vary from school to school.

What is very important, though, is that your leadership team is involved in the process: they are the ones whose necks will be on the line if it all goes wrong, so it’s essential that any changes you put in place come backed with a mandate from them. If your school does fall victim, the buck will not stop on the Head of IT’s desk; it will stop with your board of governors, so ultimately it is their responsibility to ensure cyber security is handled properly. Their job is to instruct the Head of IT to implement appropriate precautions, so now is the time to advise your governors and leadership team on the changes you would like them to request.

 

What is the cost of effective cyber security?

 

To quote William Webster, a former director of the FBI, “Security is always too much, until the day it is not enough.” You can spend tens, hundreds of thousands of pounds on cyber security and you still won’t be 100% protected against every possible scenario. The good news is that the prevention and mitigation steps I mentioned earlier come with a pretty low price tag. Most are simply changes of approach and cost nothing to implement, and these, in fact, are where the biggest gains can be made. An enterprise-class AI-driven autonomous detection system is of little use on its own if your firewalls are wide open and your computers aren’t properly patched, so get your house in order before you invest in an expensive system to tell you what you should already know.

The one place where we should all be spending some money is backups. There is no alternative to a good backup solution; if you have a lot of data the cost can be high – I can’t put a price on it, as there are so many variables, but the cost of getting it wrong is unthinkable.

 

What three things should I prioritise following this webinar?

 

  • Train your users
  • Secure your workstations
  • Review your backups

 

Three Pillars for Cyber Resilience

 

John explains the inTEC EDUCATION approach for schools. We have produced a simplified strategy for cyber security and resilience, built on three important ‘pillars’, very much in line with Eton College’s ‘four aspects of cyber security’ mentioned above .

 

1: Protection

These are the gates that prevent bad things from happening. These can be firewalls, web filters, anti-malware protection, email security, multi-factor authentication and much more.

Prevention is better than cure, but schools must choose wisely which measures to take and how much to invest.

Each school will need a portfolio of protection measures, but it is easy to get distracted and neglect some basics. Start with a security test by a trusted partner, address the items highlighted as critical, then build the school protection plan with enhancements that are appropriate.

 

2: Detection/Mitigation

No matter how comprehensive the protection measures are, there will be a chink in the IT armour. No system can ever be 100% safe from attack.

So, a method of detecting a live attack is really important, and essential is an automated response to stop the attack in its tracks.

 

3: Recovery

It is critical to have a way to recover systems and data. This is the last line of defence, but one each school must assume they will need to rely on.

Multiple backups, with some stored off line, is essential. However, recovering systems from backups can still be a very complex and time consuming task, taking weeks in some cases.

There are additional systems that will enable the school to rapidly recover access to essential data and systems should the need arise.

 

inTEC EDUCATION can help advise schools on all of these three pillars.

 

 

Final Words

Cyber crime is here to stay, and increasing exponentially. Schools are seen as soft targets, with independent schools being “hacker’s honeypots”!

 

Don’t fight the war alone, act promptly and get expert help from trusted partners where you need to. Please get in touch today.

 

 

 

The authors of this article accept no liability for errors or omissions.

Copyright Alex Henderson and John Sainthouse. All rights reserved.

Leave a Reply