[BreachExchange] Saved By The Bell? Insecure Student Devices Must Be Addressed

Destry Winant destry at riskbasedsecurity.com
Tue Aug 18 09:45:26 EDT 2020


In March, the 2019-20 school year ended abruptly for many school districts
due to COVID-19. Teachers and parents tried to pivot, conducting virtual
classes in order to make the best of a very bad situation. Unfortunately,
for many schools it turned out to be quite a struggle just to figure out
what technology to use. Even the choice of which video conferencing
platform to use quickly led to frustration for teachers and parents as
they were forced to deal with security issues such as Zoombombing.

Now, a new recipe for a cyber security disaster is brewing and may be
served up to our children in the next couple of weeks. Across the nation,
students, parents, and educators are preparing for another school year
unlike any we’ve seen before. Some districts are opening their doors to
welcome students back, while many others will be relying on remote learning.

While schools have worked hard to overcome the challenges of remote
learning, there is a lurking issue that has received little attention: how
to secure the millions of laptops, Chromebooks, and iPads that were
previously distributed, or recently provided to children, to support the
remote learning process. The 2020-21 school year may usher in a flood of
vulnerable devices that could potentially compromise home and school
networks alike.

No More Pencils and No More Books (For Now)

Faced with limited options for in-person schooling, many districts have
opted to provide their students with devices in order to meet their
educational needs. Chromebooks and tablets are popular choices for
elementary school children, with more powerful Windows or Apple laptops
being put in the hands of many secondary and high school students.

For students who previously had a Windows laptop provisioned, many school
districts partnered with IT vendors to reconfigure the laptops to support
the new year. This primarily included enabling webcams (previously turned
off for privacy concerns) in order to optimize engagement and remote
learning for students and teachers in 2020-21.

USER ≠ ADMINISTRATOR

When schools “give” a device to a student it is typically loaned equipment,
managed to some extent by the school (either directly or via a vendor) that
provided the hardware. For Windows laptops, it usually means that
administrator rights are removed from the device before it’s handed over to
the student. That’s an important security control to have in place. It
doesn’t take much imagination to see that it is not a good idea to grant
students admin rights on any computer owned by the school and connected to
the school network. However, when administrative rights are removed, this
means that only school IT staff can install new software, which is a good
thing, but it also means only the school IT staff or their vendor can
install critical security updates.

When laptops and devices are managed this way at schools (or corporations
for that matter), they only check to see if there are any updates required
when connecting directly to the school network (or via a VPN). If there are
security updates available, those patches will be pushed to the laptop for
installation and then a reboot occurs to ensure they are applied.

Considering students have not been physically in schools since March, they
have not been able to connect their laptops to the school’s network. As a
result, there is a high likelihood that the laptops have not been patched
for security issues in months. The end result: over the next few weeks
thousands of student devices vulnerable to attack could be coming back
online, connecting to home and school networks with no simple options for
pushing critical patches.

While this issue may not apply to all school districts across the nation,
many educators may not be aware that they are potentially facing the
daunting task of patching student machines that may be woefully behind on
critical security updates.

Student Laptop Technical Review

Risk Based Security recently conducted a preliminary technical risk
assessment on a Windows laptop distributed by a secondary school for the
2019-20 school year. Immediately after boot up it was determined that
Windows security patches had not been applied since February 2020.


Our suspicions on how the Windows laptop was being managed were further
confirmed when we tried to manually update the laptop. Automatic updates
are turned off, and it is not possible for students or parents to force the
laptop to update.
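
As an added example (not part of the original article or any Risk Based
Security tooling), school IT staff could run the following read-only
PowerShell on a loaned Windows laptop to report how old its newest installed
update is and whether policy disables automatic updates or points the device
at an internal update server. The 30-day threshold, and the assumption that
the restriction is set through the standard Windows Update policy registry
keys, are illustrative.

```powershell
# Added example: read-only audit of patch recency and Windows Update policy.
# Assumption: 30 days is the maximum acceptable patch age (not from the article).
$MaxPatchAgeDays = 30

function Get-PatchAgeReport {
    param([int]$MaxAgeDays = $MaxPatchAgeDays)

    # Get-HotFix lists updates recorded in Win32_QuickFixEngineering.
    # InstalledOn can be empty for some entries, so filter those out.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if (-not $latest) {
        # No dated update found at all: treat as stale.
        return [pscustomobject]@{
            LatestHotFix = $null; InstalledOn = $null; AgeDays = $null; Stale = $true
        }
    }

    $age = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    [pscustomobject]@{
        LatestHotFix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        AgeDays      = $age
        Stale        = ($age -gt $MaxAgeDays)
    }
}

function Get-UpdatePolicyReport {
    # Standard Group Policy locations for Windows Update settings.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $wuProps = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AutoUpdateDisabled = ($auProps.NoAutoUpdate -eq 1)  # automatic updates off
        UsesInternalServer = ($auProps.UseWUServer -eq 1)   # updates come from WUServer only
        UpdateServer       = $wuProps.WUServer              # empty if not configured
    }
}

$patch  = Get-PatchAgeReport
$policy = Get-UpdatePolicyReport
$patch  | Format-List
$policy | Format-List

# The combination described in the article: old patches plus no way to update off-network.
if ($patch.Stale -and ($policy.AutoUpdateDisabled -or $policy.UsesInternalServer)) {
    Write-Warning "Device is behind on patches and cannot update itself away from the managed network."
}
```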


Further analysis showed that other software such as Java, Adobe Reader,
Adobe Flash and Adobe Shockwave Player (yes, for security professionals,
you read that right: an end of life product, with a very poor security
track record is installed) were also running out-of-date versions with
known vulnerabilities. Even though February seems like yesterday, there
have been close to 900 new vulnerabilities involving Microsoft products
alone. Two recent vulnerabilities are especially concerning as they are
being actively exploited by malicious actors. Another patch, confirmed
missing from the reviewed laptop, fixed a security flaw that allowed
attackers to gain a backdoor into the system even after the machine is
updated. These three vulnerabilities alone can lead to a full compromise of
a Microsoft Windows system, and one is wormable, meaning that it can easily
spread.

When we saw the lack of up-to-date security patches, we were immediately
concerned – especially when discovering that updating the laptop manually
was not an option. This means that parents and students have to rely on the
school districts to ensure that these devices are properly maintained.

WHAT COULD GO WRONG?

In a word, plenty. If your child’s school device becomes compromised by a
“hacker”, there are a multitude of potentially damaging outcomes such as:


   1. A hacker could potentially access the student laptop and then use the
   device’s webcam to spy on your child and family. With many families
   repurposing bedrooms as makeshift learning environments this becomes even
   more concerning.
   2. Malware designed to steal computing resources, like cryptocurrency
   miners, could degrade performance to the point where the laptop could no
   longer function effectively.
   3. A compromised student device could be used as a launching pad to get
   into other family computers or sensitive data.
   4. Taking that a step further, the compromised student device could
   potentially provide an avenue for attackers to gain access to corporate
   machines connected to the same home network for work-from-home situations.
   5. With so many vulnerable student devices across the country, it could
   lead to a very large botnet used to conduct denial of service activities.


And the potential issues don’t end there…

Where Do We Go From Here?

In defense of school districts, very few organizations were planning for
the long term effects of this global pandemic. So it makes sense that a
routine patching strategy for remotely located devices isn’t fully in
place. Many heavily-funded corporations with substantial Information
Security and IT staff have struggled with managing so many remote machines
so quickly. Unfortunately, based on the school laptop review, it seems that
the patching strategy prior to the end of the 2019-20 school year left room
for improvement. Although cyber security issues such as vulnerability and
patch management are understandably challenging for school districts, this
is a highly concerning and unacceptable situation for our children and for
the networks they could ultimately expose to exploitation.

It’s no secret that children will use their laptops for non-school related
activities. If your child’s device is anything like the laptop we examined,
that device has little chance of fending off recent attacks currently in
circulation. Without the proper updates and patching, that device is
essentially a wide open door to your home network. You can hope that no one
notices, but if someone wants to walk through it, they can.

Hackers will target anything that they believe to be vulnerable, especially
so if there is a chance they can turn a profit from it. Back in April 2020,
a data breach involving 25 California school districts was reported, where
attackers stole student usernames, email addresses, names, and home
addresses. If an attacker cannot sell the data, they may simply release the
data on the dark web for free, or possibly leverage access to the school
network to launch a crippling ransomware attack like the recent incident at
Athens ISD.

At Risk Based Security we take coordinated disclosure of security issues
very seriously. We spent a great deal of time debating the best way to
handle the disclosure of the laptop situation outlined above. We contacted
the school district that issued the reviewed laptop and provided details of
our findings. We even offered to assist with addressing the situation.
Considering that many schools are starting the new 2020-21 school year, we
have made the decision to publish this research with the hope of raising
awareness for school districts and parents. Time is very short for affected
districts to make the necessary updates, especially so if laptops need to
be brought on-site, or have fixes coordinated with outside vendors. It’s no
easy task, and it will likely take a considerable effort to implement.

WHAT SCHOOL DISTRICTS CAN DO

There will likely be tens of millions of school-provided devices being used
by students across the country this year. From our limited research so far
there is a mix of school-issued laptops, consisting of Google Chromebooks
as well as traditional Apple and Windows devices. If the Windows laptops
are anything like those we have already come in contact with, there is work
that needs to be done.

We recommend school administrators consider the following as a starting
point:


   - Determine your school’s cyber security risks and create a security
   improvement plan
      - It is important to specifically ask your IT staff or vendor about
      the issues outlined in this post. Consider asking questions like “how
      are we ensuring the laptops we’ve provided are safe for students,” and
      “what is the process for maintaining the security of these devices
      throughout the year?” It is important to carry the conversation
      further and ask about other potential security risks facing the
      school.
   - Patching catchup and on-going remote strategy implementation
      - For starters, school provided devices must have the latest security
      updates applied – especially so for laptops running Microsoft Windows.
      Older machines need to be updated, and a plan needs to be in place for
      new devices that are being deployed.
      - The traditional “managed” approach most likely won’t work if the
      Windows or Apple laptops need to be directly connected to the internal
      school network to update.
   - Secure web browser
      - The majority of remote learning applications rely on using a web
      browser for access, so ensuring browser security is a critical first
      step.
      - For Windows laptops we recommend using Google Chrome or Microsoft
      Edge (the Chromium version). We do not recommend using the older
      Microsoft Edge (the EdgeHTML version) or legacy Internet Explorer.
      - Secure configuration (also called security hardening) is important
      as well as proper web filtering.
   - Ensure Virus and Threat protection is enabled.
      - Antivirus or Endpoint protection is very important and should be
      implemented on all devices (and yes, this means Apple products too).
      - Chromebooks have it built-in. Microsoft ships Windows with Virus and
      Threat protection (previously called Defender).
      - It is even more important to ensure that whatever solution is in
      place for your particular device is current, and is configured to
      update new protection signatures regularly.
   - Provide cyber security awareness training for students
      - The first week back will no doubt be a challenge, and just getting
      the new technology to work is top priority.
      - We recommend that training be provided, and made mandatory for all
      students, to ensure they understand the issues they may face in the
      2020-21 year.
   - Consider cyber insurance
      - Data breaches can be expensive, and liability for insecure devices
      is highly debated. Solid cyber insurance can substantially reduce the
      financial pain of an incident.
      - Shopping around and consulting with a specialist can help ensure you
      get good coverage at a fair price.


WHAT YOU CAN DO AS A PARENT

For starters, as parents we need to remain calm, but in the case of cyber
security we must always be vigilant. The main issue with unpatched Windows
laptops may not even apply to your children’s school district. However,
cyber security, and what is described as good cyber hygiene, should be a
focus for the entire 2020-21 school year. Without it, remote learning can
be quickly derailed.


We recommend parents consider the following as a starting point:

   - Don’t wait, review your children’s laptops and devices as soon as
   possible
      - Make sure that it has been recently updated with the latest security
      measures. Here are some links with the steps to do this for Windows,
      Apple, and Google Chromebooks.
      - If you see that provided devices are not able to be updated, please
      contact your school. Reminder, educators are working hard to make sure
      they are prepared for teaching your children. Please be kind when
      raising yet another issue they must address!
   - Review your home network
      - Confirm your router is up-to-date and any default passwords are
      removed.
      - Confirm that you have a firewall installed and turned on, either
      from your Internet Service Provider, or on your router.
   - Consider Chromebooks
      - If you have an old Windows laptop, and you have the ability, we
      recommend you consider a Chromebook as your next purchase.
      - Chromebooks have security built-in and are quite easy to maintain
      securely.
      - This doesn’t mean that Apple or Windows laptops are bad and
      shouldn’t be used. But for non-technical people they can be viewed as
      more of a challenge to maintain. Older operating systems such as
      Windows XP and Windows 7 should not be used.
   - Speak with your children about online risks
      - As a parent, talk with your child so that they are aware of the
      issues, and encourage them to use their school-provided device
      exclusively for school.
      - In particular, your child needs to understand and be wary of
      possible malicious links.
   - Understand your risks at home, and potentially to your employer
      - Make sure that your work-related devices are also up to date and
      that sensitive company data is not easily accessible.
      - Reach out to your employer if you have concerns, they should be able
      to assist.

Working Together To Secure Our Schools

While the single device we examined belongs to a single school district,
from conversations with other security experts and parents we believe that
this is just one example of the cyber security issues plaguing school
districts across the United States. We are by no means placing all the
blame on the schools. School districts commonly struggle with small budgets
and staffing shortages, which have been amplified by the current pandemic.
To make matters worse, while the federal CARES Act helped secure additional
supplies, it does not provide any funding for beefing up cyber security.

We understand that school districts are basically on their own to “figure
things out”, including the cyber security issues that they face for the
2020-21 school year. It is a tremendous task and extremely important that
we work together to ensure that the upcoming school year is a success for
our children.

At Risk Based Security we want to help, and here are our current plans:


   - We will continue communication with the school district that issued
   the laptop we reviewed and provide assistance as appropriate.
   - We want to provide school districts free access to our YourCISO
   product. We are in the process of reconfiguring the Security Health Check
   to be focused on what school districts should assess, as they are getting
   back to school. If your district is interested, we encourage you to reach
   out to us directly. No strings attached.
   - We are aiming to publish a security training and awareness
   presentation that school districts can freely use. We also have aspirations
   to record the presentation and publish for usage.
   - We are working to collect existing material and links to other
   resources that may help school districts with cyber security training and
   content to address other issues.


School districts and parents need to be aware of the recent vulnerabilities
and patching concerns that were highlighted in this post. Let’s make sure
that together, our children’s privacy and security are protected.

If you have any additional thoughts or ideas on how we can further help, or
you would like to help produce material or assist, please let us know!