Third-party apps are an often overlooked and misunderstood factor in ransomware protection
K-12 Cybersecurity Resource Center’s third annual The State of K-12 Cybersecurity 2020 Year in Review reported a total of 49 publicly disclosed ransomware incidents impacting K-12 schools in the United States in 2020. It’s another stat in an ever-concerning trend in cybersecurity incidents impacting schools, students, and their communities as a whole.
To be clear, at this time, there is scant data available on the source of the ransomware or the specific data systems impacted by each incident. But it is a folly to think that your cloud data storage is somehow protected from ransomware attacks.
Here, we’ll review why ransomware in the cloud is a growing threat and how third-party apps can contribute to the problem. Then, we’ll discuss six tips that will help you control third-party app ransomware threats.
Ransomware Threats in the Cloud
You may already know that ransomware in the cloud is a growing problem. Ransomware attacks have hit school districts including one of the largest districts in the country, Broward County in Florida, and smaller districts like the Athens ISD in East Texas.
The attacks have cost districts time and money. Even if they don’t pay the ransom, they need to pay for professional help to counteract the attack. Not to mention the immense amount of time and resources that internal staff needs to spend during and after an incident.
Further, in several cases, in-class and remote learning classes were interrupted for a week or more due to a school ransomware attack.
Why Third-Party Apps are Popular Targets
Hackers know that gaining access to third-party apps is easier than penetrating your district’s defenses. They also know that once they have access to third-party apps, they can use that as a foothold to spread their attack. It can be an efficient way for them to gain access once and reap the benefits of demanding ransom from many organizations.
Third-party apps are also handy targets because people often use OAuth to login to an app. Users like to use OAuth because they can use their credentials from another system to login, which saves them from needing to remember one more login.
The problem is that OAuth risks can occur because hackers have learned to create apps that mimic trusted apps and therefore are granted permissions such as access to email. There have also been incidents of hackers being able to effectively “hijack” a legitimate app’s OAuth connection. Once that happens, you’re faced with account takeover risks and more.
You Need to Lead the Fight Against Third-Party App Ransomware Threats
Third party apps are one of the key threat vectors that you need to fight yourself. Research shows that malware attacks on Android devices are increasing.
Some district leaders still believe that their cloud storage is protected by the vendor. But, the truth is that with the shared responsibility model that vendors like Google and Microsoft use, those vendors are only responsible for preventing failed software and hardware from interrupting service. You are responsible for protecting your systems from ransomware attacks, data loss, and other types of data security incidents.
Incidents like Google cloud ransomware attacks can be devastating, and it’s your responsibility to stop the attack and recover from it if it does occur.
6 Tips for Controlling Third-Party App Ransomware Threats
Here are six tips you can use now to protect your district from ransomware threats:
1. Don’t Allow Users to Connect Personal Apps to School Accounts
An internet search reveals many articles telling users how to do things like connect work and personal apps, combine personal and work profiles, and check personal email while staying logged in to work software. You need to make it clear that these actions aren’t allowed.
2. Enforce an Approved/Sanctioned App List
You know which apps you’ve already tested and verified for safety. Keep that list updated and only allow those apps to connect to user accounts.
3. Create a Process for Approving New Apps
The latest cybersecurity report by the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center found that “For the second calendar year running, at least 75 percent of all data breach incidents affecting U.S. public K-12 school districts were the result of security incidents involving school district vendors and other partners.”
That should be enough motivation to take the time to develop a process for evaluating new apps that are requested by students, teachers, or staff. No app should be authorized for use unless it has passed your review process.
4. Never Install an App from an Unauthorized App Website
No one in your community should ever install an app from an unauthorized app website. Not even just this once. You’ll need to educate your community about why the rule is in place, and the importance of following it.
5. Consider App Control Tools
Automated tools can make controlling apps much easier and less time consuming. As a result, your level of security will increase. For example, a tool can be used to automate sanctioning and unsanctioning third-party apps, which will help an already overburdened IT department.
6. Use Detection Technology to Prevent Account Takeovers
You can identify attacks sooner with the right detection technology to spot account takeover behavior and other anomalous behaviors that could signal an attack.
The EdTech Vendor Security & Compliance Evaluation Checklist
Third-party apps are very useful for classroom learning and school administration. But there are legitimate concerns about student data privacy and third party apps. These apps can pose real threats to data privacy and security if they are not properly managed and monitored.
To assist you in fighting things like third-party app ransomware threats, we have developed a checklist that allows you to review a set of evaluation standards for EdTech apps and outline your own requirements for approving third-party apps. It’s a valuable tool to help you in meeting your responsibility for protecting student data and avoiding costly data breaches.