
Assessing your district’s account login activity

by Alexa Sander on May 5, 2022

Login credentials are the source of a lot of messy situations. If they fall into the wrong hands, there’s almost no telling what might happen. Account takeover risks are among the least talked about cloud security issues for schools, but they are perhaps the most detrimental and most difficult to detect.

Before you can start scrubbing your district’s Google and/or Microsoft cloud domains of all its online risks and vulnerabilities, you need to know exactly what you’re dealing with. Let’s take a closer look at the reality of login activity in your cloud environment.

Account Login 101

By one estimate, the average person uses 191 different services that require a password or other login credentials.

191 services! Now think of that in terms of your school district: Every single student you have is accessing multiple logins and multiple cloud services – all of which require a password. Simply put, the sheer volume of account login activity in your cloud environment is almost incomprehensible.

Here’s the problem: Most school districts lack the proper funding, staffing, and time to dedicate the necessary resources toward monitoring account activity – a weakness that renders them especially susceptible to malicious account takeovers. In fact, according to EdWeek Research, only one in five school cybersecurity budgets are being allocated to securing cloud applications.

In combination with the fact that student data is an incredibly lucrative target for cybercriminals, these reasons make school districts a hotbed for malicious account activity.


What is an account takeover?

An account takeover is exactly what it sounds like – the act of forcefully assuming control over somebody else’s online account.

In other words, an account takeover occurs when someone – i.e. a cybercriminal – gains unauthorized access to one or more internal online accounts, thus allowing them to use those accounts at their own discretion. The same goes for your cloud applications, including Google Workspace, Microsoft Office and SharePoint.

Once an account has been compromised, there’s no telling what actions a cybercriminal might take. They could upload malware into your school district’s system, launch a lateral phishing attack or even grant OAuth access to malware-infected third-party apps.

Take the example of the Downingtown Area School District in Pennsylvania. When a student hacked a school login portal, he gained access to student identifications, grade point averages, and other personal information. In this case, the student wanted nothing more than a competitive advantage in a harmless game among peers.

But more often than not, hackers are targeting student data with a nefarious purpose in mind. With login credentials in hand, they gain unobstructed access to all the data and files to which that account is connected.

Consequently, account takeovers open the door for malicious outsiders to exploit sensitive information and hold data ransom over the district. Think about the many types of data currently stored in your cloud environment:

  • Personally identifiable information: Names, addresses, Social Security numbers, etc.
  • Financial information: Credit card numbers, bank account numbers, etc.
  • Medical records: Allergens, illnesses, medical histories, etc.
  • Academic records: Grades, class rosters, schedules, etc.

Any given account may have access to a cloud application or service where these types of information may be stored. In turn, malicious outsiders might expose this data or leverage it for monetary gain – two risks your district simply can’t afford.

Risks and vulnerabilities

Critical to thoroughly deep-cleaning your cloud environment is knowing where the messes are made. Generally speaking, account takeovers can happen in many different ways.

Here are some of the most common:

  • Brute force cracking: Some criminals will try various passwords to discover which one is correct, typically using automated bots to do their dirty work for them. Weak passwords – those with eight characters or fewer – are especially easy to crack. This is why the FBI recommends longer passwords over more complex ones.
  • Phishing attacks: Other tactics involve fooling unsuspecting victims into revealing login credentials, such as password hints or personal information. For example, some hackers design fake login portals that mine usernames and passwords from users who believe them to be legitimate. Or, false emails sent by seemingly trustworthy sources might ask for personal details. In either case, these are scams designed to solicit account information.
  • Third-party mistakes: EdTech SaaS vendors and cloud service providers may accidentally leak information or become compromised themselves, thus exposing user credentials that may be tied back to your district.
  • Data breach: Hackers compromise cloud applications to gain access to login credentials and other types of information. Since 2005, a startling 28.6 million records have been stolen from schools during a data breach, according to Comparitech.
  • Data leak: On the other hand, human error is always a factor. If sensitive data is mistakenly disclosed outside the district – such as by an erroneous file attachment in an external email – it could find its way into the wrong hands. Some cybercriminals even purchase lists of stolen or leaked credentials.


How to spot suspicious account activity

Once an account has been taken over by an outsider, it isn’t long before the situation goes from bad to worse. The earlier the risk is identified, the sooner it can be eliminated. That’s why detecting an account takeover is critical to your cloud security.

To help you identify suspicious account activity before it’s too late, here are a few telltale signs that an account has been compromised:

1. Abnormal login locations
It’s not uncommon for students and staff to access their school-provided cloud applications while on vacation or traveling abroad. That being said, one of the biggest giveaways an account has been breached is when it’s being accessed from an abnormal IP address, such as in a different country.

Numerous logins from a far-off location may indicate an account takeover has taken place. In situations like this, it’s best to confirm them with the student or staff member whose account is in question.

2. Multiple failed login attempts
In this case, multiple failed attempts may indicate an account takeover in progress rather than one that’s already occurred. Hackers may be attempting to crack an account’s password through brute force or automated methods.

3. Failed multi-factor authentication
Multi-factor authentication (MFA) is a login procedure that requires a user to provide two or more means of authenticating their identity before gaining access to their account. According to Microsoft, MFA thwarts 99.9% of all account takeover attempts. Nonetheless, multiple failed attempts could indicate a hacker is trying to break in.

4. Downloading and sharing files
Look out for users that are acting outside the realm of normal behavior – especially if they’re accessing, downloading or sharing files they normally wouldn’t. This could be a sign of data exfiltration – the process of sensitive information leaving the security of your school district.

5. Lateral phishing communications
Lateral phishing is a brand of phishing attack that uses an already-compromised account to fool fellow users into revealing sensitive information. For example, if a school-provided email is cracked, the hacker may use the hijacked account to communicate with students or staff under the veil of authenticity.

Because the email is sent from an internal address, the threat may not be caught by IT teams.
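
The first three signs above can be expressed as simple rules over login events. The following is an added example, not part of the original post and not ManagedMethods, Google or Microsoft code; the event fields, the 10-minute window, the threshold of three failures and the home-country list are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window for counting failures
THRESHOLD = 3                   # assumed number of failures in WINDOW that raises a flag

# Constructed sample events: (time, user, country, stage, result).
# The field layout is hypothetical, not a Google or Microsoft log schema.
EVENTS = [
    ("2022-05-02T08:01:00", "alice@district.example", "US", "password", "success"),
    ("2022-05-02T09:00:00", "bob@district.example", "US", "password", "failure"),
    ("2022-05-02T09:01:00", "bob@district.example", "US", "password", "failure"),
    ("2022-05-02T09:02:30", "bob@district.example", "US", "password", "failure"),
    ("2022-05-02T11:00:00", "carol@district.example", "US", "mfa", "failure"),
    ("2022-05-02T11:03:00", "carol@district.example", "US", "mfa", "failure"),
    ("2022-05-02T11:05:00", "carol@district.example", "US", "mfa", "failure"),
    ("2022-05-02T13:00:00", "dave@district.example", "US", "password", "failure"),
    ("2022-05-02T15:00:00", "dave@district.example", "US", "password", "failure"),
    ("2022-05-03T02:14:00", "alice@district.example", "RO", "password", "success"),
]


def detect(events, home=("US",)):
    """Return (user, sign, detail) tuples, one per user and sign, in firing order."""
    recent = defaultdict(deque)  # (user, stage) -> times of failures still in WINDOW
    alerts = {}                  # (user, sign) -> detail; first hit wins
    for ts, user, country, stage, result in sorted(events):  # ISO times sort as text
        when = datetime.fromisoformat(ts)
        if result == "failure":
            q = recent[(user, stage)]
            q.append(when)
            while when - q[0] > WINDOW:  # slide the window forward
                q.popleft()
            if len(q) >= THRESHOLD:
                # Signs 2 and 3: repeated password failures or repeated MFA failures.
                sign = "failed_mfa" if stage == "mfa" else "failed_logins"
                alerts.setdefault((user, sign), ts)
        elif country not in home:
            # Sign 1: a successful login from outside the usual countries.
            # Travel is legitimate, so this is a prompt to confirm with the user.
            alerts.setdefault((user, "abnormal_location"), country)
    return [(user, sign, detail) for (user, sign), detail in alerts.items()]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two failures for dave are two hours apart, so they fall outside the window and raise no flag.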

How to prevent account takeovers in your cloud environment

Unfortunately, account takeover prevention is easier said than done.

Why? Because cloud activity isn’t detected by traditional perimeter-based cybersecurity. That means account takeover activity might go undetected by your security team if you’re without a proper cloud security platform.

Cloud data loss prevention (DLP) software uses advanced protection techniques to monitor account activity, identify suspicious logins and mitigate risks in near-real time. The best part? Cloud DLP can automate these actions and work as a force multiplier for your school district.

Cloud security automation also mitigates the threat of risky OAuth apps that could lead to account takeover. With formal DLP policies, the solution can be configured to automatically remove risky applications, prevent unsanctioned apps from being downloaded and monitor for abnormal behavior.

Automating account activity has helped Cody Walker, the Director of Technology at West Rusk County CISD, save a ton of time compared to how he was previously managing accounts using native Google admin tools: “We’d never used a tool quite like ManagedMethods before, but it did replace the process of how we managed accounts both on and off-site. It’s much, much better now and doesn’t involve nearly as much human activity to ensure that our students are safe.”

It also helps Reginald Gossett, Executive Director of Technology at Troup ISD, sleep better at night: “It used to be that we’d find out about a compromised account after the fact. Now, if a user logs in from outside the US, ManagedMethods automatically suspends the account. This is extremely helpful because I’m not worried about an account being compromised overnight and then I’m finding out about it the next morning. ManagedMethods literally allows me to sleep better at night.”

Simply put, cloud DLP provides the additional layer of security your district needs to properly manage your cloud environment and safeguard it from danger. At ManagedMethods, our out-of-the-box cloud security platform is tailored to the needs of the K-12 school district so protecting your students and staff members is as simple as possible.


The post Assessing your district’s account login activity appeared first on ManagedMethods.

*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Alexa Sander. Read the original post at: https://managedmethods.com/blog/account-takeover/
