As the pandemic set in, schools suddenly had to revamp their technology infrastructure, not only to support online schooling but also to protect students and student data from internet attacks. This mammoth undertaking hasn’t been without issues.
According to the Director of Information Technology at LPS, Mr. Nicholas Jorge, just a few weeks ago, Friday, March 5th, fourth grade students at Blueberry Hill School, who were practicing math on the website IXL, had popup ads with images of female genitalia populate the screens of their school issued Chromebooks. While this incident wasn’t a result of a hack (Mr. Jorge says the students had simply installed an extension to their devices that mimicked the dinosaur game blocked by default on school issued computers), it highlights the difficulty of navigating the tight borders between flexibility, privacy, and security.
The Chromebooks that were given to students following the new one-to-one device initiative have presented a challenge for Mr. Jorge, who manages the IT infrastructure for both the Town and the school. By federal law, the school must protect minors from accessing inappropriate matter on the internet and ensure safety of minors using electronic communications. To meet that standard, all school issued Chromebooks now have web filtering enabled through the service Securely, in addition to the in-line web filter for the highschool’s network.
Mr. Jorge says that he tries “to avoid using configuration measures as a way to control behavior. Sometimes people might want to be more restrictive to prevent distraction. When we make restrictions on the Chromebooks it’s more in line with ensuring that the device is reliable and that user data isn’t being impacted.” Still, after parents raised concerns about a students’ ability to sign into the Chromebook through a personal account, allowing them to bypass all school restrictions, the devices can now only be accessed with a school Google account. Mr. Jorge says that after last week’s extension incident, only extensions on an “allow-list” will be available for students to install.
The school also experienced a Distributed Denial of Service (DDoS) attack this year on January 14th. In a DDoS attack, many devices controlled by a malign actor attempt to connect and overwhelm a network, causing disruptions for everyone using the network. “I try to get everyone to understand, it’s not a compromise, it’s a denial of service. Someone hasn’t gained access to something they shouldn’t, but what they’ve created is a bottleneck,” says Mr. Jorge. The attack lasted around four hours before the Town’s Internet Service Provider (ISP) identified the technique being used, and took measures to end it. Mr. Jorge says, “with DDoS attacks you’re pretty much dependent upstream [internet] providers to perform the filtering, because by the time it hits your firewall and you’re doing the filtering, you’re already saturating the network.”
DDoS attacks are done mostly for disruption. They require little skill, are relatively inexpensive, and is an anonymous service that can be purchased from the dark web. The Town has not discovered who was behind the January attack, “it’s the kind of thing that is hard to attribute to an individual actor. They kind of use the penalty as a deterrent, the penalties can be pretty severe,” says Mr. Jorge.
The attack the Town’s technology department is most concerned with is known as a ransomware attack. In a ransomware attack a hacker finds a way into a server and then blocks owners of the data from accessing it through encryption. The only way to get the data back is to pay the hacker to decrypt it. This attack, which has been on the rise over the past year, has disrupted critical infrastructure like hospitals and town governments, as well as poorly equipped school districts and universities. For students, the kind of data that could be involved in this attack is Powerschool data, which is hosted on the school’s servers.
To help protect student and staff data in the case it was hacked, the school is switching PowerSchool over to a Google Single Sign-On (SSO). This would mean that one would only need to sign in through Google, removing the possibility that PowerSchool passwords and usernames would be stolen in an attack, since they wouldn’t exist. Students could also use double verification if they have it enabled for their Google Account, improving their security. Mr. Jorge says, in January, PowerSchool staff login was transitioned to use Google SSO for the aforementioned benefits, and will be transitioning for the students in the coming weeks.
To protect the Town from having to negotiate with hackers for the data, over the past few years Mr. Jorge and his team have created backups of the data that are separated from the Town’s network. If a ransomware attack were to occur, the school could avoid shelling out tens of thousands of dollars and negotiating with hackers, and instead load up a backup of our data.
To avoid falling prey to a ransomware attack in the first place, teachers received state grant sponsored training to avoid phishing emails that are often used to gain a foothold into a system. Phishing emails sent by hackers are disguised to look like reputable companies or people that aim to steal passwords or credit card numbers. As part of the training, teachers received emails that mimicked phishing attempts and were directed to remedial training if they interacted with those emails. The department has also tightened filters on Google apps so they detect phishing scams and will highlight suspicious activity.
Along with these measures the school’s strategy is a “defense-in-depth” approach –establishing layers of protection like: strong/unique passwords, network segmentation, antimalware software, frequent patching schedules to fix identified software flaws and limiting publicly exposed services on the internet. Even with all those measures it’s impossible to totally remove the risk of a hack as demonstrated by the successful Solarwinds attack on the federal government. “No matter how good of a job you’re doing, you have to plan for the eventuality that your organization will be affected by ransomware despite your best efforts,” says Mr. Jorge.
Though students have access to computer lab environments and Chromebooks, teacher’s computers are evaluated to be a higher risk target than student devices. “The Chromebooks themselves are harder to compromise and less likely to result in a wider network compromise,” says Mr. Jorge. “It used to be really easy to spot” phishing emails, says Mr. Jorge, “but they’re getting pretty sophisticated, it’s not as easy as simply looking for grammatical errors.” Mr. Jorge suggests that students pause and think before opening a link or an attachment, “for someone to scam you they have to get you to do something that is against your better judgment, so they often try to create a sense of urgency, like ‘click this link because if you don’t you’ll lose access to this account.’ Be a skeptical thinker, evaluate sources, and don’t jump into something.”