
Category: Cybersecurity

“Our Biggest Nightmare Is Here”

Originally Published:
Education Next

On the night of September 2, 2019, Assistant Superintendent for Compliance and Information Systems Bhargav Vyas received a system-failure warning for Monroe-Woodbury Central School District in Central Valley, New York. With his team, he chose to shut down the district’s entire computer network. Then, at 7:30 the next morning, he got a call from one of his leading techs, who was bringing the domain controllers back up after the previous night’s shutdown.

“Our biggest nightmare is here,” the tech said.

That was when Vyas knew a cybersecurity attack was happening.

* * *

Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018, with the highest vulnerabilities present in application security, endpoint security, and keeping software up to date. Online learning, which has increased gradually over the past decade and significantly since March 2020, has only exacerbated the possibility of exposing staff and student data to unauthorized parties.

The 2020 calendar year saw a record-breaking number of publicly disclosed school cybersecurity incidents—a grand total of 408 across 377 school districts in 40 states, according to the K–12 Cybersecurity Center. This represents an 18 percent increase over the 2019 calendar year total and a rate of more than two incidents per school day throughout 2020. These cyberattacks impacted taxpayers, district staff, and students, leading to school closures, millions of dollars stolen, and data breaches linked to identity theft and credit-card fraud.

Though these attacks affected only a small fraction of the overall number of schools and districts in the U.S., the frequency may increase as more lucrative targets, like corporations and banks, mount a better defense. According to the Consortium for School Networking’s 2019 K–12 IT Leadership Survey Report, rather “than focusing on corporate targets, which are devoting increased resources to cyber defenses,” hackers are turning to “more vulnerable sectors such as school districts, universities, and nonprofits.”

School districts’ networks are the perfect target for cybercriminals because they house a large amount of personal data but exist in a milieu not necessarily attuned to the threat of attack. While hackers’ individual motivations run the gamut, most of the attacks on school districts have been tied to cybercriminals looking for low-risk, high-return financial payoffs—which embattled district decisionmakers are willing to provide if it means keeping student and staff information private.

How Cyberattacks Happen: Phishing and Distributed Denial-of-Service Attacks

According to the Consortium for School Networking, more than 90 percent of cyberattacks in schools start with phishing campaigns, which include “spear phishing” and business-email compromise attacks. Spear phishing is characterized by a focus on specific individuals or groups within a larger organization; these attacks usually get a user to reveal personal information or install malicious software, or malware, on their computer. In a business-email compromise attack, cybercriminals impersonate a trusted party, usually a senior executive, to obtain payments or financial information. In a school-district context, business-email compromise is sometimes known as “Superintendent Fraud.”

Phishing attacks have become more sophisticated and difficult to detect. During the 2019–2020 school year, the San Felipe Del Rio Consolidated Independent School District was hit by a business-email compromise attack. A news release from the U.S. Attorney’s Office in the Western District of Texas explained how the attack worked: The school district’s comptroller received phishing emails from cybercriminals posing as officials at the financial institution to which the district makes bond payments. Three of those bond payments were then diverted to the swindlers’ financial account, which cost the district more than $2 million, according to the release.

Schools and districts can also fall victim to distributed denial-of-service attacks, as the Boston Globe reported Boston-area districts Mansfield, Medfield, and Norton did during the 2020–2021 school year. In this type of attack, a targeted flood of internet traffic disrupts network availability by overwhelming the system and surrounding infrastructure. As a result, users are prevented from accessing payroll platforms, student schedules, and email applications, all of which are necessary to conduct the day-to-day operations of the school.

This disruption can be just as beneficial for cybercriminals as it is for students, who may want classes cancelled or a break from remote learning. In September 2020, a series of DDoS attacks targeting the Miami-Dade County Public Schools were traced to the IP address of a 16-year-old student at South Miami Senior High School, according to a news release from the school district.

In addition to the complete paralysis of a school system, most criminal DDoS attacks have a second purpose: to breach data and expose confidential or protected information that can be viewed, shared, and used as ransom.

Ransomware

While school networks are offline during a DDoS attack, hackers use malicious software to encrypt districts’ data. Districts are then forced to pay hackers a ransom to regain access to their data—hence the term “ransomware.” As of August 2021, ransomware attacks have disrupted 58 education organizations and school districts in the U.S., including 830 individual schools, according to Politico. These attacks sometimes have devastating consequences: In March 2021, the Miami Herald reported that Broward County Public Schools could not pay a $40 million ransom, and 26,000 stolen files, which included student and staff Social Security numbers, addresses, and birthdates, were published online.

Most school districts lack strong security protocols because they have small IT teams and significant budgetary constraints, so it may seem from the outside that education organizations are not making cybersecurity a priority. This assessment, however, does not reflect the progress being made in districts across the country.

Thwarted Ransomware Attacks: Case Studies

Monroe-Woodbury Central School District

Back to Monroe-Woodbury Central School District. As soon as the IT team knew an attack was underway, they notified Superintendent Elise Rodriguez and the other assistant superintendents. Rodriguez informed the board of education, and then the public relations director and communications team contacted the business office, the district attorney, and the insurance company. Within an hour, the district had an incident response team working with Vyas to contain the attack, assess the damage, and develop a mitigation plan. The cybercriminals had just started targeting the district’s servers when the storage area network shut down, so, luckily, they had nowhere to go to do more damage.

Once the team determined that they had stopped the ransomware, the district focused on restoring weeks’ and months’ worth of data from offline and cloud-based backup systems. It took the district a couple of days to build up a Microsoft infrastructure, but by the end of the first week, 70 percent of mobile devices were up and running. At the end of the second week, all systems were up and running, and Wi-Fi was brought back online for 3,000 student and staff devices and computers.

Vyas reflected that it “was strategic on our part—not from the ransomware perspective, but a resources perspective—that we had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”

Prior to the attack, the district had also gotten an assessment of their network from the National Institute of Standards and Technology. In January and March 2019, the IT team used the audit recommendations to “plug the holes,” which, in hindsight, could have been a factor in mitigating the effects of the cyberattack.

The IT team tried to learn from the attack. Though they had no proof, they believed that allowing personal devices to connect to the school network may have been a factor in the attack. The district therefore changed its policies: Only school devices were allowed to access the network, and guest networks were eliminated.

Rodriguez established scenario-based cybersecurity training, because “security is not just a technology concern; it’s a district concern.” Vyas continues to educate the school community, including the school board, about the latest trends in cybersecurity because, as he puts it, “people forget.”

Haverhill Public Schools

The attack on Haverhill Public Schools in Haverhill, Massachusetts, started shortly after midnight on Wednesday, April 7, 2021. By 2:30 in the morning, Director of Technology Doug Russell and Systems/Network Engineer Don Preston had been alerted to system failures. They realized that this was more than just a standard system alert, and the team immediately shut down the network that connected all 15 district schools.

As soon as Russell and his team understood the extent of the attack, they notified Superintendent Margaret Marotta. Marotta then informed the Haverhill Public Schools School Committee and other critical stakeholders. She became the central communications person, thus enabling the IT team to focus on mitigating the problem. Within a few hours, the district had implemented its crisis-recovery plan and connected with its IT consulting company, which joined with local police, state police, the FBI, the Department of Homeland Security, and the Multi-State Information Sharing and Analysis Center, an organization that helps local, state, and tribal governments with cybersecurity-incident response and remediation, to assess the situation. After a few hours of evaluating the network, the Haverhill team determined that 140 of the 13,000 district endpoint devices had been infected with the ransomware. Much of the virus had been funneled into the district’s virtual server environment, and most of those virtual servers had then detected the infection and shut down—exactly as they had been designed to do.

Authentication and rostering servers were up and running by six o’clock in the evening on the day of the attack. Five days after the incident, the internet had been restored in all 15 buildings, with 98 percent of the systems fully functioning. The email system took two and a half weeks longer to be fully restored.

“One of the things that saved us was the transition to laptops for staff during the pandemic,” Russell said. Most staff members’ computers were not on the district network when the attack happened.

Russell added that another helpful mitigating factor was “a change that we made a couple of years ago” to “our whole virtual environment,” which meant there was no clear path for the ransomware to follow. Also, the cyberattack did not impact district financial records because the payroll system was hosted by the City of Haverhill on a completely different network. Finally, Russell explained that moving many systems to cloud hosting made the attack less severe than it would have been if the district had hosted all of those systems internally.

The Multi-State Information Sharing and Analysis Center’s investigation of the attack is ongoing, and the district has yet to confirm if any personal data was compromised. The team at Haverhill Public Schools did learn that they needed to upgrade existing systems and backup options, though. Before the attack, they had data snapshots, and the district operated with two different systems running at the same time. “So even though everything was still being snapshot and backed up, we realized that some of those systems, if they were to shut down, or if they would have been infected the wrong way, wouldn’t have gotten the last couple snapshots that we needed to recover,” Russell said.

Working with an IT consultant and the district crisis response team, as well as Marotta’s support and additional funding from the Haverhill School Committee, Russell and his team determined the need to increase redundancy and upgrade their anti-malware software and anti-ransomware software.

“I feel like if that would have been running, or something would have been running better, it probably would have stopped it even sooner, and we would have had fewer servers to restore,” reflected Russell.

What Can Districts Do?

Cybersecurity training

According to the October 2020 IBM Education Ransomware Study, which involved interviews with 1,000 educators and 200 administrators, administrators were “20 percent more likely to receive cybersecurity training than educators” though they were “still unaware of critical information relevant to protecting their schools.” Eighty-three percent of administrators expressed confidence in their school’s ability to handle a cyberattack, for example, but more than 60 percent of them did not know if their school had a mitigation plan.

About 90 percent of the time, cyberattacks happen due to human error, said Haverhill’s Russell. The source of the Haverhill Public Schools attack was a phishing email, which allowed the hackers to access a virtual remote server. In the wake of the attack, the school community took action and recognized the need for more cybersecurity training and, specifically, for secure password protocols through standardized requirements, such as making sure passwords are a certain length or have special characters.

Back up, back up, back up

A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network. The Monroe-Woodbury and Haverhill districts have used secure backup systems with redundancy for years, so when their virtual servers were attacked, they were assured the recovery of their data. Russell added that “a backup is vital” and that “if districts are not backing up correctly, they will never be able to recover” from an attack.

Cybersecurity insurance

In 2020, the average cost of a data breach was $3.79 million for districts and other education organizations in the U.S., according to IBM’s annual report on data-breach costs. When the Manor Independent School District, a small district in Texas, was compromised by a phishing scam in January 2020, CBS Austin reported that it cost the community $2.3 million.

Most insurance companies now offer cyber liability insurance to school districts, for an average of $1,600 a year, according to AdvisorSmith. Though the cost varies based on size and location, districts could end up saving millions by adding this insurance to their yearly operational budgets. In November 2019, when Port Neches-Groves Independent School District in Texas was hit by a ransomware attack, a cybersecurity insurance rider on their district policy covered the $35,000 ransom demand, reported KBMT news. The district ended up getting back access to their systems—at the relatively low cost of a $2,500 insurance deductible. Cybersecurity insurance often covers not just the cost of the ransom itself, but of IT experts to analyze the breach, a marketing firm to manage the district’s response, and lawyers to advise on the best next steps, as well as lost revenue. The insurance also provides credit monitoring for the students and staff whose records were exposed by the breach.

Other best practices

Districts can reduce infections by filtering at the email gateway, maintaining updated antivirus and anti-malware software, and using a centrally managed antivirus solution. In addition, because some attacks are accidental, districts should apply the principle of data governance, or giving users access only to the data they need to do their jobs. It is also critical that districts maintain a robust asset-management system, retain and secure logs from network devices and local hosts, and baseline and analyze network activity to determine behavioral patterns. While districts may feel vulnerable and helpless in the wake of an attack, these proactive, rather than reactive, actions will determine the overall impact of a cybersecurity attack.
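As an added example (not code from the article or from either district), here is one way the email-gateway filtering mentioned above could flag the business-email compromise pattern described earlier, in which a sender poses as a trusted payee or senior official and asks for a payment change. The allowlist, domains, keyword list, thresholds and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist (assumption): parties the district pays or takes
# instructions from, mapped to the mail domains they legitimately use.
TRUSTED = {
    "example bond trust": {"bondtrust.example"},
    "superintendent": {"district.example"},
}
PAYMENT_TERMS = ("wire transfer", "routing number", "account number",
                 "payment instructions", "new bank")
IDENTITY_SIGNALS = {"display-name impersonation", "lookalike domain",
                    "reply-to mismatch"}

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Example Bond Trust Payments" <ops@bondtrvst.example>
Reply-To: ops@mailbox-relay.example
To: comptroller@district.example
Subject: Updated payment instructions

Please send the next bond payment to our new bank. Account number to follow.
"""
LEGITIMATE = """\
From: "Example Bond Trust" <ops@bondtrust.example>
To: comptroller@district.example
Subject: Payment received

Thank you, the scheduled bond payment posted today.
"""


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_findings(raw_message):
    """Return the list of BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name claims a trusted party, but the address is elsewhere.
    for party, domains in TRUSTED.items():
        if party in name.lower() and from_dom not in domains:
            findings.append("display-name impersonation")
            break

    # 2. Sender domain is one or two edits away from a trusted domain.
    all_trusted = set().union(*TRUSTED.values())
    if from_dom not in all_trusted and any(
            0 < edit_distance(from_dom, d) <= 2 for d in all_trusted):
        findings.append("lookalike domain")

    # 3. Replies would go to a different domain than the visible sender.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to mismatch")

    # 4. Body asks for a payment or banking change (single-part text only).
    body = msg.get_payload()
    text = body.lower() if isinstance(body, str) else ""
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment-change request")
    return findings


def verdict(raw_message):
    """Quarantine when an identity signal coincides with a payment request."""
    found = set(bec_findings(raw_message))
    if "payment-change request" in found and found & IDENTITY_SIGNALS:
        return "quarantine"
    return "review" if found else "deliver"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, verdict(raw), bec_findings(raw))
```

Messages that score "review" rather than "quarantine" are the ones worth routing to a human, since a payment request confirmed by phone with a known contact is the control that stops a diverted transfer.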

The Work of Many

Districts cannot fight off the hacker hordes alone. Though the ESSER fund provides billions of dollars to school districts for support in the wake of Covid-19, the money allocated to support broadband access, equipment purchases, and remote-learning infrastructure does not cover districts’ cybersecurity needs, such as upgraded firewalls. In June 2021, Senators Mark R. Warner and Susan Collins wrote a letter to Education Secretary Miguel Cardona advising the department to make Covid-19 relief funds available for cybersecurity resources. The letter also recommends that the U.S. Department of Education engage with school districts to increase awareness of the need for more robust cybersecurity measures.

On October 8, 2021, President Biden signed the K–12 Cybersecurity Act of 2021. This bill authorizes the Cybersecurity and Infrastructure Security Agency to study the specific risks impacting K–12 institutions, develop recommendations for cybersecurity guidelines, and create an online toolkit districts can use for implementation. Additionally, a bipartisan group of four House members introduced the Enhancing K–12 Cybersecurity Act in June 2021. This law would direct the Cybersecurity and Infrastructure Security Agency to create a cybersecurity information exchange, a K–12 incident reporting registry, and a $10 million, annual technology-improvement program. Organizations such as the Consortium for School Networking, State Educational Technology Directors Association, and National Association of State Chief Information Officers supported the bill.

When it comes to a cyberattack on a school district, it is no longer a matter of if but when. No longer does the danger zone start at the perimeters of district infrastructure and network. The danger zone now lies within the walls of school districts themselves. We must assume that, whether they are malicious or accidental, bad actors exist within our own systems.

Best Practices for Stopping Ransomware Attacks

Originally Published:
EdTech Magazine

A vetted, strategic cybersecurity plan helped one school district successfully push back against cyberattackers.

The annual back-to-school superintendent conference day on Sept. 3, 2019, at New York’s Monroe-Woodbury Central School District should have been one of excitement and reconnection for staff and administrators. But that wasn’t the case for Bhargav Vyas, who serves as the district’s assistant superintendent for compliance and information systems as well as its data protection officer. Instead, the night before, his team got a system failure warning that caused them to start troubleshooting early in the morning.

It started at 7:30 a.m. When bringing up the domain controllers, one of the leading techs called and said, “Our biggest nightmare is here.” Vyas knew then that a cyberattack was underway.

Cybersecurity Incidents Spike During the Pandemic

According to “The State of K-12 Cybersecurity: 2020 Year in Review” from the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, what happened at Monroe-Woodbury is becoming increasingly common. The 2020 calendar year saw a record-setting 408 publicly disclosed cybersecurity incidents. These attacks, which affected 377 school districts across 40 states, resulted in temporary school closures, millions of stolen taxpayer dollars and student data breaches linked to identity theft and credit card fraud.

Schools moving to remote and online learning environments in March 2020 only exacerbated the problem. With the rapid shift to remote learning putting more devices into students’ and teachers’ hands, a lack of cybersecurity training, and plenty of enticing free apps to download, cracks in schools’ cybersecurity were almost inevitable.

IBM’s Education Ransomware Study, released in October 2020, surveyed 1,000 K–12 and college educators and 200 K–12 and college administrators. It found that “while administrators are 20 percent more likely to receive cybersecurity training than educators, they are still unaware of critical information relevant to protecting their schools.”

Pre-Emptive Protocols Lead to Faster Recovery

When Monroe-Woodbury faced down its cyberattackers in 2019, it was ready. Well before the attack, the district had established both internal protocols and a disaster recovery plan.

As soon as the IT team became aware of the attack, it notified Superintendent Elsie Rodriguez and the other assistant superintendents. Once Rodriguez informed the Monroe-Woodbury board of education of the situation, the communications team and the public relations specialist contacted all key stakeholders, including the business office, the district attorney and the insurance company.

Within an hour, the district had an incident response team working with Vyas to contain the attack, assess the damage, and develop a mitigation plan. The attackers had just started targeting the servers when the storage area network was shut down, so there was nowhere to go to do more damage.

“We had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”

Bhargav Vyas, Assistant Superintendent for Compliance and Information Systems, Monroe-Woodbury Central School District

Once the IT team finished restoring data from the snapshots cleared by the incident response team, it took a few days to build up a Microsoft infrastructure. By the end of the first week, 70 percent of the district’s mobile devices were back up and running, including those for transportation services. At the end of the second week, the IT team had all systems up and was able to bring Wi-Fi back online to connect mobile devices for 3,000 students and staff.

Plug the Holes with Internal Security Lessons

Looking back, Vyas says, “it was strategic on the district’s part, not from the ransomware perspective but from a resources perspective, that we had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”

The district made another strategic move that may have hindered the attack. It signed up for a National Institute of Standards and Technology cybersecurity assessment that reviewed risks and threats to the district’s entire network.

Months before the attack, the IT team used the assessment’s recommendations to “plug the holes,” which, in hindsight, could have been a factor in preventing a much more significant cyberattack. It was essential for the district’s IT team to build up goodwill and support, so staff and teachers were educated on cybersecurity and best practices for keeping their data safe. While not everyone understood the technology, they recognized the importance of cybersecurity and trusted the process.

Finally, the team placed great emphasis internally on implementing an electronic inventory and ensuring that record-keeping was accurate and secure. As a result, when reimaging all devices and computers after the cyberattack, the IT team knew the device location and count within 5 percent.

Training Ensures Everyone Stays Educated

After the attack, the Monroe-Woodbury IT team focused on lessons learned. The district changed its policies so that only school devices could access the network, and guest networks were eliminated. Noting that “security is not just a technology concern, it’s a district concern,” Superintendent Rodriguez established scenario-based cybersecurity tabletop training.

Critical stakeholders such as the disaster response team, IT department, business office, and support staff continue working together to ensure they’re well prepared for the future. Because people forget, Vyas continues to educate the school community, including the school board, about developments in cybersecurity. He adds that, even in a cyberattack or pandemic, with the right people on your team and a willingness to do what is best for students, you can work together to give technology back to the school community.

District Leaders Take on the New Reality of Cyber Security in Schools

This cyber security incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments.

The third webinar in the CoSN and edWeb.net series Super-Connected: Empowering Superintendents & District Leaders, “Cyber Security: A Critical School District Priority,” took place on November 12, 2018. Moderated by Ann McMullan, Project Director, CoSN Empowered Superintendent Program, this webinar spotlighted the cybersecurity concerns rapidly becoming part of the school district’s daily operations. According to CoSN, the fastest growing and most common cyber incidents in K-12 schools are phishing attacks and unauthorized data breaches. McMullan warned that district leaders couldn’t “just check it off” regarding policies and procedures around cybersecurity. She emphasized that “it is an ongoing issue that needs to be looked at in new ways that are comprehensive, strategic, and persistent.” The three guest panelists, Steve Bradshaw, Superintendent, Columbia Falls SD 6, Columbia Falls, MT; Juan Cabrera, Superintendent, El Paso ISD, El Paso, TX; and Dr. Gary Lilly, Director of Schools, Bristol Tennessee City Schools, Bristol, TN, don’t just check it off when it comes to cybersecurity.

It is not hypothetical. 

McMullan affirmed that “while school districts are very familiar with closing schools due to weather, we never expect to have to close schools for cyber-attacks.” Yet that is exactly what happened in Columbia Falls SD 6. What began as one strange text message quickly turned into a physical threat created by a remote access breach. This cybersecurity incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments. Bradshaw reflected on one action that he felt helped his school district get through the cybersecurity attack. That action was the school district’s transparent communication approach with the community and the “honesty and integrity that went along with it.”

“Some lessons you have to learn the hard way” was how Lilly described the Bristol Tennessee City Schools’ cybersecurity breaches. The district was completely taken by surprise once when an HVAC controller was hacked and again when 20% of the district’s employees failed a phishing test. His takeaway from these two events was that liability will always be an issue, but as long as a school district “takes reasonable steps to mitigate the exposure, then they can weather the breaches and hacks.” According to Lilly, these reasonable steps include the cybersecurity education of faculty, staff, students, and administrators and the awareness of all potential “holes” in school buildings’ infrastructure systems.

Cabrera conveyed that, as El Paso ISD tried to be more accessible for students and employees by giving them 24/7 access to their systems, they inadvertently created access points for potential data breaches. His district’s vulnerability did not affect student data but did affect the PII of another critical group: employees. He described how the El Paso ISD payroll system had been hacked twice, and it took the involvement of an FBI team to recover over $100,000 in payroll. His suggestion for other district leaders is to elevate the district’s level of cybersecurity importance to protect both students and employees. He also recommended that school districts create a cybersecurity team that includes the CTO, the IT department, and the HR department to collaboratively allocate resources, train staff, and heighten school boards’ awareness.

The New Reality

Cabrera affirmed that “people may think that they are late to the party, but it’s ok because we are all late to the party. As our school districts are becoming more dependent on cloud technology and remote access, the safety and security of our schools have become extremely critical.” When Lilly testified before the Committee on Education and the Workforce of the US House of Representatives, he focused on this new reality with the legislators. “I wanted them to know that cybersecurity and privacy are massive deals as school districts are collecting a tremendous amount of information on students, faculty, and staff. While most districts are taking steps to protect that information, district leaders need the federal government to take a look at the laws and update those laws for the world that we live in now.”

Don’t Wish This On Anyone.

While these three superintendents hope that no other school districts experience cybersecurity breaches and hacks like those they described in this webinar, they understand that all school districts are vulnerable to these types of attacks. Even though Bradshaw felt as though he was the “poster child of cybersecurity,” he explained that it also opened the doors to the reallocation of resources within the district for employee training and the creation of an IT staff experienced in cybersecurity. Lilly recommended that other school district leaders communicate with all stakeholders about their cybersecurity needs, expectations, challenges, and issues. “After you think you have said it, you need to repeat it. People need to hear it more than once.” Cabrera urged school districts to hire good leaders who understand that both the infrastructure and the learning and teaching aspect of technology need to be under the umbrella and protection of cybersecurity.

Source: District Leaders Take on the New Reality of Cyber Security in Schools. Tech and Learning Magazine, December 2018

 
