5 Threats That A Cloud Risk Assessment Can Uncover

And 4 Basic First Steps You Can Take To Assess Your District’s Cloud Risk

Well, we’ve wrapped up Cybersecurity Awareness Month already. But, truly, that went by way too fast! Do you feel like your district is better protected or prepared than you were on October 1? If not, (1) you are not alone, and (2) you should conduct a cloud risk assessment.

We know from CoSN’s 2020 report that cybersecurity threats are underestimated by district leaders, and that cloud security is being overlooked by school districts.

Together, this begs the question: Are technology leaders assessing their district’s cloud risks properly?

Unfortunately, it seems that district leadership doesn’t care about cybersecurity until something bad happens. But a cloud application risk assessment can help your district identify your security gaps and prioritize how to start protecting them before there’s an incident.

The 5 Top Cloud Risks

To be clear, cloud risks aren’t just about “keeping the bad guys out.” Though, that’s certainly a big part of it.

Most of your cloud data risk, however, is coming from the inside. Authorized user behavior that exposes your data is still far more common than infiltration of your systems by a hacker. These insider DLP risks can be accidental or malicious, but they can still be harmful. And they have real regulatory compliance implications. Further, it’s often more difficult to detect an insider data breach, particularly if your district is using Google Workspace and/or Microsoft 365 vs. local servers to store and share sensitive information.

1. Inappropriate Exposure of Sensitive Data

You’re familiar with the regulations you need to abide by. The Family Educational Rights and Privacy Act (FERPA) demands the protection of students’ private education records. You’re not allowed to share those records unless you have written consent from a student over 18 or the student’s parents.

HIPPA rules also apply to schools that aren’t covered by FERPA but are HIPAA-covered entities. The Children’s Online Privacy Protection Rule (COPPA) and the Children’s Internet Protection Act (CIPA) apply to schools when an operator of a website, online service, or application is being used in the schools. Many district leaders don’t recognize that this includes cloud applications from companies like Google and Microsoft.

Additionally, many states are enacting their own data privacy laws to strengthen data security, data breach incident reporting, and prevent unauthorized and/or unneeded sharing of private student data. Therefore, ignoring your responsibility to protect student data can result in severe repercussions for your district.

It’s much easier for teachers and staff to expose files containing sensitive and protected data in cloud computing, compared to on-prem.

I can tell you, as we are offering free cloud content and behavior audits for schools, we’re seeing a shocking number of incidents where teachers and staff are sharing highly sensitive files via global link shares. There have even been incidents of sharing personally identifiable information to their personal Gmail accounts! Many, many instances of teachers and staff sending their social security numbers and/or credit card numbers via emails as well. These are all concerning cloud risks that make your district’s information ripe for the taking.

“We had an incident occur when a teacher improperly shared about 100 different Drive files with their personal Google account. Before, finding all those files and breaking the sharing would have been a nightmare. With ManagedMethods, I was able to break all the shares in about five to ten minutes. That is just one thing that I really love about it.” —IT Leader in Virginia

These types of incidents rarely happen with malicious intent, but they can be just as dangerous as a hacker penetrating your system. The data is still unprotected and open to anyone who might be looking for this type of valuable information.

2. Vendors and 3rd Party Apps

Schools are a hotbed of 3rd party apps, and the shift to hybrid learning didn’t slow that trend down by any measure. The EdTech industry is growing, and teachers, staff, and students are taking full advantage of it. Unfortunately, there are a host of EdTech security risks that your IT teams need to manage.

The problem comes in when districts don’t have strict rules about the permissions 3rd party apps can be assigned, an effective process to evaluate the privacy and security practices of those vendors before approval, and a reliable way to determine when unapproved apps are active in your domain.

A cloud risk assessment can get you visibility into what 3rd party apps are connected to your domain, what permissions they have, who is using them, and more.

It’s not much consolation, but school districts aren’t alone. Research from Ponemon Institute and SecureLink reported that 51% the organizations they studied didn’t do security checks before giving vendors access to their data. And, over half of those who participated said that the data breaches they experienced were the result of giving too much access to 3rd parties.

Further, for the second year in a row, the State of K-12 Cybersecurity: Year in Review report found that at least 75% of the data breach incidents that were publicly reported in 2020 were a result of incidents involving school district vendors and 3rd parties!

3. Account Takeovers

Account takeovers happen when a hacker takes over one of your authorized user accounts.

Once that happens, they can use that access to get into other accounts and other areas of your system, and they can do a devastating amount of damage. The situation is even more complex because if you don’t have the right safeguards, an account takeover can be almost impossible to detect—particularly in cloud apps.

The most common account takeovers occur when someone shared their password or used a password that was easy to guess. They can also happen when users use the same password over and over again, and that password was compromised in a different data breach.

A newer form of account takeover that is gaining in popularity uses 3rd party app permissions for malicious deeds. For example, an app that a user has approved access to read, write, and send emails can be used by cybercriminals to send phishing emails. These phishing emails won’t be detected by most threat protection filters, particularly those that only operate at the perimeter, because they are being sent from inside your trusted domain, by a seemingly authorized user.

