Gone are the days when no one cared about the Internet, devices, and data of K-12 institutions. For one reason or another, attacks on K-12 infrastructure and data have become rampant and lucrative for bad actors. The habit of treating information technology in K-12 educational institutions as a second- or third-tier function has recently been replaced by a renewed urgency to upgrade both its defenses and structure.
There are some basic security functions that all K-12 institutions must perform to cover the three structures of security. The structures are as follows: physical security (this includes the firewall), management of users, and continual maintenance of a secure backup infrastructure.
Myriad Internet-connected devices may need to be upgraded, updated, or patched to ensure that they meet industry standards and best practices. The responsibility of the K-12 educational institution is to make the physical hardware unavailable to bad actors. Patching or updating the applications that run on the physical hardware is one way to protect the infrastructure of the institution.
Another aspect of physical security is the physical storage space itself. The closets in which the routers, switches, and UPSs are stored need to be out of reach of visitors. The main server room and supplementary rooms should be kept locked to prevent bad actors or unauthorized persons from accessing the hardware within them. Access control mechanisms should be put in place to determine the level of security access that users have. Installing and monitoring a secured camera system goes a long way toward ensuring the physical security of the institution's IT systems. Cameras can provide information on who enters the building, server room, or IT closets.
Continuing within the structure of physical security, let us discuss firewalls. A firewall's purpose is to control the traffic allowed in and out of the network. Therefore, those who manage K-12 firewalls must ensure that outdated or ineffective firewalls are not placed along the edge of the network. It is also important that all firewall software is kept updated and that the logs are read as often as possible to identify vulnerabilities and activity. These are just a few basic IT hygiene practices that could help secure the IT infrastructure of K-12 educational institutions.
Teachers, students, and school administrators also have an important role to play in preventing attacks on K-12 infrastructure. All user accounts must have unique and complex passwords. Users must not use the same password across multiple applications, as this makes it easier for attackers to access accounts with one compromised password. To help users secure their accounts, all major user accounts must have Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) enabled. MFA and 2FA limit the unfettered access that attackers may gain to user accounts, since access has to be verified using either a phone or a token. Users must do everything possible to protect their accounts, especially if the accounts have elevated privileges.
Users should also be made aware of phishing and scam emails as those could be used to gain access to educational institutions’ data and infrastructure. Specific training must be set up to ensure that users can identify and report phishing emails. Social engineering is another area that could pose problems to the infrastructure and data of K-12 educational institutions. Teaching the users to use caution when clicking on links sent through emails and other means is a good security hygiene method to keep the IT infrastructure of K-12 educational institutions both secure and safe. Clicking on deceptive links can potentially provide a hacker access to sensitive data or a secured part of the network.
Whenever possible, K-12 educational institutions should encourage their vendors and partners to use Virtual Private Networks (VPNs) rather than remote desktops. A VPN provides security to the network infrastructure and confidentiality to the data. The encrypted tunnel that a VPN uses makes it possible for data to be safely transferred between the user and the internal network of the educational institution. Attackers are unable to access the data traversing the network even if the remote user's Internet Service Provider is not the same as the one being used by the K-12 educational institution.
But what can be done before an attack occurs? It is always a good idea to have a secure backup system in place as a safety precaution. Secure backup systems give K-12 educational institutions the ability to restore their systems and data if they are attacked. When using secure backups, educational institutions need to ensure that their backups are constantly being tested. These tests will verify that the backups can actually be restored and will help ensure the confidentiality, integrity, and availability of their data.
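One way to automate the restore test described above, as an added example that is not part of the original article: the backup step records a SHA-256 hash of every file, and the test restores the archive into a scratch directory and compares each restored file against that record. The archive format (gzip-compressed tar), the JSON manifest, and all file and function names are assumptions made for the illustration.

```python
import hashlib, json, tarfile, tempfile, zlib
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive, manifest):
    """Archive src_dir and record a SHA-256 per file, taken from the live data."""
    src, hashes = Path(src_dir), {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(manifest).write_text(json.dumps(hashes, indent=2))
    return hashes

def restore_test(archive, manifest):
    """Restore into a scratch directory and compare each file to the manifest.
    Returns a list of problems; an empty list means the restore verified."""
    expected = json.loads(Path(manifest).read_text())
    # Use tarfile's safe extraction filter where this Python version has it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        root = Path(scratch)
        restored = {p.relative_to(root).as_posix(): sha256_file(p)
                    for p in root.rglob("*") if p.is_file()}
    problems = [f"missing: {n}" for n in sorted(expected) if n not in restored]
    problems += [f"hash mismatch: {n}" for n in sorted(expected)
                 if n in restored and restored[n] != expected[n]]
    return problems

if __name__ == "__main__":
    # Constructed sample data standing in for a real file share.
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "share"); src.mkdir()
        (src / "roster.csv").write_text("id,name\n1,Sample Student\n")
        make_backup(src, Path(work, "b.tar.gz"), Path(work, "b.json"))
        print(restore_test(Path(work, "b.tar.gz"), Path(work, "b.json")) or "restore verified")
```

Storing the manifest separately from the archive, and running the test on a schedule, means a truncated, corrupted, or incomplete backup is found before it is needed for recovery.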
It is critical for all users of the infrastructure in the K-12 educational ecosystem to play their part to ensure the security of the network, devices, and data both at rest and in motion. Being on the lookout for phishing, unauthorized access and vulnerabilities related to unpatched devices or software could potentially prevent downtime and data loss. The work we do is important to the growth and success of our students. We must not let bad actors interrupt our daily operations in destructive or demoralizing ways.
Author: Dr. Tony K. Harvey, Chief Technology Officer, MSD of Wayne Township (IN)
Cybersecurity Advisory Committee Member
Published on: November 8, 2022
CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.