K-12 Cybersecurity Webinar Recap

For years, the K-12 education system has been plagued with limited resources, shrinking budgets, and increasing classroom size.  Now, with the growing threat of cyberattacks, schools have become a prime target for cybercriminals.  Managing the threat and recovering from attacks is an increasingly difficult burden for IT administrators in the education sector.  As more administrative and teaching processes transition to digital resources, under-staffed IT departments struggle to keep up with demand.  Thankfully, there are those who recognize these dangers and diligently seek to improve the situation by sharing their stories and resources with the community.

In case you missed or were unable to attend our recent K-12 Cybersecurity webinar on June 16, 2021, we were fortunate enough to be joined by several experts who shared their knowledge and experiences on K-12 cybersecurity.  Tons of great information was presented throughout the webcast, and I'd encourage any of those who work in this field to watch the recorded session.  Below are some highlights shared by the presenters, as well as some of my own thoughts.

Jaren Nichols

Jaren Nichols is the Chief Revenue Officer for PDQ.com and did a fantastic job hosting the webinar.  Jaren led with a poll to highlight key statistics about the group in attendance.

K-12 Poll

Question 1:  Has your district experienced a cybersecurity incident in the last 5 years?

1. 36% yes

2. 64% no

Question 2:  How prepared do you feel your district is for a cyber attack (1 = very unprepared, 10 = very prepared)?

1. The vast majority of responses were between 5 & 7, though quite a few fell into the 2-4 range.

Question 3:  Which of the following is most challenging for you?

1. 15% Patch management

2. 54% Training and awareness

3. 23% User authentication / password management

4. 8% Backup strategy

Question 4:  How many system administrators are in your school district?

1. 64% 1-2

2. 22% 3-5

3. 5% 6-10

4. 7% 11-15

5. 2% 16+

This information underscores many of the struggles IT departments in K-12 are facing.   Question 4, in particular, is an obvious pain point as 64% of those who participated in the poll indicated their school district only has 1 to 2 system administrators.

Doug Levin

Doug Levin serves as national director of the K12 Security Information Exchange (K12 SIX), the first non-profit dedicated solely to helping to protect schools from emerging cybersecurity risks.  He is also the creator of the K-12 Cyber Incident Map, the definitive database of publicly disclosed U.S. K-12 cybersecurity incidents.

Since 2018, Doug has been producing The State of K-12 Cybersecurity Year In Review report, which covers in detail the statistics and information regarding publicly disclosed cyber incidents that occurred that calendar year.  This report is freely available, and Doug encourages those involved in education technology to review it to help them better understand the threats and tactics being used by cybercriminals to attack school districts. In addition, the year in review report is also a powerful tool for administrators to use when presenting the dangers of cyber incidents to school boards.  Often, district leaders are unaware of the true risks and costs associated with cyber incidents.  With this information, leadership is more likely to take cyber threats seriously and provide sysadmins with the resources necessary to keep their schools, employees, and students safe.

Doug continued by highlighting the growing use of technology in all school functions.  Testing and other educational resources are hosted online.  Back office processes such as HR, payment processing, facilities, and security systems have transitioned to digital systems.  Each process that transitions to a digital environment becomes another potential vulnerability and entry point for threat actors.

Next, Doug dove into the different types of attacks occurring in districts, including data breaches, ransomware, phishing, denial of service, and more.  An important takeaway is that not only is the number of attacks increasing, but the severity of the attacks is also getting worse.

Lastly, Doug highlighted what we can do collectively and individually to better protect our schools.  I've summarized his thoughts as well as others in the What Can We Do section below.

Barrett Puschus

Barrett Puschus is the Director of Information Technology for Brevard Public Schools, one of the nation's largest school districts.  Barrett shared his experiences with a recent cyber incident that afflicted his school district.

In 2020, Barrett received a call from the Microsoft Detection and Response Team (DART) on Halloween night informing him that signs of ransomware activity had been detected on their network.  Barrett and his team immediately took action and started taking systems offline.

With the help of the Microsoft DART team and a cyber forensics firm, they discovered that the threat actor had gained access to the network about 40 days before the detection.  It started with the threat actor gaining access to one computer through a simple phishing attack.  Once they had that access, they easily infected other systems by monitoring the user's behavior, usage, and who they communicated with.  As more of the network became infected, decoy systems were used to flood audit logs in an attempt to cover up LDAP queries and other aggressive behavior.

Barrett says one of the biggest hurdles they faced was that they didn't know what the threat would look like. For example, you often read about ransomware attacks that encrypt your systems, and you assume that recovering from a backup is going to be the answer; however, that hardly reflects the actual scope and potential damages of the attack.

In the end, months of work and countless hours were spent recovering from the intrusion. In addition, the district's million-dollar cybersecurity insurance policy was almost completely maxed out with this one incident, even though the team was able to take action and prevent the actual attack from ever happening.  Much of the policy was spent on a cybersecurity law firm, the DART and forensics team, and systems that were brought in to thoroughly and intensively scan the network for lingering threats, which maxed out their network bandwidth for weeks.  The insurer and law firm were instrumental in knowing what steps to take and which resources to engage, once the incident was reported.

Barrett emphasized the importance of taking all phishing attacks very seriously.  Be diligent in analyzing all the logs and activities after a phishing incident has occurred, as most severe attacks start with this simple intrusion method.

Kacey Sensenich

Kacey Sensenich is the Chief Technology Officer for Rockingham County School.  Kacey shared her experience with a cyber incident that affected their schools in 2017, just before students and staff left for winter break.

Kacey and her team received reports about equipment in their central office that began showing unusual behavior and had a sluggish performance.  The team decided the quickest action would be to re-image and re-deploy the devices.  After the devices were re-deployed, they once again began showing signs of unusual and sluggish behavior, which is when Kacey and her team started to suspect that something wasn't right.

