Internet Malware Threats for School and Students

Transcription

1 FIVE THINGS YOUR SCHOOL NEEDS TO KNOW ABOUT CYBERPROTECTION.

2 Introduction As malware grows at an alarming rate, IT budgets are freezing and shrinking. Educational institutions are often forced into the precarious position of balancing adequate security with limited, available resources. To make matters worse, new technology and teaching models that rely on online research conducted in the classroom make your system vulnerable to infection at every turn. Conservative estimates have reported 1.5 million major data breach incidents in and a majority of schools have experienced an infection of some kind. If you re not convinced that your school is at risk, check out these details about just a few of the IT Security Incidents in the Education Sector. Kaspersky Lab has compiled this E-Book to provide you with five simple facts to consider when developing cyberprotection practices for your network, your school, and your student body. 1 Privacy Rights Clearinghouse, 2013

3 Managing threats and vulnerabilities is a high priority 1. Malware Threats Are Growing Which of the following initiatives are likely to be from your firm s top IT security priorities over the next 12 months? High priority Critical priority It s shocking when you see the amount of malware that can make your school and student data vulnerable. Kaspersky Lab researchers currently process 200,000 new malware samples every single day. These threats range from spamdelivered viruses that slow down your computers to complex malware that makes your entire IT infrastructure vulnerable to major data breaches. Data security Managing vulnerabilities and threats Business continuity/disaster recovery Application security Managing information risk Aligning IT security with the business Cutting costs and/or increasing efficiency 48% 52% 43% 33% 46% 34% 52% 21% 50% 22% 50% 20% 48% 21% A recent study by Kaspersky Lab found that more than 70% of sent in 2013 was actually spam. 2 With so many threats coming from a variety of sources, it s critical that schools keep their protection updated often, many times per day, to ensure they have the latest protection and to prevent productivity impacts as updates occur. As the prevalence of malware grows, so does awareness of the need for adequate cybersecurity. Regulatory compliance Identity and access management User security training and awareness Complying with security requirements placed upon us by business partners Implementing our security requirements with business partners/third parties Integrate/converge physical and logical security ediscovery Security outsourcing Base: 1,409 IT security decision-makers at companies with 20 or more employees Source: Forrsights Security Survey, Q % 16% 3% 37% 37% 32% 7% 4% 38% 45% 19% 47% 13% 11% 22% 32% 2 Secure List, Spam in Q2 2013

4 2. Schools Have Juicy Data Schools are sitting on a plethora of data that s veritable junk food for cybercriminals. There s charitable donor information, credit card and financial aid data, earnings history, birthdates, social security numbers, students academic records, etc. Throwing aside any creepy stalker s desire for this data, the monetary value of just the identity information is incredibly valuable. According to educational researchers at ikeepsafe, the number of records breached is growing steadily at 562,943,732. The education sector owns 20% of the data breaches recorded, totaling 10,241,581 records. 3 Last year, a minor hacked into the Eugene School District and stole 16,000 records containing current and former students. He intentionally downloaded hundreds of students Personally Identifiable Information (PII) records to taunt the school district. 4 3 ikeepsafe Blog, Has your children s school been breached?, October The Register-Guard, Student files breached, Eugene schools reveal, June, 12, 2012

5 Children s social security numbers (SSNs) are extremely valuable. An identity thief can use a child s SSN and apply for credit, rental property, or a job. Thieves know that the SSN is valid, less likely to be observed for misuse, and, unfortunately, few tools are available to safeguard children s SSNs. A thief will manipulate the credit application process and combine true SSNs with other PII to create a new, fraudulent identity. In addition to sensitive student data, educational institutions also keep banking information, employee payroll data, and even vendor accounts. Since their security protection tends to be significantly less than the private sector, it s not a wonder that they are vulnerable targets. For this reason, the frequency of cyberattacks in the educational sector is growing. Since the criminals target the weakest endpoints of the network, it s critical that schools have adequate endpoint protection to protect against data and financial loss.

