The shift from in-person learning at colleges to remote classes due to the coronavirus pandemic has led to a spike in cybersecurity needs, although not necessarily greater success on the part of hackers.
The U.S. Education Department’s Federal Student Aid (FSA) office this month issued an alert about ransomware campaigns targeting education institutions in which hackers hold sensitive data and systems hostage until a payment is made. “Multiple schools” have reported phishing attacks used to access account credentials, which hackers use to get to data, financial information and intellectual property, according to the alert.
FSA encouraged cybersecurity practices such as data backups, multi-factor authentication, regular patching of hardware and software, continuous network monitoring, creating and updating an incident response plan, and end-user training that emphasizes not falling prey to phishing attacks.
The Phish Scale: The National Institute of Standards and Technology has developed a new tool to help organizations better train their employees to avoid phishing.
The Education Department (ED) notes the immense pressure that colleges have faced to rapidly adopt new platforms and tools to enhance student learning during the pandemic. While most schools have not experienced additional cybersecurity problems — an indication that protocols are mostly effective — there has been an uptick in ransomware, and training remains a critical safeguard, according to an ED spokesperson. Student information and financial data are often what cybercriminals are looking to access.
Fending off phishing
With about 10,000 students — 36 percent to 38 percent of whom are learning online even in a normal semester — the College of Central Florida (CF) was well-prepared for social distancing and has kept cyber safe despite a 50 percent increase in attempted cyberattacks, mostly through “phishing,” says President Jim Henningsen.
“Cybersecurity has been growing phenomenally in terms of importance,” he says. “It costs millions of dollars. But we’ve got a strong handle on it.”
When the COVID shutdowns hit, a relative handful of students borrowed laptops from the college. Most students used their own devices to log onto the college’s portal, which is behind a firewall and is regularly tested by third parties, Henningsen says.
“Our firewall is pretty impregnable,” he says. “The protocols and security systems are working well.”
The college has not been Zoom-bombed, perhaps partly because administrators used federal CARES Act funding to hire computer science adjuncts to help properly train faculty and staff, Henningsen says. But the phishing e-mails remain a constant worry, and hackers are always trying new tricks, he adds.
“They come up with very creative ways of taking our logos, or using my name or a vice president’s name and getting you to click somewhere,” Henningsen said. “The (e-mail) address will be off by only one letter. If you don’t look closely enough, it looks like my e-mail address.”
CF hasn’t been successfully hit with a phishing attack since COVID started, although a faculty member once did click on a bogus link and had their check rerouted.
Front-of-mind issues
In Michigan, Lansing Community College typically only has about 10 percent of its students online, but for the past six months that figure has been closer to 90 percent, says Paul Schwartz, director of information security.
Students and adjuncts typically use their own devices, although Lansing has a loaner program with about 800 laptops, Schwartz says. They currently enter the college’s network through a virtual private network (VPN), which provides easy access but not firewalls or web filtering. Lansing has been slowly adopting a virtual desktop infrastructure (VDI) that the school plans to mandate in November.
IT staff is working to reconnect with students through videoconference systems to remind them about the importance of cybersecurity and avoiding phishing attacks, Schwartz says. The number of phishing attacks at Lansing has remained similar to past years, although there’s been a noticeable uptick in phishing e-mails that are somehow COVID-related, as hackers know people are especially interested in information about the pandemic right now, he says.
“Our attacks have stayed level, but they have fine-tuned it,” he says, which is why it’s important to keep the possibility of breaches and account compromises front-of-mind for all network users.
More entry points
In Nebraska, Southeast Community College was already revamping its cybersecurity plans for about 18 months prior to the virus outbreak, which meant it had tools in place to support that rapid transition to remote working environments, says Ed Koster, vice president of research, planning and technology.
“The speed of this transition required us to roll out some of our newer tools at scale, versus testing in a smaller subset of users, and certainly required some of our approval processes for access to have to be streamlined,” he says.
Southeast had been testing a new protocol for remote network access that it took to scale very quickly, Koster says.
“We have had to be more open to remote work, and therefore remote access to our systems,” he says.
That means many more entry points to the network, “with the human firewall being the toughest to defend,” he adds.
When the pandemic hit in March, San Juan College (SJC) in New Mexico quickly checked out around 200 laptops and scrambled to come up with 125 more in a demand-heavy market for a student body that often did not have them at home, says Ed DesPlas, vice president of administrative services.
Hotspots proved to be another challenge, especially to serve students in Navajo and other nearby Indian Nations. Putting all students on the school’s VPN was impractical due to the licensing costs involved, DesPlas says.
Phishing attacks on students and others working off-campus have skyrocketed, and SJC has implemented software that quarantines suspicious-looking e-mails and has bolstered its network and cyber-defenses. DesPlas declines to get too specific for publication, making an analogy to a popular movie when he says, “The first rule of Fight Club is, you don’t talk about Fight Club. I’m not going to get real deep into what we’re doing.”
But he characterizes the volume of attacks as “overwhelming.” One employee on a home network has been successfully phished five times. “We have to tell folks, ‘Don’t answer e-mails from this person,’” DesPlas says.
Addressing the human element
To better combat such threats, SJC is focusing on the human element, with plans to play it up during National Cybersecurity Awareness Month in October.
“People generally believe every e-mail that comes their way is somebody reaching out to help them, somebody giving them valuable information,” DesPlas says. “The human piece of cybersecurity is probably our most vulnerable point. We can put all sorts of expensive protections in place to protect the machines and protect us from threats. It’s the people who open the e-mails. … We’re constantly keeping people up-to-date on phishing or malware messages. But it’s difficult.”
AI help
San Juan also is in the process of changing its security software and upgrading to different vendors that DesPlas believes will strengthen the school’s defenses. In addition, the college has purchased a software package to redouble security awareness training.
“The other thing we’re doing is, we used to always monitor network activity, but now, we are obsessively monitoring network activity,” he says.
To do that, San Juan is using artificial intelligence to scan e-mail patterns and send alerts to a network technician if those change noticeably, an architecture set up a year ago by a network engineer at the college who took it upon himself to train in network security.
“That is serving us really well right now,” DesPlas says. “He is on top of the latest developments. Sadly, some of these newest capabilities are very, very expensive. We’re trying to balance the costs and our resources. In this environment, we could never spend enough to get a good night’s sleep.”