Attack Surface: School shooters and hackers use the same methods
In cybersecurity, an attack surface is the total set of points (hardware, software, and human) that an attacker can use to try to gain unauthorized access to a system.
In 2017, the credit reporting giant Equifax was hacked. The attackers didn’t need to invent new malware or an advanced method of getting into the system. They just found one server running outdated software, exploited the gap, and stole the personal information of 147 million people. That one forgotten update was all it took.
The same problem of easily exploitable vulnerabilities plays out in schools. Last week in Minneapolis, a former student fired through the windows of the school’s church while the students were inside for morning mass. At Uvalde, a door that should have been locked was left unsecured. At The Covenant School in Nashville, the attacker shot through the glass next to the locked entrance and walked in. At Central Visual and Performing Arts High School (CVPA) in St. Louis, the shooter reached through an open window to press the panic bar and unlock a fire exit from the inside. At the Edmund Burke School in Washington, DC, a sniper fired from an apartment across the street from the school as students were walking across a glass bridge between buildings.
These weren’t sophisticated attacks. They were simple exploits of the attack surface, which is the total set of entry points into a system. In cybersecurity, that means login portals, apps, servers, firewalls, and employee accounts. In schools, it’s doors, windows, visitors, staff procedures, and even aspects of the school day like predictable schedules when students will be moving in and out of the building.
In both cybersecurity and school security, a larger attack surface is more difficult to defend. The parallels between schools and cybersecurity exist across these different attack surfaces with insider threats, predictable vulnerabilities, exploitable weaknesses, and the necessity of having visitors and public access.
Ironically, “defense in depth” or multiple layers of security (see: The Layered Security Fallacy) can actually enlarge the attack surface it’s meant to shrink. In cybersecurity, every new firewall, intrusion detection protocol, or third-party vendor integration adds layers of complexity, which multiplies the chances of a new vulnerability. At schools, installing more cameras, keycard readers, ballistic doors, visitor management kiosks, and emergency alert apps may seem like risk reduction, but each component is also another system that must be maintained, staffed, and monitored in a resource-constrained environment. Just as the “Fortress Problem” shows, more barriers can paradoxically create new vulnerabilities because every additional wall also means there is a new doorway that has to be protected too.
Insider Threats
One of the biggest data breaches happened in 2013 when an insider credential was used to attack Target. Cybercriminals were able to steal 40 million credit and debit records by exploiting the system’s trust in valid credentials, which the hackers accessed through a third-party contractor. The system security didn’t fail at the firewall; it failed because the system unknowingly trusted a bad actor.
While billions of dollars are being invested to fortify schools, the most common school shooting scenario is a surprise attack by a current student (insider) who is allowed to be inside the building. When the attacker is someone who is allowed to be inside the school (like the valid credentials in the Target hack), physical fortifications are defeated before the attack starts. Former students (e.g., Minneapolis, Uvalde, Parkland, CVPA) can further exploit the system with insider knowledge of schedules, procedures, and layouts.
The biggest challenge is that insiders don’t need to defeat the physical security because they already have the keys to the castle. As a result, security must anticipate trusted users being the bad actor (which creates a huge challenge when armed school staff can be the ‘bad guy’ too). When insiders are a real risk that can’t be eliminated because insiders are allowed at the school, this is a risk that needs to be accepted.
Predictable vulnerabilities
Hackers also exploit “known vulnerabilities” like the infamous WannaCry ransomware in 2017, which took advantage of an unpatched Microsoft Windows flaw. The ransomware infected over 200,000 computers across more than 150 countries within days, crippling hospitals in the UK’s National Health Service, disrupting transportation, factories, and government offices, and causing an estimated $4–8 billion in global damages. This was all from one vulnerability in Windows’ security!
Patterns and predictability are equally exploitable. The Uvalde school shooter knew the backdoor would probably be propped open by observing the campus. Bell schedules, arrival and dismissal times, published active shooter procedures, and posted evacuation routes are essentially the “system vulnerability documentation” of schools. Even without inside access, attackers can gather all the intel they need by watching the website, the parking lot, or the daily rhythm of the building.
Predictability is a vulnerability, meaning that schools should assume their routines are visible to adversaries. Because a school day is structured around arrival/dismissal times, class periods, and regular activities like lunch, recess, outdoor gym class, and sporting events with set schedules, the predictability to an adversary is a risk that needs to be accepted.
Exploitable weaknesses
Public-facing websites and Wi-Fi networks are necessary but risky. In 2015, the U.S. Office of Personnel Management was hacked after attackers gained access through a contractor’s public-facing portal, leading to the theft of 22 million federal employee records.
At CVPA in St. Louis, the shooter (a former student who knew the layout of the school) broke a window and reached in to press a panic bar meant for evacuation. This mandated safety feature (NFPA codes require that all exit doors have an easily operated push bar that allows for rapid evacuations) was exploited as an entry point.
Every system has a weak point that can be exploited. If a vulnerability can’t be mitigated (like the practical and legal requirement to have push bars on exit doors), this is another risk that needs to be accepted.
Visitors and Public Access
APIs (application programming interfaces) let external systems connect, search, and pull data from websites (e.g., a news feed app uses an API to pull headlines from multiple news websites). If they are poorly secured, they’re prime entry points. In 2018, the Facebook-Cambridge Analytica scandal showed how third-party apps could pull vast amounts of user data through permissions that seemed minor but actually left seemingly private info wide open for scraping.
Chances are you never heard about the shooting at North Park Elementary School in San Bernardino, California when a teacher’s husband was allowed into an elementary school to see his wife who was a special ed teacher. Her husband served in the military for 8 years and had no criminal convictions so staff at the front desk had no reason to see him as a threat. He walked into her classroom, pulled out a .357 handgun, and fired 10 shots. His wife (Karen Elaine Smith) and a student (eight-year-old Jonathan Martinez) were killed. Another student was critically wounded. Both students were behind their teacher when the shooting started, and neither were intended targets. He paused to reload his gun, killed himself, and the attack was over within seconds.
Nobody at the school was expecting any trouble that day, and a teacher in an adjoining classroom thought the gunshots were construction noise. The situation seemed so ordinary that 7 minutes passed before police even arrived at the school. Every visitor (authorized or unauthorized) is a potential vulnerability, but when visitors are a necessary part of the school environment, this is a risk that needs to be recognized and accepted.
Mapping the Attack Surface
The Equifax breach didn’t happen because hackers were brilliant. It happened because the company didn’t fully understand, map, or patch its attack surface. The school shootings in Minneapolis, Uvalde, Nashville, and St. Louis weren’t all-out strikes on the physical security infrastructure; they were failures of exposure. One propped door, one easily breakable window in an exit, or one pane of glass at the front entrance became the entire point of collapse.