Covid-19 has fundamentally changed the way our society functions, as businesses, entertainment venues, and schools must adapt to the challenges of a socially distanced world. This week, most school districts will press forward with distance learning, in which teachers conduct a class over Skype adjacent apps, while students tune in from home. Distance learning provides an opportunity for kids to keep learning in a safe environment where they can maintain social distancing. However, the transition to distance learning was, in many cases, rushed and flawed.
Indeed, the new shift in learning vectors presents a wide array of attack opportunities. Earlier this year, many classes learning the hard way that Zoom was not a viable classroom option due to a trolling tactic called “Zoombombing“. Zoombombing is when a user will show up in zoom calls that are not password protected by testing out simple google searches that contain the URL “Zoom.us”. During these zoom sessions, a user will hijack class sessions to show obscene videos or say an offensive thing. However, Zoombombing is far from the only risk associated with distance learning.
Secure Remote Access
One of the most pressing risks with distance learning is the lack of remote access. Teachers will keep work computers at home and learning resources will primarily be hosted in Cloud systems. With more teachers and students online, the attack surface increases as the individual security of each user varies from computer to computer. In a school environment, the IT team has more control over its cybersecurity. When computers are distributed to families, a traditional remote firewall or web filter may vary in effectiveness.
Bring Your Own Device
In cases where certain school districts cannot afford to provide devices to their families, students, and, in some cases, staff may use their own personal laptops or Ipads to connect to school networks. In the case of distance learning, users bringing in their own devices may completely undermine the school’s security system. For example, a user could sign into the school network on an Ipad and then lose the Ipad. This would completely compromise the security of the entire school network. A cybersecurity protection plan is only as strong as the weakest link.
Phishing Attacks
The lack of a centralized, in-person system provides a compelling opportunity for hackers to increase phishing schemes. Students or parents may receive malicious links in emails that purport to be teachers or school staff. Parents are nervous about distance learning and will be easier to manipulate in a scenario where they aren’t getting much face-to-face time with their teachers.
How to Prevent Attacks
- Schools should be training their staff members to follow a strict cybersecurity strategy that covers appropriate conduct within school networks, as well as any third-party apps used for school. Distance learning mandates a unique policy for each school based on their situation.
- Staff should be monitoring when students and staff login. Any erratic behavior could be an indication that someone else may have taken over an account. These behaviors may include late-night log-ins, multiple failed log-in attempts, or log-ins from places outside of your district.
- Educate students and their parents on identifying phishing attempts and malware. Explain the ways in which hackers will try to take advantage of the new distance learning situation. Let parents know the signs of a phony email – bad grammar, erratic punctuation, or generic greetings (dear sir or madam). Make sure parents know that teachers will never ask them for personal information, such as social security numbers or account passwords, over email.
- Focus on securing the infrastructures of the systems that you store content on – Microsoft 360, Cloud, etc. Web filters and firewalls will only be effective if schools are providing computers with those blocks and filters already on are installed.
- Enable features you can control on Google, Cloud, etc to strengthen general security, such as Multi-Factor Authentication (MFA) or the required “strong password” feature.
Distance learning is new and for many students and staff, it may be scary. However, practicing cyber hygiene and developing a district-specific framework will go a long way in minimizing the threat surface.