Hardly a week goes by when you don’t hear a story about a school computer system being hacked. From New York to California, hackers are infiltrating networks and violating the security of K–12 district systems.
These violations range from so-called harmless pranks to much more serious offenses. In the recent case of a group of Long Island high school students, a wholesale attempt to change the grades of students was detected. The outcome: third-degree burglary, tampering, identity theft and more charges that are sure to haunt these teenagers’ future.
In Berkeley, racist threats appeared on library computers at a high school. As of this writing, the culprits have yet to be nabbed. They face hate crime and terrorism charges, and much more, if and when they are caught.
It’s serious, any way you cut it. And just as the consequences of hacking haunt the future of the hacker, school IT directors and administrators are haunted by the possibility that their district might be next.
Before I get too far here, remember this absolute: no computer is 100% secure. The simple act of connecting a computer to other computers on a LAN or the internet creates this danger. No computer system is unhackable. Anyone who tells you their software, service, or system is 100% secure is lying or terribly uninformed.
Also remember that there are many safeguards you can take to protect your website and networks. It may be as simple as a stronger password policy, or using some third-party tools. Or it could involve a look at the processes you have in place and some steps you can take to strengthen those. For a complete rundown of the things your school should be doing, download this checklist for preventing your school website from being hacked.
Editor's Note: Campus Suite itself came under a brutal DDoS attack for days, and we never had a clue why. More times than not – unlike unethical students wanting to change grades, or hate mongers trying to spread fear – the reason and the attacker go undiscovered.
Types of school hack attacks
So why would someone want to hack your website? Maybe a disgruntled ex-employee or student wants revenge. Is your server so open that any low-level hacker can steal your resources to pirate movies? Is a foreign cyber gang looking to steal parent information to order new TVs for the black market? Most schools never know. Hackers are rarely found, and they rarely share their motives.
Most attacks fall into these categories:
- DDoS attack – DDoS attacks look to overwhelm your resources and take you offline. DDoS attacks are difficult to mitigate, so use this helpful article on preventing DDoS attacks.
- Brute force attack – Someone tries many different passwords in an attempt to guess a user’s password.
- Security hole – The hacker uses a known hole in a software package to run an exploit, which is malicious code that triggers unwanted behavior.
- Vandalism attack – A person steals a user account, and makes changes to content. Many people see this when their website is defaced, like the Berkeley high school mentioned at the start of this article.
- Person (or man) in the middle attack – A hacker will use a trick to get between a user and the system to steal information.
- Social engineering attack – Hackers attack the weakest link in your system – the humans. Hackers trick your users or vendors into giving out access to systems. Some of the most successful hacks of all time are social engineering attacks, like those of Kevin Mitnick, a man who’s made a career out of first hacking and now guarding against hacking.
Keeping your school website from getting hacked
All security starts with understanding your attack surface, which is any component of your system that is open to the internet. Most services on servers are set to listen for incoming internet connections on a port. Ports are part of TCP/IP, which runs the internet. On most web servers, the following ports might be open:
- Port 21 – FTP File Transfer Protocol – A service to upload and download files
- Port 22 – SSH or SFTP – Secure shell or SFTP – SFTP is a sub-service of SSH, which encrypts data for transport across the Internet
- Port 25 – SMTP – Simple mail transport protocol – A service to send or receive email
- Port 53 – DNS – Domain Name Server – A service to map domain names to IP addresses
- Port 80 – HTTP – Hyper Text Transfer Protocol – The service that powers websites to serve content
- Port 443 – SSL – Secure Sockets Layer – A service to encrypt communications. Used to encrypt data to and from the server, keeping data safe on the Internet
Not all servers use all these ports, although all web servers use port 80, 443, or both. The attack surface for your school is comprised of the ports that are open on the server. If you host with a third party, the hosting server may have some of these ports open.
Think of ports as windows. Some windows are wide open, and some have bars. We need your school to have bars on the windows. If you host your own site, running your DNS, email, and web site on the same server is risky. Here’s a helpful article on proper DNS set up for your school.
A single failure could take down all the communications channels your school depends on – website, email, voice, emergency notification and more. If you host with a third party, check that they spread their services across several servers.
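An added example (not from the original article): a short Python audit, run against a server you administer, that compares the ports listed above with the ports you intend to expose and flags the DNS, email and web co-location just described. The host address, the allowlist and the function names are assumptions.

```python
import socket

# Ports and service names as listed in the article. TCP only: DNS also uses
# UDP 53, which this connect-based check does not cover.
ARTICLE_PORTS = {21: "FTP", 22: "SSH/SFTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "SSL"}

def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def open_ports(host, ports=ARTICLE_PORTS, timeout=1.0):
    """Probe each listed port on a host you administer; return the open ones, sorted."""
    return sorted(p for p in ports if is_open(host, p, timeout))

def review(found_open, expected_open):
    """Compare what is open with what you intend to expose (your allowlist)."""
    found, expected = set(found_open), set(expected_open)
    findings = []
    for p in sorted(found - expected):
        findings.append(f"unexpected open port {p} ({ARTICLE_PORTS.get(p, 'unknown')})")
    for p in sorted(expected - found):
        findings.append(f"expected port {p} is not reachable")
    if 21 in found:
        findings.append("FTP (21) is open: unlike SFTP on 22, it does not encrypt data")
    # The article's single-point-of-failure case: DNS, email and web on one server.
    if 53 in found and 25 in found and found & {80, 443}:
        findings.append("DNS, email and web share this server: one failure takes down all three")
    return findings

if __name__ == "__main__":
    host = "127.0.0.1"      # assumption: replace with a server you administer
    allowlist = {80, 443}   # assumption: a web-only server
    for line in review(open_ports(host), allowlist):
        print(line)
```

Run it from outside your network as well as inside, since a firewall may hide ports from one side that are reachable from the other.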
Have a plan in place to try to prevent hacking
Your goal is to secure your systems and websites as much as possible (and keep your district out of the news for the wrong reasons).
For a detailed checklist of hacking safeguards for your school, download this guide on how to prevent your school website and networks from being hacked.
Security is a journey, not a destination. You must test, retest, and review your systems and setups on an ongoing basis. There is no "set it and forget it" security setup for your school or website. Hackers are always on the prowl, and we all need to be ready.
Remember that no system is 100% secure. For you Mission Impossible fans, you might recall that even the CIA couldn’t keep Ethan Hunt from hacking into the un-networked computer in the vault. Starting with these simple steps, you can keep your school systems safe, and prevent hacked school websites.
Eric's background as a technical CEO with a big-picture focus brings experience and vision that both gain the respect of technical audiences and get the attention of progressive school leaders and administrators.