This time last year, Jaggar Henry was enjoying the summer like so many other teens. The 17-year-old had a job, was hanging out with friends on the weekends, and was just generally spending a lot of time online. But then, at the end of July, Henry combed his hair, donned a slightly oversized Oxford shirt, and appeared before his school district's board in Polk County, Florida—one of the larger school districts in the United States—to outline a slew of security flaws he had found in its digital systems. His presentation was the culmination of months of work and focused on software used by more than 100,000 students.
Those vulnerabilities have been fixed, but Henry, who now works full time on education technology, says that his experience illustrates the challenges facing school districts across the United States—and a problem that's grown more acute in the wake of COVID-19.
The coronavirus pandemic has had major cybersecurity implications around the world. Tailored phishing attacks and contact-tracing scams prey on fear and uncertainty. Fraudsters are targeting economic relief and unemployment payments. The stakes are higher than ever for ransomware attacks that target health care providers and other critical infrastructure. For businesses, the transition to remote work has created new exposures and magnified existing ones.
School districts in the United States already had significant cybersecurity shortcomings. They often lack dedicated funding and skilled personnel to continuously vet and improve cybersecurity defenses. As a result, many schools make basic system-setup errors or leave old vulnerabilities unpatched—essentially propping a door open for hackers and scammers. Schools and students also face potential exposure from third-party education-technology firms that fail to adequately secure data in their platforms.
The pandemic amplified these risks, as school districts around the country transitioned to distance learning in the spring. Suddenly, millions of teachers and students relied on video chat software, lesson portals, digital message boards, and other online tools. If these systems are set up without proper authentication and controls, any of them can potentially become vectors for attack. And tools to access school networks remotely, including VPNs and Remote Desktop Protocol, can be abused by attackers to gain unauthorized access to sensitive systems. Last week, the Federal Bureau of Investigation issued a security alert about the threat of ransomware to schools amidst the COVID-19 crisis. "K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks," the FBI warned, according to a ZDNet report.
In the past 30 days, more than 4.7 million malware incidents were detected in the education industry broadly worldwide, according to Microsoft's Global Threat Activity tracker—more than 60 percent of all the corporate and institutional malware incidents reported during that time. The next most affected sector is what Microsoft calls "business and professional services," with fewer than 1 million incidents.
"Many schools are ill-equipped to securely migrate to a completely digital learning experience, so it comes as absolutely no surprise that these vulnerabilities are so prevalent," says Henry. "School districts are scrambling, and threat actors know this."
Henry says he first became interested in probing his own school's digital systems after hearing how much they cost. Polk County is the seventh-largest school district in Florida, with more than 100,000 students, and in recent years it had been spending millions of dollars to develop an enrollment system called Delta and to contract for a new "Student Information System" from an outside vendor. The school board reportedly made the switch with security in mind. Henry first reported flaws in the school's new SIS implementation in September 2018, though. The following March, he found data exposed in Delta. The application accessed students' identifying information, like Social Security numbers, through an application programming interface. Henry realized that he could manipulate the API to spit out other students' results simply by changing an internal reference ID number the app used to keep track of each student.
Another issue Henry found was in the way Polk County used Microsoft SharePoint platform, a collaboration and storage tool, to manage data. He noticed that students and teachers were lumped together in a Sharepoint "user group" and had all been granted the same access to files stored in the system. This meant that students could access anything on the Sharepoint, including each others' data. One file was labeled as containing student usernames and passwords and was simply an unlocked, plaintext spreadsheet of student login credentials for school accounts.
Polk County Schools did not return a request for comment on Henry's research. At the July 2019 meeting where Henry shared his findings, though, members of the school board appeared to support his work. "I've directed him multiple times to our IT staff," Billy Townsend, the school board representative for Polk County's District 1, said. "I think he's done some very useful things, from what I understand. I think we should take seriously what he's saying."
“Nobody else is looking”
Henry also found and reported similar vulnerabilities in the systems of two private Florida universities last year. He says that making all of these discoveries while he was still a student motivated him to pursue a career in ed-tech cybersecurity.
"When I took a look, there was so much that was vulnerable—just a stupid amount of vulnerability," Henry says. "It doesn't feel good. When you participate in a capture-the-flag hacker competition or do a cool bug bounty, it feels good to find stuff, but you see these flaws in education systems and there's nothing to be proud of as a researcher. You changed a number or you just looked! I'm not some genius. It's just very obvious that noboRead More – Source