From Blackboard to high-definition projectors to smart boards, technology has significantly improved the learning experience for students both inside and outside of the classroom.
Unfortunately, as the Education industry becomes a growing target for various cyber attacks, the classroom technology you use could be susceptible to Distributed Denial of Service (DDoS) attacks, ransomware attacks, and data breaches from human errors and cyber espionage that can compromise the data of your students, and other faculty and administrators.
How do you protect your personal and your students’ data while using advanced classroom technology? This guide is a crash-course in Classroom Cybersecurity 101 and will explain the cyber threats targeting higher education institutions and offer tips from the experts at Dashlane to help you protect your personal devices, keep your personal information private, and help you and your students practice safer online habits.
Cybersecurity 101: Cyber threats targeting schools and higher-ed institutions
Greenwich University, Newcastle University, the University of Virginia, Rutgers University, the University College London, the University of Central Florida, and the University of Calgary are just a handful of schools that suffered a data breach or became a victim of a cyber attack within the last two years.
In fact, Verizon’s 2017 Data Breach Investigations Report confirmed 455 cyber incidents were reported in 2016 alone–73 with confirmed data disclosures. These incidents and data breaches were the results of denial of service (DoS) attacks, phishing and social engineering attacks, ransomware attacks, human errors, and password attacks.
Denial of service (DoS) and Distributed Denial of Service (DDoS) attacks
A denial of service (DoS) attack occurs when a cyber criminal prevents users from accessing information or services by overloading a network or server with requests, preventing legitimate requests from going through. Similarly, a distributed denial of service (DDoS) attack occurs when a cyber criminal uses several computers to launch a DoS attack. DoS attacks can prevent students and faculty from accessing their email, internal websites, online accounts, and other online services.
However, in 2015, Rutgers University in New Jersey learned how DoS attacks can affect way more than Internet access. The school suffered a total of six DDoS attacks in 2015–the longest of which lasted five days. The attacks managed to take down the university’s website and online class portals, which forced the school to raise tuition 2.3 percent the following school year to increase its cybersecurity budget.
Moreover, Verizon’s 2017 DBIR found that half of the cyber incidents targeting the Education sector were DDoS attacks.
Phishing and social engineering attacks
Social engineering is a technique used to retrieve important, sensitive information by manipulating a victim. Two of the most common forms of social engineering are phishing attacks and spear phishing attacks.
Phishing attacks often occur when a cyber criminal sends an email with a malicious attachment or link, which lures the recipient to disclose sensitive information, such as credit card information, usernames, passwords, and social security numbers. Similarly, spear phishing targets a victim by sending a malicious email from a known or trusted sender.
Phishing attacks and social engineering attacks often target C-suite executives and human resource employees at large corporations and schools. This was no exception for an attack which targeted the human resources department at the University of Virginia in January 2016. A phishing email scam was to blame for a data breach affecting about 1,400 employees, compromising W-2s, social security numbers, and direct-deposit banking information.
Colleges and universities are also subject to sophisticated phishing websites that use their brand to trick prospective students. For instance, Newcastle University in the UK recently discovered a scam website using its brand to accept credit card information and other personal information from prospective students to attend fake courses. In addition, a Freedom of Information request from Duo Security revealed that 72 percent of UK universities have fallen victim to phishing attacks in the past 12 months.
Ransomware is a type of malware that infects your computer or your system and then encrypts your files until you can pay the “ransom” to decrypt your data. In recent years, these attacks have successfully extorted millions of dollars from individuals and organizations.
Aside from the WannaCry and Petya/Non-Petya ransomware attacks that wreaked havoc across the globe earlier this year, ransomware attacks have steadily increased–moving from the 22nd most common variety of malware in 2014 to the 5th most common in 2016.
Commonly, ransomware campaigns target organizations in the Public Administration, Healthcare, and Financial Services industries, but also target some of the world’s most prestigious schools, including the University College London (UCL). In June 2017, a ransomware virus bypassed UCL’s anti-virus system after a user visited a malicious website and encrypted files on both local and shared network drives. The University of Calgary in Canada wasn’t as well prepared and paid $20,000 in bitcoin ($15,780 USD) to retrieve their files following a ransomware attack.
While IT departments primarily focus on thwarting external threats, human errors are still a leading source of data breaches within the Education Industry. Breaches involving human error are often the result of misdelivery of sensitive data, such as mailing documents to the wrong recipient, and publication errors, which refers to data that becomes available or viewable electronically to an unintended audience.
A prime example took place at The University of Greenwich in 2016, when students’ names, street addresses, dates of birth, cell phone numbers, signatures, emails between staff and students, and medical information were accidentally posted on its public-facing website. The exposed data was discovered by a University of Greenwich student who found the info with a simple Google search. A similar incident occurred at the University of Arizona in 2012. Approximately 7,700 vendors, consultants, guest speakers, and students had their names, tax ID numbers, and social security numbers exposed after the data was mistakenly posted online while the school’s financial systems were being upgraded.
Password attacks taking advantage of weak or reused passwords are the result of risky password practices employees use on their personal accounts and inadvertently transfer into the workplace.
Although your online accounts may have never been hacked, there’s a good chance you practice poor password habits. You could be:
- Using a weak password that contains simple, easy-to-guess number combinations and common phrases and words.
- Reusing one or more passwords to protect multiple online accounts
- Recycling parts of old passwords instead of creating an entirely new one
- Using the default password that came with the device or software
- Sharing passwords with colleagues or students via email, text messages, sticky notes, unencrypted documents, etc.
Cyber criminals will also use password-cracking strategies to access your online accounts, including brute force attacks, dictionary attacks, and keylogger attacks. If you use a weak, predictable password to protect your online accounts, external actors and tech-savvy students can find a way to exploit your poor password practices.
Take, for instance, this case at Florida International University, where two students and an alumnus gained access to a professor’s email account, found future tests, and began selling the exam answer keys for $150. In another incident, two Miami University students managed to install keylogging software to capture the login credentials for instructors, breached the school’s computer system, and changed grades for themselves and more than 50 other students.
With the growing number of Internet-connected technology being brought into the classroom, what can you do to combat cyber attacks?
Cybersecurity 102: How to Secure Your Personal and Your Students’ Data Inside and Outside the Classroom
In Cybersecurity 102, we’ll answer frequently asked questions about how to protect your personal and your students’ data while using advanced classroom technology. If you still have questions, feel free to leave them in the comments below!
How do I keep my data safe when using my school’s Wi-Fi network?
If your school provides an Internet connection accessible to all students, staff, faculty members, and guests, keep these tips in mind:
- Avoid logging into sensitive online accounts, like an online banking account and your social media accounts, when using the public computers in libraries or connecting to a public Wi-Fi network.
- Close all tabs in the browser, log out of all of your personal accounts and delete your browsing history when you’re done using a public computer, smart board, or a digital classroom podium.
- Do not select the “Remember Me” option or save a password to a browser on a public computer or digital classroom podium, even if you use the same device frequently.
- Do not save any of your files or any student’s files on a public computer. Instead, safely store them on a USB thumb drive, in a cloud-storage service, like Dropbox or Google Drive, or in your email secured with a strong, unique password.
How do I know if a website or email is a phishing attempt?
Here are some quick tips to help you quickly identify a “phishy” website or email:
- For websites that require entering sensitive information, like your full name, street address, and credit card information, check for a secure connection. Look for URLs with “https://” or a green padlock or key in the address bar. This will let you know that a website is taking extra precautions to keep your data secure.
- Double check the website’s URL. Criminals are using sophisticated techniques to create fake websites that look nearly identical to a legitimate website. Always look for any misspellings, unusual words, special characters, and unusual endings, like “.so” instead of “.com”.
- If you get an email, direct message, or a text message with a link or attachment from a person or service you don’t know, delete it. If you know the sender, verify that the message is legitimate before clicking a link or downloading an attachment.
- Enable your browser’s popup and phishing protections. Popular browsers like Chrome and Firefox have features that will alert you if you visit a suspicious website.
- When in doubt, trust your gut. If you have any doubts that an email or website looks suspicious, report it to your school’s IT department immediately.
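The URL checks from the tips above (secure connection, misspellings, special characters, unusual endings) can be automated. The following Python sketch is an added example, not part of the original guide; the trusted-domain list and sample URLs are constructed, and treating the last two labels of a host name as the site's domain is a simplifying assumption. It also flags a trusted name used as a subdomain of another site, which goes slightly beyond the tips.

```python
from urllib.parse import urlsplit

# Assumption: a hand-kept list of domains you really use (constructed sample).
TRUSTED_DOMAINS = {"example.edu", "dropbox.com"}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("no-https")
    if not host.isascii() or "xn--" in host:
        warnings.append("special-characters")  # possible look-alike letters
    # Simplification: treat the last two labels as the site's domain.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return warnings
    name, _, ending = domain.rpartition(".")
    for good in sorted(TRUSTED_DOMAINS):
        good_name, _, good_ending = good.rpartition(".")
        if name == good_name and ending != good_ending:
            warnings.append(f"unusual-ending:{good}")      # e.g. ".so" for ".com"
        elif 0 < edit_distance(name, good_name) <= 2:
            warnings.append(f"misspelling:{good}")         # one or two letters off
        if f".{good}." in f".{host}":
            warnings.append(f"trusted-name-as-subdomain:{good}")
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ["https://dropbox.com/home", "https://dropbox.so/login",
                   "https://examp1e.edu/apply", "http://www.example.edu/portal"]:
        print(sample, check_url(sample))
```

An empty result only means none of these specific checks fired. A fake site can still use HTTPS, so the domain checks matter as much as the padlock.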
How do I keep my computer, smart boards, and other classroom tech free from malware and other viruses?
To avoid damaging Trojans, ransomware, viruses, and other types of malware, it’s critical that you always keep your computer and mobile devices clean and up-to-date.
- Enable automatic software updates to keep all of your web browsers, apps, security software, and your operating system secured from known threats.
- Install antivirus and anti-malware software on your computer, mobile, and gaming devices, and regularly run security scans.
- Watch what you download. Only download apps and programs from a trusted vendor’s verified website or from their verified app store page.
- In case of an emergency, always back up your data onto an external hard drive, a cloud storage platform, or a USB thumb drive.
- Use an ad-blocker to prevent drive-by downloads from infected online ads.
- Declutter your devices frequently. Remove unused browser extensions, plugins, and old software that could be vulnerable.
What should I do to protect my email, online class portals, and other online accounts?
Practicing better password habits and enabling two-factor authentication are key to keeping online accounts secure.
- Use strong passwords, and change them often. This sounds like a no-brainer, but password reuse is a leading cause of account takeovers. Use a password generator to help you create longer, stronger passwords and use a password manager to encrypt and safely store them for you. Some will also help you identify passwords that you’ve reused, haven’t updated recently, are too weak, or have been compromised in a recent data breach.
- Use a different password for every website, service, or app you use. It’s tempting to use your school mascot for every password, but it makes you very vulnerable to cyber criminals and tech-savvy students.
- Delete old login and password reset emails. If you never delete the dozens, probably hundreds, of login detail emails from your email account, you have created a gold mine for hackers. All they have to do is get into your email and then they have access to every service or website you’ve used.
- Never share your login credentials with anyone, including your colleagues or students. It’s especially important that you don’t share credentials over text message or email.
- Enable two-factor authentication on all of your online accounts. This will add an extra layer of security and privacy on your online accounts.
- Encourage students to also create and use unique passwords. Their passwords should be at least 8 characters long, and should be memorable to them, but should not make sense to any other person or automated computer program.
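The risky habits listed earlier (weak, reused, recycled, and default passwords) and the advice above describe checks that can be run over a list of saved logins. The following Python sketch is an added example, not Dashlane's code; the word lists, account names, and passwords are constructed, and the 5-character overlap used to call a password "recycled" is an assumption.

```python
# Constructed short lists; a real audit would use much larger ones.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "123456"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default"}

def shares_chunk(a, b, n=5):
    """True if any n-character run of a also appears in b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))

def audit(vault, old_passwords=()):
    """Map each account name to a sorted list of findings for its password."""
    findings = {}
    for account, pw in vault.items():
        found = set()
        low = pw.lower()
        # Weak: under 8 characters, digits only, or built on a common word.
        if len(pw) < 8 or pw.isdigit() or any(w in low for w in COMMON_WORDS):
            found.add("weak")
        if low in DEFAULT_PASSWORDS:
            found.add("default")
        others = [p for a, p in vault.items() if a != account]
        if pw in others:
            found.add("reused")      # same password on another account
        # Recycled: overlaps a different current or old password.
        if any(p != pw and shares_chunk(p, pw) for p in [*others, *old_passwords]):
            found.add("recycled")
        findings[account] = sorted(found)
    return findings

# Constructed sample vault; never keep real passwords in a script.
SAMPLE_VAULT = {
    "email": "GoTigers2016!",
    "class-portal": "GoTigers2016!",
    "bank": "GoTigers2017#",
    "smartboard": "admin",
    "library": "k7#Vq9!mZp2&Lw",
}

if __name__ == "__main__":
    for account, result in audit(SAMPLE_VAULT).items():
        print(account, result or "ok")
```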
What is the best way to make sure I maintain my privacy online?
To aid students outside of the classroom, sharing your personal email address and phone number may not be unusual, but it could jeopardize your privacy. The best way to maintain your digital privacy is to control your security and privacy settings and to avoid oversharing personal information.
- Customize the security settings for all of your social media accounts to limit who can see what you post.
- Think before you post. Be careful not to share posts that could reveal personally identifiable information like where you live, where your family members work, or what car you drive.
How can I ensure that my students’ data remains secure and private?
Glad you asked! You can share our guide made exclusively for college students, which teaches them about the unique cyber threats they face as students and how to protect themselves both on and offline. Click the link below to learn more!