A new report out Monday found K-12 organizations’ cyber postures slipping slightly over the prior year as they grapple with stubborn cybersecurity challenges and threats ranging from banking Trojans to ransomware.
Cybersecurity funding remains a top concern for the sector, but federal officials are turning attention to the issue and various organizations offer low-cost and free cyber tools.
On Nov. 13, the Federal Communications Commission (FCC) proposed a pilot program that would provide funding supporting cybersecurity and advanced firewall services at schools and libraries. Plus, K-12 Dive notes, state planning committees could use funds from the ongoing State and Local Cybersecurity Grant Program to help school districts in adopting cyber best practices.
Meanwhile, organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) offer some free tools and resources, while the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability list can be a helpful way to prioritize, advises the new Center for Internet Security (CIS) MS-ISAC K-12 Cybersecurity Report.
STRENGTHS AND WEAKNESSES
In 2022, 402 K-12 organizations participated in the Nationwide Cybersecurity Review (NCSR). They listed a familiar set of security concerns. Alongside funding shortcomings, those included cyber threats’ rising sophistication, insufficient availability of cyber professionals and lack of documented processes or cyber strategies.The NCSR scores organizations’ cyber maturity to help them assess strengths and gaps. In 2022, K-12 participants averaged a score of 3.25 out of a possible high score of 7. That’s a touch below 2021’s average score of 3.55 — although still “satisfactory,” the report said.
Improving means K-12 must shore up areas like supply chain risk management. Plus, more K-12 organizations should adopt protective measures like collecting audit logs, maintaining data classification schemes and defending against some malware by disabling the autoplay feature on removable media.
Those were also areas of weakness in 2021, but new issues emerged in 2022, too: lack of maturity around “information protection processes and procedures” and around “detection processes.” The report advised organizations ensure they’re conducting automated vulnerability scans of externally exposed enterprise assets, and that they’re taking incident response management steps like establishing and regularly exercising incident response processes.
On the plus side, K-12 organizations showed new maturity around maintaining and repairing industrial control and information system components. They also continued a strong showing on identity management and access control, and cybersecurity awareness and training, per the report.
During a CIS webinar Monday, Texas Education Agency Deputy CISO Todd Pauley said training goes a long way, because hackers often take advantage of social engineering and human mistakes.
”We [in K-12] are doing a wonderful job on training,” Pauley said. “If you look at any kind of statistics as far as initial access into a ransomware event or malicious event, it‘s 93 percent user-initiated — whether through phishing or a misconfiguration … on the flip side of that, it’s the people who catch those; they point those out.”
Improving the security culture of an organization can require persistence and patience, said Brian Paulhamus, information security officer at Central Susquehanna Intermediate Unit, a regional education service agency in Pennsylvania. Paulhamus managed to get cybersecurity to become a regular part of new employee orientation and monthly supervisor trainings — but not quickly.
“Be patient,” Paulhamus advised during the webinar. “I’m talking a five-year-plus process to get to where we now have this embedded in the organization. Small wins are important just as much as the big ones are, because it can take literally years to see the fruits of your effort fulfilled in that way.”
As K-12 organizations look to advance their cyber journeys, Indiana Department of Education Director of Educational Technology Brad Hagg recommended taking the free NCSR, both to better inform entities about where they stand and provide the sector with information to help advocate for supports.
“[The NCSR] contributes to these incredible statistics that help inform our lobbying and legislative efforts to increase funding and availability of services to support the educational process,” Hagg said during the webinar. “… Giving those policymakers and people around the world as much data as possible, while improving your own posture, just to me seems like a great way to start no matter where you’re at.”
The CIS MS-ISAC report identified top threats facing K-12 entities in the 2022-2023 school year, based on data from 4,600 K-12 MS-ISAC members, as well as findings from CIS’ security operations center and cyber threat intelligence team.
Alongside ransomware, certain families of banking Trojans and a cryptocurrency miner were frequent threats. K-12 organizations also suffered from attackers using legitimate remote access tools to conduct activities while better evading detection, and Magecart card skimming was another common threat.
Perpetrators using malware often gained initial access to K-12 entities by sending malspam, or emails containing malicious links or downloads — a method employed 43 percent of the time. Meanwhile, 14 percent of the time, hackers infected systems by dropping malware. All other times, the hackers used multiple methods.
CoinMiner comprised 20 percent of malware affecting K-12 entities from August 2022 to May 2023. It’s a type of cryptominer, which hides in the background and uses victims’ devices to mine cryptocurrency. The malware family was also a common threat between August 2021 and May 2022, per last year’s report.
Banking Trojans, meanwhile, aim to steal online banking customers’ credential and financial information. Tiny Banker — also called Tinba — captures victims’ information off login pages and web forms and comprised 11 percent of malware affecting K-12 organizations this past school year.
Tinba often spreads through exploit kits. Per CrowdStrike, attackers using exploit kits typically find a compromised website and make it redirect traffic to a malicious landing page that scans visitors’ devices for vulnerable browser applications. If any are found, the kit exploits them and spreads and executes malware, infecting the victim’s host environment with malicious code.
Qakbot, was the most reported threat, comprising 23 percent of all malware impacting K-12. This banking Trojan intercepts authentication tokens during active banking sessions, per the report. The danger doesn’t end there, with Qakbot operators often getting what they want from victims then selling access to other threat actors, who may then introduce their own malware — including ransomware.
Qakbot often spread through malspam, including thread hijacking, in which attackers strive to appear more legitimate by sending their malspam within existing email conversation threads.
Schools may be able to breathe easy on this particular threat, however: In August 2023, the FBI and international partners announced they’d dismantled Qakbot’s infrastructure.
Another bright spot: Shlayer is no longer the significant threat it was in last year’s report. In April 2021, Apple issued a fix for a zero-day exploit Shlayer had been abusing in macOS, per TechCrunch and BleepingComputer.