6 3. USBs Can Be Sticky Personal devices don t always have to be PCs, smartphones, or tablets. Nefarious individuals can use something as small as a USB storage stick as a weapon of cybercrime. Whether it s a USB flash drive or another USB device that stores data such as a digital camera, MP3 player, gaming device, or a cell phone, connecting an infected USB drive to your computer can wreak havoc, not only on your individual computer, but on the larger network it s connected to. address this problem by simply using device control and killing the port, but of course in education, this method won t work. Students and staff need to input work and often - students work in groups and the primary method of sharing is the USB device. As the USB devices on the market continue to grow in capacity, users become less likely to scan them because of the length of time it takes to perform the operation. One measure of protection is to force a scan on the device before data can be accessed. According to recent reports by the U.S. Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team, almost 15% of all October 2010 malware infections came as a result of infected USB devices (over 700,000 instances). 6 Adequate endpoint protection is paramount to USB safety. The USB drive is the cube-dweller s effective method of moving data back and forth without IT s involvement. Some companies 6 ICS-CERT Monitor, October December 2012.

7 4. Social Media Mania Is Spreading Whether your students and staff have Macs or PCs, social media is the common denominator of all users. These digital watering holes are the destination of choice where nearly everyone regardless of background, age, or role gathers together to share ideas, events, emotions, experiences, and even research, and schoolwork. Social media is prime feeding ground for cybercriminals. While will always be a key method of malware distribution, the ubiquitous acceptance and click-driven dashboards of social media sites make it a warm and inviting spot for cybercriminals. There are primarily two tactics used to exploit online social networks. Cybercriminals can create code to gain access or install unwanted software on your computer or mobile devices. They can also become social engineers who manipulate people through social interactions (in person, over the phone, or in writing). 7 Academic institutions are heavily at risk from the perils of social media. Some schools have policies that completely block access to social media on the network, which may be an extreme solution. Even if the students and instructors don t click on a bad link while on the network, their mobile device may download malware while using Facebook or another social media site at home and is now infected. Security perimeter before social media and now 7 The Federal Bureau of Investigations, Internet Social Networking Risks, 2012

8 5. Vulnerability Is Much More Costly than Protection Benjamin Franklin said An ounce of prevention is worth a pound of cure. Although IT budgets in the education sector aren t getting any bigger (and in some cases, they re shrinking), the cost of fixing or replacing an infected system is a lot more expensive than the price of preventative cyberprotection. Schools looking for a bargain should beware of software prices that are just too good to be true. Questionable software companies offer inferior products that are far below what can be found on the open market. There have been several instances where schools have been sold software that was intended to be sold only with a new PC (from a retailer). While it s a working product, this software usually doesn t come with support not to mention that buying or selling it is a violation of the publisher s licensing agreement. It s important to get the right protection for your particular system and not just the security software on sale. Whatever security solution you select, it should protect all endpoints, include patch management and encryption features, and reduce the complexity of your ever-changing system. The math for staying secure is pretty basic: THE BASIC THEORY FOR STAYING SECURE Cost of the attack Well-funded targeted attack Spray and prey Sophisticated cybercrime The chance of getting infected drops exponentially while the cost of the attack increases linearly. 2 Centers for Medicaid and Medicare, HIPAA Security Series, Security Standards: Technical Safeguards, (Volume 2, Paper 4, March 2007) Chance of getting infected

9 The Total Cost of Protection Now that you re aware of the growing malware battle, the risks to your institution s network, and the importance of proper endpoint protection, you re faced with the daunting challenge of finding the right anti-malware suite. Of course, everyone wants the best possible protection at the lowest price. Kaspersky has developed a model for evaluating anti-malware software. The idea is to assist your IT manager in considering all the components of deployment during the RFP development stage and during the evaluation process. This model is called the Total Cost of Protection, which helps you calculate all hard and soft costs associated with an anti-malware deployment. Poor detection rates, a negative impact on system or network performance, complex administration, and poorly outsourced vendor support can increase costs and put data at risk. Educational institutions often have diverse and heterogeneous networks which are difficult and expensive to protect across the multiple platforms present. Even free software can impact costs. A prudent institution evaluates not only the street-price of an IT security solution, but also the effect on your existing infrastructure and the level of protection you require. Using the Total Cost of Protection framework provides a school with the ammunition it needs to make the case that the street price of anti-malware isn t the best determinant for mitigating the risk to your network.

10 About Kaspersky Lab Kaspersky Lab is the world s largest privately held vendor of endpoint protection solutions. The company is ranked among the world s top four vendors of security solutions for endpoint users. Throughout its 15-year history, Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for educators, consumers, SMBs and Enterprises. The company currently operates in almost 200 countries and territories across the globe, providing protection for more than 300 million users worldwide. Call Kaspersky today at or us at corporatesales@kaspersky.com, to learn more about Kaspersky Endpoint Security for Business. SEE IT. CONTROL IT. PROTECT IT. With Kaspersky, now you can.