Districts can fight against lateral phishing emails that lead to ransomware attacks
A recent CoSN survey, The State of EdTech Leadership 2021, found that cybersecurity and student data privacy are the top two technology priorities for education IT teams. What the survey doesn’t discuss is that many cyber threats district leaders are facing today come from school cloud ransomware attacks.
Cloud technology has spread rapidly, especially after the pandemic sent many students home for remote learning. CoSN finds that 91% of districts use cloud-based learning from providers such as Google and Microsoft. This means that a large amount of valuable data is being stored in these applications, making school cloud ransomware one of the greatest, yet least understood, cyber threats to districts today.
Lateral phishing is one of several ransomware early warning signs that you should be on the lookout for to protect your district. Detecting lateral phishing activity can help you avoid a Microsoft 365 or Google cloud ransomware attack that will cost your district time and money, and potentially even close down classrooms and remote learning.
What is School Cloud Ransomware?
Ransomware attacks that start in the cloud are becoming so frequent that there’s even a new name for them, RansomCloud. While the healthcare industry has historically been the biggest target of ransomware, last year the FBI reported that 57% of the reported ransomware attacks were against K-12 schools.
Ransomware in the cloud is K-12’s least understood threat vector. Schools have a large amount of data, some of which is sensitive, personally identifiable, financial, and/or protected health information, in cloud-based drives and shared drives like Google Drive, OneDrive, and SharePoint. That means that threats no longer stop at the perimeter and relying on firewalls or web content filters isn’t effective against cloud threats.
Another harmful and pervasive cybersecurity myth is that your cloud providers are going to protect your data in their applications for you. In reality, your agreements with Google and/or Microsoft use a shared responsibility model. This means the provider is responsible for securing its own infrastructure, so that customers don't suffer downtime from an equipment failure or an intrusion into the application infrastructure. However, you are responsible for protecting your own data, which includes protecting it from cyberattacks.
Third-party apps represent another K-12 ransomware risk and are another type of "RansomCloud" attack that is gaining popularity with cybercriminals. If hackers can compromise a third-party app, they can gain a foothold in the cloud systems of many different schools at one time through the OAuth credentials those schools have granted to the app. This is a big reason why school vendor security is so important to securing district data.
There are a number of ways schools can work to control third-party app ransomware threats, using tactics such as enforcing an approved app list and using app control tools to automate sanctioning and unsanctioning of those apps.
How are School Cloud Ransomware and Lateral Phishing Related?
A phishing email is one that looks like it comes from a reputable source, but it’s actually sent from cybercriminals. Lateral phishing describes a situation where a cybercriminal gains access to the email account of a trusted person in your district, and then sends phishing emails from that account.
A lateral phishing email can be difficult to spot, both for people and for traditional email security tools. The reason is that the email comes from a real account that the recipient (and the phishing filter) wouldn't typically question. Cybercriminals have also become more sophisticated, so the emails aren't usually full of grammatical errors and ridiculous requests.
The purpose of a lateral phishing email is to ask the recipient to click on a malicious link in the email, download a malicious file, or provide information that the hacker can use to break into other accounts.
Lateral phishing emails can also be used to trick the recipient into revealing sensitive information that would allow a hacker to access your cloud apps. These account takeovers can spread rapidly to many accounts in a district, which makes stopping them even more difficult.
Once a successful lateral phishing campaign is launched, a ransomware attack will probably soon follow. You can learn more about how lateral phishing detection works by watching this short demo video.
5 Tips for Protecting Your District from School Ransomware and Lateral Phishing Threats
School district IT teams need all the help they can get to protect their districts from school ransomware and lateral phishing threats. Here are five school ransomware protection tips you can use to do just that.
- Set up account login activity monitoring to catch suspicious login activity that may be the result of an account takeover.
- Treat internal emails the same way as external emails, doing the same kind of monitoring that will uncover lateral phishing emails.
- Set up internal file scanning to detect shared files that contain malware.
- Use automatic controls to find and disable unapproved third-party apps.
- Adopt a zero trust cybersecurity mindset, which will support the first four tips. Secure your data by assuming that all activity is not trusted, whether it is internal or external. Assume you need to withhold trust and verify all activity.
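The first two tips above (login activity monitoring and treating internal mail with the same suspicion as external mail) can be expressed as simple detection rules. The script below is an added example written for this article, not code from the original page or from any vendor's product. The audit records, the district domain example-district.org, the user names and the thresholds are all constructed for illustration; a real deployment would read the equivalent fields from the Google Workspace or Microsoft 365 audit logs and tune the thresholds to the district's own baseline.

```python
"""Heuristic detection of account takeover and lateral phishing over audit events.

All records below are constructed sample data in a made-up schema; they are not
real logs and the field names are not any vendor's audit-log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN = "example-district.org"  # constructed district domain

# Constructed login audit records: one record per login attempt.
LOGIN_EVENTS = [
    {"user": f"j.smith@{DOMAIN}", "ts": "2021-09-01T07:55:00", "country": "US", "ok": True},
    {"user": f"j.smith@{DOMAIN}", "ts": "2021-09-01T08:20:00", "country": "RO", "ok": True},
    {"user": f"a.lee@{DOMAIN}", "ts": "2021-09-01T08:00:00", "country": "US", "ok": True},
    {"user": f"a.lee@{DOMAIN}", "ts": "2021-09-01T16:30:00", "country": "US", "ok": True},
] + [
    # Five failed attempts followed by a success: a password-guessing indicator.
    {"user": f"p.ortiz@{DOMAIN}", "ts": f"2021-09-01T02:1{m}:00", "country": "US", "ok": m == 5}
    for m in range(6)
]

# Constructed outbound-mail audit records: one record per message sent.
MAIL_EVENTS = [
    # j.smith's account suddenly sends link-bearing mail to 30 distinct staff accounts.
    {"sender": f"j.smith@{DOMAIN}", "ts": f"2021-09-01T08:{25 + 5 * i}:00",
     "recipients": [f"staff{n}@{DOMAIN}" for n in range(10 * i, 10 * i + 10)],
     "has_link": True}
    for i in range(3)
] + [
    # Normal behaviour: one internal message with a link to a single colleague.
    {"sender": f"a.lee@{DOMAIN}", "ts": "2021-09-01T09:00:00",
     "recipients": [f"b.kim@{DOMAIN}"], "has_link": True},
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def find_login_anomalies(events, travel_window=timedelta(hours=1), fail_threshold=5):
    """Return (user, reason) pairs for two login patterns worth a look:
    a success right after a burst of failures, and two successful logins from
    different countries inside a window too short for real travel."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        last_ok, fails = None, 0
        for e in evs:
            if not e["ok"]:
                fails += 1
                continue
            if fails >= fail_threshold:
                findings.append((user, f"success after {fails} failed logins"))
            fails = 0
            if (last_ok and e["country"] != last_ok["country"]
                    and _t(e["ts"]) - _t(last_ok["ts"]) <= travel_window):
                findings.append((user, f"logins from {last_ok['country']} and "
                                       f"{e['country']} within {travel_window}"))
            last_ok = e
    return findings


def find_lateral_phishing(events, window=timedelta(hours=1), recipient_threshold=20):
    """Return (sender, reason) pairs for internal senders whose link-bearing mail
    reaches an unusually large number of distinct internal recipients in one window.
    Internal mail is scored exactly like external mail would be (tip 2)."""
    findings = []
    by_sender = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["sender"].endswith("@" + DOMAIN) and e["has_link"]:
            by_sender[e["sender"]].append(e)
    for sender, evs in by_sender.items():
        for i, start in enumerate(evs):
            reached = set()
            for e in evs[i:]:
                if _t(e["ts"]) - _t(start["ts"]) > window:
                    break
                reached.update(r for r in e["recipients"] if r.endswith("@" + DOMAIN))
            if len(reached) >= recipient_threshold:
                findings.append((sender, f"{len(reached)} internal recipients of "
                                         f"link-bearing mail within {window}"))
                break
    return findings


def correlate(login_findings, mail_findings):
    """Accounts flagged by both detectors: the strongest takeover signal here."""
    return {u for u, _ in login_findings} & {s for s, _ in mail_findings}


if __name__ == "__main__":
    logins = find_login_anomalies(LOGIN_EVENTS)
    mail = find_lateral_phishing(MAIL_EVENTS)
    for user, reason in logins + mail:
        print(f"{user}: {reason}")
    print("likely compromised:", sorted(correlate(logins, mail)))
```

The two detectors are deliberately independent so that either can fire on its own, but an account that trips both (an odd login followed by a burst of link-bearing internal mail) is the one to disable first. The recipient and failure thresholds are placeholders; a district should set them from its own normal sending and login patterns rather than copying these values.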
There are many other things you can do to protect your district. The participants in our recent panel discussion identified some excellent school ransomware protection tips. They talked about the importance of maintaining 24/7 K-12 cybersecurity monitoring and detection, establishing a written data use policy, managing third-party vendors, and implementing an automated response system.