It’s Time to Get Serious About Education Cyber Security

Back to School: Education Cyber Security

K-12 school systems, colleges, and universities are being increasingly targeted by hackers, yet education cyber security is as woefully lacking as it is in other industries, as these recent incidents illustrate:

Education Cyber Security Threats are Many and Varied

As the above incidents illustrate, K-12 schools and higher education institutions face threats on multiple fronts. Like healthcare facilities, school networks are a hacker’s treasure trove of identifying information on staff members, students, and students’ families, including names, birth dates, addresses, Social Security numbers, even medical information. Additionally, school networks are often connected to each other and to government agencies for information-sharing purposes, which means that in addition to data breaches, ransomware attacks, and other direct abuse, cyber criminals may infiltrate a school’s network for purposes of using it as a back door into another organization.

Further complicating education cyber security is the fact that K-12 schools, by their very nature, have a user base that includes minor children as well as adults. Not only are minor students potentially more vulnerable to social engineering schemes, they may also pose cyber threats themselves, as in the South Washington County Schools case. Students may also hack a school’s network to alter grades, cause general disruption, or even just to see if they can do it.

Third-party software applications also pose threats to education cyber security. Cash-strapped schools, under pressure from students and parents for more e-learning capabilities, often turn to free applications released by third parties. However, nothing is truly “free”; software developers must monetize their applications in some manner, and this could involve collecting personal data from teachers and students and selling it to other companies. Third-party developers may also practice poor data security. An independent audit of 1,200 education software applications by the nonprofit group Common Sense Education found that nearly half did not automatically encrypt students’ data.

How Schools Can Protect Themselves

Just as in every other industry, an education cyber security strategy must be proactive, not reactive. Teachers, other school staff, and students must all be trained on cyber security best practices, and schools must employ the same data security protections as organizations in other industries: for example, strong passwords that are changed regularly, two-factor authentication, and software that is kept up to date.

For generations, schools have taught students about “stranger danger” and how to stay safe in the real world; students should likewise be taught how to protect themselves from identity theft and other online crimes. Schools should also have specific policies regarding the use of third-party educational software in the classroom, and any software a teacher would like to use should be evaluated for data security before it is installed.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

Doxware Takes Ransomware to the Next Level

Doxware Leaks Your Private Data if You Don’t Pay the Ransom

Ransomware began grabbing headlines about a year ago, when Hollywood Presbyterian Medical Center paid hackers thousands of dollars in ransom after being locked out of its systems. This large payday apparently encouraged hackers to keep going; a recent survey showed that about half of all businesses reported being victimized by ransomware at least once in the previous 12 months, and a stunning 85% had been hit three or more times. Because ransomware is now ubiquitous, organizations have learned to fight back by restoring their systems from backup drives, thus avoiding having to pay a ransom. Unfortunately, hackers are fighting back, too, using a combination of ransomware and extortionware called doxware.

A doxware attack unfolds similarly to ransomware: Victims attempt to log on to their computers and are greeted by a screen notifying them that their system has been locked down and demanding that a ransom be paid, usually in Bitcoin, for the code to get back in. However, doxware goes a step further, not only locking the system down but also threatening to expose the user’s private or sensitive data. This renders restoring the system from a backup ineffective because it will solve only half the problem.

One known doxware strain notifies users that it has compromised all of their login credentials, contacts, and Skype history and placed them on a server, and threatens to forward the data to all of the user’s contacts unless the ransom is paid. Other variants are programmed to search the user’s system for files containing keywords that might indicate embarrassing content, such as “nude” or “sex.” In a unique twist aimed at self-propagation, a variant called Popcorn Time gives victims an alternative to paying the ransom: infecting two of their friends with the malware.

As both Sony Pictures and the Democratic National Committee learned the hard way after their corporate emails were hacked and published on WikiLeaks, having embarrassing information go public can ruin reputations and derail careers. Additionally, the release of scandalous material isn’t the only thing organizations need to worry about; doxware could be set up to target trade secrets, intellectual property, and other confidential information that could be ruinous to a business if it were released. For hackers, this represents the “value proposition” of doxware over ransomware: The fear of financial ruin makes it far more likely that doxware victims will cave in to hackers’ ransom demands or even agree to infect their friends in order to get off the hook. Of course, there is no guarantee that the criminals demanding the ransom will keep their word and not release the information, anyway.

