Bach Seat

Cloud services and data-management systems are multiplying in the edu market. Schools, districts, and states are using online networks to store student data such as records PII, medical records, attendance, and grades. Putting all of this data online is scary enough, these systems are designed to allow parents (and attackers) to get to data from a home PC.

More convenient for teachers and parents

Education Week explains that the switch to online data is often more convenient for teachers and parents. But these changes can also make state agencies, districts, and schools vulnerable to cyber attacks. The author cites the August 2013 DDoS attack on the Kentucky Department of Education’s statewide Infinite Campus information network as a precursor of things to come. The Kentucky agency was able to fight off the DDoS attack before any data was compromised but school DDoS attacks are occurring more often as they get easier to execute. David Couch the Kentucky Department of Education’s chief information officer said.

What I understand from what I’ve seen is that [DDoS attacks are] a commonality now … I think most organizations have to add to their tool suite a way to detect them.

Online attacks

GCN reports another edu DDoS attack. This one is on OnCourse Systems for Education a SaaS that provides software services to K-12 schools. The firm became the victim of UDP flood from Germany and the Netherlands. The firm tried to fly under the radar, Mark Yelcick, chief technology officer and partner at OnCourse said.

This was the first DDoS attack at OnCourse, and we never thought that we would be a target … There’s no money or assets to be gained by attacking an SaaS provider of K-12 educational systems. We felt that the firewall, intrusion protection and DDoS protection from our data center provider would be enough.

In order to turn back the tide of rouge packets, OnCourse brought in Prolexic. Prolexic has solutions tailored for the education market. The company engaged its emergency services, routing traffic through Prolexic’s 1.5 Tbps cloud-based DDoS mitigation platform and stopping the attacks. CTO Yelcick said, “We simply cannot afford downtime brought about by a DDoS attack.”

Because DDoS attacks can target any IP address, it’s impossible to completely prevent them, so for districts and the companies that offer data management services, the focus is on battling these attacks as they come.

“We have to be prepared and understand the environment that we are operating in so we’re prepared to address these issues as they come up,” says Infinite Campus CEO Eric Creighton, the victim of the Kentucky DDoS attack.

Attackers are after student PII

Part of predicting and combating cyber attacks is understanding why people order these attacks in the first place. When the target is a network that stores student grades and attendance information, the immediate thought is that a student is responsible. However, Mr. Creighton says that students rarely attempt attacks and, in his experience, have never succeeded.

“I don’t think these are attacks attempting to get data … There’s no jackpot of valuable data –there’s no payload here.” CEO Creighton may be spinning the results. rb- I wrote about schools collecting and losing PII here.

One reason that schools and districts are targeted is that their systems are designed for convenient access. Easy access for parents and teachers, makes for easier targets. Marcus Rogers, a professor, and chair of the cyber forensics program at Purdue University told Education Week.

For a lot of these attacks, the intended victim or goal is something bigger than the school. Obviously schools want to protect their data, but the bigger threat is when they use those networks now to go out and attack a power plant or a stock exchange or an air traffic control systems. That’s when the stakes go up.

Caused by a BYOD device

Kentucky education officials believe that the attack on their systems was triggered by a beacon. They hypothesize that a beacon was unknowingly placed on a student’s mobile device, which he or she took with them to school. Viruses can cause a device to send out a beacon, instructing thousands of other devices to attack the network the device is connected to. In Kentucky, officials say that this won’t stop individual districts from implementing bring-your-own-device programs. However, schools can decrease the chances of an attack by making sure that these student devices are properly protected according to Education Week. CIO Couch believes schools will start to protect themselves.

I think what you’re going to see is districts making sure that before people plug into their network they have up-to-date, good virus protection … I think you’ll start to see that in K-12.”

Purdue’s Rogers says that even when schools know best practices for avoiding and combating attacks, such measures are often cost-prohibitive. “A lot of times the schools know what to do, but at the end of the day if they’re trying to get library books, a firewall is not going to be their big concern.”

Related articles

• DDoS as a distraction: The one-two cyberpunch (pando.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.