Whether it’s a student trying their hand at hacking or leveraging a stolen teacher’s password, a teacher up to no good, or an external attacker leveraging stolen passwords, how are you supposed to spot inappropriate access?
Help is needed to identify when any kind of threat actor attempts to strike, and do so in a manner that does not inhibit everyday access for faculty, staff and students.
The very concept of your network environment “being secure” is a bit subjective. Secure from what? As the IT industry continues to focus on the security of its environments and data, it’s important to understand security contextually in terms of what attack types your layers of defense are protecting you from.
Today’s list of “usual suspects” includes ransomware, phishing, hacking, data breaches, insider threats, and more. Given the compounding list of potential threats, it becomes increasingly important to understand the specific threats that your industry vertical faces, looking for viable solutions to ensure a robust defense-in-depth strategy.
And when it comes to an industry under attack, one of the top contenders is the Education sector. While Finance and Retail sectors dominate most every report, the Education sector remains a top viable target for insider and external threats alike.
Education has the highest rate of ransomware of all industries [1]. In fact, Educational organizations experience over three times as many ransomware attacks as Healthcare, and more than ten times the number found in Finance [1].
Education organizations represent a repository of so many types of valuable data. Personal information on teachers, staff, and students along with payment information and health records can be used as part of a financially-motivated crime. Higher education institutions doing cutting-edge research have data sets and intellectual property that can be the perfect target for either a ransomware or espionage-motivated attack. While many colleges and universities have stepped up their security efforts, attempting to match that of other industries, they remain a target for both ransomware and external
Primary and secondary schools with younger students are also extremely viable targets, mostly due to the lack of budget assigned to security initiatives, causing antivirus software or spam filters to be the primary defense.
Defining the Attack on Education
While you may be keenly aware that your education organization may be the target of attacks, it’s important to better understand who is doing the attacking, why, what they’re after and – most importantly – what you can do about it.
The chart below provides some clarity on the nature of attacks in Education.
Data Breach Characteristics in Education [2]
External attacks make up the lion’s share, with criminal organizations looking for ways to gain entry to your network in an effort to exfiltrate valuable data or hold it for ransom.
And while the primary source of attack is an external threat actor, the Education sector is also subject to attack from within. Tech-savvy students who know more than their IT department are, generally, self-serving and unconcerned about the security and well-being of the network environment. They will work to find ways to circumvent any safeguards in place to ensure they can visit every part of the web they want, which puts the institution at risk of malware infection.
Students also leverage the applications and systems provided to them to reach their personal objectives – from downloading music, games, and movies to hosting a business website. Students are notorious for finding a way, regardless of whether their actions adhere to security policy or not.
It’s evident IT organizations in the Education sector need a strategy that helps to identify when any kind of threat actor attempts to strike, and do so in a manner that does not inhibit the abilities of faculty, staff, and students.
So, what is Logon Management and how can it help in an Education setting?
Logon Management: A Very Brief Primer
The concept of logon management centers around four primary functions – all working in concert to maintain a secure environment:
- Policy – Establishes who can log on when, from where, for how long, how often, and how frequently. It can also limit specific combinations of logon types (such as console- and RDP-based logons) and users.
- Monitoring – Awareness of every single logon as it occurs serves as the basis for enforcing policy, alerting, reporting, and more.
- Alerting – Notifies IT and pertinent users of inappropriate logon activity and failed attempts.
- Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.
By putting these sets of functionality together, Logon Management puts a protective layer at the forefront of your network, ensuring use is appropriate.
Why Logon Management?
Now, you might ask yourself, why Logon Management and not something else, like Next Gen Antivirus or Endpoint Security? It’s a valid question. Unlike most security solutions, which attempt to reside at the point of the malicious actions, Logon Management seeks to seamlessly insert itself into the process, stopping the threat action before it happens.
There are a few reasons why Logon Management is a responsible and effective part of your security strategy.
The logon functions at the core of every attack
Common to every type of attack is the need to log on. Whether accomplished using a remote session, via PowerShell, leveraging a mapping of a drive, or by logging on locally at a console, your network requires that a user authenticate themselves prior to being given any kind of access.
Whether it’s a student trying their hand at hacking or leveraging a stolen teacher’s password, a teacher up to no good, or an external attacker leveraging stolen credentials, they all need to log on in order to be successful.
It provides the earliest of warning signs
Unlike security solutions that require an attacker to perform some kind of inappropriate action, such as attempting to access sensitive data, making copies to a USB stick, or attaching files to web-based email, identifying a potential attack with Logon Management occurs before any access of any kind is achieved, let alone leveraged.
This gives IT a leg up on responding before any damaging actions are taken by an attacker.
It limits false positives
The dreaded part of any security solution is the potential for a storm of alerts that turn out to be false positives. With so many users logging on – and at just about any time of the day in universities – it’s critical that IT have solutions in place that are certain about the attack potential.
Using policy-driven controls, Logon Management is configured based on the normal use of the environment, only providing alerts when a logon is out of policy.
For example, if a student gets hold of a teacher’s credentials and tries to log on on a Saturday at 3 in the morning, you want a notification on it. Likewise, if the student is trying to log on during regular school hours but keeps getting cold feet, resulting in multiple logons within a short duration of time, IT also wants to know.
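The two alert conditions in this example (an off-hours logon with a teacher's account and repeated logons within a short period) can be written as a small policy check over logon events. This is an added illustration, not code from any logon management product; the policy hours, thresholds, account names, and workstation names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: role -> (allowed weekdays, first hour, last hour exclusive).
# Weekdays follow datetime.weekday(): Monday is 0, Sunday is 6.
POLICY = {
    "teacher": ({0, 1, 2, 3, 4}, 6, 20),
    "student": ({0, 1, 2, 3, 4}, 7, 17),
}
BURST_LIMIT = 3                       # logons tolerated per user per window
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample events: (ISO timestamp, user, role, workstation).
EVENTS = [
    ("2017-09-16T03:02:00", "t.alvarez", "teacher", "LAB2-PC07"),  # Saturday
    ("2017-09-18T08:15:00", "t.alvarez", "teacher", "STAFF-PC01"),
    ("2017-09-18T10:00:00", "s.kim", "student", "LAB1-PC03"),
    ("2017-09-18T10:02:00", "s.kim", "student", "LAB1-PC03"),
    ("2017-09-18T10:04:00", "s.kim", "student", "LAB1-PC04"),
    ("2017-09-18T10:06:00", "s.kim", "student", "LAB1-PC03"),
    ("2017-09-18T13:30:00", "s.kim", "student", "LIB-PC11"),
]

def evaluate(events):
    """Return (timestamp, user, reason) for every out-of-policy logon."""
    recent = defaultdict(deque)       # user -> logon times inside the window
    alerts = []
    for stamp, user, role, _host in sorted(events):
        when = datetime.fromisoformat(stamp)
        rule = POLICY.get(role)
        if rule is None:              # unknown role: fail closed
            alerts.append((stamp, user, "no policy for role: deny"))
            continue
        days, start, end = rule
        if when.weekday() not in days or not start <= when.hour < end:
            alerts.append((stamp, user, "outside permitted hours"))
        window = recent[user]
        window.append(when)
        while when - window[0] > BURST_WINDOW:   # drop logons older than window
            window.popleft()
        if len(window) > BURST_LIMIT:
            alerts.append((stamp, user, "repeated logons in short window"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert, sep="  ")
```

Only the Saturday 03:02 teacher logon and the fourth student logon inside ten minutes raise alerts; the in-hours logons stay silent, which is the false-positive behavior the section describes.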
It actually can stop an attack
This is one of the most important aspects of your security strategy. Nearly every security solution on the market says they stop attacks. Be careful here – does the solution just alert IT to a threat potential (which only stops an attack once IT intervenes, or perhaps just minimizes the attacker’s exposure, but didn’t actually stop the attack), or does it actually take action and stop the attack?
Unlike solutions that detect malicious actions (such as antivirus detecting the presence of malware, or data loss prevention detecting a user attempting to copy data to a USB drive) once some degree of damage is done, Logon Management takes a far more proactive approach. Should a logon fall outside a set of established restrictions, it can automatically block access or, if the user is already connected, immediately and forcefully log the user off and lock the account, putting a stop to the attack before any malicious actions are taken.
Because of Logon Management’s ability to provide early detection of inappropriate activity well before any malice takes place, it is a viable candidate for putting protection in place that will assist in securing access to critical systems and sensitive data.
But how does Logon Management specifically help Education?
Why Logon Management in Education?
Being such a unique networking environment, Education can’t always afford to tailor its security needs to match the capabilities of security solutions designed for traditional business environments. What’s needed is a security solution that can easily adapt to the changing needs of educational institutions at any level.
Logon Management is an ideal fit for the security needs of the Education industry for a number of reasons:
The ratio of user-to-IT is so high, any security measures put in place need to facilitate both security and productivity, ensuring the user can quickly get access to online learning resources, but in a way that allows IT policies to fully be in control at a moment’s notice.
Logon Management integrates with the logon process, allowing users to participate in a secure model of scrutiny without sacrificing productivity.
Could you imagine if you had to train every single student how to use some new security solution? Such an idea is a complete non-starter. Logon Management should require zero training, making implementation easy in an educational setting.
Zero Trust Model
Because the Education environment is uniquely used by a majority of users who are high-risk (that is, students), Logon Monitoring policies can be created to specifically put more stringent limits, alerts, and responses on those with higher risk.
Education organizations have a limited budget and, therefore, need to spend that budget wisely, ensuring they get (in the case of security spend) the most security protection with the least amount of money spent.
Given the tech-savvy nature of your students, your security cannot be reactive, waiting until a malware infection occurs or hacking activity is successful. Logon Management effectively limits the scope of access, stopping the threat actor before they can do any harm.
Securing Education at the Logon
The Education industry is one of the most heavily targeted (and successfully attacked) industry verticals. Its user base can range from the completely innocent to the absolutely sinister, making it necessary to provide protection in a way that is integral to the very way students, teachers, and faculty interact with the network – one that facilitates security as much as it does access.
Only Logon Management provides educational organizations with the ability to seamlessly secure the entire network. It allows the process of educating to continue as normal, but with the scrutiny and control necessary to automatically shut down suspicious activity at the point of entry.
[1] BitSight, The Rising Face of Cyber Crime: Ransomware (2017)
[2] Verizon, Data Breach Investigations Report (2017)