Complex Environments Cause Schools to Struggle for Passing Security Grade

  /     /     /  
Publicated : 23/11/2024   Category : security


Complex Environments Cause Schools to Struggle for Passing Security Grade


As ransomware attacks surge against school systems, an analysis of 1,200 K-12 institutions in North America shows complex environments and conflicting security controls.



IT environments at primary and secondary schools are complex and full of security gaps, leaving them more vulnerable to attacks such as ransomware and crypto-miners, according to an analysis of 1,200 schools in the US and Canada.
The analysis, conducted by managed security services provider Absolute and released this week, found that the typical school in North America has to manage hundreds of versions of applications across dozens of operating-system builds. Overall, the company found more than 250 versions of major OSes — such as Windows, Mac, Linux, and ChromeOS — and 137,000 unique versions of applications installed on devices managed by the 1,200 schools. 
School districts IT teams are hard-pressed to manage such complex environments, says Josh Mayfield, director of security strategy at Absolute. Ransomware attacks against US school systems surged by more than 30% in 2019, driven in part by the difficulty that overworked IT teams have in securing the complex environments, he says.
The amount of tech complexity in K-12 environments is overwhelming, as their attack surfaces have grown by several orders of magnitude, he says. In this new reality, there are too many tangles and limited visibility, leaving gaps open to exploit and space for attackers to camp out, which has set the stage for ransomware.
With knowledgeable security professionals in short supply and technology proliferating in school systems, the cybersecurity picture for schools continue to grow darker. In the first nine months of 2019, the number of security incidents at K-12 schools jumped to 160, exceeding the number of incidents in all of 2018 by 30%, according to Absolutes accounting of public data. 
Schools are now the second largest group of victims, behind municipalities,
according to cloud security services firm Armor
.
Due to the volume of device types, operating systems, and applications, managing and patching devices is a huge challenge,
Absolutes report stated
. The potential impact of this cannot be overstated.
The education sector has always been hard-pressed to protect its networks and systems. School districts reliance on public funds means low salaries for IT and IT security workers. Education also relies on the open sharing of information, making stringent security measures not generally possible. 
Little wonder, then, that the educational sector as a whole has
received failing grades
from ratings firms.
Most school districts — 53% — rely on the default patch management and client controls that ship with the chosen devices and operating systems. But such utilities and controls have a 56% failure rate, with more than a third of devices requiring at least one repair a month, Absolute found.
Each time that situation arises ... it means that the agent not only failed, but that it failed repeatedly due to ... complexity and decay ... with other tools foreclosing access to machine resources, Mayfield says.
Rather than add security, each layer of security often added complexity to the detriment of the overall security of the organization, Absolute stated in the report. 
[E]very additional security tool only increases the probability of failure as agents and controls conflict with one another on the endpoint, the report stated.
Students also cause significant complexities for IT administrators and security teams. Unlike workers who have an incentive to follow the rules of IT security, students are often incentivized to get around controls and are often more tech-savvy than teachers.
The report found that 42% of students use virtual private networking (VPN) software or Web proxies to get around security controls. Absolute found 319 such applications and services across the 1,200 schools in its dataset. 
Even if K-12 organizations accounted for the complexity and bolted on maximum strength defenses, they still are left with rogue students swinging open the door to attack and industrious users who simply disable controls, Mayfield says. 
Students often do not understand the consequences — or are not concerned — when they circumvent security measures. Yet more education is not the answer, he says.
Turn it into a game. Teach them what attackers do, test them on practical examples, and give each of them a sense of achievement when they win, Mayfield says. Let them know what villains may try to do, and challenge them to step up and help stop them. Make them the hero of the cyber-resilience story.
Related Content:
Back to School? Not So Fast, Cybercriminals Say
No Quick Fix for Security-Worker Shortfall
University Networks Become Fertile Ground for Cryptomining
72% of Educational Institutions Lack Designated InfoSec Staff
Education Gets an F for Cybersecurity
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
How the City of Angels Is Tackling Cyber Devilry


Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Complex Environments Cause Schools to Struggle for Passing Security Grade