Back-to-School Cybersecurity

the staff of the Ridgewood blog

Ridgewood NJ, around this time each year, students, faculty, parents, and guardians across New Jersey prepare for the beginning of a new academic school year. Similar to last year, the 2021-2022 school year will be unlike those prior to the COVID-19 pandemic. While remote learning may not be as integral in all school districts this year, the continued use of technology in school and at home still presents significant cybersecurity challenges. The education sector continues to be one of the most targeted sectors by cyber threat actors who take advantage of the distracted or unaware user base, potentially unpatched systems and applications, and vulnerable networks in order to collect sensitive data, deliver malware, pilfer monetary funds, and launch ransomware attacks. It is vital for students, teachers, parents, and guardians to maintain an awareness of current cyber threats and employ best practices to increase their resiliency and prevent victimization. Educational institutions are also highly encouraged to review the “Achieving Cyber Resilience: Free Resources for K-12 Schools” document and corresponding webinar recording for information on cybersecurity best practices and featured presentations from the NJCCIC, CISA, MS-ISAC, and FBI on the free resources available via their respective organizations.

Device Security

Many devices with different operating systems and configurations will be exposed to numerous risks when connected to resources and networks at home and in public settings, and then reintroduced to the academic institution’s network. These devices include desktops, laptops, tablets, mobile devices, and internet-of-things (IoT) products. These systems can provide threat actors with additional attack vectors to connect to networks, infect other devices, and exfiltrate data.

Below are some general device cybersecurity best practices:

Use approved resources and platforms. Use only approved resources and platforms for academic communications to ensure they are trusted and secure.

Keep hardware and software, including mobile device operating systems and applications, up to date. Keeping programs up to date ensures they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data.

Run an updated anti-virus/anti-malware program. Keeping these programs up to date ensures they contain the latest signatures and data necessary to identify malicious software and processes.

Check privacy and security settings. Checking these settings will help manage your cyber risk and limit how and with whom you share information.

Set up parental controls. Setting up parental controls allows the ability to control privacy and usage, content filtering, and location and monitoring settings to ensure internet use is safe and secure.

Secure physical devices. Safeguard devices and ensure a password/passcode or biometric authentication is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen, or USB or external device is inserted.

Cover and/or disconnect your camera when not in use. Covering or disconnecting your webcam and microphone when class is not in session prevents malware from taking control of your camera to spy on you and your surroundings. Additionally, when the camera is in use, ensure no sensitive information is visible.

Backup devices. Protect your schoolwork and information from malware, hardware failure, damage, loss, or theft by making multiple copies and storing them offline.

Implement protective technologies. With remote learning, IT departments are advised to implement endpoint detection and response software, web content filtering software, host-based firewalls, device and file encryption, and keep devices updated with the latest security patches.

Email Security

Email is a commonly used method of communication in academic institutions, and it is important to be vigilant about what is clicked on, downloaded, and transmitted, especially with the increase in social engineering tactics and spoofed domains. Threat actors may send phishing emails that appear to be from a trusted classmate, teacher, or colleague, and contain attachments or links that, if clicked, attempt to install malware or direct the target to a spoofed website to steal credentials or other sensitive information. Stolen credentials could then be used to send “trusted” emails to others in the academic institution to further compromise accounts or infect systems and networks with ransomware or other malware.

Below are some general email best practices:

Identify common red flags. Suspicious emails may contain external email tags but purport to come from internal sources, grammatical and spelling errors, oddly placed upper and lower-case letters, incorrect or missing signature blocks or company logos, or words uncommonly used in everyday communications. Any request for the purchase of gift cards should be met with suspicion.

When in doubt, throw it out: If a message or a request looks suspicious or is “too good to be true,” delete it.

Refrain from taking action, such as clicking links or opening attachments, on any emails received from unknown senders. Links and attachments delivered in emails are the most common tactics used by threat actors to deliver malware to end user devices.

Confirm the legitimacy of emails from known senders that request sensitive information by contacting the sender via a separate means of communication. Threat actors often employ email spoofing to impersonate legitimate and known individuals and academic institutions to convince targets to take a desired action that would compromise their device, data, or account.

Say “no” to macros. If a file is accidentally downloaded, refrain from enabling macros or content as this is often a technique used to deliver malware.

Verify domain names. Hover your mouse over the link to verify the URL before clicking or, instead, manually type the URL directly into the address bar of your browser. Once the website’s legitimacy is confirmed, bookmark the page when needed.
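For IT staff who want to automate the hover check described above, the following added example (not from the NJCCIC guidance) flags links whose visible text names one host while the link goes to another, and links that leave an approved list. The domain names, the approved list, and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain; None for plain text like 'click here'."""
    value = value.strip()
    if "." not in value or any(c.isspace() for c in value):
        return None
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None

def is_approved(host, approved):
    """Exact match or true subdomain; the dot boundary defeats suffix lookalikes."""
    return any(host == a or host.endswith("." + a) for a in approved)

def review_links(html_body, approved):
    """Return (href, reason) for each link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif target is None or not is_approved(target, approved):
            findings.append((href, f"destination {target} is not approved"))
    return findings

# Constructed sample body; .example and .test are reserved, non-routable names.
SAMPLE = """<a href="https://portal.school.example/grades">portal.school.example</a>
<a href="https://portal.school.example.lookalike.test/login">https://portal.school.example/login</a>
<a href="https://files.lookalike.test/syllabus">Download the syllabus</a>"""
```

Calling `review_links(SAMPLE, {"school.example"})` passes the first link and reports the other two.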

Account Security

Account credentials—username and password—are the keys to the kingdom and the primary target of many threat actors. Cloud service accounts, such as Microsoft Office 365 and Google’s G Suite, allow users to access email and documents, which contain critical applications and sensitive data. If an account is compromised via credential theft or data breach, threat actors have the opportunity (absent MFA) to gain unauthorized access that allows them to further compromise accounts and systems, thus increasing the attack surface significantly. Examples include launching internal attacks, sending malware through email to students or teachers, stealing additional credentials, and accessing and stealing data from other applications in the cloud service. Although multi-factor authentication (MFA) may seem like an inconvenient step in addition to account credentials, it is an important one—not only to protect an individual account, but also the community at large.

Below are some general account best practices:

Refrain from sharing login credentials or other sensitive information. Login credentials and other sensitive information should not be shared with anyone or saved on your computer or cloud storage platforms. If requested, consult a parent or guardian first before sharing.

Keep account credentials safe. Keep a list that is stored in a safe, secure place offline and away from your computer, or use a service like a password manager to keep track of your passwords.

Use unique, complex passwords for all accounts. Having unique passwords for each account prevents password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.

Enable MFA where available. MFA is the use of two or more factors in order to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed.

Update passwords immediately following a data breach or potential compromise. Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change exposed passwords for every account that uses it to protect against account compromise.

Use the NJCCIC instructional guides to implement security and privacy controls for Android, Facebook, Google, Instagram, and Twitter, and configure similar settings on all other accounts. Tightening security and privacy settings will help to prevent account compromise and the unintended sharing of sensitive information and photos.

Review and apply recommendations found in the NJCCIC post How Big is Your Footprint. The smaller your digital footprint, the less publicly-accessible information is available for threat actors to more effectively target you.

Invest in security awareness training. Invest the time, money, and resources to ensure students, faculty, parents, guardians, and IT professionals understand risks, the latest cyber threats, and best practices. The NJCCIC is available by request to provide Outreach Presentations to inform users on current cyber threats and associated recommendations and best practices.
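The breach check recommended above can be done without disclosing the password: Have I Been Pwned's Pwned Passwords range lookup takes only the first five characters of the password's SHA-1 hash and returns candidate suffixes to compare locally. This added example (not from the NJCCIC guidance) implements the client side offline; `fake_range`, the account names, and the breach count are constructed stand-ins for the real service and real data.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in breach data; 0 means not found.

    fetch_range(prefix) returns the response text. It is injected so the
    example runs offline; a real client would request the range endpoint.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def accounts_to_change(accounts, fetch_range):
    """Every account using an exposed password, so all of them get changed."""
    return sorted(name for name, pw in accounts.items()
                  if breach_count(pw, fetch_range) > 0)

def fake_range(prefix):
    """Constructed stand-in for the service: knows one exposed password and
    always includes a padding row with count 0, which must not count as a hit."""
    known_prefix, known_suffix = split_hash("password")
    rows = ["0" * 35 + ":0"]
    if prefix == known_prefix:
        rows.append(f"{known_suffix}:12345")  # constructed count
    return "\r\n".join(rows)

# Constructed accounts: two reuse the same exposed password.
ACCOUNTS = {
    "school-email": "password",
    "learning-portal": "password",
    "bank": "correct horse battery staple",
}
```

Because the same exposed password is reused, `accounts_to_change(ACCOUNTS, fake_range)` returns both `learning-portal` and `school-email`.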
