Addressing Growing Application and Bandwidth Risks in Education Networks

istock 683461608

According to recent FortiGuard Labs research that looked at technology and threat trends among educational institutions in the US, both K-12 and higher education institutions are consistently operating at the cutting edge of technology use. This may be due, in part, that the students in this current generation of students (known as Gen Z or the iGen) never experienced a time in their lives that wasn’t dominated by technology. This is good news for the future of our digital economy, as it depends on technical savvy workers and users. Two areas in particular, application usage and bandwidth consumption are good markers for measuring technical progress. However, this growth in the use of technology also creates new security challenges that need to be addressed.

In 2017, the education sector had, by far, the highest average number of applications detected at 274, along with the widest variety of applications running, which falls in line with trends about technology and application use by the iGen. While this number is impressive, it’s actually down from 2016, which saw an average of 324 applications detected. Part of the reason for this is that after the initial explosion in technology and application usage, some natural consolidation began to occur. Educational institutions also tend to utilize the most bandwidth, consuming nearly 20GB/day of use on average, which is almost double that consumed by most other industry segments.

Application Usage

And while the large number of applications running certainly translates into diverse skills being developed and new platforms for collaboration, learning, and sharing being tested, many applications can also introduce security risks. Many applications are home-grown or pulled off of application stores with little regard for whether they are secure, or might create a conduit for malware and data theft to occur. Most of these are self-selected, which means that IT teams are rarely consulted before an application is downloaded and put to use between peers or in a classroom.

To address this challenge, IT teams need to establish regular application inventories. The first should provide a baseline for subsequent inventories. Such inventories and assessments will not only help IT teams better understand traffic flows and usage, but also enable them to correlate application usage and risk. Once they have a handle on these they can effectively institute role-based authentication and SSO that provide teachers with elevated application access, but limit students to whitelisted sets of tested and approved applications.

Cloud Usage

The education segment is also experiencing a significant shift in cloud usage. For example, a growing number of IaaS applications are being detected, from an average of 39 in 2016 to 47 in 2017. This occurrence is much higher in Education, with most other segments averaging just 28 IaaS apps in 2017. This means that more educational workloads than ever are moving to cloud providers such as Amazon AWS, Google Cloud, and Microsoft Azure.

From a security perspective cloud infrastructures and applications often translate to limited visibility, which is why IT managers need to ensure that the same controls being applied on premises can be applied to cloud-hosted applications. This may mean rethinking security vendors, and choosing those with a common set of solutions available across multiple cloud providers. Cloud Access Security Broker (CASB) and Single Sign-On (SSO) technologies should also be leveraged to provide more visibility into these environments.

Data Encryption

As more traffic moves between local and cloud networks and applications, the volume of encrypted traffic also grows. In 2016, for example, HTTPS usage was at 54%, but by the end of 2017 it had grown to 68%. Historically, the percentage of encrypted traffic has always been higher in other industries, but in 2017 the Education sector finally caught up.

The challenge with encrypted traffic is that it can be incredibly CPU-intensive to inspect and secure. And since this trend is rather new for educational institutions, they need to ensure that the security solutions they have in place, such as NGFWs, can inspect SSL-based traffic at near line speed. These trends are unlikely to reverse, so the inability to adequately inspect encrypted traffic now will eventually lead to an inability to enforce network controls in general, thereby creating a new attack vector through encrypted tunnels.

Bandwidth Usage

It’s not just educational applications that account for the rise in bandwidth use. Netflix usage is up significantly in Education, now comprising nearly 1/3 of all streaming traffic. But that still lags behind YouTube streaming, which comprises 44% of all streaming traffic in the networks of educational institutions. Gaming bandwidth is also on the rise, with Steam (higher education) and Roblox (K-12) comprising a growing chunk of overall bandwidth usage.

Contrary to the beliefs of many users, bandwidth isn’t a limitless commodity. To address these growing demands, educational facilities need to be able to either scale up or put usage policies in place to limit bandwidth hogs like streaming services, gaming downloads, or P2P usage. In each case, security needs to be able to adapt to these changes, either through dynamic scalability or the ability to inspect and lock down traffic, especially traffic designed to bypass bandwidth or application controls. In terms of capacity planning, it is important to purchase solutions now that will provide performance assurance in the future through such things as dynamic scalability, the ability to span between physical and virtual security solutions, and/or purpose-built hardware designed specifically to do the heavy lifting that growing volumes of traffic demand.


We are now observing double the number of proxy applications in Education, especially in Higher Education, than we are seeing in other industries. Students are constantly trying to circumvent web-filtering controls in order to run these applications. This is especially concerning because Fortinet’s Threat Landscape Report for Q3 of 2017 found that organizations that allow proxy applications detect nine times as many threats as organizations that disallow them.

Two of the most common threats we are seeing on educational campuses are Adobe Flash exploits and the Pushdo botnet. Obfuscated.Flash.Exploit has been the #1 IPS attack for two years running, and was detected in 35% of all US Educational institutions both years. Likewise, Pushdo has been the #1 botnet for the past two years, but we have seen detections grow from just 16% of US Educational facilities in 2016 to 26% in 2017. Pushdo is commonly used to compromise a machine for later use in larger botnet attacks.

The first recommendation is to limit Adobe Flash usage wherever possible, as it (along with many browsers and browser plug-ins) tends to be susceptible to exploit kits. Most application providers are moving towards using HTML5 instead of Flash. One good way to address this is to create a standard build using patched and tested software versions, and then limit the variations of software allowed to run. IT managers should also restrict administrative rights to minimize the impact of an exploit against Flash.

For botnets like Pushdo, ensure that existing security solutions can detect C&C activity, and that there is a plan in place to root out client machines that have been compromised. And since botnet detection indicates a threat already inside the network, develop an incident response plan that documents how to detect, analyze, respond, and recover from a breach. Network segmentation also prevents malware and botnets from spreading laterally across the network, and should include isolating guest access and student BYOD networks.

Addressing Growing Risks

Given the rise in applications and bandwidth consumption within educational networks, and the related rise of cyber threats, it is essential that organizations focus on identifying all of the applications running in their environment and then making sure there is a legitimate business or educational need for them. Next, ensure that those needs outweigh the risk of that application’s existence in the environment. 

Finally, consider subscribing to a threat feed and establishing a Watch List for criminal activities and exploits to be watching for. Right now, that includes older attacks such as variations of the Apache Struts vulnerability, as well as emerging threats such as Cryptojacking.  So far in 2018 we are seeing a rise in Cryptojacking Trojans showing up in the US Education’s top 10 security trends. An ounce of prevention, or preparation, is always better than the pound of cure required to recover from a cyber event.

Check out Fortinets latest Quarterly Threat Landscape Report for more details about recent threats. Also, sign up for the weekly FortiGuard intel briefs or for the FortiGuard Threat Intelligence Service.