Pencils? Check.

Notebooks? Check.

Web applications and servers patched and sanitized? Hopefully.

In many parts of the world, educators and students in primary, secondary and higher education institutions are reviewing their checklists to ensure academic preparedness for the new school year. But what about the education sector’s IT workers? What should be at the top of their cybersecurity checklists?

Command Injection Commands Attention

According to X-Force analysis of 2016 data, the top attack vector targeting 42 percent of X-Force-monitored clients involved using malicious input data to attempt to control or disrupt the target system. Command injection, which includes operating system command injection (OS CMDi), SQL injection and other types of code injection, belongs in this category. When assessing attacks targeting the education sector, this percentage jumps to 63 percent.


Source: IBM Managed Security Services data

This statistic illustrates the need for the education sector to take steps to thwart command injection attacks. Earlier this year, an attacker obtained access to the computer systems of dozens of universities in the U.S. and U.K. through SQL injection. In another reported incident, a gray-hat security researcher accessed thousands of student records from an educational institution in India using an SQL injection exploit.

In fact, in the last five years, X-Force Interactive Security Incident data revealed that SQL injection incidents were one of the most reported types of incidents in the education sector, second only to malware incidents.

Impact of a Breach: Substantially Higher in the Education Sector

Heavily regulated industries such as education have higher data breach costs. According to the Ponemon Institute’s “2017 Cost of Data Breach Study,” the average cost for each lost or stolen record containing sensitive and confidential information in the education sector is $200, substantially higher than the overall mean of $141.

The victims of breaches in the education sector range from current employees and students to students’ parents, alumni and donors. Attackers’ interest in this sector is evident: Data that could be obtained from these breaches include names, addresses, login information such as passwords and usernames, email addresses, Social Security numbers and even medical and financial information.

Command Injection Mitigation Checklist

Command injection attacks affect most industries, and mitigation techniques are applicable across all sectors — including education. Security professionals in all industries should complete the following steps to reduce command injection attacks.

Robust Patch Management

Why does Shellshock activity remain prevalent across all X-Force-monitored industries nearly three years after its initial outbreak? Cybercriminals know there are large numbers of unpatched command injection vulnerabilities (new and old) in web applications and servers. To mitigate these attacks, patching and maintaining current software versions is essential.

The dilemma is that managing and deploying patches for multiple operating systems and applications across hundreds of thousands of endpoints can be challenging for administrators. Fortunately, patch management solutions can help organizations automate and simplify the patching process.

Input Data Control and Sanitization

There are many ways attackers can exploit unsanitized input data, so data sanitization must be comprehensive. Filter all user input, and use prepared statements and object-relational mapping (ORM) with parameterized queries. Form and URL data needs to be validated for potentially malicious characters. Examples of these can be found in the IBM report, “The Importance of Thwarting Command Injection Attacks.”

Test, Test, Test

Test your web servers for command injection vulnerabilities and your applications for input validation errors on a regular basis using application scanning tools. Unfortunately, tool-based testing can only go so far in today’s modern threat landscape. That’s why it is just as important to engage teams that perform penetration testing.

No Summer Vacations for Cybercriminals

There are an increasing number of third-party programs for students, parents, teachers and school administrators, all with varying levels of access. Education management solutions such as PowerSchool, Skyward, MySchoolApps, SchoolDude and Applane are meant to enhance the experience for all participants, but they can also open the education sector to additional vectors of cyberattack. Attention to third-party application security is a growing need throughout the sector.

While many students and staff take time off between semesters, cybercriminals operate year-round. Servers and websites don’t go offline while school is not in session, making them a potential target at any point in the year. Now is a good time to review the above checklist and then make it a priority to revisit these recommendations periodically.

Read the X-Force Research Report: The Importance of Thwarting Command Injection Attacks

More from Threat Intelligence

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today