"This blogpost is 1 of 4 blogpost created during my fellowship at the Consortium of School Networks (CoSN). In addition to these blogposts, I created a report identifying five actions a school system IT staff can take to better defend IT infrastructure. It is focused on low-cost solutions for districts with minimal resources. That report can be accessed here."
------------------------------------------------------
One of the most overlooked insider threats to a school is a student hacker. It can be tough to determine if student hackers are just script kiddies looking to cause mischief, or if the hacker is just interested in learning through hacking. Script kiddies are amateur hackers who typically use pre-existing tools and scripts to launch attacks. They often lack the technical skills to create their own tools and instead rely on others to do the work for them. While script kiddies are not typically considered to be a serious risk, they can pose significant problems to schools if they gain access to sensitive data or systems. According to the 2022 CoSN Ed Tech Leadership Report, district technology leaders believe that 42 percent of insider threats were more of a risk to schools compared to outside hackers and ransomware attacks.
Student hackers can be dangerous as they can easily launch attacks that can cause significant harm to a school system, other students and educators. This can transition from accidental damage to genuine malicious intent if not addressed in an appropriate fashion. Script kiddies do still count as a potential risk to schools if they are not addressed. Without any intervention, they evolve into a threat because they can easily exploit vulnerabilities in systems that are not properly secured. This can lead to data loss or theft, and in some cases, denial of service attacks.
While it can be natural to conclude that schools should just implement a stricter security framework in order to detect and mitigate threats like script kiddies, it is important to keep in mind that negative reinforcement could make the student look dangerous, which can be troubling in the long term. According to Seth Slater, Director of Technology for the Northwest Allen County School District, it's more important to encourage a student to use their skills for good and provide valuable insight on network security.
"I think there's a benefit there," Slater adds. "We had a stern conversation with the student, and we involved his father, who was aware of the situation." While the student hacker does have access to certain tools that are otherwise restricted to others, the student in exchange provides insight that helps an IT department fortify not just security measures to the system, but also confidential data that could have dire consequences if compromised. Slater continues to add that the outside point of view helps their IT team rethink some of the historical practices that school districts traditionally have for Education Technology (EdTech) practices. Such practices include the way school accounts provide usernames and ID numbers to how password resets are done.
Some experts believe there should be a strong focus on making sure that the student is not perceived as a threat. Tim Tillman, CTO of Chesterfield County Public Schools believes his time as a student hacker fostered his interest in helping school staff look at security practices in a different way. By the time he was a high school graduate, he was offered a job working at the very same school that he attended. “I was given the opportunity to expand my knowledge and to explore what prompted my love of my career." Tillman believes that students that start hacking school networks are not interested in causing any damage. “Most of what the K-12 environment would call a student hacker usually turns into someone who's trying to bypass a system. They're trying to bypass a content filter so they can watch YouTube or get the content that is restricted from them. In my position here I haven't really run across anyone yet that we have found any way that could damage our network, most of what kids are doing is trying to get to content because they're bored." There is a potential opportunity to utilize that boredom and engage with students that is both conducive to their learning environment, in addition to fortifying it. By encouraging student hackers to share their knowledge with teachers and administrators, it gives these students a chance to return a learning opportunity to staff and faculty.