Educational institutions have long been a data goldmine because of the sensitive student information they collect and store. Beyond personal information such as addresses, health records and payment details, these institutions often run massive network systems across multiple campuses, with thousands of students and staff connecting to their online portals. To drive the point home, a Bangalore-based ed-tech start-up, Unacademy, recently suffered a major security breach, with the details of over 22 million users put up for sale on the dark web. Global data from the past year shows that this industry saw phishing attacks in 28 percent of breaches and hacking via stolen credentials in 23 percent of breaches. According to Verizon’s Data Breach Investigations Report 2020, educational services performed poorly at reporting phishing attacks, losing critical response time for the victim organizations.
In the education sector, the top three patterns are ‘everything else’, ‘miscellaneous errors’, and ‘web applications’ and they alone represent 81 percent of the 228 breaches that we covered in DBIR (Data Breach Investigations Report) 2020. Phishing dominates the everything else pattern by a comfortable margin, not unlike many other industries. However, the educational services sector stands out by also getting a failing grade in phishing reporting practices. Of all industries, according to our non-incident data, only 24 percent of organizations had any phishing reporting at all, and none of them had at least 50 percent of the emails reported in phishing awareness when your organization is being targeted. If they don’t report it, you miss out on your early warning systems.
Ashish Thapar
Managing Principal & Head - APJ Region
Verizon Business Group
Similarly, the prevalence of the ‘web applications’ pattern is mostly because of the use of stolen creds on cloud email accounts. Although we cannot say this is the organizations’ fault, according to our non-incident data analysis, education services had the longest number of days in a year – 28 – where they had credential dumps run against them. The global median here is eight days. The overall number of credentials attempted is also one of the highest of all industries we analyzed for this year’s report.
Outside of these two patterns (everything else and web applications), sadly, the news is still not great. Ransomware is really taking hold of education vertical incidents, and has been responsible for 80 percent of the malware-related incidents, up from 48 percent last year. All of those ransomware cases have also played a role in the increase we have seen in financially motivated incidents for the past two years.
According to our analysis, one additional concern in this sector is the fact that this is the only industry where malware distribution to victims was more common via websites than email. This information doesn’t really seem to make sense until you consider malware being distributed via unmonitored e-mail (such as personal mail accounts from students on bring-your-own devices connected to shared networks), and all of those infections obviously endanger the larger organization.
This year, we’ve aligned our findings with the CSCs (Center for Internet Security Critical Security Controls) to provide you with a way to translate DBIR data into your security efforts. The 2020 Data Breach Investigations Report offers critical insights into today’s cybersecurity landscape. Findings are based on extensive data – the DBIR team analyzed 32,002 security incidents, including 3,950 confirmed breaches, from 81 countries around the world.
Relevant CSCs for the Education Sector:
Continuous Vulnerability Management (CSC 3): Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfigurations.
Secure Configuration (CSC 5 and CSC 11): Ensure and verify that systems are configured with only the services and access needed to achieve their function.
Email and Web Browser Protection (CSC 7): Lock down browsers and email clients to give your users a fighting chance when facing the Wild West that we call the internet.
Limitation and Control of Network Ports, Protocols and Services (CSC 9): Understand what services and ports should be exposed on your systems, and limit access to those.
Boundary Protection (CSC 12): Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
Data Protection (CSC 13): Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
Account Monitoring (CSC 16): Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
Implement a Security Awareness and Training Program (CSC 17): Educate your users, both on malicious attackers and on accidental breaches.