The Educator’s Back-to-School Cybersecurity Checklist: Make Mitigating Command Injection a Priority

Pencils? Check.

Notebooks? Check.

Web applications and servers patched and sanitized? Hopefully.

In many parts of the world, educators and students in primary, secondary and higher education institutions are reviewing their checklists to ensure academic preparedness for the new school year. But what about the education sector’s IT workers? What should be at the top of their cybersecurity checklists?

Command Injection Commands Attention

According to X-Force analysis of 2016 data, the top attack vector targeting 42 percent of X-Force-monitored clients involved using malicious input data to attempt to control or disrupt the target system. Command injection, which includes operating system command injection (OS CMDi), SQL injection and other types of code injection, belongs in this category. When assessing attacks targeting the education sector, this percentage jumps to 63 percent.

Education Versus All Other Industries
Source: IBM Managed Security Services data

This statistic illustrates the need for the education sector to take steps to thwart command injection attacks. Earlier this year, an attacker obtained access to the computer systems of dozens of universities in the U.S. and U.K. through SQL injection. In another reported incident, a gray-hat security researcher accessed thousands of student records from an educational institution in India using an SQL injection exploit.

In fact, in the last five years, X-Force Interactive Security Incident data revealed that SQL injection incidents were one of the most reported types of incidents in the education sector, second only to malware incidents.

Impact of a Breach: Substantially Higher in the Education Sector

Heavily regulated industries such as education have higher data breach costs. According to the Ponemon Institute’s “2017 Cost of Data Breach Study,” the average cost for each lost or stolen record containing sensitive and confidential information in the education sector is $200, substantially higher than the overall mean of $141.

The victims of breaches in the education sector range from current employees and students to students’ parents, alumni and donors. Attackers’ interest in this sector is evident: Data that could be obtained from these breaches include names, addresses, login information such as passwords and usernames, email addresses, Social Security numbers and even medical and financial information.

Command Injection Mitigation Checklist

Command injection attacks affect most industries, and mitigation techniques are applicable across all sectors — including education. Security professionals in all industries should complete the following steps to reduce command injection attacks.

Robust Patch Management

Why does Shellshock activity remain prevalent across all X-Force-monitored industries nearly three years after its initial outbreak? Cybercriminals know there are large numbers of unpatched command injection vulnerabilities (new and old) in web applications and servers. To mitigate these attacks, patching and maintaining current software versions is essential.

The dilemma is that managing and deploying patches for multiple operating systems and applications across hundreds of thousands of endpoints can be challenging for administrators. Fortunately, patch management solutions can help organizations automate and simplify the patching process.

Input Data Control and Sanitization

There are many ways attackers can exploit unsanitized input data, so data sanitization must be comprehensive. Filter all user input, and use prepared statements and object-relational mapping (ORM) with parameterized queries. Form and URL data needs to be validated for potentially malicious characters. Examples of these can be found in the IBM report, “The Importance of Thwarting Command Injection Attacks.”

Test, Test, Test

Test your web servers for command injection vulnerabilities and your applications for input validation errors on a regular basis using application scanning tools. Unfortunately, tool-based testing can only go so far in today’s modern threat landscape. That’s why it is just as important to engage teams that perform penetration testing.

No Summer Vacations for Cybercriminals

There are an increasing number of third-party programs for students, parents, teachers and school administrators, all with varying levels of access. Education management solutions such as PowerSchool, Skyward, MySchoolApps, SchoolDude and Applane are meant to enhance the experience for all participants, but they can also open the education sector to additional vectors of cyberattack. Attention to third-party application security is a growing need throughout the sector.

While many students and staff take time off between semesters, cybercriminals operate year-round. Servers and websites don’t go offline while school is not in session, making them a potential target at any point in the year. Now is a good time to review the above checklist and then make it a priority to revisit these recommendations periodically.

Read the X-Force Research Report: The Importance of Thwarting Command Injection Attacks

Michelle Alvarez

Threat Researcher and Editor, IBM Managed Security Services

Michelle Alvarez is a Threat Researcher and Editor for IBM's Managed Security Services; she brings more than 10 years of industry experience to her role. In this role she focuses communications efforts around threat research and mitigation. Michelle joined IBM through the Internet Security Services (ISS) acquisition, where she served as an Analyst on the X-Force Vulnerability Database Team.