With the availability of easily accessible attack tools, everyone is at risk - including school districts. New vulnerabilities and exploits are discovered on a daily basis. Incidents are on the rise and a substantial percentage of cybersecurity incidents involving schools are due to the actions of school staff and/or students of those schools - sometimes resulting in criminal charges.
Let’s explore some of the top threats for today’s schools:
Phishing is the practice of an attacker sending email, text, and telephone messages that impersonate a legitimate entity in order to lure victims into divulging sensitive information or inadvertently installing malware. Over 90%¹ of significant cyber attacks begin with a phishing campaign. While technical countermeasures are a step in the right direction, user awareness will be your most powerful tool in combating such an attack.
Training users to detect and report suspicious emails is the first and most important step in dealing with these phishing emails. Ensure that you have a well-documented process in place for recognizing and reporting suspicious emails. A quick response is critical to the containment and mitigation of such an incident. Incidents often go unreported for fear of embarrassment or reprimand, so it is crucial that users are encouraged to report them and feel safe doing so. There are many solutions, both paid and free, that allow organizations to safely perform phishing campaigns against their own users to get a better understanding of their current risk. Utilizing these types of services helps to increase user awareness and better prepare users for possible real-world attacks.
DDoS | Distributed Denial-of-Service Attack
A distributed denial-of-service attack occurs when multiple remote systems overwhelm the bandwidth or server resources of the district. Unfortunately, these attacks can be purchased for as little as a few dollars a month and are often difficult to mitigate due to their distributed nature. While there are services that provide DDoS protection, they are usually limited to web application protection and still leave you open to network-based attacks.
There are two strategies we recommend to better prepare an organization against this type of attack. First, form a good working relationship with your internet service provider. They are going to be your best ally. Discuss your concerns with them, and ask what services they provide and how those services work for your environment. Second, deploy some type of bandwidth monitoring solution. There are multiple free, open source solutions available, so start with something simple. This will give you better insight into your traffic and help you develop a baseline for your network. Once this baseline is established, it will be much easier to spot potential issues in the future.
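To illustrate why the baseline matters, the sketch below (an added example, not part of the original article) builds a per-hour baseline from throughput samples and flags readings that are far above normal for that hour. The sample figures, the `k` multiplier and the `floor_mbps` value are constructed assumptions; real input would come from whatever monitoring tool the district deploys.

```python
from collections import defaultdict
from statistics import median

def build_baseline(samples):
    """samples: (hour_of_day, mbps) pairs. Returns {hour: (median, MAD)}."""
    by_hour = defaultdict(list)
    for hour, mbps in samples:
        by_hour[hour].append(mbps)
    baseline = {}
    for hour, values in by_hour.items():
        med = median(values)
        # Median absolute deviation: a spread measure that one past spike
        # in the history cannot inflate the way a standard deviation would.
        mad = median(abs(v - med) for v in values)
        baseline[hour] = (med, mad)
    return baseline

def flag_anomalies(baseline, observations, k=6.0, floor_mbps=5.0):
    """Return (label, mbps, limit) for readings above median + k * spread."""
    flagged = []
    for label, hour, mbps in observations:
        if hour not in baseline:
            flagged.append((label, mbps, None))  # no history for this hour
            continue
        med, mad = baseline[hour]
        # floor_mbps stops a very quiet hour from alerting on tiny changes.
        limit = med + k * max(mad, floor_mbps)
        if mbps > limit:
            flagged.append((label, mbps, round(limit, 1)))
    return flagged

# Constructed history: ten nights at 03:00 and ten school days at 10:00 (Mbps).
HISTORY = [(3, v) for v in (8, 9, 7, 10, 8, 9, 8, 7, 9, 8)] + \
          [(10, v) for v in (410, 395, 430, 405, 420, 400, 415, 425, 390, 410)]

# Constructed readings to evaluate against the baseline.
OBSERVED = [
    ("Tue 03:00", 3, 350),   # below daytime normal, far above night normal
    ("Tue 10:00", 10, 440),  # busy but ordinary school-day traffic
    ("Wed 10:00", 10, 940),  # more than double the school-day median
]

if __name__ == "__main__":
    for label, mbps, limit in flag_anomalies(build_baseline(HISTORY), OBSERVED):
        print(f"{label}: {mbps} Mbps exceeds limit {limit}")
```

A single fixed threshold tuned for school hours would miss the 03:00 reading, which is why the baseline is kept per hour of day.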
A data breach is the release of confidential information. Even before discussing first steps in the case of a data breach, it's best for districts to begin looking at the concepts of a data governance policy. This policy will help school districts attain a better understanding of what data they currently hold, decide what is confidential, and define who needs access to that confidential data. Only when this policy is in place can you start to discuss what constitutes a breach.
Many districts house multiple disparate systems that each hold a subset of the district's data. Oftentimes, each system has different administrators and users in their specific job functions. “To each their own,” they say, and more often than not this applies to system administrators: each has their own ideology for managing their system, and it almost certainly differs from the next. While this may work in practice, it makes it nearly impossible for the district as a whole to get a handle on its data. Taking inventory of this data is the first task to complete.
Once the data has been inventoried, it's time to decide what data is to be considered private/confidential. As the “tech guy,” this is the part where we defer to the expertise of the school administrators. This is your “customer” data we are talking about here. What information do you have to protect at all costs? Once this data has been marked as such, we proceed to the next step.
Now that we have classified our data, it’s time to decide who is responsible for that data. Who is ultimately responsible for the accuracy and security of this data? This person will be responsible for district-wide adherence to the data governance policy and for working with the various departments to develop policies and procedures concerning that respective data.
The final item to talk about is the one you hope you never need, and that is the breach. Once you have followed the steps outlined above, you should have a pretty good roadmap for deciding if a breach has occurred.
Ransomware is a type of malicious software that encrypts the district’s data and requires a ransom to be paid in order to regain access to the data. You’ve likely read a news article in the past year about some entity having this occur. In most cases, the best protection against this type of attack is user-education and training.
Many of these incidents occur as a result of a successful phishing attempt against an employee. From a technical standpoint, there are a few things we can do to help guard against a crippling attack. Having a good antivirus installed on all devices accessing school data is key. While antivirus software will not catch them all, it will stop the more well-known variants.
Auditing accounts and permissions is also a good way to help limit the scope of the incident. Too many times we respond to an incident only to find that a classroom teacher was a domain administrator and had the ability to infect every file on the district’s network. With a thorough audit, you can catch these types of issues and limit the reach of the malware.
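One way to run the audit described above, shown as an added example that is not part of the original article: the script resolves nested group membership and reports every account that ends up with administrator rights without holding an IT role. The membership export, the staff roster, the account names and the `allowed_roles` default are all constructed assumptions; in practice both inputs would be exported from the directory and HR systems.

```python
PRIVILEGED = {"Domain Admins"}

def effective_members(group, membership, _seen=None):
    """Return {user: [group path]} for `group`, following nested groups."""
    seen = _seen if _seen is not None else set()
    if group in seen:            # group loops back on itself: stop here
        return {}
    seen.add(group)
    users = {}
    for member in membership.get(group, []):
        if member in membership:  # the member is itself a group
            nested = effective_members(member, membership, seen)
            for user, path in nested.items():
                users.setdefault(user, [group] + path)
        else:
            users.setdefault(member, [group])
    return users

def audit(membership, roster, privileged=PRIVILEGED, allowed_roles=("IT",)):
    """List (user, role, path) for privileged accounts outside allowed roles."""
    findings = []
    for group in sorted(privileged):
        members = effective_members(group, membership)
        for user, path in sorted(members.items()):
            role = roster.get(user, "UNKNOWN")  # not on the staff roster
            if role not in allowed_roles:
                findings.append((user, role, " > ".join(path)))
    return findings

# Constructed export: group name -> direct members (users or other groups).
MEMBERSHIP = {
    "Domain Admins": ["it.admin1", "Helpdesk Leads", "svc_backup"],
    "Helpdesk Leads": ["it.tech2", "Lab Managers"],
    "Lab Managers": ["t.rivera", "Helpdesk Leads"],  # circular nesting
}

# Constructed staff roster: account -> job role.
ROSTER = {"it.admin1": "IT", "it.tech2": "IT", "t.rivera": "Teacher"}

if __name__ == "__main__":
    for user, role, path in audit(MEMBERSHIP, ROSTER):
        print(f"{user} ({role}) has admin rights via {path}")
```

The teacher account never appears in the direct member list of the administrators group; it inherits the rights through two levels of nesting, which is the case a quick look at the group tends to miss.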
Last but not least, and hopefully not at all, are backups. Should you find yourself in a spot where none of the aforementioned suggestions have worked, restore from backups. The key to this step working is MAKING SURE YOU HAVE GOOD BACKUPS. There is nothing worse than telling someone they have lost all of their data because the backups they thought were running, in fact, were not. If you are not backing up now, stop reading right here and go talk to a trusted IT partner, vendor, etc., and find a solution that works best for you. If you are backing up, but you are not 100% confident you could recover from a district-wide malware incident, I would suggest that you initially do some test restores to ensure you receive the expected results. If you still have concerns, talk with the backup vendor and discuss those concerns with them. They are there to support you, so take advantage of it.
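A test restore is only meaningful if the restored files are compared against what was backed up. The following added example (not from the original article) records a hash manifest at backup time and checks a restored copy against it; the file names and contents are constructed, and it assumes the restore lands in an ordinary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path under root to (size, sha256)."""
    root, out = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()  # fine for a spot check; stream huge files
            rel = path.relative_to(root).as_posix()
            out[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return out

def compare_restore(backup_manifest, restored_root):
    """Check a test restore against the manifest recorded at backup time."""
    restored = manifest(restored_root)
    report = {"ok": 0, "missing": [], "empty": [], "changed": []}
    for rel, (size, digest) in sorted(backup_manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)   # absent from the restored tree
        elif size > 0 and restored[rel][0] == 0:
            report["empty"].append(rel)     # file exists but has no content
        elif restored[rel][1] != digest:
            report["changed"].append(rel)   # content differs from the backup
        else:
            report["ok"] += 1
    return report

def demo():
    """Constructed sample: a small share and a deliberately bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "share"), Path(tmp, "restore")
        files = {"grades/q1.csv": b"id,score\n1,90\n",
                 "hr/payroll.xlsx": b"PK-constructed",
                 "photos/class.jpg": b"\xff\xd8constructed",
                 "readme.txt": b"hello"}
        for rel, data in files.items():
            for base in (src, dst):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        recorded = manifest(src)                      # taken at backup time
        (dst / "hr/payroll.xlsx").unlink()            # lost in the restore
        (dst / "photos/class.jpg").write_bytes(b"")   # restored as zero bytes
        (dst / "grades/q1.csv").write_bytes(b"id,score\n1,9\n")  # altered
        return compare_restore(recorded, dst)

if __name__ == "__main__":
    print(demo())
```

The manifest is taken when the backup runs rather than at restore time, because live data keeps changing and would produce false mismatches.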
¹PhishMe Enterprise 2016 Phishing Susceptibility and Resiliency Report