Security vulnerabilities make the education sector a risky business – Open Access Government

The education sector continues to find itself increasingly vulnerable to cyber-attacks. Over the past 12 months, in particular, attacks have led to significant disruption to teaching and, worse, the temporary shutting and even complete closure of schools and universities. Whilst students and teachers might pay the heaviest price, they usually have little control over their fate after a cyber attack.
The education sector is particularly vulnerable because of squeezed budgets, which have led to outdated, unprotected technologies that are easy to infiltrate. Whilst not a cash-rich target, education facilities hold a treasure trove of individuals’ personal and financial data.
Even though cyber attacks have the greatest impact on students and teachers, they often have little control over stopping them. The majority of cyber-attacks are the result of security weaknesses in EdTech providers’ products and systems. So, how exactly is the sector being let down, what is the impact on schools and universities, and — most importantly — what can be done to improve the situation?
EdTech developers are not necessarily taking adequate or sufficient steps to secure their products and systems.
In fact, Rapid7 found vulnerabilities involving cached credentials in an education technology provider called Cengage. The technology provider is predominantly used in the United States for higher education environments, offering digital products, including homework tools, e-textbooks, and online learning platforms (such as WebAssign).
The vulnerabilities allow a malicious actor to read and alter a student’s personal information by accessing the target’s browser session or the network proxy logs. The vulnerability can also allow an attacker to hijack an administrator or teacher’s sessions.
Education establishments are also a hotbed for shared computers, and quite often, users are unaware of the importance of locking shared machines. Locking a machine stops hackers from quite literally waltzing up to it, gaining access to a system and attempting to bring it down.
Ultimately, it is the students who pay the high price for oversights by EdTech developers. Attackers are not always demanding ransomware payments but instead are halting learning and the delivery of services. Primarily, hackers look to disrupt access to systems — systems that would otherwise allow lecturers to deliver slides, and students to submit vital assignments or access supporting resources that only exist in digital format on the school’s network.
Where ransomware attacks do happen, already struggling education hubs are crippled by the sums demanded and, in the tragic case of Lincoln College last year, forced to cease operating. The college struggled financially after the COVID-19 pandemic, but the ransomware attack was the last straw. The attack in December 2021 disrupted admission activities and obstructed access to institutional data, which significantly impacted enrolment projections for Autumn 2022.
We’ve also seen the impact of ransomware on UK universities. The University of Portsmouth was forced to partially close its campus after an attack shut down its IT systems. It resulted in the start of the new term being delayed, and on top of Covid, it meant further disruption for students.
Whilst in both of these cases, students would have been fine staying at home on their own, it would be different if a ransomware attack hit a primary school. If these schools are disrupted to such an extent that they need to close, then parents might have to stay at home and not go to work. Suddenly, a cyber-attack affects not just the education world but businesses across different sectors.
Greater responsibility must lie with EdTech developers when supporting the sector to stand up against cyber-attacks. Tech supplied to schools, sixth-form colleges, universities and other teaching establishments must be frequently updated, and patches to vulnerabilities need to be implemented as quickly as possible. There should be better processes for reporting vulnerabilities, and patches should be released in a timely manner, with strong communication as and when they are available.
From the educator’s side, we advise putting together some probing questions for technology vendors on how they deal with vulnerabilities found and reported, what patch cycles typically look like, and how much experience they have with secure software development. If a company has a published Vulnerability Disclosure Program (VDP), take that as a great sign that the company has at least heard of modern VDPs.
Schools are traditionally very tricky to secure; budgets are tight, students are notoriously patient hackers, and security concepts like proxies and firewalls are often at odds with academic freedom. The key to working together as an EdTech provider and an education provider is to ensure both parties are aligned and understand secure network design — but also the importance of (and how to go about) transparent vulnerability reporting processes.
Supporting education establishments to put network segmentation in place can also prove extremely useful. By segmenting a network, you are stopping attackers from moving laterally across entire systems and containing a breach in a network at the point of entry.
Equally, getting the basics right is fundamental to cyber security; therefore, reminding education providers of good cyber hygiene practices can go a long way to prevent attacks. Education around shared computer use and password length, even though both may sound basic, can have a huge impact once better practices are in place across the teaching establishment. Finally, a more complex password and a locked shared workstation can protect a network from attack more than you may think.
The education sector will continue to find itself in the middle of a perfect storm of increased attacks and weakening networks if immediate steps aren’t taken by both education and technology providers. Without addressing the basics, teaching is in danger of being continually disrupted and worse — where there are financial implications of an attack — education providers may be forced to close altogether.
Written by Tod Beardsley, Director of Research, Rapid7

