Primary schools are similar to small and medium-sized businesses in terms of their information infrastructure, and therefore susceptible to similar security threats. Social engineering remains a key attack method – time and again we find that organisations fall victim to an attack because someone’s been tricked into doing something that jeopardises their organisation’s security.
That might be clicking on a link, or opening an email attachment that seems to come from a trusted sender. Beyond that, there’s the potential for attackers to exploit vulnerabilities in certain applications, such as a PDF attachment that’s been modified to install malware when clicked on. Phishing and the use of exploits are still proving to be very successful approaches for bad actors, and remain the principal mechanism by which systems come under attack.
Culture of security
These types of attacks have grown increasingly sophisticated over time and continue to resemble moving targets – last month’s scam may not look anything like this month’s. There’s always new content to capture people’s interest and new deception strategies. Somebody targeting a school organisation may go the extra mile and attempt to masquerade as the headteacher or someone at the LA, making it that much more likely that their email will be clicked on.
Yes, it’s possible to analyse the constituent parts of a phishing email and teach people the warning signs to watch out for, but it’s better to develop what I’d call a ‘culture of security’. Rather than telling people how to respond to this or that phishing email, it’s more about encouraging a kind of ‘informed paranoia’ – ‘I didn’t expect this email and it’s asking me to click on something – I should probably check with someone.’
It’s effectively a digital counterpart to what schools already do in the real world. If a teacher encounters a stranger when walking the school corridors, the teacher will likely greet them before asking about the purpose of their visit and whether they have an appointment. We don’t currently model those same behaviours in the digital space, which is why developing that wider culture of security is so important.
The overall level of threat has remained fairly consistent over time, though the method of delivery has changed considerably. We’ve recently been researching malware masquerading as digital textbooks and essays, and found that criminals are increasingly targeting education entities. We identified more than 356,000 such attacks on Kaspersky users over the past year involving malicious essays, books and other forms of data downloaded from sites purporting to help people with their work.
The most likely weak points of a primary school’s ICT network will obviously be any machines that aren’t protected by security software or haven’t had their operating systems and applications properly updated. The classic illustration of what can happen as a result is the 2017 WannaCry attack, where organisations which hadn’t applied a particular update were left vulnerable to the threat it posed.
Another thing which doesn’t help is that certain networks can be very ‘flat’ – configured so that all users are given the same level of access, with everybody allowed to connect to everything, write to everything and see everything. This can play right into the hands of any attacker, so look at ways in which you can adopt a default of ‘least privilege’. If somebody doesn’t need access to something, don’t give it to them.
During a ransomware attack the perpetrator will want to hit as many machines as possible. If my machine is restricted from writing data to the network drive, any malware that infects me won’t be able to either.
The human element
As well as patching our digital resources, we should think about trying to ‘patch’ our human resources too. Are some staff regularly putting off the installation of important system updates? Are they logging in every session with an unrestricted administrator’s account?
Presently we’re seeing fewer ransomware programmes in the wild, but we aren’t seeing the rate of attacks go down. What seems to be happening is that such attacks are becoming more targeted. Three years ago they were much more indiscriminate, whereas now they’re focused more on specific organisations.
Maintaining regular backups will get you out of that invidious position where you can find yourself contemplating whether you need to pay a ransom for important data to be released. Even simply dragging and dropping important data on to an external USB drive will give you some added security.
Another really important area is passwords. Obvious risks include easy-to-guess passwords and reusing passwords across multiple accounts, so it might be worth using a password manager. These have become far more flexible in recent years, to the point where they can now work across multiple machines, including mobile devices.
The National Cyber Security Centre (ncsc.gov.uk) has previously suggested viewing your password arrangements as a hierarchy – if somebody knows the primary email address and email password that I use for important authentications, then I’m in real trouble. For that email account, it may be best to use a personally devised, complex and well-remembered password, while leaving ‘lesser’ accounts that aren’t associated with other services to a password manager.
So how should schools seek to improve their staff’s awareness of network vulnerabilities and build a robust culture of security? One of the best things you can do is remove these concerns from the realm of the ‘techie’. If information security is seen as strictly a technical issue, it’s likely that ‘technical people’ will be asked to do the related educational work – but if you’re constantly immersed in this field, it’s possible to take a great deal of knowledge for granted.
Technical abbreviations, acronyms, basic security concepts – it’s important to be aware that many colleagues won’t have internalised that kind of information, and to pitch any education and training at a level people will understand. Instead of organising a one-off training session and ticking it off as ‘job done’, make it an ongoing process.
Think back to public information campaigns about road safety, for example, which would drip-feed information via multiple channels. Put posters up. Create a ‘Spot the difference’ display with a series of technical gaffes in one half and offer a prize for whoever can spot the most. Be imaginative, while ensuring that the information you impart remains accessible.
Finally, it’s worth remembering that the awareness you’re raising can also benefit colleagues in their personal lives by helping them protect their own computers at home and educate their children.
The National Cyber Security Centre’s ‘Cyber Essentials’ scheme (cyberessentials.ncsc.gov.uk) aims to help organisations of various sizes keep their information secure into the long term and provides a range of resources concerning internet connections, how to secure devices, controlling access to data and protections against malware.
Those wishing to further develop their cyber security practice can opt to become Cyber Essentials certified at Basic, Entry or Plus levels, which can help their organisation move with the times and adapt to ever-changing information security threats more effectively.
David Emm is principal security researcher at Kaspersky