Is This the Blind Spot in K-12 Cybersecurity and Student Privacy?

…and is runZero the key to fixing this problem?

Recently, Infosecurity Magazine published a report on the skyrocketing number of vulnerabilities in Internet of Things devices, which give bad actors a way into networks. The terms Internet of Things (IoT) and Operational Technology (OT) have come to encompass pretty much anything that doesn't have a screen and a keyboard: security cameras and recorders, printers, routers, HVAC controls, home automation systems, badge readers, vape sensors, voice over IP phones, and more. Many of these devices cannot be centrally managed the way staff and student devices are.

Forescout Technologies reports that education is the second-most at-risk industry in terms of attack surface. Their report is worth a glance.

Courtesy Forescout Technologies

Some of the key points as to why schools are particularly at risk, based on our work:

  • Schools tend to have very large numbers of OT/IoT devices, such as TVs, video systems, VoIP phones, security cameras, access control systems and extensive, complex wireless infrastructure.
  • Devices that humans do not "touch" daily are often forgotten about until they are broken. It is difficult to ensure the "invisible" devices are updated regularly, when it is a challenge just to keep student and staff laptops operating daily.
  • Refresh rates on many devices are often far too long. Politicians and leaders prioritize new shiny things that they can take credit for; very little love is given to leaders that just maintain a previous leader's technology initiatives.
  • Schools often have very open networks, with students bringing multiple devices on campus daily.
  • School networks are rarely segmented properly. Ideally, educational systems should be segmented from guests, which should in turn be segmented from embedded systems.
  • School technology departments are often drastically understaffed relative to their IT footprint.

Fortunately, North Carolina provides access to an amazing network asset discovery and enumeration tool called runZero, at no cost to any public school in the state. runZero enables schools to see all devices that are (or have been) on their network, even devices that are there without permission or against school policy. In a single dashboard, schools can perform queries and analysis with visibility into virtually every device that is on the network.

Some examples of the types of queries and questions we can answer with runZero include:

  • Show all the devices with Windows XP (yes, they still exist in schools)
  • Show all the printers that have telnet enabled (yes, still happens)
  • Are there any security cameras on my network that are not part of our security system?
  • Show all the devices that have an OS that will be end of life in the next three months
  • Show all the devices that are on the federal government's "do not buy list"
  • When was the last time the Chromebook with x MAC address was on campus? And who was the last person that logged into it?
  • What was the last school at which this laptop was online?
  • Show all the devices that are visible from the public side of the firewall
  • Show all the machines running RDP
  • How many devices do we have with CVE x?
  • Are there any rogue APs on my network?
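
To make a few of these questions concrete, here is an added example (not code from the original article and not runZero's query language or export format) that runs five of the checks over a small constructed inventory. The CSV column names, the sample devices, the dates and the approved-camera list are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. Column names are assumptions, not a runZero schema;
# "ExampleOS 9" and its end-of-life date are invented for the example.
SAMPLE_CSV = """address,mac,type,os,os_eol,tcp_ports
10.1.4.20,00:11:22:33:44:01,desktop,Windows XP,2014-04-08,135;445;3389
10.1.7.15,00:11:22:33:44:02,printer,Embedded Linux,,23;80;9100
10.1.7.16,00:11:22:33:44:03,printer,Embedded Linux,,80;443;9100
10.1.9.30,00:11:22:33:44:04,ip camera,Embedded Linux,,80;554
10.1.9.31,00:11:22:33:44:05,ip camera,Embedded Linux,,80;554
10.1.2.50,00:11:22:33:44:06,server,ExampleOS 9,2024-07-01,443;3389
10.1.2.51,00:11:22:33:44:07,laptop,ChromeOS,2027-06-01,
"""

# Cameras registered in the school's security system (constructed allowlist).
APPROVED_CAMERA_MACS = {"00:11:22:33:44:04"}

def load_assets(text):
    """Parse the CSV into dicts with a set of open TCP ports and an optional EOL date."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ports"] = {int(p) for p in row["tcp_ports"].split(";") if p}
        row["eol"] = date.fromisoformat(row["os_eol"]) if row["os_eol"] else None
        assets.append(row)
    return assets

def audit(assets, today, eol_window_days=90):
    """Return {check name: [addresses]} for each inventory question."""
    horizon = today + timedelta(days=eol_window_days)  # roughly "the next three months"
    checks = {
        "windows_xp": lambda a: "windows xp" in a["os"].lower(),
        # Default ports only: telnet or RDP moved to another port is not caught here.
        "printer_telnet": lambda a: a["type"] == "printer" and 23 in a["ports"],
        "rdp_listening": lambda a: 3389 in a["ports"],
        "os_eol_soon": lambda a: a["eol"] is not None and today <= a["eol"] <= horizon,
        "unregistered_camera": lambda a: a["type"] == "ip camera"
        and a["mac"] not in APPROVED_CAMERA_MACS,
    }
    return {name: [a["address"] for a in assets if test(a)] for name, test in checks.items()}

if __name__ == "__main__":
    for name, hits in audit(load_assets(SAMPLE_CSV), today=date(2024, 5, 1)).items():
        print(f"{name}: {hits or 'none'}")
```
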

Additionally, runZero catalogs screenshots for the login/banner for all devices that it finds. This is particularly helpful for quickly finding strange things that should probably not be running on the school network, or at least not broadly available.

runZero has published an outstanding report. I encourage every IT leader to download it and share it with their teams. Are you sure you don't have any internet-connected aquarium pumps on your network?

You cannot secure your network until you know everything that is on it. In a K-12 environment this is a particularly challenging problem. North Carolina has done an amazing job providing leadership for their schools to improve cybersecurity. What has your state done? Write in the comments please.

#k12technology #education #educationPolicy #runZero #IoTsecurity #OTsecurity #cybersecurity #caasm 

Noel Pineda

Information Technology

4w

Great article! It's interesting how our K-12 schools still use legacy systems, leaving them vulnerable to attacks. Also, the lack of staff relative to the technology demand is subpar, providing attackers with a significant attack surface, making K-12 perfect for ransomware attacks.

Laura Rodgers

Cultivating the North Carolina Cybersecurity Ecosystem

1mo

Is runZero available for small businesses to use? I'm always on the lookout for affordable cybersecurity products and services that I can recommend - particularly to small defense contractors.

Willie Harris Jr.

Cybersecurity Analyst | NCSU College of Engineering, Class of 2024 | Computer Science, Cybersecurity Concentration | PGP Fingerprint: 42CF 431F 67DA 1A0A 2990 CCEF 7774 2E15 E6F0 119B

1mo

Great article! I'd also like to emphasize the importance of being able to monitor the schools' networks. runZero has been significant in patching recently found vulnerabilities. These vulnerabilities have resulted in major exploits in areas where the attack surface was previously overlooked. Within the K-12 system, attacks were thwarted because of the early and easy detection enabled by these tools.

Tony Quadros

Helping enterprises propel their application security programs by reducing the noise of traditional toolsets #appseclumberjack #owaspmaine

1mo

Great write-up, Ray Zeisz! It was a pleasure working with you and Samuel Carter during this initial project, and so glad to see the schools are still getting value from the technology.

Andrew Belfi

Cyber Security Executive at Infoblox

1mo

DNS can help immensely in this scenario, as there are tools that do real-time DNS protective services.
