The days of students bringing printed report cards home to their parents are coming to an end. As cloud services and data-management systems become cheaper and more robust, many schools, districts, and states are using online networks to store data such as records for attendance and grades that parents can access from their homecomputer.
Though the switch is often more convenient for teachers and parents, these networks can also make state agencies, districts, and schools vulnerable to cyber attacks.
At the end of August, the Kentucky Department of Education's statewide Infinite Campus information network was targeted by a distributed "denial-of-service" attack, or a DDoS. These attacks are designed to overwhelm the targeted IP address with requests, with the goal of interrupting or suspending service. They are also the most common form of cyber attack.
Although the Kentucky agency was able to fight off the DDoS attack before any data was compromised, DDoS attacks are occurring more often as they get easier to execute.
"What I understand from what I've seen is that [DDoS attacks are] a commonality now," said the Kentucky department's chief information officer, David Couch said. "I think most organizations have to add to their tool suite a way to detect them."
Because DDoS attacks can target any IP address, it's impossible to completely prevent them, so for districts and the companies that provide these data-management services, the focus is on battling these attacks as they come.
"We have to be prepared and understand the environment that we are operating in so we're prepared to address these issues as they come up," Eric Creighton said. Creighton is the chief operating officer at Infinite Campus, the company that provides data management services and operating systems to the state of Kentucky and many other schools and districts.
Part of predicting and combating cyber attacks is understanding why people order these attacks in the first place. When the target is a network that stores student grades and attendance information, the immediate thought is that a student is responsible. However, Creighton says that students rarely attempt attacks and, in his experience, have never succeeded.
"Some smart underperforming students might want to try to change [their grades], but we've never experienced a case where a student has hacked the system in a technical manner," he said.
A Price for Openness
Creighton also doubts that the attackers are attempting to retrieve data, as grades and attendance information are of little value to most hackers.
"I don't think these are attacks attempting to get data," he said. "There's no jackpot of valuable data unless you want to find out who the valedictorian is going to be--there's no payload here."
One reason that schools and districts may be targeted is that their systems, which are designed for convenient access for parents and teachers, are easier targets.
"By their very nature, [education networks] have to be a lot more open than a business network," said Marcus Rogers, a professor and chair of the cyber forensics program at Purdue University, in Indiana. "Universities and colleges used to get the black eye for being hack central, but they always go for the weakest link in the chain, and K-12 schools are where colleges were five years ago."
Rogers says that hackers use more vulnerable networks as a proof of concept or launching-off points for larger attacks on more valuable targets.
"For a lot of these attacks, the intended victim or goal is something bigger than the school," he said. "Obviously schools want to protect their data, but the bigger threat is when they use those networks now to go out and attack a power plant or a stock exchange or an air traffic control systems. That's when the stakes go up."
Kentucky education officials believe that the attack on their systems was triggered by a beacon unknowingly placed on a student's mobile device, which he or she took with them to school. Viruses can cause a device to send out a beacon, instructing thousands of other devices to attack the network the device is connected to. In Kentucky, officials say that this won't stop individual districts from implementing bring-your-own-device programs, but they can decrease the chances of an attack by making sure that these student devices are properly protected.
"I think what you're going to see is districts making sure that before people plug into their network they have up-to-date, good virus protection," Couch said. "Higher education has been doing that for a while, and I think you'll start to see that in K-12."
Rogers says that even when schools know best practices for avoiding and combatting attacks, such measures are often cost-prohibitive.
"The change that would do the most right now would be awareness of the issue, and potentially federal funds to help schools buy equipment and train network people," he said. "A lot of times the schools know what to do, but at the end of the day if they're trying to get library books, a firewall is not going to be their big concern."