On May 7, hackers held the city of Baltimore hostage in a vicious cyberattack. They infected the city’s servers with a new form of malware called RobbinHood and demanded a ransom of about $76,000—or Baltimore’s data would be lost forever.
Ultimately, the city opted not to pay the ransom. According to The Baltimore Sun, officials project they will spend about $10 million in recovery efforts by the end of the year, compounded by an additional $8.2 million in lost or delayed revenue—not to mention the millions of people affected, inconvenienced or worse. Baltimore isn’t the first U.S. city to weather this type of threat—Atlanta suffered a similar attack in 2018—and it won’t be the last.
“But cities aren’t the only highly vulnerable targets to be found by would-be attackers,” writes Sean Gallagher, IT and national security editor of Ars Technica. “There are hundreds of thousands of internet-connected Windows systems in the United States that still appear to be vulnerable … and hundreds of them—if not thousands—are servers in use at U.S. public school systems.”
In fact, as reported by writer Benjamin Herold in Education Week: “Districts around the county have fallen victim to phishing scams, hacks, ransomware attacks and missteps by their own staff and students. The fallout has included millions of lost taxpayer dollars, tens of thousands of teachers and children who have had their personal data compromised, and an erosion of public trust.”
Every school has student data that can be stolen, files that can be corrupted, and networks and data systems that can be held for ransom. Therefore, it is vital for educational organizations, whether they own their own network infrastructures or not, to protect themselves as much as possible.
Experts say schools and districts need to proactively teach students and staff to be good digital citizens, to guard their online privacy and security and to be knowledgeable about hardware, software and personnel-based defense systems.
The best weapon in this fight is information and a strong support network. Hopefully, with a broader group working to support each other, academic professionals can build a future where technology enhances the educational experience, while keeping all of its users safe.
Best Practices for Educational Institutions
NETWORK SECURITY
External
Networks should be protected through a systematic integration of appliances, tools, services and practices. From the outside, a district should actively block access to and from countries that produce high levels of fraudulent activity.
Internal
Network account management should be automated and integrated with HR/personnel employee onboarding management systems. Student access should be handled in a similar manner. No pre-shared or open guest access should be allowed.
MONITORING
Simply put, all activity should be subject to monitoring.
Student Networks
Communication within a student network should be strictly limited to domain-to-domain traffic only. All other traffic should be blocked except for the staff administrative domain, which allows for a safe environment for students and teachers to communicate.
HARDWARE
Client Access
Networks should require a minimum specification for a device to obtain access.
Security Updates
District-owned devices should be maintained at the highest levels of validated security/operating system updates.
Internet of Things (IoT)
Strict protocols and policies should be utilized to evaluate the proper integration of each IoT device within a network using factors such as data collection and compliance with current child privacy policy acts.
END-USER PROTOCOLS
Passwords
Districts should also use a password change and retention policy. This policy includes password requirements involving length, complexity and acceptable types of letter combinations.
Sharing
Passwords should not be shared; no one should log on to the network for anyone else.
Group Emails
Access to “all”-type group emails (i.e., all staff, all teachers, etc.) should be limited to designated individuals only, and all one-way group communication should be sent via BCC.
