Responding to Potential and Successful Cyber-Attacks Against US Schools - Part 1
Ransomware Attacks & Password ManagementWritten by Tom Neuschafer, D.Ed. on Friday, 06 May 2022.
In December of 2021 my school district suffered a cyber-attack. For us, this was an entirely new type of crisis to cope with. However, we learned that this is a phenomenon that many public-school district’s in the United States have experienced, are currently experiencing, and are likely to experience going forward (Klein, 2022a).
The attack on our district was a ransomeware attack. This type of cyber-attack is one in which the perpetrator gains access to your system and then locks you out of your own data (Goldsborough, 2016). Through the process of recovering from the attack, we learned that coverage for ransomeware attacks is now an integral part of many school district insurance policies.
Organizations that are locked out of their data often decide to pay the ransom rather than loose the data. In our case, specifics about the attack were restricted, and so we (the teachers) primarily learned what we did about the attack by making observations.
While cyber-attacks are a more recent occurrence for public school districts, cyber-attacks and ransomeware attacks have been occurring, in general, for the past decade. This causes one to wonder what has led to the increase in attacks on districts, specifically. The answer requires us to examine the changes school districts have undergone in order to meet the needs of students during the Covid-19 pandemic (Klein, 2022b). Simply put, the initial shutdown of school districts and subsequent periodic shutdowns required districts and their teachers to teach students remotely. Previously, learning activities occurred in schools themselves. Even when online activities occurred, they occurred within the networks of the district. The expansion into remote learning has greatly expanded the networks used to access district learning spaces, such as a district’s Learning Management System, which teachers use to distribute assignments and collect and grade submissions. This has made the district and its members significantly more prone to cyber-attacks.
Once one gains a broad understanding of the situation, one might feel powerless to prevent a cyber-attack. While it is true that there are limitations to what individual district members can do to prevent such an attack, there are still clear actions one can take.
To begin with, individuals can be careful not to succumb to a phishing scam. Such scams have been an ongoing problem since well before the pandemic. A phishing scam is an attempt to get a user to divulge sensitive information such as a password, or to get a user to download a file which can be used as a tool to conduct a cyber-attack on the user’s system (Thomas, 2018). If one is careful not to divulge sensitive information, or download items from contacts one does not know, a cyber-attack can be avoided. Teachers can learn to detect the signs of a phishing scam, and pass on that knowledge to their students.
The next action one can take is to effectively manage their account passwords (Szumski, 2018). Developing, deploying, and maintaining a fleet of highly effective passwords is one of the most important elements of cyber security, and is primarily in the hands of the individual. In order to be highly effective, a password should be 15 characters in length and contain characters beyond lower case letters, such as uppercase letters, numbers, and other punctuation and symbols. Passwords should be updated regularly. Once a year is sufficient.
Proper password creation, updating, and management is severely lacking among many teachers. The lack of appropriate password creation and management practices makes password management an important topic for teachers and students to focus on (Richardson, 2020). It is understandable that the average person does not follow ideal practices. Doing so can be time consuming and tedious. If done manually, by creating passwords from one’s mind when needed for a new account and writing them down on various pieces of available paper, the task of creating and maintaining a fleet of viable passwords seems, and often is, unmanageable. However, the advent of password managers has made what previously seemed undoable quite doable.
A password manager has four (4) primary functions which allow users to efficiently and effectively create and manage passwords as they work. As you will see, these four functions not only ensure that each user is employing ideal password management practices, but is also increasing the work speed of that user.
Save Passwords as You Create Them
Once you set up an account with a password manager and create a long, memorable password, it will become the only password you will need to remember. After sign-up, you will be prompted to install both (A) a web browser extension provided by the password management company via the browser’s extension store and (B) an app for your cell phone, again, provided by the company via the phone maker’s app store. You will log in to both the extension and app with your password manager credentials. From that point on, each time you create a new password for a new account, the manager will ask you if you want to add the newly created password to your vault, and you will say yes.
Generate Passwords When You Need New Ones
When people are prompted to create a new password, they often choose very simple passwords and re-use existing passwords since they already know them by heart. Rather than continuing with this habit, people can now rely on the extension or app to generate and enter new passwords for them. In the example of the web browser extension, you click on the extension’s icon (often in the upper right-hand corner) and select the option that allows you to generate a password. The plugin will then create a password for you. You can adjust the parameters as needed. This includes the password length, and what types of characters you want included (lower-case letters, capitalized, letters, numbers, symbols, etc.). Being able to adjust the parameters is useful because different accounts have different password requirements. Once the password is generated you can click a button that fills the password in for you, or copy and paste it. Save updated passwords as they are created In addition to saving passwords as they are created and generating new passwords as needed, password managers also recognize when you are updating a password for an account already in your password vault. They are able to do this because when they saves the initial password, they log the URLs of the pages you create the passwords on. This enables the managers to recognize the websites later when you return to them. When updating a password in a web browser, the plugin will ask you, via a pop-up prompt, if you would like to update a password in your vault. A similar prompt appears on the app.
Provide Feedback on the Strength of Your Security
Once your fleet of passwords has been saved in your password vault, it would be well worth your time to visit the security section of your password manager. This is most likely to be found within your password vault, which can generally be accessed via the web browser plugin, app, or via the password company’s website. The security section can show information that will allow you to address any gaps in your security. The system will highlight accounts that use the same password as another account. This will prompt you to visit the account in question, and change the password using the methods described above. The system will also show you when a password is considered to be too weak. For example, it may be too short, or too simple. Finally, the system will note when a password you are using has been involved in a security breach, again, prompting you to change the password. I recently saw this feature in-action. My school district password was saved in my password vault, and the system noted that it had been involved in a breach (which I knew was accurate).
While the features and processes I have described should be generalizable to any password manager, I use LastPass. This is the company and service I have pictured when describing ideal password management. I have no affiliation with LastPass, nor do I receive any incentives for naming them. I have simply used their service for over five (5) years and can speak to the quality of its product and service. LastPass offers both free and paid subscriptions. With a free subscription, LastPass allows you to use the service in either the web browser or on your cell phone, but not both. I subscribed to the free version for several years, as I used LastPass exclusively on the computer. I upgraded to the paid version two years ago so that I could also use the app to my cell phone. I tend to use more and more apps, and it is convenient to have my passwords (which are now long and complicated) automatically filled into apps. An example of how that would be helpful is if you needed to log into your Hulu streaming account to activate the service on a Roku. The paid subscription (called Premium) costs $40 per year as of March 2022.