
COVER FEATURE

Going on the cyber offensive

How districts should prepare for, respond to cybersecurity threats

By Jennifer Snelling

It was about 4:30 a.m. on a July Saturday in 2019. Lorrie Owens, chief technology officer for the San Mateo County Office of Education (SMCOE), was awake, but not expecting a work call. While on a weekend boating trip in the mountains, the district’s financial systems manager quickly looked to ensure the financial system backup was completed overnight. When the manager couldn’t log in, he used an alternative method to circumvent the block. Once in, he noticed that some of the file names had been changed. He knew something was wrong.

The SMCOE system was being hacked. The criminals were in the process of encrypting the financial system’s files. Owens immediately shut down the entire network, which includes 23 school districts that are all on the SMCOE’s financial systems.

Owens, a CASBO organizational member, and her team began to investigate. Over the next week, as the system remained down, they combed through every piece of network equipment and every end-user device. Without the network, none of the business departments in the county’s 23 districts could function. Plus, special education classrooms had no internet service, and some districts had no phone service.

“They had only been into our network a short time, but it was still a very costly event because we couldn’t bring up the network,” says Owens. “We had to check anything and everything that connected to the network. For us to do all that in a week was a miracle. It was lucky we caught it in time. If we hadn’t seen it until Monday morning, it would have been over.”

Cybersecurity has been in the news a lot since Los Angeles Unified School District (LAUSD) was targeted by the Vice Society, a ransomware organization, in early September. The attack took LAUSD’s website offline, causing staff and students to lose access to their emails and education management systems.

While the hacking of LAUSD has made a lot of headlines this year, the district is not alone. Brett Callow, threat analyst for the digital security firm Emsisoft, told the Los Angeles Times that hackers have attacked at least 27 U.S. school districts and 28 colleges. The stolen data from at least 36 of those organizations ended up online, and three organizations paid ransom to the attackers.

For years, bad actors largely ignored K-12 education. That’s changing as criminals realize that districts house large troves of valuable student information. Cybercriminals sell the data on the dark web, and students don’t know it for many years until they apply for a job or federal student aid. The data is particularly valuable because criminals use it for years before anyone realizes it was stolen.

“We have an added responsibility to protect our students,” says Owens. “We have this valuable data, but we don’t have the resources that banking or medical systems have. Bad actors know we are vastly underfunded and under-resourced for cybersecurity.”

The house metaphor

Thankfully, CASBO members and other experts can offer some pro tips to help you avoid some of the nightmare scenarios they’ve experienced.

Secure the house.

Owens thinks of her computer network as a house. Protect your systems by setting up effective security and ensuring that, if criminals do get in the door, the valuables will be hard to find.

Be careful who you let in your house.

Owens beefed up security after the SMCOE breach. She recommends ensuring you have appropriate software that logs what’s happening and alerts you if something unusual happens.

Data breaches often come from outside vendors, so ensure you’re contracting with responsible third parties and vendors. Attorney Gretchen M. Shipley of CASBO Premier Partner F3Law, and chair of the firm’s eMatters Practice Group, recommends that the technology department and purchasing department understand that contracts with outside vendors must have protective measures.

California’s laws are more restrictive than the rest of the nation, says Shipley, so if the vendor is national, they may not conform to California laws. The contract should include a robust data privacy agreement that specifies what the cybersecurity framework needs to look like, holds subcontractors to the same standards and specifies indemnification, meaning if the contractor allows the data breach, they will pay the district for the damages incurred.

Two-factor authentication is an important method for verifying who is logging into the system. It is less convenient for employees, but the protection is worthwhile, says Joe Ayala, chair of CASBO’s Technology Professional Council and director of technology for Santa Clara Unified School District, a CASBO organizational member. The district is enacting a policy that requires anyone who can edit or touch student data to use two-factor authentication. Ayala warns this has to be worked out with unions since it requires employees to use their personal phones to log into work accounts.

Test the locks.

Shipley recommends that districts conduct annual penetration testing, either internally or with an outside forensics team. “While it can be expensive,” she says, “it’s worth the $15,000 so that you’re not spending $500,000 in damages.”

Hide the valuables.

The first thing bad actors do is encrypt your data so they can ask for a ransom. They target backups, so entities feel pressure to pay a ransom to retrieve their sensitive data.

Owens recommends using air gaps to protect your backups, meaning store them separately (from a virtual standpoint) from all your other data. “It’s kind of like having separate houses on your property,” she says. Because San Mateo’s backups were air-gapped, it slowed down the hackers, and they didn’t have a chance to get the data.

Thomas Tan, executive director of technology services for the Huntington Beach City School District, a CASBO organizational member, says backing up data and, just as importantly, testing the ability to restore the backup data successfully, is like insurance. Backups, especially off-site backups, can also help in the event of a disaster like an earthquake.

“Better to have multiple copies of immutable data backups, meaning that data cannot be corrupted after backup by malware or ransomware,” he says. “Back up to local servers on different parts of the network, backup data to the cloud with storage services like Wasabi, Backspace, Azure and Amazon Web Services. As the saying goes, ‘Backup religiously or prayer may be your only hope.’”

Education is the best prevention

The best prevention efforts will not be successful if someone lets a bad actor in through the front door. Tan’s county office of education, Orange County, has a team dedicated to cybersecurity. They provide a network security evaluation report that contains the top network security items that need attention.

“Cybersecurity is most effective in layers, similar to how increased layers of armor offer more protection,” Tan says. “The first layer of defense is user education and awareness.” The district sends monthly online safety reminders and educates and sensitizes users to recognize different kinds of cyberattacks. For instance, check to ensure the email matches the sender, and avoid clicking on links or opening attachments. If in doubt, call the sender for verification.


“Sophisticated phishing tactics can deceive even vigilant users into giving their sign-in credentials to the bad guys,” he adds.

One Huntington Beach user reported that an email from their school principal had a suspicious file attachment. The email asked for the user’s cell phone number so they could text them back. The text link could have activated or downloaded malware and collected personal information.

Two things protected the Huntington Beach system: Google Gmail displayed a warning alert message, and the user was suspicious because the email address was not recognized as a district email.
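The two signals that caught the Huntington Beach email (a familiar display name paired with an address that is not a district address, plus a request for a phone number) can be checked automatically before a message reaches a user. The following is an added illustration, not code from the article or any district; the district domain, the staff directory and the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: a hypothetical district domain and a tiny staff directory
# mapping display names to the mailbox each person is expected to send from.
DISTRICT_DOMAIN = "example-district.org"
STAFF_DIRECTORY = {
    "Pat Principal": "pprincipal@example-district.org",
}

# Constructed sample: display name of a known principal, outside mailbox,
# body asks for a cell number (modelled on the incident described above).
SAMPLE_IMPERSONATION = """\
From: Pat Principal <pat.principal.office@freemail.example>
To: staff@example-district.org
Subject: Quick favor

Can you send me your cell number so I can text you? See attached.
"""

# Constructed sample: same display name, but sent from the directory address.
SAMPLE_LEGIT = """\
From: Pat Principal <pprincipal@example-district.org>
To: staff@example-district.org
Subject: Staff meeting

Reminder: staff meeting Thursday at 3pm.
"""


def classify_sender(raw_message: str) -> dict:
    """Flag display-name impersonation and phone-number requests in one message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    expected = STAFF_DIRECTORY.get(display_name)
    findings = []
    if domain != DISTRICT_DOMAIN:
        findings.append("sender domain is not the district domain")
    if expected and address.lower() != expected.lower():
        findings.append("display name matches staff but address differs from directory")
    if re.search(r"\b(cell|mobile|phone)\s+number\b", msg.get_payload(), re.I):
        findings.append("body requests a phone number")
    return {"display_name": display_name, "address": address,
            "findings": findings, "suspicious": bool(findings)}
```

A message that trips any finding is the kind of email a Phish Bowl style mailbox exists to receive; the legitimate sample produces no findings.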

These types of attacks, called social engineering attacks, use something or someone familiar to the user to try and gain access. Another common social engineering attack asks users to change their direct deposit paycheck information.

Santa Clara has seen this type of deposit scam. An entry-level payroll person pulled an email from the spam folder without checking where it was from. Someone else in the office caught it because the request was for the new superintendent.

Santa Clara USD has a central email connected to the help desk, called the Phish Bowl, where staff can send any questionable email for an extra look.

“Technology is viewed as something separate instead of a tool that’s integrated into all our existing systems such as curriculum, financial services, etc.” says Ayala. “We strive not to make the person feel silly. We just give positive reinforcement when they are careful.”

Owens herself almost fell for one of these direct deposit scams. She got an email saying there was a problem with her account. Because it was payday and the logo was from her bank, she thought something had gone wrong with her paycheck. Luckily, she realized that her bank should not have had her work email and avoided clicking on any links. San Mateo conducts regular phishing tests for users to remind them what to look for. People don’t always like it, but Owens says it’s an important educational tool.

It can be difficult for smaller districts to have the resources to devote to cybersecurity education. Smaller districts can join The K12 Security Information eXchange (K12 SIX), an organization where districts can share tactics, techniques and procedures for attacks as an early warning system for similarly sized districts.

In the event of …

Despite the best preventive measures, there is a chance that you will have to deal with an attack at some point. What should you do?

Prepare an incident response plan.

This plan can be a part of your overall agency’s emergency response.

The plan should include knowing your insurance coverage and navigating the investigation and insurance claim. Shipley says many people don’t realize that general liability insurance covers cybersecurity. They will do the investigation, put you in touch with the FBI, provide any required notices and participate in your response team.

Owens says to be aware that you or an outside company may want to do your own investigation to get things up and running before insurance can step in. To get back to business more quickly, be sure to know how you can preserve evidence while you do the investigation.

“I had 23 districts with no internet and people with no phone service,” says Owens. “We had to get that up and running. I would recommend knowing the steps that will get you business continuity and preserve the evidence you need.”

Determine legal requirements or notification.

Owens had an outside company that determined no data was removed during the SMCOE breach. As soon as possible, determine if the event meets the legal definition of a data breach because an unauthorized data breach triggers notification requirements. Shipley says it is not a data breach if someone steals a laptop but can’t get into it.

If it is a data breach, you need to determine who must be notified. If you sent out 15,000 emailed invitations to set up an account and only 10 students set up accounts, then you only need to do 10 notifications, not 15,000.

The district must provide credit monitoring for anyone whose data has been compromised, including both current employees and employees receiving retirement benefits.

Communicate with stakeholders.

Owens recommends having a unified, clear and honest dialogue with your stakeholders. SMCOE held briefings every morning and met twice daily to ensure they were all hearing the same thing. She recommends having one point person for your stakeholders and the media.

“If you have people saying the same thing differently, it can get out of hand very quickly. Even with what I thought was a very well-coordinated communication strategy, there were rumors out there,” she says. “We were able to quell them pretty quickly.”

LAUSD kept stakeholders updated on Twitter and set up a hotline. “Their public information officer was being very responsible,” says Shipley. “All you’re required to do is put a letter in the mail (notifying stakeholders of the breach). Outside of that, a robust communication program can help calm the nerves of people affected.”

Jennifer Snelling is a freelance writer based in Eugene, Oregon.

What is your district doing to shore up cybersecurity? Share your suggestions at LinkedIn/CASBO.
