Education cybersecurity: K-12 schools get a mixed report card

The education sector sees an improving window of exposure despite lower remediation rates and higher than average time to fix, according to an NTT report

Why schools and universities are such a tempting target for ransomware attacks

A new report from NTT Application Security has found that applications used by organizations in the education sector have an improving window of exposure despite having lower remediation rates and a higher than average time to fix.

This month, the NTT Application Security research team focused on cyberthreats targeting education applications as security concerns in that sector continue to grow with the school year starting. 

Accelerated online learning environments due to the pandemic and considerable rates of ransomware and phishing attacks against K-12 schools have increased focus on the unique cybersecurity challenges these organizations face. 

According to the report, although the education sector's breach exposure has remained relatively consistent this year, it's taking longer to fix high severity vulnerabilities compared to other industries (206 days vs 201 days). 

Additionally, applications within the education sector show an increased Window of Exposure (WoE) rate, rising to 57% in August from 53% last month.

Setu Kulkarni, vice president of strategy at NTT Application Security, told ZDNet the education sector showed a positive trend as far as WoE is concerned. 

"As we completed the research, it was surprising to see that less than 50%, actually only 46% of the critical vulnerabilities are ever fixed. That's a shockingly low remediation rate, but that's only half of the story. For those 46% of the vulnerabilities that get remediated, on average it takes over 200 days to fix a critical vulnerability once an organization decides to address the vulnerability," Kulkarni explained. 

"Those two factors are majority contributors to the high breach exposure for applications -- that is, applications have an unacceptable WoE to attacks. Moreover, the mix of serious vulnerabilities has remained constant over time and that means, the attackers do not have to try too hard." 

Despite the issues, the data indicates that organizations in the education sector are hyper-focused on fixing critical vulnerabilities within some of their web applications and Kulkarni said this approach seems to be working, as the sector's otherwise stable Window of Exposure metrics are now improving.

The education sector has one of the best Window of Exposure metrics (less than one month) across all sectors, according to the report. 

The researchers found that 53% of applications in the education sector have at least one critical vulnerability exploitable throughout the year, yet 34% of these applications have a Window of Exposure of less than one month. This means that serious vulnerabilities in 34% of applications in the sector get addressed within one month.

Kulkarni said that moving forward, there needs to be a focus on reducing the average time to fix critical and high severity vulnerabilities, which are critical to improving the WoE and consequently the overall security posture of applications. 

"The application security statistics for the education sector indicate a hyper focus among organizations in this sector on a handful of critical web applications and fixing a handful of critical vulnerabilities in those applications," Kulkarni added. 

"To accelerate the improvement in the Education sector's overall application security posture, organizations in the sector should expand their approach to identify their overall attack surface and put in place a systematic program that progressively covers all applications." 

Kulkarni also suggested educational organizations provide security training to students and demand that the SaaS and non-SaaS products are thoroughly checked for vulnerabilities.