Article by Lynda Sailor, Aspen Academy
Companies everywhere are reeling from the impact of cyberattacks, and educational institutions are by no means immune. In fact, the FBI in early June 2021 identified a specific malware that targets K-12 independent and public schools. The malware turns off antivirus protection on the network, systems, servers and services, and proceeds to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. The threat is real, and the better prepared your school is, the better position you will be in to get your school back up and running should it experience a cyberattack.
During the global pandemic, schools leveraged a layered risk-mitigation approach when reopening campuses. Consider adopting a multilayered approach to cybersecurity that addresses many aspects of your organization, including environment, employee awareness, proactive strategies and incident management.
Cyberattacks take a variety of forms that can range from spoofed emails and false error report emails to other, more serious attacks. These can include:
- Theft of school information: External hackers and dissatisfied employees steal school information and student lists.
- Website defacement: Hackers corrupt a website or initiate a denial-of-service attack that shuts down your website.
- Ransomware: Malicious software blocks access to or locks your system or data so that criminals can hold your data for ransom.
- Malware attack: Malicious software that cyber attackers develop to gain access or cause damage to a computer or network, usually without the victim’s knowledge.
- Theft: Business laptops containing unencrypted data might be stolen.
Data and Device Inventory
The first step in your cybersecurity efforts is to make a list of the assets you need to protect, such as connected devices, critical data and software.
To protect your school’s operations, you need to understand the value of your data and how it can be used. Criminals target data that has potential value to them — and your network is the means to that data. You may be required by law to protect certain types of information such as credit card and health information.
Some examples of data you will want to identify, inventory and protect:
- Credit card, banking and financial information.
- Personally identifiable information (PII), such as Social Security numbers, health information, user names and passwords, home addresses and birth dates.
- Student, staff and faculty lists and personal information.
- School “trade secrets,” methodologies, models, etc.
If the data is not there in your network, it cannot be taken. Use good governance and retention practices to limit what is stored on your server, what is sent by email and how long emails are retained.
Know which devices are connected to your network. This makes your environment easier to manage as you determine which devices need to be protected.
- Check your WLAN controller, which manages the wireless access points, to see which devices are connected, and ensure that wireless networks are password-protected and use strong encryption (WPA2).
- For larger schools, use a network scanner to identify all the devices on your network.
- Assign addresses through Dynamic Host Configuration Protocol (DHCP) so that every device joining the network is recorded in the DHCP lease table, which makes it easy to track all devices on your school’s network.
- Audit firewall access controls and port forwarding (which directs inbound traffic to the appropriate server inside the local network) at least quarterly. Outbound traffic should be restricted so that low-skill malware or viruses cannot communicate back to their control servers over non-standard ports; allow only the standard ports that are needed, such as HTTP (80) and HTTPS (443). If possible, limit port forwarding to only the services that need it.
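The DHCP lease table mentioned above is only useful if someone compares it with the device register. As an added example (not code from the article), this Python script parses a lease file in ISC dhcpd.leases format and reports active leases whose MAC address is not in the register; the leases and the register are constructed sample data.

```python
import re

# Constructed sample in ISC dhcpd.leases format (starts/ends lines omitted; not used here)
LEASES = """
lease 10.20.5.41 {
  binding state active;
  hardware ethernet 3c:22:fb:aa:01:01;
  client-hostname "LIB-LAPTOP-07";
}
lease 10.20.5.88 {
  binding state active;
  hardware ethernet de:ad:be:ef:00:42;
  client-hostname "android-9f1c";
}
lease 10.20.5.90 {
  binding state free;
  hardware ethernet 3c:22:fb:aa:01:02;
}
"""

# Constructed device register: MAC address -> (asset tag, assigned to)
INVENTORY = {
    "3c:22:fb:aa:01:01": ("AA-0107", "Library"),
    "3c:22:fb:aa:01:02": ("AA-0108", "Front office"),
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Return one dict per lease block: ip, mac (lower-case), hostname, active flag."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9A-Fa-f:]{17});", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if not (state and mac):
            continue  # malformed block: skip rather than guess
        leases.append({"ip": ip, "mac": mac.group(1).lower(),
                       "host": host.group(1) if host else "",
                       "active": state.group(1) == "active"})
    return leases

def reconcile(leases, inventory):
    """Split active leases into registered devices and unregistered ones to investigate."""
    known, unknown = [], []
    for lease in leases:
        if lease["active"]:
            (known if lease["mac"] in inventory else unknown).append(lease)
    return known, unknown
```

Expired or released leases (binding state free) are ignored, so a device that left the network does not show up as a false alarm.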
Software and Online Platforms
Rogue or unlicensed software poses risks, including legal liability, that can be mitigated. It is important to keep software up to date, as unpatched software is a common way for malware to infiltrate and attack your systems.
Schools should inventory software and applications running on your school network and the web services or cloud solutions your school uses. Initiate a transparent process for controlling individuals’ ability to add software to your network and protect user accounts with administrative privileges.
Other actions to reduce both the likelihood and impact of cyber events include:
- Manually check each school device’s installed-programs list (the system’s install/uninstall feature) to see which software has been installed on it.
- Periodically check what software is running on your systems using an inventory or auditing tool such as Spiceworks or SolarWinds NCM.
- Prevent general users from functioning as administrators and limit the number of people with administrator privileges to a very small group of trained personnel.
- Ensure administrators who can make system changes use unique, strong passwords for administrative accounts.
- Provide instructions for employees on developing strong passwords or use password managers.
- Ensure system administrators use a separate non-administrative account for reading email, accessing the internet and creating documents.
- Develop a school process for downloading software to your network and prevent the use of non-approved applications via application whitelisting tools, which index, approve and allow applications to be present on a computer system.
- Monitor and maintain antivirus protection.
Employee Awareness and Training
Human error remains the leading reason cyber criminals continue to succeed. Protecting your data requires not only technological solutions, but also employee awareness to prevent accidental damage to your systems. Educating your employees in cybersecurity is critical, and engaging on an emotional level can help them understand they are not only protecting your school but also their personal security.
Promote cybersecurity awareness through regular staff training. Encourage strong cybersecurity behaviors including the following:
- Identify and train those school staff who have access to or handle sensitive data to ensure they understand their role in protecting that information.
- Apply common sense. If something seems odd, suspicious or too good to be true, it is most likely an attempt to breach your system.
- Use strong, unique passphrases for every account and/or multi-factor authentication if supported.
- Encourage the use of a password manager or free password vault to create and manage strong passwords for services and sites.
- Use the screen lock on your mobile devices.
- Keep all staff devices and software updated.
- Ensure there is a clear escalation protocol if an incident occurs.
Creating and managing backups is one of the best ways to secure your data and recover after an incident. Current backups should be easily accessed while also segmented from your school’s general production systems that are used to process daily work. This can help you avoid business interruption without paying a ransom.
- A simple backup strategy to remember is “3-2-1”: three backup copies, with two on-site, and one off-site. This should be the minimum goal.
- Back up your network nightly to multiple locations and ensure that at least one backup destination is not accessible through the network. This will help protect against ransomware attacks since those backup files will not be accessible to the malware.
- Periodically test your backups by trying to restore the system using a backup.
- Consider using secure cloud solutions where available. It is still advisable to back up cloud data using Veeam or another tool to ensure data is protected from accidental deletion or retained longer than the provider’s own retention period.
Some cost-effective solutions you may choose to explore:
- Microsoft’s Backup and Restore (must be purchased separately from Windows).
- Apple Time Machine (installed on Apple operating systems).
- Amanda Network Backups (free and open-source backup).
- Bacula (open-source backup and recovery solution).
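A backup that has never been restored is an assumption, not a safeguard. As an added example (not from the article or any of the tools listed), this Python script builds a compressed archive with a SHA-256 manifest and then performs the restore test described above: it extracts into a scratch directory and hashes every file against the manifest, reporting anything missing or altered. The archive format (tar.gz) and the two sample files are assumptions.

```python
import hashlib, tarfile, tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return a {relative path: sha256} manifest to store apart from it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive_path, manifest):
    """Restore to a scratch dir and hash each file against the manifest; [] means clean."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Newer Pythons offer a 'data' filter that rejects unsafe member paths.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != digest:
                problems.append(rel)
    return problems

def demo():
    """Constructed sample: two small files stand in for school records."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "records"
        (src / "grades").mkdir(parents=True)
        (src / "grades" / "2021.csv").write_text("id,grade\n1,A\n")
        (src / "roster.txt").write_text("sample roster\n")
        archive = str(Path(work) / "nightly.tar.gz")
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Simulate a damaged copy: the stored hash no longer matches the data.
        manifest["roster.txt"] = "0" * 64
        return clean, verify_restore(archive, manifest)
```

Keeping the manifest with the off-site copy rather than beside the archive means a ransomware run that encrypts the backup share cannot also rewrite the hashes it is checked against.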
To prepare for a cyberattack, know what resources can be accessed in the event of an incident. Whether you have internal IT staff or a third-party incident management services provider, you should know — before an event occurs — the roles and expectations of the party responsible for incident management.
- Identify who at the school will serve as lead in case of an incident.
- Have contact information available for IT staff and/or third-party organizations.
- Keep a list of external contacts that could include legal counsel, security and crisis management teams, insurance agents for cyber-security coverage and security consultants.
- Review your cybersecurity policy and understand how to initiate a claim when an incident occurs.
- Familiarize yourself with your state’s data breach notification laws.
- Conduct a simulated phishing attack to fully understand how your plan will work or what areas need improvement.
Sometimes, despite your best efforts, a cyber incident will occur. Whether a school restores from backups or pays to obtain the encryption key, returning to normal operations often takes weeks, if not months. Should an incident occur, consider these steps.
- Inform your head of school so they may notify school trustees as appropriate when more information is obtained.
- Immediately contact your insurance agent and follow the necessary steps to file a claim. Most coverage includes the mobilization of cybersecurity experts and legal counsel who will guide you through an incident. Typically, they will assign a cybersecurity consultant to work with your IT staff to determine the nature and extent of the incident. If legal counsel is not provided through your insurance, contact legal counsel yourself if it appears that personal information was involved in the incident.
- Ransomware attacks can also involve access to data that triggers contractual and legal notification obligations. In a rush to restore systems, some organizations wipe and reimage devices without preserving evidence. This can complicate the determination of what occurred after the attacker gained access to the network before ransomware was deployed.
Criminals are constantly finding new ways to exploit vulnerabilities, so it is imperative that schools continually evaluate and test their plans. A plan review and simulation tests should be conducted annually with designated team members, including your IT department, third-party vendors, insurance agent, and appropriate members of your leadership or crisis team.
Creating and utilizing multiple layers of cybersecurity controls while training and consistently communicating the importance of cybersecurity to your employees is your school’s best defense in stopping or mitigating the risk of a cyberattack.