
K-12 Cybersecurity in 2023: Ransomware, AI, and Increased Threats

Originally Published: Tech Learning 

Well into 2023, it is disheartening to know that K-12 institutions continue to be one of the primary targets of cybersecurity attacks. Cyberattacks on school districts, such as DDoS, phishing, data breaches, password attacks, man-in-the-middle attacks, and malware, have resulted in monetary losses, the need for additional recovery resources, and loss of instruction time.

 

While all types of cyberattacks are increasing in districts, for the first time, ransomware incidents were the most frequently disclosed incident type in 2022, with percentages rising from 12% in 2020 to 62% in 2022, according to the Emsisoft 2022 report. School districts hit by ransomware in 2022 represented 1,981 schools, almost double the number of K-12 schools potentially compromised in 2021. In addition, ransomware groups successfully exfiltrated data from U.S. schools at a rate of two-thirds in 2022, up from half that number in 2021.

“We must ensure that our K-12 schools are better prepared to confront a complex threat environment,” says Jen Easterly, Director of CISA, the U.S. Cybersecurity and Infrastructure Security Agency, which is partnering with K-12 to bolster security. “As K-12 institutions employ technology to make education more accessible and effective, malicious cyber actors are working to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children.”

Ransomware Attacks on the Rise 

Ransomware has the potential to access and exploit the sensitive data in K-12 institutions, including student records and other personally identifiable information, financial aid and transaction data, and healthcare information. As such, districts are continually at high risk. For example, bad actors recently released health records for about 2,000 current and former LAUSD students, publishing it on the dark web. 

With the increase in classroom technology and personal digital data, district leaders and IT professionals need to acknowledge that ransomware will continue to be an evolving cybersecurity threat. It is typically seen as easy big money for many bad actors, as they understand that districts are more willing to pay a ransom than undertake a long recovery process with educational and administrative consequences. 

Currently, many districts don’t have significant resources or budgets focused on cybersecurity, with an estimated less than 2% of operating budget allocated for staffing, training, and software. The State of EdTech District Leadership 2022 highlights that more than half of the IT professionals (52%) said their schools lack adequate staffing to support and protect teachers, while 77% of districts reported not having a full-time employee dedicated to network security.

In addition, human errors, often unintentional and non-malicious, are the top reason for school cyberattacks. Focusing on daily operations, staff and teachers are too quick to respond to phishing attempts, suspicious links, and unsecured access networks. With easily hacked passwords, unsecured devices, and software available with one click, accessing user data is an easy lift for hackers.

Cybersecurity Help and Resources 

Cybersecurity will keep edtech leaders up at night; however, many resources and organizations support the work done in school districts through educational programs, policies and initiatives, and training. Two organizations committed to cybersecurity and education are CoSN and the National Cryptologic Foundation.

As a premier membership organization designed to meet the needs of K-12 education technology leaders, CoSN supports cybersecurity initiatives in many school districts. At the federal level, they are campaigning along with other organizations for the FCC to expand E-rate eligibility for basic firewalls to include all current firewalls and related features without requiring cost allocations.

CoSN recently released the Blaschke Report, a cybersecurity primer for any K-12 school district. This report identifies five actions a school system IT staff might take to defend IT infrastructure better, including:

  • Training
  • Technical expertise 
  • Network security 
  • Sustainability plans 
  • Leadership buy-in and funding 

Keith Krueger, CEO of CoSN, recommends that along with the actions in the report, K-12 organizations take a district-wide approach to cybersecurity by focusing on user education, increasing internal human capacity, and understanding what is at risk regarding cyberattacks. 

The National Cryptologic Foundation focuses on a community approach to reach youth with vital cybersecurity concepts and tools. They provide the education community various resources including cybersecurity curriculum guidelines and the Outsmart Cybersecurity Collection, which guides students to build their foundation of data care principles and practices. Also available are interactive cybersecurity games and podcasts that provide expert advice. They also partner with Teach Cyber to offer pathways for students to explore careers in cybersecurity.

“You don’t have to have a background in cybersecurity to teach our youth and provide future opportunities in the cybersecurity space,” says Dr. Alisha Jordan, Director of Education for the National Cryptologic Foundation. She recommends that any educator interested in learning more should sign up for an account and newsletter on their website.

What’s Ahead in Cybersecurity 

With the avenues of attack growing, districts cannot rely on outdated methods to stay secure. The 2022 CISA report recommends that districts explore several strategies to meet the increased demands of the cyber risk landscape, including:

  • Making all employees part of the district’s security defense
  • Keeping patches up-to-date  
  • Restricting unnecessary access 
  • Implementing multi-factor authentication 
  • Following industry best practices 

Educators also need to stay abreast of cybersecurity trends. For example, cybercriminal gangs and sophisticated advanced persistent threat (APT) groups are actively recruiting AI and ML specialists who design malware that can evade current-generation threat-detection systems. While developing these AI capabilities is a lengthy process, they already can facilitate easy and undetectable network access with malware-free intrusions and valid credentials.

In addition, cyber criminals have tapped into the highly popular ChatGPT AI to refine malware, personalize phishing emails, and finely tune computations to steal highly sought access credentials. On the plus side, we are seeing some noteworthy cybersecurity developments. Leading cybersecurity vendors such as AWS, Google, and Microsoft are prioritizing investment in AI and ML research and development in response to increasingly complex threats. 

AI may also be a game changer for districts against cyber-attacks, with its potential to help build automated security systems, support natural language processing, refine face detection, and be a part of predictive threat-detection systems. 

While not a substitute for committed experienced IT personnel, robust infrastructures, and knowledgeable users, AI technology will soon be able to help districts fight the good fight regarding cybersecurity.

Keeping Bad Actors Out of K–12’s IP Surveillance System

Originally Published: EdTech Magazine

K–12 districts are investing a larger portion of their budgets in new security technologies to create safer environments for their school communities.

A 2020 study conducted by Omdia on behalf of the Security Industry Association showed the market for physical security equipment in K–12 and higher education was $716 million in 2020. The K–12 sector accounted for about 56 percent of that amount.

IP Cameras Have Benefits and Drawbacks

Before the introduction of IP video surveillance cameras in schools, physical and digital security were typically separate. Now, however, technology is intertwined with every aspect of school security.

As school districts upgrade their video security systems, some are moving away from closed-circuit TV cameras to more robust IP security systems. These network cameras have far more capabilities than traditional CCTV cameras, using network devices to integrate access control, communications, mass notifications, door locks and security cameras.

Unfortunately, along with the benefits of accessibility and ease of use, these highly sophisticated network video systems come with the constant threat of cyberattacks.


IP cameras are not dissimilar from other network devices exposed to attack scenarios. As districts transition to IP security systems, they face the same data breach risks. The systems are highly vulnerable and easy to hack, and they present a considerable surface area cybercriminals can use to access a district’s network.

In addition to common threats — malware, ransomware, distributed denial of service, man-in-the-middle and brute-force attacks — video cameras are susceptible to third-party eavesdropping. As recently as May 2021, Eastern Hancock County Community School Corp. in Indiana suffered a cyberattack on its camera system, resulting in a day of lost instruction.

Best Practices for Securing IP Cameras

Fortunately for Eastern Hancock Schools, no personally identifiable information was stored on its network, and thanks to regular backups, no data was lost from the attack. Yet, this remains an example of why district CTOs and data security officers must address the vulnerabilities of their IP security cameras. The goal is to prevent unauthorized access to the system that could compromise other devices in the network.

Here are several security strategies schools can implement to prevent or mitigate attacks on their IP camera systems:

Proactive steps include partnering with an Internet of Things solution provider to discover every IoT device connected to a district’s network and assess each device’s security risk. Districts should also invest in technology that integrates IoT security into a broader solution that protects the data center, network, mobile devices, endpoints and cloud assets.

Best practices for managing staff email passwords, guarding against phishing, protecting student data privacy and restricting access to school and district networks need to extend to IP cameras. Like other vulnerable access points, IT departments must enable multifactor authentication, limit access by IP address and create a video client account to reduce the risk of compromising the device administrator password.

Penetration tests are used by many districts to evaluate network security. These simulated attacks are often carried out by trusted third parties authorized by districts to attempt a breach of their systems. However, IP cameras are often overlooked as vulnerabilities. Schools should ensure that pen tests are performed on these IP devices, using the same tools, techniques, and processes attackers would use to pinpoint weaknesses in the security system.

Software updates and patches must be installed, whether the district uses CCTV, IP cameras or a hybrid approach. Access to the latest software can prevent security holes within the camera systems. Most cloud-based IP systems automatically push out updates and patches. However, for on-premises storage, IT must be sure to choose a product that requires scheduled updates and patches.

Video data storage must be secured, either on-premises or in the cloud, to avoid data loss in the event of a breach. The cloud is ideal for backing up sensitive information saved on local servers. One of the cloud’s security advantages over on-premises servers and infrastructure is its ability to segment storage away from user workstations, where most attacks enter.


The principle of least privilege limits a user’s access to what is required to do their job. Users are granted permission to read, write or execute only those files or resources specific to their work. This applies to network and IP camera system access as well.
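One way to check a camera inventory against the access controls listed above (multifactor authentication, an IP allowlist, a separate video client account and least privilege), as an added example that is not from the original article. The record fields, permission names and sample inventory are constructed for illustration, and "internal" is assumed to mean an RFC 1918 IPv4 range.

```python
"""Audit IP camera access settings against the controls named in the article.

All field names, permission names and the sample inventory are constructed
for this example; map them to whatever your video management system exports.
"""
import ipaddress

# Assumption: district-internal addresses are RFC 1918 IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a viewing-only account needs nothing beyond these permissions.
VIEWER_ALLOWED = {"view_live", "view_recorded"}


def allowlist_findings(cidrs):
    """Return problems with the networks allowed to reach a camera."""
    if not cidrs:
        return ["no IP allowlist: camera accepts logins from any address"]
    findings = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"allowlist entry {cidr!r} is not a valid network")
            continue
        if net.prefixlen == 0:
            findings.append(f"allowlist entry {cidr} matches every address")
        elif not (net.version == 4 and any(net.subnet_of(r) for r in RFC1918)):
            findings.append(f"allowlist entry {cidr} is outside internal ranges")
    return findings


def audit_camera(cam):
    """Return a list of findings for one camera record."""
    findings = []
    if not cam.get("mfa_enabled", False):
        findings.append("multifactor authentication is not enabled")
    findings.extend(allowlist_findings(cam.get("allowed_cidrs", [])))

    viewers = [a for a in cam.get("accounts", []) if a["role"] == "viewer"]
    if not viewers:
        # Without a viewing account, every client logs in as administrator.
        findings.append("no separate video client account: "
                        "viewing exposes the administrator password")
    for acct in viewers:
        excess = sorted(set(acct["permissions"]) - VIEWER_ALLOWED)
        if excess:
            findings.append(f"viewer account {acct['name']} exceeds least "
                            f"privilege: {', '.join(excess)}")
    return findings


def audit_inventory(inventory):
    """Map camera name -> findings, listing only cameras with findings."""
    report = {}
    for cam in inventory:
        findings = audit_camera(cam)
        if findings:
            report[cam["name"]] = findings
    return report


ADMIN = {"name": "admin", "role": "admin",
         "permissions": ["configure", "view_live"]}

# Constructed sample inventory (203.0.113.0/24 is a documentation range).
SAMPLE_INVENTORY = [
    {"name": "gym-entrance", "mfa_enabled": True,
     "allowed_cidrs": ["10.20.30.0/28"],
     "accounts": [ADMIN, {"name": "vms-client", "role": "viewer",
                          "permissions": ["view_live", "view_recorded"]}]},
    {"name": "bus-loop", "mfa_enabled": False,
     "allowed_cidrs": ["0.0.0.0/0"],
     "accounts": [ADMIN]},
    {"name": "cafeteria", "mfa_enabled": True,
     "allowed_cidrs": ["10.20.30.0/28", "203.0.113.0/24"],
     "accounts": [ADMIN, {"name": "front-office", "role": "viewer",
                          "permissions": ["view_live", "configure"]}]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```
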

Strengthen the Digital Security Chain with Collaboration

CTOs and data security officers understand the critical need to secure all elements of the digital chain: data, infrastructure, devices, endpoints, applications and identity. IP cameras include all of these elements and represent a potential gateway to cybersecurity breaches.

CTO Marlo Gaddis and her team at the Wake County Public School System in North Carolina work with security, maintenance and operations staff to manage a security chain for the district’s digital resources, data center and network systems.

“By collaborating as a group, we are making sure that we have best practices all the way around to guarantee the safety of our school community,” Gaddis says.

“Our Biggest Nightmare Is Here”

Originally Published: EducationNext

On the night of September 2, 2019, Assistant Superintendent for Compliance and Information Systems Bhargav Vyas received a system-failure warning for Monroe-Woodbury Central School District in Central Valley, New York. With his team, he chose to shut down the district’s entire computer network. Then, at 7:30 the next morning, he got a call from one of his leading techs, who was bringing the domain controllers back up after the previous night’s shutdown.

“Our biggest nightmare is here,” the tech said.

That was when Vyas knew a cybersecurity attack was happening.

Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018, with the highest vulnerabilities present in application security, endpoint security, and keeping software up to date. Online learning, which has increased gradually over the past decade and significantly since March 2020, has only exacerbated the possibility of exposing staff and student data to unauthorized parties.

Though these attacks affected only a small fraction of the overall number of schools and districts in the U.S., the frequency may increase as more lucrative targets, like corporations and banks, mount a better defense. According to the Consortium for School Networking’s 2019 K–12 IT Leadership Survey Report, rather “than focusing on corporate targets, which are devoting increased resources to cyber defenses,” hackers are turning to “more vulnerable sectors such as school districts, universities, and nonprofits.”

School districts’ networks are the perfect target for cybercriminals because they house a large amount of personal data but exist in a milieu not necessarily attuned to the threat of attack. While hackers’ individual motivations run the gamut, most of the attacks on school districts have been tied to cybercriminals looking for low-risk, high-return financial payoffs—which embattled district decisionmakers are willing to provide if it means keeping student and staff information private.

How Cyberattacks Happen: Phishing and Distributed Denial-of-Service Attacks

According to the Consortium for School Networking, more than 90 percent of cyberattacks in schools start with phishing campaigns, which include “spear phishing” and business-email compromise attacks. Spear phishing is characterized by a focus on specific individuals or groups within a larger organization; these attacks usually get a user to reveal personal information or install malicious software, or malware, on their computer. In a business-email compromise attack, cybercriminals impersonate a trusted party, usually a senior executive, to obtain payments or financial information. In a school-district context, business-email compromise is sometimes known as “Superintendent Fraud.”

Phishing attacks have become more sophisticated and difficult to detect. During the 2019–2020 school year, the San Felipe Del Rio Consolidated Independent School District was hit by a business-email compromise attack. A news release from the U.S. Attorney’s Office in the Western District of Texas explained how the attack worked: The school district’s comptroller received phishing emails from cybercriminals posing as officials at the financial institution to which the district makes bond payments. Three of those bond payments were then diverted to the swindlers’ financial account, which cost the district more than $2 million, according to the release.

Schools and districts can also fall victim to distributed denial-of-service attacks, as the Boston Globe reported Boston-area districts Mansfield, Medfield, and Norton did during the 2020–2021 school year. In this type of attack, a targeted flood of internet traffic disrupts network availability by overwhelming the system and surrounding infrastructure. As a result, users are prevented from accessing payroll platforms, student schedules, and email applications, all of which are necessary to conduct the day-to-day operations of the school.

This disruption can be just as beneficial for cybercriminals as it is for students, who may want classes cancelled or a break from remote learning. In September 2020, a series of DDoS attacks targeting the Miami-Dade County Public Schools were traced to the IP address of a 16-year-old student at South Miami Senior High School, according to a news release from the school district.

In addition to the complete paralysis of a school system, most criminal DDoS attacks have a second purpose: to breach data and expose confidential or protected information that can be viewed, shared, and used as ransom.

Ransomware

While school networks are offline during a DDoS attack, hackers use malicious software to encrypt districts’ data. Districts are then forced to pay hackers a ransom to regain access to their data—hence the term “ransomware.” As of August 2021, ransomware attacks have disrupted 58 education organizations and school districts in the U.S., including 830 individual schools, according to Politico. These attacks sometimes have devastating consequences: In March 2021, the Miami Herald reported that Broward County Public Schools could not pay a $40 million ransom, and 26,000 stolen files, which included student and staff Social Security numbers, addresses, and birthdates, were published online.

Most school districts lack strong security protocols because they have small IT teams and significant budgetary constraints, so it may seem from the outside that education organizations are not making cybersecurity a priority. This assessment, however, does not reflect the progress being made in districts across the country.

Thwarted Ransomware Attacks: Case Studies

Monroe-Woodbury Central School District

Back to Monroe-Woodbury Central School District. As soon as the IT team knew an attack was underway, they notified Superintendent Elsie Rodriguez and the other assistant superintendents. Rodriguez informed the board of education, and then the public relations director and communications team contacted the business office, the district attorney, and the insurance company. Within an hour, the district had an incident response team working with Vyas to contain the attack, assess the damage, and develop a mitigation plan. The cybercriminals had just started targeting the district’s servers when the storage area network shut down, so, luckily, they had nowhere to go to do more damage.

Once the team determined that they had stopped the ransomware, the district focused on restoring weeks’ and months’ worth of data from offline and cloud-based backup systems. It took the district a couple of days to build up a Microsoft infrastructure, but by the end of the first week, 70 percent of mobile devices were up and running. At the end of the second week, all systems were up and running, and Wi-Fi was brought back online for 3,000 student and staff devices and computers.

Vyas reflected that it “was strategic on our part—not from the ransomware perspective, but a resources perspective—that we had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”

Prior to the attack, the district had also gotten an assessment of their network from the National Institute of Science and Technology. In January and March 2019, the IT team used the audit recommendations to “plug the holes,” which, in hindsight, could have been a factor in mitigating the effects of the cyberattack.

The IT team tried to learn from the attack. Though they had no proof, they believed that allowing personal devices to connect to the school network may have been a factor in the attack. The district therefore changed its policies: Only school devices were allowed to access the network, and guest networks were eliminated.

Rodriguez established scenario-based cybersecurity training, because “security is not just a technology concern; it’s a district concern.” Vyas continues to educate the school community, including the school board, about the latest trends in cybersecurity because, as he puts it, “people forget.”

Haverhill Public Schools

The attack on Haverhill Public Schools in Haverhill, Massachusetts, started shortly after midnight on Wednesday, April 7, 2021. By 2:30 in the morning, Director of Technology Doug Russell and Systems/Network Engineer Don Preston had been alerted to system failures. They realized that this was more than just a standard system alert, and the team immediately shut down the network that connected all 15 district schools.

As soon as Russell and his team understood the extent of the attack, they notified Superintendent Margaret Marotta. Marotta then informed the Haverhill Public Schools School Committee and other critical stakeholders. She became the central communications person, thus enabling the IT team to focus on mitigating the problem. Within a few hours, the district had implemented its crisis-recovery plan and connected with its IT consulting company, which joined with local police, state police, the FBI, the Department of Homeland Security, and the Multi-State Information Sharing and Analysis Center, an organization that helps local, state, and tribal governments with cybersecurity-incident response and remediation, to assess the situation. After a few hours of evaluating the network, the Haverhill team determined that 140 of the 13,000 district endpoint devices had been infected with the ransomware. Much of the virus had been funneled into the district’s virtual server environment, and most of those virtual servers had then detected the infection and shut down—exactly as they had been designed to do.

Authentication and rostering servers were up and running by six o’clock in the evening on the day of the attack. Five days after the incident, the internet had been restored in all 15 buildings, with 98 percent of the systems fully functioning. The email system took two and a half weeks longer to be fully restored.

“One of the things that saved us was the transition to laptops for staff during the pandemic,” Russell said. Most staff members’ computers were not on the district network when the attack happened.

Russell added that another helpful mitigating factor was “a change that we made a couple of years ago” to “our whole virtual environment,” which meant there was no clear path for the ransomware to follow. Also, the cyberattack did not impact district financial records because the payroll system was hosted by the City of Haverhill on a completely different network. Finally, Russell explained that moving many systems to cloud hosting made the attack less severe than it would have been if the district had hosted all of those systems internally.

The Multi-State Information Sharing and Analysis Center’s investigation of the attack is ongoing, and the district has yet to confirm if any personal data was compromised. The team at Haverhill Public Schools did learn that they needed to upgrade existing systems and backup options, though. Before the attack, they had data snapshots, and the district operated with two different systems running at the same time. “So even though everything was still being snapshot and backed up, we realized that some of those systems, if they were to shut down, or if they would have been infected the wrong way, wouldn’t have gotten the last couple snapshots that we needed to recover,” Russell said.

Working with an IT consultant and the district crisis response team, as well as Marotta’s support and additional funding from the Haverhill School Committee, Russell and his team determined the need to increase redundancy and upgrade their anti-malware software and anti-ransomware software.

“I feel like if that would have been running, or something would have been running better, it probably would have stopped it even sooner, and we would have had fewer servers to restore,” reflected Russell.

What Can Districts Do?

Cybersecurity training

According to the October 2020 IBM Education Ransomware Study, which involved interviews with 1,000 educators and 200 administrators, administrators were “20 percent more likely to receive cybersecurity training than educators” though they were “still unaware of critical information relevant to protecting their schools.” Eighty-three percent of administrators expressed confidence in their school’s ability to handle a cyberattack, for example, but more than 60 percent of them did not know if their school had a mitigation plan.

About 90 percent of the time, cyberattacks happen due to human error, said Haverhill’s Russell. The source of the Haverhill Public Schools attack was a phishing email, which allowed the hackers to access a virtual remote server. In the wake of the attack, the school community took action and recognized the need for more cybersecurity training and, specifically, for secure password protocols through standardized requirements, such as making sure passwords are a certain length or have special characters.

Back up, back up, back up

A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network. The Monroe-Woodbury and Haverhill districts have used secure backup systems with redundancy for years, so when their virtual servers were attacked, they were assured the recovery of their data. Russell added that “a backup is vital” and that “if districts are not backing up correctly, they will never be able to recover” from an attack.

Cybersecurity insurance

In 2020, the average cost of a data breach was $3.79 million for districts and other education organizations in the U.S., according to IBM’s annual report on data-breach costs. When the Manor Independent School District, a small district in Texas, was compromised by a phishing scam in January 2020, CBS Austin reported that it cost the community $2.3 million.

Most insurance companies now offer cyber liability insurance to school districts, for an average of $1,600 a year, according to AdvisorSmith. Though the cost varies based on size and location, districts could end up saving millions by adding this insurance to their yearly operational budgets. In November 2019, when Port Neches-Groves Independent School District in Texas was hit by a ransomware attack, a cybersecurity insurance rider on their district policy covered the $35,000 ransom demand, reported KBMT news. The district ended up getting back access to their systems—at the relatively low cost of a $2,500 insurance deductible. Cybersecurity insurance often covers not just the cost of the ransom itself, but of IT experts to analyze the breach, a marketing firm to manage the district’s response, and lawyers to advise the best next steps, as well as lost revenue. The insurance also provides credit monitoring for the students and staff whose records were exposed by the breach.

Other best practices

Districts can reduce infections by filtering at the email gateway, maintaining updated antivirus and anti-malware software, and using a centrally managed antivirus solution. In addition, because some attacks are accidental, districts should apply the principle of data governance, or giving users access only to the data they need to do their jobs. It is also critical that districts maintain a robust asset-management system, retain and secure logs from network devices and local hosts, and baseline and analyze network activity to determine behavioral patterns. While districts may feel vulnerable and helpless in the wake of an attack, these proactive, rather than reactive, actions will determine the overall impact of a cybersecurity attack.

The Work of Many

Districts cannot fight off the hacker hordes alone. Though the ESSER fund provides billions of dollars to school districts for support in the wake of Covid-19, the money allocated to support broadband access, equipment purchases, and remote-learning infrastructure does not cover districts’ cybersecurity needs, such as upgraded firewalls. In June 2021, Senators Mark R. Warner and Susan Collins wrote a letter to Education Secretary Miguel Cardona advising the department to make Covid-19 relief funds available for cybersecurity resources. The letter also recommends that the U.S. Department of Education engage with school districts to increase awareness of the need for more robust cybersecurity measures.

On October 8, 2021, President Biden signed the K–12 Cybersecurity Act of 2021. This bill authorizes the Cybersecurity and Infrastructure Security Agency to study the specific risks impacting K–12 institutions, develop recommendations for cybersecurity guidelines, and create an online toolkit districts can use for implementation. Additionally, a bipartisan group of four House members introduced the Enhancing K–12 Cybersecurity Act in June 2021. This law would direct the Cybersecurity and Infrastructure Security Agency to create a cybersecurity information exchange, a K–12 incident reporting registry, and a $10 million, annual technology-improvement program. Organizations such as the Consortium for School Networking, State Educational Technology Directors Association, and National Association of State Chief Information Officers supported the bill.

When it comes to a cyberattack on a school district, it is no longer a matter of if but when. No longer does the danger zone start at the perimeters of district infrastructure and network. The danger zone now lies within the walls of school districts themselves. We must assume that, whether they are malicious or accidental, bad actors exist within our own systems.

Best Practices for Stopping Ransomware Attacks

Originally Published: EdTech Magazine

A vetted, strategic cybersecurity plan helped one school district successfully push back against cyberattackers.

The annual back-to-school superintendent conference day on Sept. 3, 2019, at New York’s Monroe-Woodbury Central School District should have been one of excitement and reconnection for staff and administrators. But that wasn’t the case for Bhargav Vyas, who serves as the district’s assistant superintendent for compliance and information systems as well as its data protection officer. Instead, the night before, his team got a system failure warning that caused them to start troubleshooting early in the morning.

It started at 7:30 a.m. When bringing up the domain controllers, one of the leading techs called and said, “Our biggest nightmare is here.” Vyas knew then that a cyberattack was underway.

Cybersecurity Incidents Spike During the Pandemic

According to “The State of K-12 Cybersecurity: 2020 Year in Review” from the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, what happened at Monroe-Woodbury is becoming increasingly common. The 2020 calendar year saw a record-setting 408 publicly disclosed cybersecurity incidents. These attacks, which affected 377 school districts across 40 states, resulted in temporary school closures, millions of stolen taxpayer dollars and student data breaches linked to identity theft and credit card fraud.

Schools moving to remote and online learning environments in March 2020 only exacerbated the problem. With the rapid shift to remote learning putting more devices into students’ and teachers’ hands, a lack of cybersecurity training, and plenty of enticing free apps to download, cracks in schools’ cybersecurity were almost inevitable.

IBM’s Education Ransomware Study, released in October 2020, surveyed 1,000 K–12 and college educators and 200 K–12 and college administrators. It found that “while administrators are 20 percent more likely to receive cybersecurity training than educators, they are still unaware of critical information relevant to protecting their schools.”

Pre-Emptive Protocols Lead to Faster Recovery

When Monroe-Woodbury faced down its cyberattackers in 2019, it was ready. Well before the attack, the district had established both internal protocols and a disaster recovery plan.

As soon as the IT team became aware of the attack, it notified Superintendent Elsie Rodriguez and the other assistant superintendents. Once Rodriguez informed the Monroe-Woodbury board of education of the situation, the communications team and the public relations specialist contacted all key stakeholders, including the business office, the district attorney and the insurance company.

Within an hour, the district had an incident response team working with Vyas to contain the attack, assess the damage, and develop a mitigation plan. The attackers had just started targeting the servers when the storage area network was shut down, so there was nowhere to go to do more damage.

“We had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”

Bhargav Vyas, Assistant Superintendent for Compliance and Information Systems, Monroe-Woodbury Central School District

Once the IT team finished restoring data from the snapshots cleared by the incident response team, it took a few days to build up a Microsoft infrastructure. By the end of the first week, 70 percent of the district’s mobile devices were back up and running, including those for transportation services. At the end of the second week, the IT team had all systems up and was able to bring Wi-Fi back online to connect mobile devices for 3,000 students and staff.

Plug the Holes with Internal Security Lessons

Looking back, Vyas says, “it was strategic on the district’s part, not from the ransomware perspective but from a resources perspective, that we had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”

The district made another strategic move that may have hindered the attack. It signed up for a National Institute of Standards and Technology cybersecurity assessment that reviewed risks and threats to the district’s entire network.

Months before the attack, the IT team used the assessment’s recommendations to “plug the holes” that, in hindsight, could have been a factor in a much more significant cyberattack. It was essential for the district’s IT team to build up goodwill and support, so staff and teachers were educated on cybersecurity and best practices for keeping their data safe. While not everyone understood the technology, they recognized the importance of cybersecurity and trusted the process.

Finally, the team placed great emphasis internally on implementing an electronic inventory and ensuring that record-keeping was accurate and secure. As a result, when reimaging all devices and computers after the cyberattack, the IT team knew the device location and count within 5 percent.

Training Ensures Everyone Stays Educated

After the attack, the Monroe-Woodbury IT team focused on lessons learned. The district changed its policies so that only school devices could access the network, and guest networks were eliminated. Noting that “security is not just a technology concern, it’s a district concern,” Superintendent Rodriguez established scenario-based cybersecurity tabletop training.

Critical stakeholders such as the disaster response team, IT department, business office, and support staff continue working together to ensure they’re well prepared for the future. Because people forget, Vyas continues to educate the school community, including the school board, about developments in cybersecurity. He adds that, even in a cyberattack or pandemic, with the right people on your team and a willingness to do what is best for students, you can work together to give technology back to the school community.

District Leaders Take on the New Reality of Cyber Security in Schools


The third in the Super-Connected: Empowering Superintendents & District Leaders CoSN and edWeb.net series, “Cyber Security: A Critical School District Priority,” took place on November 12, 2018. Moderated by Ann McMullan, Project Director, CoSN Empowered Superintendent Program, this webinar spotlighted the cybersecurity concerns rapidly becoming part of the school district’s daily operations. According to CoSN, the fastest growing and most common cyber incidents in K-12 schools are phishing attacks and unauthorized data breaches. McMullan warned that district leaders couldn’t “just check it off” regarding policies and procedures around cybersecurity. She emphasized that “it is an ongoing issue that needs to be looked at in new ways that are comprehensive, strategic, and persistent.” The three guest panelists (Steve Bradshaw, Superintendent, Columbia Falls SD 6, Columbia Falls, MT; Juan Cabrera, Superintendent, El Paso ISD, El Paso, TX; and Dr. Gary Lilly, Director of Schools, Bristol Tennessee City Schools, Bristol, TN) don’t just check it off when it comes to cybersecurity.

It is not hypothetical. 

McMullan affirmed that “while school districts are very familiar with closing schools due to weather, we never expect to have to close schools for cyber-attacks.” Yet that is exactly what happened in Columbia Falls SD 6. What began as one strange text message quickly turned into a physical threat created by a remote access breach. This cybersecurity incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments. Bradshaw reflected on one action that he felt helped his school district get through the cybersecurity attack. That action was the school district’s transparent communication approach with the community and the “honesty and integrity that went along with it.”

“Some lessons you have to learn the hard way” was how Lilly described the Bristol Tennessee City Schools’ cybersecurity breaches. The district was completely taken by surprise once when an HVAC controller was hacked and again when 20% of the district’s employees failed a phishing test. His takeaway from these two events was that liability will always be an issue, but as long as a school district “takes reasonable steps to mitigate the exposure, then they can weather the breaches and hacks.” According to Lilly, these reasonable steps include the cybersecurity education of faculty, staff, students, and administrators and the awareness of all potential “holes” in school buildings’ infrastructure systems.

Cabrera conveyed that, as El Paso ISD tried to be more accessible for students and employees by giving them 24/7 access to their systems, they inadvertently created access points for potential data breaches. His district’s vulnerability point did not impact student data but impacted the PII of another critical data group: employees. He described how the El Paso ISD payroll system had been hacked twice, and it took an FBI team’s involvement to recover over $100,000 in payroll. His suggestion for other district leaders is to elevate the district’s level of cybersecurity importance to protect both students and employees. He also recommended that school districts create a cybersecurity team that includes the CTO, the IT department, and the HR department to collaboratively allocate resources, train staff, and heighten school boards’ awareness.

The New Reality

Cabrera affirmed that “people may think that they are late to the party, but it’s ok because we are all late to the party. As our school districts are becoming more dependent on cloud technology and remote access, the safety and security of our schools have become extremely critical.” When Lilly testified at the Committee on Education and the Workforce at the US House of Representatives, he focused on this new reality with the legislators. “I wanted them to know that cybersecurity and privacy are massive deals as school districts are collecting a tremendous amount of information on students, faculty, and staff. While most districts are taking steps to protect that information, district leaders need the federal government to take a look at the laws and update those laws for the world that we live in now.”

Don’t Wish This On Anyone.

While these three superintendents hope that no other school districts experience cybersecurity breaches and hacks like those they described in this webinar, they understand that all school districts are vulnerable to these types of attacks. Even though Bradshaw felt as though he was the “poster child of cybersecurity,” he explained that it also opened the doors to the reallocation of resources within the district for employee training and the creation of an experienced IT staff with cybersecurity. Lilly recommended that other school district leaders communicate with all stakeholders about their cybersecurity needs, expectations, challenges, and issues. “After you think you have said it, you need to repeat it. People need to hear it more than once.” Cabrera urged school districts to hire good leaders who understand that both the infrastructure and the learning and teaching aspect of technology need to be under the umbrella and protection of cybersecurity.

Source: District Leaders Take on the New Reality of Cyber Security in Schools. Tech and Learning Magazine December 2018 
