Sponsored Around 2013, the early pioneers of mass ransomware made a discovery that changed the entire trajectory of what has since become the most unpleasant and financially successful industry in the history of malware.
With names like Reveton, CryptoLocker, and TorrentLocker, the malware of that era landed on the PCs and servers of end users, encrypted their files, and demanded a do-able ransom, usually around $200-$300. But as more and more small organisations were caught up in the same scattergun attacks, the criminals noticed how desperate many SMEs were to get their data and systems back pronto.
Ransomware, it seemed, wasn’t just hiding data but bringing entire organisations – sometimes surprisingly large ones - to a standstill. It was a proverbial lightbulb. The criminals had invented a denial-of-business attack much more reliable than any old-fashioned DDoS. As the malware industry realised its true calling panic spread and ransoms started to rise.
Schools were no exception, often defenceless against something as fast-spreading as ransomware. Looking back from 2021, two things stand out. The first is that, without realising it, schools had come to rely on the digital world to the extent that without computers and networks they could no longer function.
Secondly, getting devices to students became the top priority for educational continuity during the Covid-19. But this sometimes meant that security considerations had to take second place, with hard-pressed school IT departments fire-fighting on all fronts and typically with limited resources at their disposal.
Schools out forever
In 2019, a UK National Cyber Security Centre (NCSC) audit found that 97 per cent of the 432 schools questioned admitted that losing access to their network would cause major disruption. Almost all, 83 per cent, had experienced some type of security incident, with the leading causes cited being fraudulent emails sent to staff, important data being made unavailable, malware infection (including ransomware) in that order.
More than nine in ten schools said they suffered significant disruption because of these attacks, with ransomware and other malware mentioned in 30 per cent of cases. Given that 69 per cent also mentioned phishing attacks - a big way ransomware gets behind school defences - this is probably an under-estimate of its true impact.
“What jumped out at me from the NCSC report was that less than half - 49 per cent -of schools were confident they were adequately prepared in the event of a cyberattack,” says Lenovo worldwide education solutions architect, Shayla Rexrode. “I think this is indicative of the situation of a lot of schools in a lot of markets. Threats against schools have really proliferated in the last one-to-two years, and now they are here to stay.”
In 2018, Lenovo launched ThinkShield, a suite of services designed to secure devices, the way users access them and, most importantly, the data they hold. Although offered to a wide range of businesses, Rexrode believes that layered security solutions such as ThinkShield are now an essential aid for an education sector in need of specialised advice.
“A basic question people ask is: why schools? Why would a cyberattacker want to come after a school?” Students are unfortunately easy targets once their personal data is compromised since their credit is typically not monitored as frequently as adults, so theft of their identity is less likely to be found and addressed.
Schools have seen a huge influx of technology in the last decade, primarily in devices such as laptops and Chromebooks, and in the remote learning classroom support software used to administer digital learning. This has happened in every industry and as in every other sector it has increased what the cybersecurity industry refers to as the attack surface. “Since the pandemic started, continuity was the priority. In many cases, security was a secondary priority. Now, nearly two years into the pandemic, with devices already in place, a big shift is occurring and now security is being addressed with more urgency,” says Rexrode. However, schools typically “do not have the headcount to support this technology in terms of security. Historically, money has not been available to purchase cybersecurity software or to add staff. This has made schools soft targets.” “Due to competing markets, I don’t anticipate we will see an influx of IT staff going into the school sector. But it’s not always the number of people you have; even school districts with larger IT departments can find themselves being compromised,” she says.
Follow the data
Following on from a long list of attacks on US schools in recent years, the UK has seen a sharp uptick in reported incidents since the 2019 NCSC report. There is now a dispiriting inevitability about reports of new incidents. In March 2021, 15 schools in Nottinghamshire had to shut down their systems after ransomware struck, followed a few weeks later by another 50 in London that reportedly left 36,000 students without access to email
This August it was the turn of schools on the Isle of Wight. Two months earlier, the NCSC issued a warning to schools about the threat posed by ransomware that highlighted the risk of VPN access, Remote Desktop Protocol (RDP) remote access, and phishing. This underscores how like other businesses schools have become, including having the same mix of vulnerable hardware and software.
