On 17 September 2018, an unknown cyber-attacker launched a DDoS attack against Infinite Campus, a large, established information management company. No one reported a data breach or stolen information, but the attack disrupted the operations of several customers and data stores.
Before you say, “Unfortunately, that’s not news,” consider these news-worthy facts:
- The exploit is part of a growing trend of school-related exploits.
- The attacker aimed malware at a website portal, a seemingly unlikely target.
- The attack volume and duration were many times greater than anything the company experienced before.
- The malware changed tactics in the middle of the attack.
- In cases such as this, students are the most likely suspect.
So, what happened at Infinite Campus, and what does it teach IT security pros about DDoS protection?
A longer, stronger attack and flexible tactics, too
Infinite Campus is an online student information systems company. Based in Blaine, Minnesota, Infinite Campus stores and manages records of K-12 students in 45 U.S. states. The company hosts the Oklahoma City Public Schools parent portal, the attack’s first target. Parents of district students use the website to view their children’s class schedules, attendance records, and grades.
Several things made the case distinctive. The DDoS attack was much more sophisticated than usual. It used 50 times more data to overwhelm the portal and lasted more than 100 times longer than previous exploits. Then, when portal security measures stopped the attack, the malware changed its aim to the site’s domain name servers. This sophisticated behavior represents evolution in the DDoS software. And finally, there were no data breaches, political manifestos, or ransom demands—just the attack.
Eventually, Infinite Campus stopped the attack, and the school district’s site operations went back to normal. No one has identified the attacker or possible motives. In school-related cyber-attacks, officials usually think of students as their number-one suspects. Revenge, showing off to peers, and bringing attention to political causes have been the most likely motives.
However, pointing the finger at students distracts from recent trends, which indicate something else entirely.
The lure of (relatively) easy pickings
Schools and universities have become a massive target of cybercrime. They store a vast amount of sensitive data that’s easy to monetize. Also, educational websites usually lack sophisticated defenses and monitoring tools that might alert operators to danger before serious damage occurs.
In most cases, the evidence suggests student involvement in DDoS attacks. However, recent trends put academic targets in a new light. Schools provide a new opportunity for enterprising crooks to steal intellectual property and convert valuable data into cash.
Criminals get help from IoT, hackers-for-hire, and misplaced priorities
So, what makes academic websites and their data so alluring to criminals?
- Treasure troves of valuable information. Educational sites provide easy targets, filled with intellectual property, research results, and personal data. Criminals can convert this information into cash on the dark web.
- Cheap, easy-to-use hacking resources. Cyber-attacker wannabes can buy tools or even rent hacking services with minimal money or effort. Novice hackers can check the dark web, pay their bill, and leave the work to experts. Technical skills are not required.
- IoT devices. Everyone on campus is bringing their devices to school. The variety of laptops, tablets, smartphones, and other wireless devices provide attractive entry points for hackers. The array of IoT devices also makes it difficult for school IT pros to set up useful countermeasures.
- A laid-back attitude about IT security. Despite severe threats, higher education ranks as one of the worst business sectors to handle cyber threats. EfficientIP has published their 2018 Global DNS Threat Report. In it, 73 percent of respondents admit to taking at least three days to create and apply a patch. Research from the UK shows university IT teams don’t always consider cyber-attacks a high priority.
So, who or what is responsible for cybercrime in academe: students, criminals, or upside-down priorities?
Reducing the risk of DDoS attacks without breaking the bank
Whatever the cause of DDoS vulnerabilities, you can minimize the expense and disruption that they cause. Some options, such as adding to your bandwidth or buying real-time, data analytics software can be pricey alternatives. However, there are creative ways to use the IT assets you might already have:
- Control access to system machines and devices. Then, centralize your management of those controls.
- Monitor your network for odd behavior. You can set up systems management platforms to look for spikes in network traffic and alert you if anything strange occurs.
- Discover and harden IoT devices. Many IoT devices have weak security or cannot be patched. But you can find them, identify them, and do the best you can to strengthen their security.
- Create a cyber-attack plan. That includes an official description of who does what and when. Then, practice what you wrote.
- Upgrade hardware with cyber-security in mind. When the refresh cycle allows, buy next-generation firewalls and load balancers designed to mitigate DDoS attacks.
- Update everything ASAP. No matter what platforms you use, installing updates as soon as they’re available reduces the risk of cyber-attack. Updates can fix vital security flaws; procrastinating can expose you to the newest innovations in DDoS mayhem.
Taking a more active security stance
Technology can automate essential monitoring and notification chores. However, the critical IT security task requires the human element—literally a change of mind. In university IT environments, especially, this means:
- Making IT security more important. When it comes to IT security, educational institutions have a poor reputation. It’s time to acknowledge the growing costs and disruption of DDoS attacks and give cyber-attack response a higher priority. exploits can happen to any school. Denial is a risky business.
- Developing home-grown DDoS countermeasures. Not all cyber-attack solutions cost an arm and a leg. Cyber-attack response training, setting up redundant servers, and centralizing access controls are within means of most IT departments.
- Expecting students and staff to develop cybersecurity awareness. It’s the IT team’s job to keep their IT infrastructure safe. However, students, faculty, and staff members must keep their accounts secure. That includes following security best practices and learning to recognize when not to click that friendly-looking file or link.
Effective DDoS countermeasures are a matter of more. Being a bit more vigilant to signs of attack. More inventive in creating low-cost DIY countermeasures. Most importantly, DDoS protection requires everyone to take a more active approach to IT security.
