At first glance, organizations in the education sector don't seem like a typical target for a cyberattack. After all, most of its users are young students. However, upon closer examination, educational institutions are lucrative one-stop shops for cybercriminals looking to swipe sensitive data. Since 2020, the education industry has rapidly adopted new digital platforms and advanced technologies to facilitate teaching and provide a smooth and efficient learning experience for students. Unfortunately, this has introduced cybersecurity risks. User and entity behavior analytics (UEBA), or anomaly detection, is a cybersecurity technique that can help ensure data privacy and security in educational institutions.
In this page, we'll discuss:
The education industry has become an attacker favorite, especially the K-12 schools are often subjected to attacks involving data breaches, ransomware, DDoS, phishing, and insider threats. According to the 2023 Microsoft Digital Defense Report:
The reasons why attackers target the education industry include:
Access to sensitive data: Educational institutions contain a hoard of personal and financial information of the students, their parents, faculty, and other staff members. The sensitive data that academic institutions collect and hold include names, phone numbers, addresses, Social Security numbers, email ID, student records, payment data (credit card information and student loan information), and even critical medical conditions of the students enrolled. Threat actors target educational institutions due to the sheer volume and sensitivity of the data they manage, which they can exploit for identity theft, financial fraud, and resale on the dark web.
Intellectual property and unpublished research data: Research centers and universities often engage in cutting-edge research generating valuable intellectual property and proprietary data, or even unpublished research that has life-changing implications. And in today's world, where numerous higher educational institutions collaborate with both the government and private sector to undertake research, cyber espionage and state-sponsored cyberattacks with geopolitical motives are a constant threat.
Diverse user base: Educational institutions typically have a large and diverse user base, including students, faculty, staff, contractors, and visitors, who access their networks from a wide range of devices and locations. This diversity creates numerous entry points for attackers, increasing the potential for vulnerabilities and the attack surface. Additionally, the varying levels of cybersecurity awareness and behavior among users make it easier for attackers to exploit weak passwords, phishing susceptibility, and other security vulnerabilities.
Weak cybersecurity measures: Many educational institutions have limited budgets and lack specialized cybersecurity personnel or threat detection and response tools, resulting in low security maturity, outdated and unpatched systems, and poorly configured security and access control policies. Moreover, the lack of cybersecurity awareness among students and even faculty makes it easier for attackers to employ social engineering tactics and trick users into providing their credentials or sensitive information.
Operational disruptions: Cyberattacks on educational institutions, especially ransomware attacks, can cause significant disruption to academic and administrative operations, affecting classes, exams, research, and communication. With their institution’s digital infrastructure crippled, attackers pressure educational organizations to pay the demanded ransom to restore access to critical systems.
As educational institutions continue to digitize their operations, the importance of robust cybersecurity measures becomes even more critical to protect against these persistent threats.
Here are the key reasons why cybersecurity is crucial in the education sector:
To protect students' healthcare data, academic institutions might have to comply with laws such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act, and the Health Records Act, 2001. To secure their financial data, institutions might need to comply with Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry Data Security Standard (PCI DSS).
Effective cybersecurity measures are necessary to meet these regulatory requirements and avoid legal penalties, fines, and reputational damage.
UEBA plays a crucial role in enhancing the security of the education industry by providing advanced threat detection and monitoring capabilities that go beyond traditional security measures. In educational environments, data access by students, faculty, and staff is frequent and varied, making it challenging for security teams to identify what's normal and what's not. And that's where UEBA comes in.
UEBA leverages ML algorithms and statistical models to continuously monitor the behavior of users (students, faculty, staff) and entities (devices, servers) across the network, to create a baseline of expected activities for every user and entity. If it observes any activity which deviates from the expected norm, such as attempts to access sensitive student records outside regular hours or from unusual locations, it'll deem it anomalous and increase the user's risk score accordingly. This holds true irrespective of whether it's an insider threat or an external attack.
UEBA analyzes vast amounts of data in real-time, allowing for the rapid detection of potential security incidents. It also minimizes false positives by using ML algorithms to refine and adjust the baseline behavior model continuously, ensuring that alerts are more accurate and relevant. This enables security teams to respond quickly and prevent data breaches and other security incidents before they escalate.
Regulatory mandates such as FERPA, HIPAA, and the GDPR require monitoring access to sensitive data. UEBA provides detailed insights into user behavior and access patterns, helping educational institutions demonstrate compliance with these regulations.
