Introducing Guest Blog Author:
Being a School Safety Professional can be daunting at times. Parents and peers look to us for answers and solutions, and sometimes we just aren’t able to provide the information that they seek. When I don’t have answers on a specific topic, I look to the network of experts I know and trust. Josh Gelman, Owner and Principal Consultant at Gelman Integrative Consulting, LLC, has an incredible multidisciplinary background in Emergency Management, Cybersecurity, Data Science, Software Engineering, and Meteorology. His breadth of technology knowledge is astounding, and when asked, Josh graciously agreed to create this blog full of tips and resources with no questions asked. I thank him for his work and recommend his services to all of my colleagues. You can connect with Josh, and learn more about him and his work, on LinkedIn.
According to a report issued by Sophos, in 2020 the education sector as a whole experienced more ransomware attacks than any other industry. As many schools went online or hybrid in response to the COVID-19 pandemic, cybersecurity controls often went unused or were implemented improperly. This gave cyber criminals weakly defended targets with the potential for large payouts, since schools needed their systems back to keep providing education. In addition, cyber criminals often employed “double extortion” tactics: stealing data before encrypting it, then threatening to leak or sell the stolen personal information if the ransom wasn’t paid. As if a global pandemic wasn’t enough of a concern for school administrators, now they had a ransomware epidemic on their hands.
Some schools that fell victim to ransomware attacks were unable to stay open, even virtually, until the threat was neutralized. Some schools even referred to these as “cyber snow days”. Those who paid were not guaranteed to receive working decryption keys, and some could decrypt only part of their data. And just a quick scan of dark web marketplaces shows that cyber criminals are still profiting off stolen data even when the victim paid the ransom. After all, these are criminals we’re talking about. There is truth to the old saying “there is no honor among thieves”.
One would think that most schools have now figured out the best way to protect their networks. But cyber criminals aren’t ordinary criminals. They’re often several steps ahead, figuring out new ways to circumvent security controls and gain unauthorized access to systems. These groups are well organized and well funded, and some are sponsored or sheltered by hostile nation-states.
On Monday, March 21, 2022, President Biden warned businesses and organizations to prepare for potential Russian cyber attacks, citing evolving intelligence that Russia was exploring options for cyber attacks in response to Ukraine-related sanctions. And while businesses may be the primary targets, schools are unlikely to enjoy any kind of safe haven from these attacks.
What can schools do to prepare?
There are entire programs and services dedicated to this topic. But at a minimum, you may want to consider the following:
Conduct Security Awareness Training
Phishing is often reported to be the most commonly used vector for ransomware. Phishing is a type of social engineering where attackers send fraudulent messages to trick a person into downloading malicious software, revealing sensitive information (such as a password), or performing some other dangerous action. This most frequently occurs via email. By training users what to look out for (a sender address that only resembles the school’s, a link that leads somewhere other than where it claims, an unusual sense of urgency), we greatly reduce the chance that they fall victim to these attacks, and we make it more likely that the ones who do notice report it quickly. Furthermore, it’s important to include all users in security awareness training: not just administrators and educators, but also students who use or are issued devices by the school. Users can often be the weakest link in your networks, but it’s not their fault! Training them is a critical component of hardening your systems.
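To make “what to look out for” concrete, here is an added example (not part of the original post, and not taken from any of the resources listed at the end) that checks two constructed sample messages for the same indicators we teach users: a sender domain that merely imitates the district’s, a Reply-To that goes somewhere else, a link whose real host is not the district, and pressure language. The district domain, both messages, and the word list are made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this illustration; none of these addresses are real.
SAMPLE_PHISH = """From: "District Superintendent" <superintendent@schooldistrict-payroll.com>
Reply-To: payroll-update@gmail.com
To: teacher@schooldistrict.org
Subject: URGENT: Verify your direct deposit today

Your direct deposit will be suspended unless you confirm your details immediately.
Click here: http://schooldistrict.org.secure-login.xyz/verify
"""

SAMPLE_LEGIT = """From: "IT Help Desk" <helpdesk@schooldistrict.org>
To: teacher@schooldistrict.org
Subject: Scheduled maintenance this Saturday

The student information system will be offline from 8am to noon on Saturday.
"""

# Assumed district domain and a small pressure-language list (both hypothetical).
TRUSTED_DOMAINS = {"schooldistrict.org"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "password", "gift card")
URL_RE = re.compile(r"https?://([^/\s]+)")


def domain_of(addr):
    """Lowercase domain part of an address header value, or '' if there is none."""
    _, email = parseaddr(addr or "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def host_base_domain(host):
    """Last two labels of a URL host: the part that actually decides where a link goes.
    'schooldistrict.org.secure-login.xyz' -> 'secure-login.xyz'."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw):
    """Return a list of warning strings for one raw RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    warnings = []
    sender_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # 1. The sender's domain is not one we trust.
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sender_domain!r} is not a trusted district domain")
    # 2. Lookalike: the district's name embedded in an untrusted sender domain.
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]
        if sender_domain != trusted and base in sender_domain:
            warnings.append(f"sender domain {sender_domain!r} imitates {trusted!r}")
    # 3. Replies are redirected to a different domain than the visible sender.
    if reply_domain and reply_domain != sender_domain:
        warnings.append(f"replies go to {reply_domain!r}, not {sender_domain!r}")
    # 4. Links whose real host is untrusted, even when a trusted name appears inside the hostname.
    for host in URL_RE.findall(body):
        if host_base_domain(host) not in TRUSTED_DOMAINS:
            warnings.append(f"link points to {host!r}")
    # 5. Pressure language: two or more urgency words in subject or body.
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        warnings.append("pressure language: " + ", ".join(hits))
    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Nothing here replaces a mail filter; the point is that every warning the script prints is something a trained user can see for themselves by reading the From, Reply-To and link hostnames instead of the display name.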
Implement Network Segmentation
The idea behind network segmentation is to divide a larger network into smaller subnetworks with only limited, explicitly allowed connectivity between them, and everything else blocked. This way, if an attacker gains access to one segment of the network (say, a student laptop on the wireless network), it becomes very difficult for them to reach, encrypt, or steal from the rest of it. It’s especially important to segment the parts of the network where sensitive data resides, such as the student information system and your backup storage. There are many different approaches to network segmentation (VLANs with firewall rules between them, separate physical networks, host-based firewalls), and a qualified cybersecurity professional can help you determine the best approach for your systems.
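The following added example (not part of the original post) shows the policy idea behind segmentation in a few lines of Python: four hypothetical school segments, a short allow list between them, and a default deny for everything else. The segment names, address ranges and port numbers are made up for the illustration; in practice the same rules would live in your inter-VLAN firewall, but writing them down this way lets you answer the question that matters, “if this segment is compromised, what can the attacker reach?”, before an incident.

```python
import ipaddress

# Hypothetical school segments (address ranges are illustrative only).
SEGMENTS = {
    "student-wifi": ipaddress.ip_network("10.10.0.0/16"),
    "staff":        ipaddress.ip_network("10.20.0.0/16"),
    "servers":      ipaddress.ip_network("10.30.0.0/24"),  # student information system, file shares
    "backup":       ipaddress.ip_network("10.40.0.0/24"),  # backup repository
}

# Allowed traffic between segments as (source segment, destination segment, destination port).
# Anything not listed is denied: this is the "default deny" at the inter-VLAN firewall.
ALLOW = [
    ("staff",   "servers", 443),  # staff use the SIS web application
    ("staff",   "servers", 445),  # staff file shares
    ("servers", "backup",  22),   # only servers push to the backup repository
]


def segment_of(ip):
    """Name of the segment an address belongs to, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Traffic inside one segment is allowed; between segments only if an ALLOW entry matches."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return (src, dst, dst_port) in ALLOW


def blast_radius(compromised_segment):
    """Sorted (segment, port) pairs an attacker who controls `compromised_segment` can reach
    across the firewall. An empty list means the compromise is contained to that segment."""
    return sorted({(dst, port) for src, dst, port in ALLOW if src == compromised_segment})


if __name__ == "__main__":
    print("student device -> SIS:", is_allowed("10.10.5.7", "10.30.0.10", 443))
    print("staff device -> SIS:  ", is_allowed("10.20.1.1", "10.30.0.10", 443))
    print("staff device -> backup:", is_allowed("10.20.1.1", "10.40.0.5", 22))
    for seg in SEGMENTS:
        print(f"if {seg} is compromised, reachable:", blast_radius(seg) or "nothing outside it")
```

Notice that the backup segment accepts connections only from the servers, not from staff or student devices: a ransomware infection on a laptop cannot reach the backups at all, which is exactly the separation the backup section below is asking for. On a flat network every row of that table would read “everything”.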
Keep Systems and Applications Up-to-Date
As security researchers and users discover security flaws in software, developers push out updates to patch these vulnerabilities before attackers exploit them; many ransomware intrusions begin with a known, already-patched flaw in an internet-facing system such as a VPN appliance or remote desktop server. Unfortunately, patching and updating can be disruptive to system operations. It’s important to have a comprehensive vulnerability management program that knows what software you run, prioritizes the flaws that are exposed to the internet or already being exploited, and balances security needs with system availability.
Keep Good Backups and Test Them
If you do get attacked, having good backups is crucial. But just taking backups isn’t enough. You should be testing these backups by actually restoring them, to make sure they can be restored when needed and include all of the data your users need. These backups should also be kept separate from the rest of the network (offline, or in storage that can’t be modified with the same credentials used on the production network) so they, too, don’t become compromised; ransomware operators routinely look for and encrypt or delete any backups they can reach (see network segmentation above)!
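Here is an added example (not part of the original post, and not any backup product’s own code) of what “test your backups” means in practice: take a backup of a constructed sample directory, record a SHA-256 hash of every file at backup time, restore the archive somewhere else, and check that every file came back with the same hash. It also shows the two ways a test can fail that a simple “the job completed” message never reveals: an archive that no longer opens, and a restore that is missing or has changed files. The directories and sample files are created in a temporary folder just for the demonstration; the “offline” folder only stands in for real separation (offline media or immutable storage), which a script cannot provide.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Archive src_dir into backup_dir/backup.tar.gz and write a manifest of per-file hashes beside it."""
    src_dir, backup_dir = Path(src_dir), Path(backup_dir)
    archive = backup_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def restore_and_verify(archive, manifest, restore_dir):
    """Restore the archive into restore_dir and return a list of problems (empty list = good backup)."""
    restore_dir = Path(restore_dir)
    # The 'data' extraction filter (Python 3.12+, backported to older maintenance releases)
    # refuses absolute paths and '..' entries in the archive; fall back silently where absent.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(str(restore_dir), **kwargs)
    except (tarfile.TarError, OSError) as e:
        return [f"archive unreadable: {e}"]
    problems = []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"content mismatch after restore: {rel}")
    return problems


def demo():
    """Run the round trip in throwaway directories: a good restore, a manifest that no longer
    matches the archive, and a corrupted archive. Returns the three problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, offline, r_good, r_tampered, r_corrupt = (tmp / n for n in ("src", "offline", "r1", "r2", "r3"))
        for d in (src / "grades", offline, r_good, r_tampered, r_corrupt):
            d.mkdir(parents=True)
        # Constructed sample data standing in for school records.
        (src / "grades" / "q1.csv").write_text("student,grade\nA,90\n")
        (src / "roster.txt").write_text("alice\nbob\n")

        archive, manifest = make_backup(src, offline)
        good = restore_and_verify(archive, manifest, r_good)

        # Manifest out of step with the archive: one wrong hash, one file that was never backed up.
        bad_manifest = dict(manifest, **{"roster.txt": "0" * 64, "missing.txt": manifest["roster.txt"]})
        tampered = restore_and_verify(archive, bad_manifest, r_tampered)

        archive.write_bytes(b"not a tar archive")  # simulate a corrupted backup file
        corrupt = restore_and_verify(archive, manifest, r_corrupt)
    return {"good": good, "tampered": tampered, "corrupt": corrupt}


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "restore verified")
```

Keep the manifest with the backup but verify it against the restored copy on a machine other than the one that took the backup; if the manifest and the archive both live on a server the attacker controls, a “clean” result proves nothing.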
Use Reputable Security Software
This includes firewalls, antivirus, antimalware, endpoint detection and response, unified threat management, and all cybersecurity software. Sometimes the cheapest or free solution isn’t the best. Make sure the software you’re using to defend your systems is reputable and appropriate for your school’s needs.
Make a Plan and Test It
You should have a Cybersecurity Incident Response Plan in some form. This may be an annex to a school-wide Emergency Operations Plan, a Cybersecurity Incident Response Playbook, or some combination of plans. The plan should focus on operations: namely, what the function is and who is responsible for carrying it out. But just having a plan isn’t enough. It’s important to test the plan through discussion-based and operations-based exercises to make sure everyone is ready in the event a cyber incident occurs.
What happens if you still fall victim to ransomware?
- The most important thing, as in any emergency, is DON’T PANIC!
- If you don’t have your own team or plan in place to handle the incident, reach out to a qualified incident response team for assistance. If you don’t know of one, now is the time to do the research to find one. If you do have a team and plan, it’s time to put it in action. But don’t be afraid to reach out for help if you need it.
- Disconnect affected systems from the network (unplug the cable or disable Wi-Fi), but don’t turn them off unless there’s no other way to stop the spread! Powering a machine down wipes its memory, which holds valuable forensic evidence (running processes, network connections, sometimes even the encryption keys), and your data may become unrecoverable.
- Authorities usually advise against paying a ransom. Not only can it encourage future attacks, but there’s no guarantee you’ll actually get your data back, or that the attackers won’t leak any data they’ve stolen. But sometimes organizations don’t see any other option. If this is the case, find out if you have a cyber liability insurance policy that might cover the ransom, or your losses, should you decide to pay, and involve legal counsel, since paying a group that is under U.S. sanctions can itself create legal liability. You may also need to consider purchasing identity theft protection for any users whose data was compromised.
- Report the attack. Congress recently passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Once CISA’s implementing rules take effect, it will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency within 72 and 24 hours, respectively. But even if you’re not subject to these reporting requirements, all incidents should be reported. This not only helps you, but can help others who may fall victim to the same attack. You can report online at ic3.gov.
Finally, there are several good resources schools can refer to in order to prepare. Here is a list of some of my favorites:
- CISA Stop Ransomware Campaign: cisa.gov/stopransomware
- CISA Cyber Essentials: cisa.gov/cyber-essentials
- K12 Security Information Exchange (SIX): k12six.org
- K12 CyberSecure: k12cybersecure.com
- Cyber Readiness Institute Ransomware Playbook: cyberreadinessinstitute.org/
- CISA MS-ISAC Ransomware Guide: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf