Identity Management Tools Guard Districts Against Credential Stuffing
One common, hard-to-catch security threat when it comes to cloud applications — and cloud access in general — is credential stuffing.
When users choose the same password for multiple websites and applications, they create vulnerabilities. It’s common for people, including school administrators and students, to reuse passwords. However, when a network is breached, cybercriminals steal and sell the names, email addresses, passwords and any other information they’ve acquired. Users who reuse their passwords for nonschool sites — such as Target or T-Mobile — might use that same password to access their institution’s cloud applications and on-premises systems. Unfortunately, credential stuffing ultimately puts the entire school at risk. Here’s how it works.
There are databases of stolen usernames, passwords, corresponding personal identifiable information, security questions and answers for password reset, and other data collected from users — all for sale to bad actors. Once they have this stolen information, they can use it to target a specific school or schools.
The hacker then chooses a stolen record and creates a targeted plan, using information from public resources such as LinkedIn, Twitter or even a school’s website to find where a K–12 administrator works. From there, they will exploit the stolen password using credential stuffing to attack the system and wreak havoc. A persistent threat actor will often create programs or scripts to try the password on a recurring basis to circumvent password history and age policies the institution has set.
The best protections against credential stuffing are identity and access management tools such as multifactor authentication and single sign-on. Enforcing strict password policies outside of the institution is unrealistic. IAM solutions provide added security to keep districts safe from credential stuffing by providing an extra layer of security that cannot be stuffed.
Cloud Application Protections for Data and Student Mental Health
A cloud access security broker is another protection district leaders can implement. A CASB works like a middleman between the users and the cloud. It creates visibility and control into cloud platforms so the institution can ensure the policies they set on-premises are also being followed in their cloud environments.
This tool can also handle the encryption of sensitive data, perform data loss prevention and much more. For example, if a user — or an attacker using stuffed credentials — attempts to share vulnerable data, such as a Social Security number, the CASB would alert an administrator to review the data before sharing it.
CASBs are used in various industries’ IT environments, though K–12 has unique use cases and considerations when it comes to security. iBoss and ManagedMethods are two CASB providers specific to K–12 education, where school administrators often need to worry about student self-harm and cyberbullying.
A school-specific CASB will alert admins if students look up or write in their cloud files anything that indicates the potential for harm to themselves or others. This gives educators and school leaders better insights into students’ mental health, something a pharmacy or manufacturing company’s CASB wouldn’t necessarily provide.
This article is part of the “ConnectIT: Bridging the Gap Between Education and Technology” series. Please join the discussion on Twitter by using the #ConnectIT hashtag.