A VIRTUAL VIRAL PANDEMIC
by Dacia Rivers
When COVID-19 first made waves in the U.S., schools across the country were forced to move to remote instruction, taking classrooms to a virtual, online space. Most communities were eager to lend a hand, reaching out to help schools accommodate this sudden change. Local businesses allowed students to sit in their parking lots and log onto their wifi. Tech companies offered their services to school districts free of charge. People came together, at least virtually, with at least one notable exception. Hackers.
“The bad guys aren’t taking pity on schools, even knowing full well that they’re struggling,” says Martin Yarborough of Martin Yarborough and Associates, a Dallas-based consulting firm. “It’s the same type of cybersecurity problems we saw prior to the COVID-19 issue, it’s just escalated.”
Yarborough estimates that cyberattacks on school districts and businesses that offer services to schools have increased about 150% since COVID-19 began. He paints a grim picture for the future, but it comes from a well-informed background, having spent 35 years working in education, serving as a technology professional in Fort Worth, Abilene, Granbury, Stephenville and Glen Rose ISDs before starting his firm. Mostly, Yarborough hopes his prognosis serves as a wake-up call — a warning that school districts need to prepare for a cyberattack, because it’s no longer an “if” situation, but a “when.”
The anatomy of an attack
First, a little good news: Zoom bombings are mostly a thing of the past. In March, when school districts turned to Zoom and similar online conferencing services, the providers simply weren’t prepared for the sudden jump in usage. Security loopholes were everywhere, and hackers rushed to exploit them, breaking into virtual classes to sow mayhem just for their own amusement.
The providers of these online meeting and conferencing systems were quick to close the loopholes and increase security, and because Zoom bombing isn’t financially lucrative, hackers didn’t find it worth the effort to keep trying. Yarborough suggests that the most competent hackers never really bothered with breaking into online meetings, anyway. They have their eyes on a far bigger prize.
Ransomware attacks are the biggest threat to school districts, cybersecurity-wise. These occur when a group gains access to an online system and infects it with malware, shutting it down and rendering the entire system useless. The hackers then reach out, asking for a ransom to remove their malicious code so things can get back to their normal working order, at least in theory.
In late September, Plano’s Tyler Technologies suffered a ransomware attack that affected not just them, but the hundreds of businesses that use their services, including many Texas school districts who were not able to access the systems for weeks afterward. Yarborough worked with a county office of education that fell victim to ransomware last year, affecting 15 school districts who were supported by the office and lost access to multiple software services for three weeks during the clean-up and restoration. Even then, data was never recovered.
In March, Sheldon ISD suffered a ransomware attack that left the district’s email service and security cameras unusable while compromising crucial private data, including employees’ personal bank account information. Rather than spend months rebuilding its servers, the district had no choice but to pay the hackers more than $200,000 to regain access to its systems.
In the vast majority of ransomware cases, at least 65 to 75%, according to Yarborough, hackers use phishing to gain access to these networks. Phishing is an email scam, where a hacker sends someone a message that looks legitimate but contains a link that, once clicked, infects the user’s system with malware. In a school district where every teacher has a tablet or a computer and they’re all connected to the same network, it only takes one person clicking a phishing link one time to allow that hacker access to every device on the system. It doesn’t matter how big your district’s IT team is, how many defenses they’ve put into place or how much money you’ve invested into security, Yarborough says. In this way, everyone is equally vulnerable.
“The hackers prey on human behavior,” he says. “School district technology teams have done a good job in putting together all the technology they can, but they can’t keep people from clicking. I think more teachers probably communicate via email than they do by phone now.”
To make matters worse, Yarborough says in some 40% of ransomware cases, hackers don’t even remove the malware once they’ve been paid. This is why the FBI and DOD tell people not to pay the ransoms. But it can be tempting when the only other way to remove the malicious code is to spend weeks restoring data, some of which is still lost forever.
Following a ransomware attack, protocol says your first move should be to inform the FBI. Their job is to find the culprits. However, finding and prosecuting hackers is no easy task. By design, many U.S. ransomware attacks originate in countries with which we have no extradition treaty. While the FBI does its best to locate the bad guys, they aren’t able to help you get your system back up and running. That’s a long and arduous process, where each piece of equipment in a district must be cleaned and sanitized. In large school districts, this can take weeks, even months, and at enormous cost, especially when the target is someone who wasn’t expecting the attack and who had not prepared for it.
Prevention through preparation
Treating a cyberattack as an inevitability might sound like giving up, but it’s actually the first step toward preventing the fallout.
“There is no immunization against a ransomware infection. It’s going to happen, and you just have to deal with it when it occurs,” Yarborough says. “I hate being the bearer of bad news, but you have to be prepared.”
Yarborough details three things school districts can do to prepare for a cyberattack and minimize the damage one can cause. First, he stresses the importance of creating a security incident response plan. Just like schools hold fire drills or prepare for other worst-case scenarios, they need to be ready for cyberattacks. This includes making a process of what steps to take and whom to contact in the event of an attack. It can be embarrassing to admit that you’ve fallen victim to a phishing attack, but it’s a necessary first step on the road to recovery. Reaching out to experts in the field before an attack can help you have a contact to call when the worst does happen.
Secondly, Yarborough stresses that you must back up your data. Having all of your private and necessary data in a safe place can aid and speed recovery following a cyberattack. Many school districts back up their data to cloud services, but Yarborough says the safest way to back up data is to have a physical copy on-site. This can be in addition to a cloud backup, a last line of defense in case your cloud provider falls victim to an attack itself. Large data companies are just as vulnerable as anyone else to ransomware, from huge insurance companies and banks to government systems and tech companies themselves.
The third step is the most proactive, but perhaps one of the most time-consuming: training staff. Last year, Texas required that all school staff members go through training to prevent phishing attacks, but Yarborough says a one-time training barely scratches the surface.
“Sitting down for a one-hour webinar just isn’t enough. It has to be ongoing, and it has to include real examples of what to look for.”
Ongoing training is crucial in this area because hackers are always evolving and changing their methods. School staff must be kept updated so they can learn to recognize phishing attempts as the hackers modify and improve them. To present the best line of defense, Yarborough suggests school districts hold four phishing simulations per year and a training class at least once per quarter. He says school administrators sometimes balk at this suggestion, saying their teachers are too busy teaching kids to go into training themselves. His response is that if a school’s systems go down due to one successful phishing attempt, all teaching will grind to a halt. Never has that been truer than now, with so many teachers using online systems to reach their students.
Overall, being aware of the realities, the possibilities and the likelihood of a cyberattack can only put you ahead of the game. Hackers are working overtime, sending out thousands of phishing emails to see who takes the bait. Thanks to COVID-19, school administrators have their hands full now more than ever. But letting cybersecurity fall by the wayside can only make things harder in the long run. “Don’t let your guard down,” Yarborough says. “I know school districts are in a major world of hurt with this pandemic. Yet if we shift all of our resources to providing educational services and we forget about technological security needs, you’re opening yourself up for even more of a problem.”