Education: the final frontier of authentication

Steven Hope, CEO of Authlogics, explains how authentication can protect the education sector as distance learning spaces are targeted by hackers

Distance learning has made the education industry an ideal target for hackers hoping to exploit bad password practices, and the sector holds exactly the kind of information they need.

Like almost every other discipline and practice on earth, primary, secondary and higher education have been thrown into chaos by the COVID-19 pandemic. Schools, colleges and universities had to adapt quickly to a locked-down world, one that would radically affect the way they impart knowledge to their students. Gone are the 200 classrooms for freshmen and over 30 classes for 9th grade history; they have been replaced with Zoom lectures and virtually set homework.

This new reality for millions of students unfolded at lightning speed as the pandemic accelerated and, in many cases, is sadly expected to continue until the end of 2021. New accounts had to be created at high speed to facilitate this transition, and with the delay of in-person learning, their numbers will only grow. Aside from the logistical issues associated with a distance education environment, the associated security concerns are glaring, especially considering that the education sector is still struggling to achieve adequate cybersecurity, so much so that the NCSC has issued a security warning for educational institutions in the UK. Today, as schools and universities switch to distance or hybrid learning models, the threat remains: these new, vulnerable accounts, along with a lack of visibility, provide an easy entry point for bad actors.

The problem

Each of these students’ accounts must be authenticated, whether they are completing their studies remotely or in person. In the majority of cases, that means using a password, which, human behavior dictates, doesn’t do the job needed to adequately protect an account. A 2019 study conducted by Google and The Harris Poll, for example, found that 52% reuse the same password for multiple accounts (but not all), only 35% use a different password for all accounts, and most shockingly, 13% reuse the same password for all of their accounts.

While the security person in me thinks this is an unacceptable standard of personal security, the surfer in me sympathizes. A 2019 Digital Guardian study suggested that the average Internet user has 90 online accounts that require authentication. Remembering a unique password for each of these accounts is not just an overwhelming prospect, but an utterly unrealistic one. Digital Guardian also found that young people were the worst culprits of password misuse, with 76% of 18-24 year olds reusing them.

In practice, this means that schools, universities and colleges are made vulnerable not only by a compromise of the accounts within their own ecosystem, but also by a compromise of an account that one of their students holds separately. For example, if an account not associated with the institution is compromised, but the user uses the same password for an associated account, the network could still be vulnerable to malicious activity. In fact, a recent study by the UK Department for Digital, Culture, Media and Sport (DCMS) found that a particularly common issue for colleges this year was account compromise, with 21% of colleges breached using this vector.

This should be of particular concern to educational organizations for a multitude of reasons. First, they hold a significant amount of PII (Personally Identifiable Information). A school, for example, may hold addresses, email addresses, business addresses, and other parent information as well as applicable student information. This information can be used not only for traditional cybercrime but also, in the most sinister examples, in ways that represent a child protection issue. To put the value of a target school into perspective, in 2020 alone 58% of secondary schools across the UK were victims of a cyberattack. 2021 wasn’t much different, with various schools targeted by cybercriminals. One of these incidents was experienced by 15 schools in Nova Education Trust, which had to shut down their IT operations, disrupting distance learning processes.

For higher education institutions, the problem is further complicated by the likely presence of payment information for students (or parents) who may have paid fees in advance, or paid for university residences, sports companies or other goods or services, which means even greater motivation for malicious actors to gain a foothold in the network.

In addition, a university’s research components can also make it a “crown jewel” target for cybercriminals. This research could relate to an activity with very high added value: vaccinations against COVID-19 and revolutionary medical or nuclear research, to name but a few. Not only would this cutting-edge research be of extreme interest to a cybercriminal gang who might auction it off to the highest bidder, but it might also be of interest to a hostile nation-state who might fold this research into its own national agenda. This thesis is supported by the NCSC, which published a paper in 2019 that said: “The threat posed to the academic sector is part of the larger context of the threat to the UK as a whole. Over the past two years, the UK government has attributed malicious state-sponsored cyber activities against the UK to Russia, China, North Korea and Iran. There is also a serious and sustained threat to the UK from organized cybercrime.”

The solution

While criminals who target PII will always attempt to gain access to high-value targets such as schools and universities, there are basic standards and best practices that organizations can deploy to ensure that their authentication methods do not provide a gateway. One of these methods is to replace passwords with a pattern-based authentication method, which is much more difficult to replicate and produces a pattern unique to the individual and the individual account, thus eliminating the temptation to reuse a password.

Another method is to deploy a password security management system, which can ensure that your passwords are safe, secure, and comply with the latest regulations. Such a system could help not only secure passwords, but also reduce the problems facing help desk staff and IT teams at educational institutions, many of whom would have been inundated with access issues as the pandemic progressed.

One educational institution that has made drastic changes to its cybersecurity over the past year is King Fahd University of Petroleum and Minerals (KFUPM) in Dhahran. With the increase in phishing attacks and other dangerous cyber threats, the university wanted to protect itself against breaches – especially as it is home to over 800 academic staff and just under 10,000 students, making it an ideal target for threat actors looking to execute password spray attacks or credential stuffing. Beyond the large number of employees and students increasing the likelihood of a breach, KFUPM is one of the leading world-class educational organizations specializing in scientific research. The university stores a wealth of information, both individual data and important information regarding two of the most valuable natural resources: minerals and petroleum. As such, KFUPM wanted to ensure the security of its resources and protect itself from any other imminent cybersecurity threat.

The university has invested in a multi-factor authentication (MFA) solution, removing the need for the weakest link in security measures: passwords. The MFA solution incorporated PINgrid and PINpass technologies, which generate a unique, secure one-time passcode (OTP). Rather than having to memorize a word or phrase, the user is presented with a PIN grid generated by this type of technology, in line with the pattern-based authentication approach described above, providing an easy-to-use and much stronger security barrier than the traditional password. As a result, staff and students were able to access their accounts more easily without needing to remember another password, knowing their information was safe from breach.

Ultimately, a system where academic institutions can completely remove passwords and replace them with a complete and secure MFA program would be the gold standard for secure authentication, but the best practices outlined above are a solid first step in this journey. It is crucially important, however, that these are implemented quickly: with many universities continuing with online and hybrid lectures during the fall semester, the opportunities for hackers are more fruitful than ever. IT and security teams in educational institutions need to implement policies that can stop bad actors.

Written by Steven Hope, CEO of Authlogics


Norma A. Roth