On May 7, hackers held the city of Baltimore hostage in a vicious cyberattack. They infected the city’s servers with a new form of malware called RobbinHood and demanded a ransom of about $76,000—or Baltimore’s data would be lost forever.
Ultimately, the city opted not to pay the ransom. According to The Baltimore Sun, officials project they will spend about $10 million in recovery efforts by the end of the year, compounded by an additional $8.2 million in lost or delayed revenue—not to mention the millions of people affected, inconvenienced or worse. Baltimore isn’t the first U.S. city to weather this type of threat—Atlanta suffered a similar attack in 2018—and it won’t be the last.
“But cities aren’t the only highly vulnerable targets to be found by would-be attackers,” writes Sean Gallagher, IT and national security editor of Ars Technica. “There are hundreds of thousands of internet-connected Windows systems in the United States that still appear to be vulnerable … and hundreds of them—if not thousands—are servers in use at U.S. public school systems.”

In fact, as reported by writer Benjamin Herold in Education Week: “Districts around the county have fallen victim to phishing scams, hacks, ransomware attacks and missteps by their own staff and students. The fallout has included millions of lost taxpayer dollars, tens of thousands of teachers and children who have had their personal data compromised, and an erosion of public trust.”
Every school has student data that can be stolen, files that can be corrupted, and networks and data systems that can be held for ransom. Therefore, it is vital for educational organizations, whether they own their own network infrastructures or not, to protect themselves as much as possible.
Experts say schools and districts need to proactively teach students and staff to be good digital citizens, to guard their online privacy and security and to be knowledgeable about hardware, software and personnel-based defense systems.
The best weapon in this fight is information and a strong support network. Hopefully, with a broader group working to support each other, academic professionals can build a future where technology enhances the educational experience, while keeping all of its users safe.
Best Practices for Educational Institutions
NETWORK SECURITY
External
Networks should be protected through a systematic integration of appliances, tools, services and practices. From the outside, a district should actively block access to and from countries that produce high levels of fraudulent activity.
Internal
Network account management should be automated and integrated with HR/personnel employee onboarding management systems. Student access should be handled in a similar manner. No pre-shared or open guest access should be allowed.
MONITORING
Simply put, all activity should be subject to monitoring.
Student Networks
Communication within a student network should be strictly limited to domain-to-domain traffic only. All other traffic should be blocked except for the staff administrative domain, which allows for a safe environment for students and teachers to communicate.
HARDWARE
Client Access
Networks should require a minimum specification for a device to obtain access.
Security Updates
District-owned devices should be maintained at the highest levels of validated security/operating system updates.
Internet of Things (IoT)
Strict protocols and policies should be utilized to evaluate the proper integration of each IoT device within a network using factors such as data collection and compliance with current child privacy policy acts.
END-USER PROTOCOLS
Passwords
Districts should also use a password change and retention policy. This policy includes password requirements involving length, complexity and acceptable types of letter combinations.
Sharing
Passwords should not be shared; no one should log on to the network for anyone else.
Group Emails
Access to “all”-type group emails (i.e., all staff, all teachers, etc.) should be limited to designated individuals only, and all one-way group communication should be sent via BCC.