4. Phishing and Lateral Phishing

Phishing and lateral phishing are in the top five cloud risks because they are among the top ransomware early warning signs.

A phishing attack can be mounted by a cybercriminal who has some of your email addresses on file. A malicious link is included in the email body or an attachment, and when the recipient takes the bait, they have gained some level of access or have downloaded malware.

Lateral phishing happens after an account takeover has occurred. The account starts sending phishing emails to the contacts in the legitimate user account(s) that has been compromised.

The recipients, believing the email came from someone who is trusted, are much more likely to click the link and/or download the file. And the hacker is one step closer to meeting their goal of getting enough access to start giving you headaches and sleepless nights.

“ManagedMethods caught a dozen phishing attempts and disabled a couple of accounts that had logged in from overseas just this morning. I’m grateful that I have ManagedMethods to catch and remediate these attacks quickly. The Login Analyzer is particularly helpful because we’re able to see where logins are coming from. There’s no way our small team could stay on top of it all while also supporting our students, faculty, and staff.” —Network Administrator in Florida

5. Malware and Ransomware

Ransomware is a form of malware, and both pose a significant risk to your student and data security. Either type of code can get in your cloud, and no next gen firewall or content filtering is going to stop it.

Hackers are interested in attacking cloud-based systems because so many schools are using cloud applications. And, they know two things are true. First, the cloud is where the data is that they use to make money. And, second, they know that school districts aren’t doing a very good job of protecting their cloud domains.

4 Basic First Steps to Assess Your Cloud Risk

So, how do you know if your cloud apps—and the data stored in them—are at risk? Here are the first four things you need to do during a cloud risk assessment to find out.

1. Check Security and Access Configurations

Over 90% of schools are using Google Workspace and/or Microsoft 365 as their primary data center. Both provide good basic security and access settings that you can control out-of-the-box.

But, you need to make sure they are configured correctly. To assist you, try conducting a four-step cloud security audit and download our free cloud security checklist.

2. Inventory Your Cloud Applications

Even if you’ve been trying to keep track of 3rd party apps, conduct an inventory of the apps that are connected to your domain. You may be surprised by what you find. For each application, determine:

Is the app authorized for use by your district (and/or others)?
Who is using the app and what is the educational purpose?
What level of access permissions are granted, are they appropriate?
Do you have Terms of Service, Privacy Policy, and Student Data Privacy agreements with the vendor on file?

If you don’t have a formal process for evaluating 3rd party vendors for cybersecurity, our free EdTech Vendor Security & Compliance Evaluation Checklist might help.

3. Conduct a Phishing and Malware Audit

You need to find out if the tools you’re using to filter out phishing emails are sufficient.

Even though we work with hundreds of district IT teams and know how powerful ManagedMethods’ phishing and malware protection technology is, I’m still somehow surprised how often we hear how we’ve helped customers thwart an attack that got through their Microsoft, Google, and other 3rd party threat protection filters.

“Phishing emails get past Google and Microsoft’s native filters. ManagedMethods is really good about flagging those emails that are able to get through, identifying if anyone in our domain has interacted with them, and quarantining or deleting those emails directly from anyone’s inbox.” —CISO in New Hampshire

Run an audit to see if your tools have missed something. You want to detect these threats at your perimeter. But, we all know that attacks can get through. You need a way to find those that are already in your cloud environment.

“The amount of phishing emails that get through our other filters was a reality check. We simply couldn’t keep up with them in Microsoft, but ManagedMethods gives us that information and makes it fast and easy to follow-up on.” —CTO in Illinois

4. Complete a User Behavior Assessment

User behavior analysis focuses on monitoring user behavior for anomalous activity. It contributes to an overall zero-trust cybersecurity strategy that many school districts are moving toward.

Look for unusual login locations and inexplicable user behavior. A cloud behavior security audit will find and alert you to these seven most common cloud security threats in your domain (and, trust me, we’ve seen all of them when running audits with school districts):

Account takeovers
Login attempts from unusual locations
Sudden spikes in user activity
Lateral phishing
Changing admin privileges
Unusual and/or inappropriate file sharing and downloading
Risky or unauthorized OAuth permissions

Where to Go from Here?

There are persistent cloud security myths that are contributing to the increase in cyber incidents that we’re experiencing every year.

The K-12 cloud risks you’re not aware of can, and do, hurt you and others. School leaders have needed to shut down classes for days and spend untold money, time, and resources to recover.

A cloud risk assessment will be a real eye-opening experience for you, but it’s an awakening that is definitely needed today.

Take advantage of our offer of a free cloud content and behavior security audit, and you’ll be on your way to improving your district’s K-12 cloud security.

“In Google Admin Console, it’s tough to dig into the logins and user details to determine what’s going on with an account. Using ManagedMethods’ Login Analyzer, we can quickly see account login locations and the activity history of that account. Previously, suspicious login tracking was time-consuming. Now, we can analyze potential incidents quickly without needing to bother the end-user.” —Infrastructure Engineer in Wisconsin

The post 5 Threats That A Cloud Risk Assessment Can Uncover appeared first on ManagedMethods.

*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Alexa Sander. Read the original post at: https://managedmethods.com/blog/5-threats-that-a-cloud-risk-assessment-can-uncover/