How Ever-Worsening Malware Attacks Threaten Student Data

For as long as there have been Internet users, there have been Internet abusers: cybercriminals who are out to steal victims’ information through any means possible.

While the years have taught us that we probably shouldn’t hand over our bank account info to a questionable Nigerian prince, no amount of experience can prepare us for the overwhelming number of malware attacks seen today.

Kaspersky Lab reports that over the course of 2015, more than 34 percent of users’ computers fell victim to one or more web attacks. A Trend Micro article from March claims the company blocked upwards of 52 billion attacks last year. And Dell’s annual threat report states that from 2014 to 2015, there was a 73 percent jump in unique malware samples.

In other words, the threat landscape is not looking good — especially for schools, which have a large number of end users who are inexperienced in the ways of cybersecurity.

Attacked on All Sides

For K–12 IT professionals attempting to guard against cyberattacks, diligence is key. The massive amount of student data maintained by schools and districts presents itself as a prime target for cybercriminals who have a variety of web- and email-based attacks at their disposal.

Some Blackboard Learning users, for example, were targeted by a clever phishing scheme that asked them to click a link in the body of the email in order to unlock time-sensitive messages from their faculty administrator. The malicious URL likely installed malware that would then spread to other computers on the network.

Web-based attacks, such as malvertising, are also inducing major headaches among K–12 IT staff. That’s because malicious advertising can appear on any site — even a legitimate, student-focused one, such as Thesaurus.com — and doesn’t require the victim to click anything; just viewing the ad can initiate the malware download.

What’s even scarier is that these attacks are becoming more pervasive: RiskIQ reports that the number of malicious ads jumped 260 percent between the first half of 2014 and the same period in 2015. And according to a recent Computerworld article, some cybercriminals have learned to shield their malvertisements from the probing eyes of ad networks and security professionals out to thwart their schemes.

So What’s the Worst That Could Happen?

Schools and districts that fall victim to malvertising could be in for real trouble. Cybercriminals are using this increasingly popular form of attack to deliver ransomware to victims’ computers. After spreading through the local network, ransomware can encrypt a school’s files and require a hefty payment in return for their release.

According to CNN Money, Horry County School District lived this nightmare in February, when administrators and IT staff had to decide whether to pay $10,000 worth of Bitcoins to hackers who were holding their files hostage. In the end, the South Carolina district chose to pony up the money, which may seem like the wrong move but is actually the FBI’s recommended course of action in these situations.

Next Steps for Securing School Data

While the threat of ransomware is daunting, K–12 IT professionals can help close the door on attacks by making sure that school and district computers use only the latest versions of major browsers, which have controls designed to block malware. Disabling Flash and Java plugins can also reduce vulnerabilities.

Beyond those basic defense tactics, schools and districts can choose to undergo a third-party security risk assessment to detect system vulnerabilities. IT professionals can then team up with experienced technology partners who have the skills and resources to plug security holes and provide school administrators, staff and students with some much-appreciated peace of mind.