An UEBA-integrated, unified SIEM solution like ManageEngine Log360 can help educational institutions protect sensitive information, prevent data breaches, and maintain a secure and compliant learning environment. Log360 provides smart thresholds, an ML-led security alerting capability. It also improves risk scoring accuracy by factoring in peer group analysis, seasonality, user identity mapping, anomaly modeling, and enables you to customize user risk score. To learn more, read the e-book: How to improve risk scoring and threat detection with UEBA.
To better understand how UEBA can help educational institutions, let's take a look at some examples.
Let's discuss some of the threats that can bring down an educational institution, and how UEBA can help combat them.
It felt like the 90's at Greendale Community College, with assessments being conducted on pen and paper, professors marking students' attendance manually, and librarians racing up and down the aisles to help students locate books. A massive ransomware attack had crippled Greendale's network, plunging the college into the pre-internet era.
Ransomware attack causes network shutdown at Greendale Community College.
Greendale fell prey to a malvertising campaign that introduced Locker ransomware into the organization's network. Malvertising is a technique hackers use to plant malware within online advertisements to infect computers. A user within the college clicked on one of these malicious advertisements, which redirected them to a different URL from where the ransomware payload was downloaded without the user's knowledge, giving hackers access to the network. Once hackers gained access, they scanned the network for shared resources that had weak passwords or unsecured hardware, and from there, moved laterally in the network until finally bringing the organization to a standstill.
While Greendale decided not to pay the ransom and is fervently working towards bring its systems back online, the mishap could have been prevented if the college had utilized a UEBA solution to protect its network. UEBA could have spotted the pattern and count anomalies right when the malware began executing changes on numerous files in the first victim's computer, and alerted the IT administrators to take corrective action. The device could have easily been quarantined from the college's network, halting the outbreak and limiting the damage.
Ryan Demming is an admissions officer at the Brookefield Academy, one of the most established private boarding schools in the United States. Its peak admissions season is in late July when Ryan receives an email with the subject, "Offer acceptance - Reg," containing some questions about how to accept the offer of admission on the school's portal. Ryan doesn't realize that this is a spear phishing attack.
Attackers employ spear phishing to gain access to the school's critical database.
Once he opened the email, the embedded malware, capable of wiring data to the attackers via email, was downloaded into Ryan's system. The malware began executing numerous commands in PowerShell to access the database containing student information. This sensitive database containing students' personally identifiable information, copies of educational certificates, medical history, and more, could have been used to perform identity theft and extortion, or even to commit organized crime.
Luckily, Brookefield's UEBA solution was able to avert the malware data exfiltration attempt before it could email the copied database to the cyberattackers' command and control (C&C) server. The UEBA solution increased the risk score of Ryan's computer drastically when it spotted multiple PowerShell commandlets that were executed in quick succession to access and copy student databases, alerting the school's cybersecurity personnel and helping them prevent the attack.
Most educational institutions restrict internet use to prevent access to unauthorized sites and applications. The University of Hudson, one of the country's premier institutions, is known for its high research output, breaking ground recently for innovation in regenerative medicine. Several pharmaceutical companies were trying to get their hands on the research methodology and outputs that the university held, making it a prime target of intellectual property theft.
Samantha Fernando, an undergraduate in the school of life sciences, is unaware of the cybercriminals looking to gain access to the department's network, and downloads a virtual private network (VPN) app from an unverified source to access blocked web pages. The VPN, originally a Trojan malware, was programmed to move laterally in the network, gain access to the server that housed research files, and transmit the files to the criminals' C&C server. Inadvertently, Samantha became the point of entry exposing the entire network.
A Trojan malware disguised as VPN to penetrate the university's network.
However, the criminals didn't succeed in their pursuit to steal research files. The UEBA solution that the university employed spotted the sudden and unusual count of port scan events happening in the network and increased the risk score of the entities from which the event was happening. The sudden increase in the risk score of numerous entities connected to the network alerted the network administrators to suspicious activity, who investigated the incidents and terminated the malware, effectively mitigating the malware intrusion before it could reach critical servers.
Many schools and colleges do well in imparting cybersecurity education to their students, but fall short in practically implementing those principles on their institutions' networks. With the number and intensity of cyberattacks starkly increasing in this field, educational institutions that don't have adequate cybersecurity measures in place should be worried.
By leveraging intelligent security solutions such as UEBA, universities and schools can guard their networks from various cyberattacks that can jeopardize the institution and its stakeholders alike. ManageEngine Log360 is a SIEM solution with integrated UEBA, SOAR, and CASB capabilities that help secure both your on-premises and cloud environments against various cyberattacks. It also provides comprehensive, audit-ready reports for various compliances including FERPA, HIPAA, GLBA, PCI DSS, and the GDPR. To learn more, sign up for a personalized demo and talk to our solution experts.
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.
