The Best Defense Against Cyberattacks, From a District CTO
As Melissa Tebbenkamp sees it, cybersecurity is as much about district behavior as it is about the damage any bad actor tries to inflict.
Tebbenkamp, the director of instructional technology for the Raytown Quality Schools, a 9,000-student school system outside Kansas City, is expected to run point in guarding against phishing scams, malware, and other forms of cyberattacks.
But she’s also counting on her colleagues, from top administrators to the district’s teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn’t seem quite right.
So Tebbenkamp has put an emphasis on training staff to do their part to make the district’s systems more secure. Her district also puts restrictions on the tech applications that staff can access online, to keep the chances of unwanted intrusions to a minimum.
“It’s about protecting where you have control—which is your house—first,” says Tebbenkamp. “We do have a growing concern about outside malicious attacks directly targeting us. But the biggest and most frequent [vulnerabilities are posed by] our staff.”
Tebbenkamp has served in her tech role in Raytown since 2006. She’s also sought to help other district officials by serving as co-chair of the Consortium for School Networking’s Student Data Privacy working group, and as a member of CoSN’s professional development and cybersecurity committees. She’s also served on CoSN’s national board since 2014.
In addition, she’s consulted for the Federal Trade Commission and U.S. Department of Education on the impact of federal privacy laws on schools and online instructional tools. She’s also led several workshops aimed at helping schools and districts improve their data governance programs.
Tebbenkamp recently talked with Education Week Associate Editor Sean Cavanagh about the lessons she’s learned about cybersecurity, and what she sees as critical steps for districts trying to protect themselves.
Q: What is the biggest cybersecurity risk school districts face?
Your staff and students. Our biggest risk is ourselves. That’s your biggest preventable risk. You do have some students who are really smart and intentionally try to hack or gain access when they’re not supposed to. But with your staff, it’s more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.
Q: What kinds of intrusions are you most worried about?
Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, “I’m the superintendent and I need you to give me this information.” Those are our most frequent, and they’re hitting our business offices, mostly.
On the staff side, if teachers have administrative access to machines—and many districts still do allow it—their biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that’s going to install malware on their machine. Whatever trojan or virus attached to it will wreak havoc or exploit you in a way that’s preventable.
This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.
Q: There have been instances of students hacking their districts’ systems. How significant is that risk?
If your students have administrative access, and they have the ability or the permissions on their computers to download malware, you also have that same risk of them clicking a button and triggering something. We do have that small population of students—I think every district does—that are incredibly brilliant, and you run that risk of hacking. And being aware of who those students are and being mindful of what’s happening on your network is an important piece.
Q: Can students access your internal networks?
In our district, absolutely not. They don’t have that level of access. But in some districts, if you have iPads or other devices that aren’t locked down, and people can install Chrome extensions or download applications, you absolutely have that threat. Students can bring in some of that on USBs, as well. That inadvertent threat, that can be managed at the core device-management-rights level.
Q: What’s the information that bad actors in the cyber arena covet the most?
Information is probably not the number one thing. Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It’s not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they’re going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It’s really the resource-utilization they’re interested in.
Q: Can you describe in more detail the “resource-utilization” cyber-attackers want?
It’s running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace—they don’t want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people’s processing power. And those are the ones that go really unnoticed. We hear a lot about the big data hacks where [hackers] stole everybody’s credit card numbers.
Q: So if hackers were getting access to your processing power, how would you know that?
If you’re monitoring our network and tracking the traffic on your network—we do that—you know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.
Q: What’s your biggest worry about student records getting accessed?
Social security numbers aren’t worth much anymore. But that information that is tied to the individual...the really scary part is some of our student information is valuable to people who want to prey on students. That’s one of the pieces I used in my training with teachers: We wouldn’t let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we’re protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.
And there’s a lot of marketing that comes with identifying someone as a student. There’s a lot of money in that. Our kids under the age of 13 are protected by COPPA for that, but how valuable is that information? Also, in the development of new products—where are they succeeding, where are students struggling? I’d hate to accuse any company of buying that information to find out where there’s a need in the market, but I could see that, as well.
Q: So what are the most fundamental strategies to protect school districts from cyberattacks?
You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection. The majority of schools do that pretty well.
The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind.
Q: What other steps do you recommend to encourage staff to manage cybersecurity?
The other thing is restricting access. My teachers don’t need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It’s a little more load on my department, but we stay safe. We don’t have the threats of someone having all their documents encrypted, and then having ransomware.
And then making sure you have all your data backed up. And there’s a layer of protection between what’s being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren’t infected and you have a restore point. If you accomplish those big pieces, you’re so far ahead of the game.
Q: How are you defining “administrative access”?
Some people refer to it as a power user. It’s what allows you to install software on your computer. If I click on “install now,” and it doesn’t prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.
That stops most of those malicious attacks that come through that user interface—from someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn’t have the rights to run what it needs to run.
Q: How easy or difficult would it be for a district to restrict administrative access?
It’s a big culture change. I implemented it about 12 years ago, and it’s a very, very hard change. But even I, as CTO, don’t have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. When you’re talking about how most malicious attacks come in, which is through the end-user, that’s one of the key things you can do to keep yourself safe. That culture change goes all the way through to your superintendent, your CTO, your CFO. There’s no reason for any of us to have that level of access.
Q: You mentioned the importance of backing up your data. What makes for an effective backup?
If your permissions aren’t set right on your backup server, and you’re backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It’s things like] making sure your directories don’t have the ability to write between each other.
My backups are in a read-only state; they’re not able to have any write permissions. If you’re using a backup system software, you’re going to be able to set that up properly. Where you run into trouble is where you’re doing something homegrown and you’re just doing copies of data over to a separate server.
Q: We hear of districts moving to the cloud. What implications does that carry for cybersecurity risks?
Anytime you’re moving your data to a location where a lot of other people have their data, you become a bigger target. Do you have a risk? Absolutely. In terms of what are you willing to put on the cloud versus in-house. Every district has to make that decision. And you have to look at your provider, who you're hosting with. What are their security protocols? What is their business continuity, how are they protecting their files? Are they backing up in a way that if something happens or there’s a virus or encryption, can you restore to a point that you’re healthy again? Those are great questions to ask your cloud provider. Some of them do it great. Some will have a challenge. There’s just certain data I don’t put in the pool of everyone else’s data.
Q: For example?
If I host my student information system [in the cloud], I have 9,000 student records here. If I go with a hosted SIS that hosts 50 other districts, now they have 500,000 records. Now, it’s a lot more of a lucrative hack at this point. A lot of school hacks we hear about are the [really large ed-tech platforms]. They’re big targets. You have to look at what data you’re willing to put out there. And what are the practices the cloud-provider has out there?
Q: What other advice do you have?
We look not just at cybersecurity, but data privacy. We do a video at the beginning of the year, and we do a staff meeting at the beginning of the year. Every Thursday, we send out a communication. We send out a lot of training videos. We try to use humor, so people will actually watch them. On May 4, we did one on a Star Wars theme about phishing e-mails, and how to become a master in spotting a phishing e-mail. We try to keep them under four minutes and focused on best practices. We also do a poster campaign. We’re attacking it through several angles.