How serious is the doxware threat?

Right now, doxware is a new threat, and attacks have been confined to Windows computers and laptops, but this particular attack vector is so potentially lucrative that there’s no reason to think that cyber criminals will stop there. Doxware would lend itself very well to mobile devices, where it could be set up to send photos, videos, and text messages to all of the user’s contacts.

The bright side is that since doxware isn’t yet at epidemic levels, organizations have a chance to get ahead of the game and take proactive cyber security measures before it becomes as common as ransomware. Methods to prevent a doxware attack are essentially the same as those used to fend off ransomware: training employees on how to spot phishing emails and other cyber security best practices, deploying antivirus packages that protect against ransomware strains, and maintaining regular system backups. Organizations should also air-gap intellectual property, employee tax data, and other highly sensitive information to make it more difficult for hackers to access, and encrypt the data so that it is useless even if they do manage to get at it.

Hackers’ Next Target: Smart Toys

Smart toys were a popular gift item this holiday season, but they present serious cyber security vulnerabilities.

Cyber criminals don’t care who they hurt. This was made obvious during the rash of ransomware attacks on healthcare facilities this year, where hackers locked down electronic health records systems, putting patients at grave risk. There is great concern that the proliferation of Internet of Things (IoT) medical devices, such as smart insulin pumps, will enable hackers to go after patients directly, demanding that they pay a ransom to keep their lifesaving devices working. Now, a new threat is emerging: The opportunity for hackers to target children for identity theft by exploiting vulnerabilities in internet-connected smart toys, which were all the rage this holiday season.

Smart Toys and Child Identity Theft

When most people think of identity theft, they imagine hackers stealing adults’ personal data. However, child identity theft is a serious and growing problem that existed even before the introduction of smart toys. A study commissioned by the Identity Theft Assistance Center in 2012 found that 1 in 40 U.S. households with minor children (under age 18) have at least one child whose personal data has been compromised.

Child identity theft is particularly insidious. Child identities can be worth more than adult identities on the black market because thieves can operate under them for years before being detected. An adult may discover that their information has been compromised fairly quickly; say, after their credit card company flags suspicious activity on their card. Child victims, on the other hand, may have no idea their identities have been stolen until they apply for their first job, try to obtain a college scholarship, or attempt to rent their first apartment, only to find that their credit has been ruined before they can even begin building it.

The attraction of smart toys is that they offer a personalized interactive experience, such as dolls that can talk to children by name and remember their birthdays. However, this interaction is made possible by the toy connecting to the internet, just like all other IoT devices, so any information the child or parent gives to the toy – the child’s name, address, and birth date, or the parents’ credit card information – is transmitted over the internet. And, just like all other IoT devices, there are serious questions as to the security of the information smart toys collect and store.

These concerns are not hypothetical. In 2015, hackers breached servers owned by VTech, a manufacturer of smart toys and baby monitors, compromising the personal data of over 5 million parents and about 200,000 children. Senator Bill Nelson (D-FL) cited the VTech breach, as well as security vulnerabilities in other children’s IoT devices, when he called on the Federal Trade Commission to “carefully monitor” smart toys and demanded that manufacturers of these devices properly secure them.

Securing Smart Toys

Some consumer groups are advising that parents steer clear of smart toys until manufacturers can ensure they are secure. In the meantime, if you have purchased a smart toy for your child, you should take the following precautions:

  • Immediately change the toy’s default login credentials.
  • Limit the amount of information the toy can collect on your child – and on you, as parents’ data is also at risk. Do not give the toy any sensitive personal data, such as addresses or birth dates, and turn off geo-tracking features.
  • Do an internet search on the toy’s manufacturer. If they have already experienced a data breach, consider returning the toy to the store.

Smart toy manufacturers have a responsibility to their customers and the public at large to prevent their products from becoming vehicles for child identity theft. Lazarus Alliance agrees with Senator Nelson’s suggestions for smart toy manufacturers, which include the following proactive measures:

  • Build strong cyber security into smart toys from the start. Cyber security should be an integral part of a smart toy’s software development lifecycle, not an afterthought.
  • Limit the amount of data smart toys collect to only that which is necessary for the toy to operate.
  • Retain customers’ personal data only for as long as absolutely necessary.
  • Continually reassess the threat landscape and reevaluate the cyber security of individual toys, as cyber threats morph and change over time.
