5 Steps to Stronger K-12 Chromebook Security

As a second installment related to October’s Cybersecurity Awareness Month, we wanted to highlight the fact that we’re two months into the new school year and focus on the mobile security implications of both the hybrid and in-person models that educational institutions are grappling with protecting. 

While so many educators, educational institutions, and school districts are focused on keeping their physical environments sanitized and safe for students, it’s equally important to remember that their technological environments need to be just as safe.

In the last 18 months, school systems with restricted budgets have turned to Chromebooks as a cost-effective, easy-to-use solution. Chromebooks are easy enough to navigate that younger students can manage the technology. For middle school and high school use, managed Chromebooks have administrative functions so schools can enforce policies, including blocking social media. Unfortunately, as schools went digital in 2020 to increase access to educational resources, malicious actors also began targeting these devices. 

With that in mind, and in keeping with Cybersecurity Awareness Month, as school systems increasingly look to secure their students and to protect student data, here are five controls they can put in place for stronger K-12 Chromebook security. 

Step One: Patch Chrome OS Regularly

Schools love the Chrome operating system (OS) because they can set auto-update policies. These policies allow Chrome administrators to manage the every six week OS updates as well as the every 2-3 week security and software updates. With Google’s announcement that it was extending automatic update support to six years and that devices launched would have up to eight years of support, schools do not need to worry as much about older devices.

However, Chromebooks’ affordability also means students may bring their own devices which can create a risk for school networks. Establishing and enforcing a Bring Your Own Chromebook (BYOC) policy is one way to prevent risks. As part of the BYOC policy, schools should be incorporating both automatic updates and notifications around student privacy. 

Some suggestions for ensuring that all devices, whether district- or student-owned, can be updated regularly include:

• Add student-owned devices to school asset inventory
• Install management console on all devices
• Provide parents with policies explaining management console’s in-school and out-of-school visibility into device use

Step Two: Manage Installed Applications

Chromebooks offer students and schools the ability to enhance educational experiences by incorporating learning applications into in-class and homework assignments. However, not all applications are equally secure. 

Spyware or malicious applications downloaded to a Chromebook can expose sensitive information or act as a way for malicious actors to take over the device. Additionally, risky apps might share private information without students or teachers realizing it. This can violate student privacy laws and increase a school district’s data breach risks. 

Generally, applications available in the Google Play Store are secure. The App Defense Alliance works with partners to detect Potentially Harmful Applications (PHAs) and remove them from the store. Google Play Protect’s Verify Apps service scans enrolled devices every day, then sends users notifications suggesting that they remove PHAs. 

Similar to pushing through OS updates, managing student-owned Chromebooks still presents a challenge. As school administrators work toward enforcing their BYOC policies, schools should set the appropriate App controls within the Management Console. 

Best practices for ensuring that students only download approved applications include:

• Creating an “approved application inventory” across the school
• Allowing only approved applications to be downloaded to Chromebooks
• Allowing downloads only through the Google Play Store
• Blocking applications that don’t comply with the school’s permissions policies

Step Three: Limit Browser Extensions

Browser extensions can support schools’ learning objectives. For example, some browser extensions that reinforce classroom lessons might include dictionary, grammar, voice-to-text, and text highlighting features. 

Similar to applications, malicious actors can also use extensions. For example, in March 2021, researchers at Cato Networks discovered two dozen malicious Google Chrome browser extensions. Quantifying the total number of malicious Chrome extensions is difficult, and a Chromebook only needs one installed to impact a school’s networks. 

To limit students’ ability to install extensions that could increase data security risks, school IT administrators should consider:

• Review the permissions that each extension requires 
• Review and restrict extension permissions to the ones needed for the extension to work properly
• Using the Chrome management user and browser settings to allow approved extensions
• Set policies that block all other extensions
• Monitor devices for risky extensions that may have been installed and remove them 

Step Four: Install Anti-Virus

Phishing attacks and malicious websites pose another risk to school systems and their Chromebook users. Chromebooks incorporate built-in security. Each page and application runs in a restricted environment called a sandbox. The sandboxing reduces the likelihood that an infected website will have an impact on other tabs or apps. Since Chromebooks have their own OS, they can’t run the .exe files that malicious actors often use to execute their malware. 

On the other hand, malware types like viruses, spyware, and trojans can evade these security protections. Moreover, malicious actors recognize that students may be less cyber aware than adults and try to use phishing attacks as the first step to a successful attack. 

School districts should use a mobile security solution to reinforce the native Chromebook capabilities as a way to stop phishing and malware attacks. If they choose to add this additional layer of defense, they should look for a solution that can:

• Identify phishing sites
• Block access to phishing sites
• Scan for known and unknown threats on device

Step Five: Prevent Risky Wi-Fi Access

Whether the Chromebook is school- or student-owned, public Wi-Fi poses a risk to the device. “Learn from anywhere” means that both students and teachers can take their devices wherever they go. For example, students can access their classroom documents from home or while at an afterschool event. 

However, this mobility also means that devices may be connecting to unsecured Wi-Fi. Malicious actors can engage in man-in-the-middle (MITM) attacks or access data across unencrypted connections. This places the students’ information and the school’s networks at risk. 

IT administrators can manage network configuration through the Management Console. Best practices for restricting access include:

• Defining allowed wireless networks for auto-connecting
• Allow only managed networks to auto-connect
• Restrict access to Wi-Fi networks not included in the school’s configurations

School IT teams struggle because often home wireless networks have different configurations, meaning that these restrictions can prevent students from accessing the needed information. In the end, many schools find that giving students the access they need becomes more critical than limiting Wi-Fi access. 

Mobile Device Security for Protecting Students and Chromebooks

Using Chromebooks in the classroom and at home provides students with consistent technology and educational experiences. However, school districts still need to mitigate the risks associated with these devices. While Chromebooks offer enhanced security over more complex operating systems, malicious actors will continue to target them because they know that school districts often suffer from limited security resources. 

Zimperium’s zIPS for Chromebooks gives schools a way to reduce their security and privacy risks. With zIPS on-device design, IT administrators can continuously assess potential risks without worrying that controlling the devices will compromise student privacy. Zimperium’s machine learning-based technologies identifies and blocks access to phishing sites, detects malicious Wi-Fi connections then alerts users to disconnect from them, and assesses all apps for potential privacy violations and unsecure development practices. 

For information about how Zimperium’s zIPS for Chromebooks can help your school district, contact us for a demo. 

Other recommended reading:

• A New Lesson for Remote Education: Chromebooks Need More Security Blog
• Zimperium Announces First and Only Comprehensive Security for Chromebooks Blog
• Ensuring Cybersecurity for Distance Learning and Instruction (whitepaper/report) – https://go.zimperium.com/ensuring-cybersecurity-for-distance-learning-and-instruction

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.