Arthur T Knackerbracket has processed the following story:
If we were to draw an infosec Venn diagram, with one circle representing "sensitive info that attackers would want to steal" and the other "limited resources plus difficult-to-secure IT environments," education would sit in the overlap.
Schools – including K-12, colleges, and universities – store health and medical records, data belonging to minors, financial information, sensitive research, AI training models and other proprietary IP. At the same time, they are famously understaffed (with the exception of some well-heeled private institutions) and underfunded – especially when it comes to IT and security.
Their network users include students – some as young as five years old – teachers and professors, doctors and patients, food service workers, janitors, staff, and visitors.
Plus, educational facilities and campuses have to secure IT environments that span both legacy and modern systems, covering everything from payment processing systems to medical equipment as well as personal phones, computers, and gaming consoles.
Every week, the education/research sector faces an average of 2,507 attempted cyber attacks, with everyone from nation-state groups to ransomware gangs and other financially motivated criminals putting schools in their crosshairs. That is at least according to Microsoft, which, in its Cyber Signals report published today, warned that Iran and North Korea are among the miscreants targeting schools.
As of the second quarter of 2024, education holds the dubious distinction of being the third most targeted industry, based on analyzed security events, Redmond notes.
[...] One of the ways that criminals are gaining initial access to people and devices in their attacks is by abusing QR codes, which schools and school-adjacent orgs – like parent-teacher associations, campus clubs, sports teams and the like – use on flyers offering information about everything from school fundraisers and financial aid forms to parking passes, band sign-ups, and other events.
"This creates an attractive backdrop for malicious actors to target users who are trying to save time with a quick image scan," according to Microsoft, which spotted more than 15,000 messages with malicious QR codes targeting the education sector every day over the past year.
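The report gives no technical detail on how those QR codes are abused, so here is an added defensive example (not from Microsoft or The Register) of triaging a QR code's decoded payload before anyone follows it: it assumes a scanner has already turned the image into its text payload, and the institution's allow-listed domains and sample payloads are constructed.

```python
"""Triage decoded QR-code payloads from inbound mail or flyers.

Added example: assumes the QR image has already been decoded to text by a
scanner. TRUSTED_DOMAINS and the payloads in the test are constructed values."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of domains the (hypothetical) institution really uses.
TRUSTED_DOMAINS = {"example-university.edu", "pta.example-university.edu"}
# Link shorteners hide the final destination from the person scanning the code.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _edit_distance(a, b):
    # Plain Levenshtein distance, used to catch one- or two-character lookalikes.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_qr_payload(payload):
    """Return the reasons a payload deserves review; an empty list means it passed."""
    reasons = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # mailto:, tel:, sms:, otpauth: and friends are not links to a school page.
        return [f"non-web scheme '{parts.scheme or 'none'}'"]
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        reasons.append("plain http")
    if parts.username is not None:
        reasons.append("credentials embedded before '@' in URL")
    if _is_ip_literal(host):
        reasons.append("IP literal host")
    elif host in SHORTENERS:
        reasons.append("link shortener hides destination")
    elif not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        reasons.append("host outside institution allow-list")
        for d in TRUSTED_DOMAINS:
            if _edit_distance(host, d) <= 2:
                reasons.append(f"lookalike of {d}")
                break
    return reasons
```

Anything that returns a non-empty list should be routed to a human (or a URL sandbox) rather than printed on a flyer or forwarded to parents.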
Universities have their own security challenges. These institutions' leaders effectively act as the "CEOs of healthcare organizations, housing providers, and large financial organizations," according to Redmond.
They are also engaged in federally funded research programs, and work with defense contractors and technology companies – making them prime targets for espionage.
"They may be conducting breakthrough research. They may be working on high-value projects in aerospace, engineering, nuclear science, or other sensitive topics in partnership with multiple government agencies," the report notes.
"For cyber attackers, it can be easier to first compromise somebody in the education sector who has ties to the defense sector and then use that access to more convincingly phish a higher value target."
So, for example, after compromising credentials belonging to a professor or researcher, an attacker could then send an email from a university account to a government official and trick them into disclosing sensitive information.
Unfortunately, there's no easy fix when it comes to education-sector security. It requires a lot of user education for students and staff about best practices, like multifactor authentication (MFA).
(Score: 2, Insightful) by Anonymous Coward on Thursday October 17, @05:30PM (9 children)
Dump MSFT
Use common sense and airgap.
(Score: 4, Insightful) by aafcac on Thursday October 17, @05:48PM (8 children)
More like actually pay for the necessary IT people and gear to secure the stuff properly.
(Score: 3, Insightful) by MostCynical on Thursday October 17, @07:20PM (1 child)
Where do you want the school's money to go?
IT professionals are often (usually?) paid more than teachers.
They can barely afford pens, let alone the teachers. Paying for 'proper' IT is way out of the budget.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Informative) by aafcac on Thursday October 17, @07:35PM
It's also more expensive to hire IT due to competition with private industry. Not to mention that they are in different budgets, and even if you halved the IT budget it likely wouldn't make that much difference.
(Score: 4, Insightful) by Gaaark on Thursday October 17, @08:39PM (2 children)
STOP paying MS big dollars for a crap operating system and put more money into the schools and securing the network. IT investment alone will not solve the issue.
MS products ARE the problem: a LOT of this shit could be stopped by getting rid of them. TCO says "Dump MS products" and invest savings back into the schools.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 0) by Anonymous Coward on Friday October 18, @02:34AM (1 child)
(Score: 2) by aafcac on Friday October 18, @08:55PM
Yes, that was certainly something I saw when interning. They have the chromebooks because we're too far along as a society to not ensure that all the kids learn how to use them. But there's too much of a wealth gap to assume that all of the kids will have proper access to them at home. Which leads to the problem that schools can't get away with having a computer lab, or labs, like they did in the '80s and '90s. The kids need to have access to them more sporadically.
I'm not personally a massive fan of chromebooks, but I own one and for basic computing tasks it's OK. It's also far easier for schools to afford than more fully featured laptops.
(Score: 2) by driverless on Friday October 18, @01:30AM (2 children)
It's an unsolvable problem. Friend of mine works in education IT, where you've got a combination of no money to do anything or pay anyone to do it properly, an environment where a good percentage of the users struggle to log on with a password that passes even the most basic security checks and which is shared everywhere for everything, and the need to access a ton of IT gear set up and run under those two constraints. There is no solution to these problems, no matter how often you click your heels together and say "Ditch MSFT" or whatever other favourite mantra you have.
(Score: 3, Interesting) by aafcac on Friday October 18, @08:53PM (1 child)
Essentially yes, it has a solution, and that solution is to actually pay for the necessary gear and employees to perform whatever is considered to be a required part of the infrastructure and find money to actually pay the teachers and support staff.
The clear reason why that's not likely to happen any time soon is that the interests with the money to make it happen use their clout to avoid paying taxes. So, probably the closest thing we're likely to get for a solution any time soon is massively cutting back the scope of what infrastructure is used, which comes with its own set of problems.
As far as MSFT goes, I remember back in college asking about why they were using MS servers and the answer had a lot to do with the fact that they weren't paying the normal rates that businesses would be paying.
(Score: 2) by canopic jug on Saturday October 19, @01:21PM
As far as MSFT goes, I remember back in college asking about why they were using MS servers and the answer had a lot to do with the fact that they weren't paying the normal rates that businesses would be paying.
Groklaw.net is gone, probably forever, but it used to have PDFs from Plaintiff's Exhibits (PXE) from the Comes v Microsoft case, which itself went offline almost simultaneously with Iowa's folding like a cheap card table^W^W^W^W^W^Wsettling out of court with M$. Several of the documents referred to a slush fund for marketing which went by the acronym EDGI. The fund could be used to drop the prices for m$ licenses very low at educational institutions, sometimes to zero. I'm not sure if they could go negative, but zero was not uncommon. One of the PXEs had a long list of institutions which m$ had successfully crushed using EDGI.
EDGI probably does not exist any more, but the activities have certainly continued and been made all the easier by having embedded sales teams on school property using school staff budgets and posing as "IT" or "support".
Money is not free speech. Elections should not be auctions.
(Score: 3, Troll) by Frosty Piss on Thursday October 17, @05:42PM (1 child)
Schools have become much like the corporate world, top-heavy with "administrators" (PHBs) that believe the path to their own higher compensation is the elimination of staff at the bottom, those people that actually make things happen. Indeed, there are many actual real universities that have outsourced IT to companies run by fellow members of the club. The only real solution is a French Revolution style wholesale purge of these people.
(Score: 1, Informative) by Anonymous Coward on Friday October 18, @08:41AM
Criticizing the administration was a reasonable start, but then your comment turned completely bizarre.
This part of your comment has a lot of truth to it. During my time in academia, I witnessed consolidation of power and the centralization of IT, often in the name of cutting costs. That inevitably came with more restrictions on faculty and how computers could be used. There were multiple attempts to stop faculty from being the administrators of their computers, and that eventually succeeded. Everything was very centralized, with the central IT department having remote control over all computers. It wasn't just mandating antivirus and security software. Although they didn't use Crowdstrike, they had software from another vendor that served a similar purpose and probably poses similar risks. But their remote control meant that IT staff could remotely access the files on every machine on campus, and perhaps eventually on all the campuses in the university system. When I left, there were proposals to restrict where faculty could store data sets, with the goal of forcing them onto "virtual drives" that would presumably be hosted in a Microsoft-based cloud and would be under the control of the central IT department. It hadn't been implemented, but it was clearly in the works.
IT officially supported Mac and Windows systems, though it seemed like they hadn't been openly hostile toward Linux quite yet. Still, it seemed like the writing was on the wall, that Linux systems would eventually be forced to migrate to Mac or Windows, or they would find a way to enforce the same regulations on Linux users. If you were a faculty member who used Linux systems and Linux-only software for your research, it implied an uncertain future for those projects. Some of the old IT staff got reassigned to other duties and seemed skeptical of the new IT policies that were being ushered in.
The administration was implementing this partly because they wanted more control over data because of intellectual property reasons, but they were also terrified of ransomware. The university system had insurance that could pay in the event of a ransomware attack, and they were very concerned that this would make them a more attractive target.
Now, I'm all in favor of mandating software updates, restricting who has access to data because it could be compromised in a phishing attack, and other common sense security measures. I generally supported the idea of mandatory training about computing security, though the actual training session that the IT staff created was pretty much useless, and I don't believe it was effective in educating people about good practices. But giving a central IT department remote access to the configuration and files of virtually every computer on campus seems like a horrible idea. If the IT department is compromised, it's a single point of failure that gives the attacker access to every computer that the IT department can remotely access, and perhaps even assets stored in the cloud like research data sets. Instead of having lots of smaller IT systems around campus and mandating standards for each of those systems, where an intrusion into one would still have a somewhat limited scope, they created a single point of failure. And somehow they thought this was a good idea. Go figure.
But a literal French Revolution style beheading of the administration and IT staff with guillotines is an utterly stupid suggestion. A much better idea is to force universities to prioritize their actual mission (teaching, research, and service) instead of spending billions on constructing new buildings and on athletics. Then replace the career administrators and rotate academics through management positions like deans and even chancellors. Yes, a university system needs someone in charge like a president, but that's really a figurehead position that does stuff like fundraising, and could just be merged into the role of a chancellor. When you have budget cuts, don't spend millions on football coaches and hundreds of millions on stadium renovation. Use common sense, and understand that centralizing things like IT doesn't necessarily mean better efficiency or real cost savings.
(Score: 3, Informative) by VLM on Thursday October 17, @07:30PM
There's a lot of scaremongering about Nation-State level direct attacks, but from talking to my buddy the real world problems are much more like you'd expect:
We're replacing that system next year, no need to "waste money" applying patches this year.
"If the computers/wifi are down then we can't have class, so we have a day off" leads to some mostly physical vandalism. If a student smashes an ethernet switch with a sledgehammer the police will be called. If the same student "snags their hoodie" on the power or ethernet cable, well, no harm no foul, right?
The usual lack of maintenance/backups because they try to assign the same people to fire fighting as to long term support. Normally you'd just restore the backups when that server's drive fails, but we haven't done backups for months because of the enormous ticket backlog. Remember, not fixing some kid's tablet/chromebook is "creating a hostile educational environment" or "violating that student's legally mandatory IEP", but not making server backups is just poor practice, but unavoidable... until the hardware failure or security incident.
(Score: 4, Touché) by pTamok on Thursday October 17, @09:51PM (6 children)
Why do schools need IT anyway?
Generations of schoolchildren have been educated using textbooks, pen (or pencil) and paper and chalkboards. Timetables were worked out manually. Letters were typed. It worked.
Now, I did get some exposure to necessary concepts - like binary representation of numbers, and elementary logic operations (AND, OR, NOT, NAND, XOR) - and we learned some BASIC programming.
Interaction with a teacher in lessons, and written homework seemed to work.
How has the use of IT improved things? Larger class sizes? Better attainments? Happier pupils?
(Score: 0) by Anonymous Coward on Thursday October 17, @11:17PM (2 children)
Started with "No child left behind", absurd compulsory testing, and deciding that STEM is the only thing that matters for the next generation of consumption drones.
(Score: 0) by Anonymous Coward on Friday October 18, @07:50AM
"No child left behind" ==> No child left a dime (FTFY)
(Score: 3, Interesting) by pTamok on Friday October 18, @08:26AM
STEM (in schools) does not require IT.
Neither Newton, nor Einstein used electronic computers for their work. Nor did Euler, or Gauss. Or Mendeleev, or Helmholtz, or Faraday, or Maxwell.
Certainly, if you are at the forefront of research, and need to do a lot of calculations in a short time (e.g. in molecular modelling, fluid dynamics and the like) - but schools are not at the forefront of STEM research, and teach concepts.
I don't see how 'IT' has improved the productivity of schools. Perhaps an education expert can enlighten me on why things are so much better now than they were. Perhaps IT measurably improves the attainment of the less able? I know that school curricula have changed greatly since my youth, but I'd like someone to explain clearly and concisely why they are better, especially with the extensive use of IT. As a grumpy old man, it's not clear to me.
(Score: 2) by aafcac on Saturday October 19, @01:46AM (2 children)
We live in a society where most jobs will involve a computer at some point, even if that's just to apply for the job in the first place.
Technology has been somewhat overemphasized at times in recent memory, but that pretty much always is the case when you've got new ideas coming out without any real way of foreseeing the ultimate solution.
(Score: 1) by pTamok on Saturday October 19, @02:35PM (1 child)
Computers must be awfully complicated if it takes so many years of education to learn how to use them.
...or maybe not, since ease of use is meant to be a thing.
The question remains: does the use of computers in education enhance the productivity of education?
Note that there is a well known problem in economics that the massive investment in computerisation has not shown a corresponding increase in economic productivity. It's called the 'productivity paradox [wikipedia.org]'.
Spending lots of money, time, and resources to achieve the same outputs as previously achieved without the investment by different means is a questionable activity.
This is not me saying things were better in my youth, but given we are educating people for (broadly) the same length of time, I'd expect the benefits of IT to be transparently obvious.
They aren't.
(Score: 2) by aafcac on Saturday October 19, @03:21PM
They were a lot less complicated 20 years ago. But, a couple decades of incompetent UX and various companies intentionally trying to trap customers and here we are. MS is one of the worst in that respect. They created that horrible ribbon interface and they're apparently going to keep it, even though it's objectively terrible. A proficient user of the software wasn't going into all those menus previously, they were using the hotkeys for the stuff they did regularly. The ribbon is just a mess that hides a bunch of features that require a deep dive to find if it's not something you normally use.
You'd be wrong to expect that. The baseline living in society requires a lot more use of computers than it did decades ago. So, you might see a lack of ability with computers, but you won't see expertise standing out the way that it used to. It's the case across many other domains where the standards from 30 or 40 years ago might not even qualify you for an entry level job in many sectors.
(Score: 4, Informative) by looorg on Friday October 18, @08:51AM
It's not only that. It's that they have so many computers. Connected 24-7 to very high bandwidth. Add in all the people that bring their own laptops, phones and other devices to hook up. It's a nightmare in that regard to secure it.
The only good thing, for the IT department, in regards to laptops and smartphones is that they in turn had to get fewer physical computers, desktop machines and computer labs, since the students now bring their own.
But as noted. A whole other nightmare to monitor and be responsible for. Since they have no actual power over the machines in question. At most they can monitor the network traffic but not what you have on the machines.
University IT is like a horrible roman orgy where a few people carry horrible diseases.