Security of Online Learning

How to avoid Zoom class pranks and data breaches, and keep students safe

As a majority of schools and universities move to either 100 percent online or hybrid online and in-person learning this fall, security has become even more important. Just as we saw hackers preying on the public’s heightened awareness when the pandemic began with targeted attacks, if the education community does not secure their data and communications with an increase in online learning, they could be a major target.

Schools and teachers need to consider authentication, access control, data integrity and content protection to keep their courses and students safe. Education systems face two major concerns in securing their online learning. First, they must secure their sensitive data, and second, they need to secure online communications and classes.

Securing student data

Gone are the days when students attempted to change their grades by sneaking into a physical office or stealing papers. Now students hack school systems to change their grades. One student hacked his school district and warned them of their vulnerabilities after he found millions of records, from test grades to medical records to the lunch menu. The severity of attacks has escalated as hackers have taken advantage of vulnerabilities in school systems. Last year, over 500 schools were hit with ransomware, with hackers demanding $1.6 million. That could be worse this year, as schools are preoccupied with adapting to digital classrooms. Just this summer, several universities have been hit by ransomware. The University of Utah paid almost half a million dollars in ransom in July, and in June hackers threatened to sell Columbia College student data on the dark web.

Securing student data is especially important considering that schools host massive amounts of data; besides test scores and grades they also collect age, race, gender, special education needs, attendance, behavior and more about their students. This data must be encrypted and access restricted wherever it is hosted.

On third-party platforms

Many schools use third-party learning platforms like Blackboard or Canvas, which are then custom-branded for the school (i.e. see: blackboard.gwu.edu). Two-factor authentication should be mandatory for these systems. Some schools only allow access to these systems via single sign on (SSO). Additionally, when using client software, such as zoom, schools or administrators should provide only official links to their download page so that students do not accidentally download malware.

On your site

Your organization’s website needs to be secured with a TLS/SSL certificate to encrypt information and ensure trust in your site. There are three types of TLS certificates: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). Certificate authorities (CAs), like DigiCert, validate each type of certificate to a different level of user trust. EV certificates provide the highest level of authentication and are the global standard for encrypting highly sensitive data.

Securing online communications and classrooms

Imagine a teacher leading a class on Zoom and the entire class interrupts with synchronized dancing. Well, this actually happened in May. The class pranked their teacher several more times, passing a pencil around their videos, backing out of their videos and more. As entertaining as pranks like these are for the students, it disrupts class and makes it difficult for the teacher to virtually regain control. In other accounts, pranksters have hacked video conferencing classes to post inappropriate messages. Role-based accounts and access control can help solve this. You may also want to require regular reauthentication.

On video conferencing classrooms

While the use of video conferencing platforms has increased significantly, we’ve also discovered more of their vulnerabilities. Back in the spring, when issues with Zoom arose, some school districts banned Zoom over security concerns. So the New York City Department of Education developed a DOE-licensed version of Zoom to better meet their security standards. Their version blocks students from controlling the screen, allows the host to mute participants, prohibits participants from renaming themselves and blocks private chats. Besides Zoom, many use Webex, Microsoft Teams and Bluejeans. No matter which platform you use, ensuring that only those who are authorized to access your video conference can enter, and only those permitted to screen share, chat and lead the discussion can keep classes secure and running smoothly — and it prevents classes from pranking their teachers.

On school-issued devices

One way schools have added a level of security to their online learning is through issuing devices to students, which must be used to access their video conference links and classwork. However, this also requires managing devices remotely. You can do this through Mobile Device Management (MDM). PKI can solve the access and identity portion of MDM management. MDM can give you control over devices and the security profile and level of access for device users. And you can do that remotely from wherever you are in the world.

Over email

Students are subject to the same type of phishing accounts as corporate employees. Although there isn’t necessarily a financial gain, hackers do it for fun and then lock out the real students. Especially with school-issued devices, it is key to ensure that students do not accidentally install malware on school property. You can secure email through protocols like S/MIME and work towards DMARC certification for your domain.

On important documents like report cards and diplomas

Finally, you don’t want students tampering with their report cards or diplomas. Secure sensitive documents with digital document signing. Digital document signing allows individuals and organizations to add a digital signature to a document to prove the identity and authenticity of the sender. And it is more secure than scanned signatures or electronic tickets, which can be easily tampered with. It also never expires and follows local regulations so documents can be legally binding.

Having the right security measures in place can help avoid teachers’ worst nightmares of losing control of their classrooms, protect sensitive student data and help avoid costly attacks. You should regularly check for vulnerabilities to prevent issues. While these measures are not a comprehensive list, they are an important step towards securing online classrooms.

Posted in Best Practices, Data Security, Internet of Things, Privacy