Ransomware attacks are usually seen as disrupting important services to make the extortion demand more compelling as a way out. It’s understandable educators would focus on this because any interruption in service hinders their ability to educate youngsters. And yet there are much darker possibilities the sector might still be downplaying.
Rexrode mentions the anecdote of a young person she heard of who applied for a college grant at the age of 17 but was turned down. It transpired that ID thieves had taken out financial products in that individual’s name, ruining their credit score before they’d reached voting age.
“The school was able to show where multiple credit cards and two vehicles had been purchased in this person’s name. His parents had not thought to track the credit score of someone so young. There is a strong likelihood this kind of data can be utilised for some time before it is detected.”
Now that ransomware seems increasingly focussed on stealing data as encrypting it, the game changes. From the attacker’s point of view this makes sense. The data of young people will be useful for longer, which makes it more lucrative to sell on. It’s the issue nobody trying to stop ransomware attacks likes to think about: hardware such as PCs can be physically restored after a malware attack, but once personal data has been stolen, it is gone forever and can never be un-stolen.
“Anywhere they can find data that can be utilised for ID theft, they will target.” It just so happens that schools have an endlessly refreshing cache of useful identities with decades ahead of them.
According to a recent NBC News story, an analysis by security company Emisoft detected data stolen from 1,200 kindergarten to age 12 (K-12) US schools in dark web forums. All were leaked in 2021 after ransomware attacks, with some schools contacted about the issue not even aware it had been taken. This was based on US leaks but there is no reason to believe that the same wouldn’t apply to similar data stolen from schools anywhere in the world.
Not just Chromebooks
A major problem for schools is choosing and integrating the range of products they need to secure the PCs, Chromebooks and tablets devices used by pupils, teachers, and administrators. It’s a device challenge but also a software and data protection challenge.
The way Rexrode describes it, ThinkShield is a portfolio of layered security solutions offered through partners, including SentinelOne’s endpoint security platform, as well as device and asset tracking from Absolute, with encryption and remote erase capabilities to secure data stored on devices.
“We created ThinkShield to be very customisable and end-to-end. And that is no matter what device students are trying to use,” says Rexrode. Schools can not only track the device if it is stolen they can monitor its health, how it is being used, and whether its software needs to be updated.”
Lenovo laptops, Chromebooks and servers for education can be protected by an array of security measures. These include mechanical privacy shutters for webcams, locked-down USB ports, physical and BIOS-level asset tagging, and the ThinkGuard screen privacy feature.
“Every school is different. Some might already be using Absolute and need something like SentinelOne. But we always ask a lot of questions about their devices and anti-virus so that we can better understand their needs.”
Rexrode offers a few recommendations to assist schools in evaluating their IT infrastructure to decrease vulnerability. One of the first priorities for school cybersecurity is protecting devices themselves. An important underpinning of this is having an accurate asset inventory which provides a complete picture of what must be tracked, protected, and patched. The ability to track a device’s location is a particular issue in an environment where student laptops are often lost and mislaid. The Absolute tracking service means that this can immediately be traced and locked down.
However, she warns, good cybersecurity is also about people and not just hardware. “Schools need to look at what awareness and protocols they have put in place for students and teachers about the implications of a cyberattack. For example, how often are they having training sessions? Schools would be well served to create greater awareness and a sense of urgency around cyber attacks.”
Part of Lenovo’s consulting offer is that it will analyse each school’s infrastructure for security weaknesses as well as human vulnerabilities. In the event an attack happens, Lenovo ThinkShield cyber security solutions will provide services to aid remediation and recovery through its partners.
Rexrode believes that schools can cope with the rising complexity of cybersecurity by accessing services offered by third parties. “It’s not enough to ensure that children are physically safe when they come into a school. We need to safeguard their data too.”
Sponsored by Lenovo.