Pencils? Check.

Notebooks? Check.

Web applications and servers patched and sanitized? Hopefully.

In many parts of the world, educators and students in primary, secondary and higher education institutions are reviewing their checklists to ensure academic preparedness for the new school year. But what about the education sector’s IT workers? What should be at the top of their cybersecurity checklists?

Command Injection Commands Attention

According to X-Force analysis of 2016 data, the top attack vector targeting 42 percent of X-Force-monitored clients involved using malicious input data to attempt to control or disrupt the target system. Command injection, which includes operating system command injection (OS CMDi), SQL injection and other types of code injection, belongs in this category. When assessing attacks targeting the education sector, this percentage jumps to 63 percent.


Source: IBM Managed Security Services data

This statistic illustrates the need for the education sector to take steps to thwart command injection attacks. Earlier this year, an attacker obtained access to the computer systems of dozens of universities in the U.S. and U.K. through SQL injection. In another reported incident, a gray-hat security researcher accessed thousands of student records from an educational institution in India using an SQL injection exploit.

In fact, in the last five years, X-Force Interactive Security Incident data revealed that SQL injection incidents were one of the most reported types of incidents in the education sector, second only to malware incidents.

Impact of a Breach: Substantially Higher in the Education Sector

Heavily regulated industries such as education have higher data breach costs. According to the Ponemon Institute’s “2017 Cost of Data Breach Study,” the average cost for each lost or stolen record containing sensitive and confidential information in the education sector is $200, substantially higher than the overall mean of $141.

The victims of breaches in the education sector range from current employees and students to students’ parents, alumni and donors. Attackers’ interest in this sector is evident: Data that could be obtained from these breaches include names, addresses, login information such as passwords and usernames, email addresses, Social Security numbers and even medical and financial information.

Command Injection Mitigation Checklist

Command injection attacks affect most industries, and mitigation techniques are applicable across all sectors — including education. Security professionals in all industries should complete the following steps to reduce command injection attacks.

Robust Patch Management

Why does Shellshock activity remain prevalent across all X-Force-monitored industries nearly three years after its initial outbreak? Cybercriminals know there are large numbers of unpatched command injection vulnerabilities (new and old) in web applications and servers. To mitigate these attacks, patching and maintaining current software versions is essential.

The dilemma is that managing and deploying patches for multiple operating systems and applications across hundreds of thousands of endpoints can be challenging for administrators. Fortunately, patch management solutions can help organizations automate and simplify the patching process.

Input Data Control and Sanitization

There are many ways attackers can exploit unsanitized input data, so data sanitization must be comprehensive. Filter all user input, and use prepared statements and object-relational mapping (ORM) with parameterized queries. Form and URL data needs to be validated for potentially malicious characters. Examples of these can be found in the IBM report, “The Importance of Thwarting Command Injection Attacks.”
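As an added illustration (not code from the original article or the IBM report), the Python sketch below puts a concatenated SQL lookup beside a parameterized one and adds allow-list validation of a form field before the query runs. The student table, the "S plus four digits" ID format and the sample input are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory student table (not from the article).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id TEXT PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [("S1001", "Ada", "ada@example.edu"),
         ("S1002", "Grace", "grace@example.edu"),
         ("S1003", "Alan", "alan@example.edu")],
    )
    return db

def lookup_concatenated(db, student_id):
    """Weak form: user input is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT name FROM students WHERE id = '" + student_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, student_id):
    """Prepared statement: the driver binds the value, so it stays data."""
    return [row[0] for row in db.execute(
        "SELECT name FROM students WHERE id = ?", (student_id,))]

# Hypothetical ID format for this example: 'S' followed by four digits.
STUDENT_ID = re.compile(r"S\d{4}")

def lookup_validated(db, raw_value):
    """Allow-list validation of the form/URL field, then a bound query."""
    if not STUDENT_ID.fullmatch(raw_value):
        raise ValueError("rejected student id")
    return lookup_parameterized(db, raw_value)

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"   # constructed input containing SQL metacharacters
    print(lookup_concatenated(db, hostile))    # the WHERE clause no longer filters
    print(lookup_parameterized(db, hostile))   # no row has that literal id
    print(lookup_validated(db, "S1002"))
```

Validation narrows what reaches the query, but the bound parameter is what keeps input from being parsed as SQL, so the two are used together rather than as alternatives.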

Test, Test, Test

Test your web servers for command injection vulnerabilities and your applications for input validation errors on a regular basis using application scanning tools. Unfortunately, tool-based testing can only go so far in today’s threat landscape. That’s why it is just as important to engage teams that perform penetration testing.

No Summer Vacations for Cybercriminals

There is an increasing number of third-party programs for students, parents, teachers and school administrators, all with varying levels of access. Education management solutions such as PowerSchool, Skyward, MySchoolApps, SchoolDude and Applane are meant to enhance the experience for all participants, but they can also open the education sector to additional vectors of cyberattack. Attention to third-party application security is a growing need throughout the sector.

While many students and staff take time off between semesters, cybercriminals operate year-round. Servers and websites don’t go offline while school is not in session, making them a potential target at any point in the year. Now is a good time to review the above checklist and then make it a priority to revisit these recommendations periodically.

Read the X-Force Research Report: The Importance of Thwarting Command Injection Attacks