As the team took a deeper dive into the situation, they noticed unknown files were being dumped onto the machines.  They took the weekend to wipe clean all the systems in their central office, working almost nonstop for 72 hours.

Come Monday, the team felt confident they had resolved the issues, but soon, reports started coming in that other systems in the district began to show unusual behavior.  Kacey and her team knew at this point that the situation was more severe than they initially realized.  They decided to bring in an outside consulting firm to help evaluate the situation, which helped them discover they had been infected with the EMOTET malware.

The EMOTET malware is one of the most harmful malware in recent years, as it allows threat actors to access systems, steal data, and deploy other attacks such as ransomware and banking trojans.  The malware is usually disguised as a legitimate attachment in a spear-phishing email attack.  In this case, the attachment was disguised as an invoice and targeted at individuals who commonly deal with invoices.

Because of the way the malware had spread, the team and had decided they couldn't be sure that they would be able to remove every piece of malware and were afraid of missing dormant files.  They also weren't confident that their backups hadn't been compromised.  The team decided the best course of action would be to take the winter break to rebuild the entire network from the ground up, including replacing older equipment that didn't have the resources to run the new image efficiently.  The team ended up working 42 days straight, including Christmas and New Years.  Most days were 12 to 18 hour shifts.  The end result of the attack was an estimated cost of  $1.2M.

Jason Hanks

Jason Hanks is a Sales Engineer for PDQ.com and worked as a system administrator for the K-12 system prior to joining PDQ.  Jason is still heavily involved in the education sector, working with customers and providing guidance with patch management and deployment solutions.

Jason emphasizes how drastically the information technology scene has changed over the past 20 years.  K-12 IT departments often cannot keep up with the ballooning adoption of digital trends and technology, leaving many sysadmins struggling to stay afloat.

One of the biggest challenges facing system administrators is keeping up with patch management.  As more digital devices and systems are adopted, the list of devices that IT has to update grows.  Often, administrators are required to drop everything to deploy zero-day patches.  If teams don't have a patch management solution, this process can become overwhelming very quickly, easily taking days to accomplish.  When team sizes are limited, automation becomes key for handling these processes.

What Can We Do

Here is a list of several suggestions about what we can do to prevent cyber incidents that were provided throughout the webinar.  I'll first list some suggestions about what we can do collectively that Doug Levin presented, followed by what we can do individually.  These are in no particular order, though some recommendations may have more importance than others.

What we can do collectively

• Invest in greater IT security capacity dedicated to the unique needs of schools

• Enact federal and/or state school cybersecurity regulations

• Invest in the development of K-12 specific cybersecurity tools

• Support K-12 specific cybersecurity information sharing and research

• Share your experiences and knowledge with others

What we can do individually

• Disable administrative rights:  This should be non-negotiable.  This one change will drastically lower your threat profile.

• Turn off internet-exposed ports and services, including RDP

• Develop an aggressive patch management policy:  Patches should be regularly deployed within 2 to 3 weeks of becoming available.  Zero-day patches should be tested and deployed as soon as possible, often within 24 hours of release.

• Invest in a patch management solution:  We at PDQ.com are obviously very passionate about patch management.  It's what we do.  While we encourage the use of our systems, we understand and recognize that our products aren't for everyone.  Regardless of which patch management solution works best for your environment, we recommend and encourage administrators to ensure that patches are deployed regularly and systems are maintained.

• Enable a strong password policy:  Passwords should be difficult to guess.  Require uppercase, lowercase, numbers, and symbols.  Many experts recommend setting the minimum password length to 8 characters, though trends have started to suggest even longer passwords.  Also, ensure passwords expire frequently.  Quarterly is often a good rule of thumb.

• Enable MFA/2FA where possible:  If you have a system with an MFA or 2FA option, enable it.  Multifactor authentication has proven tremendously successful in preventing cyber incidents.  At this point, if a system doesn't support MFA or 2FA, it may be worthwhile to look at alternatives.

• Ensure availability of immutable backups:  Backup can be a lifesaver in the event of an attack.  Ensure you have an adequate amount of backups that you can recover from and ensure they can't be compromised in the event of an attack.  Also, test your backups regularly.  This will ensure your backups are working properly and that sysadmins know how to recover in the event of an emergency.

• Understand that backups don't mean you are safe from attacks:  Many attacks often involve the theft of data and secure information that can be used for extortion purposes.  Backups will have minimal impact on these types of attacks.  Backups, while critical, do not mean you are safe from exploitation.

• Invest in proper protective technologies:  Firewalls, logging solutions, traffic analyzers, antivirus agents, etc.  These systems are critical to protecting your environment.

• Train your employees:  Question 3 in the above poll was very telling as 54% of those who participated in the poll said that training and awareness were the most difficult challenges for them.  Training users is one of the best ways to prevent phishing attacks.  As phishing attacks increase and become more sophisticated, training is more critical than ever.

My Thoughts

A huge thank you to Thomas Stone and Jaren Nichols, who diligently worked on the organization of this webinar together.  Special thanks to Doug Levin, Barrett Puschus, Kacey Sensenich, and Jason Hanks for sharing their knowledge and experiences.  I really appreciate everyone taking the time to share their thoughts and experiences.  Hearing about attacks firsthand really drives home the tremendous impact these situations have on schools.  The two experiences shared weren't even able to fully deploy their attack, and still, the damage was devastating.

The challenge for IT administrators is and will continue to be staying ahead of cyber threats.  Unfortunately, with limited funding and resources, this isn't always possible.  Requesting additional resources is a difficult task, especially when districts don't fully understand what's at risk.  It becomes the responsibility of education tech leadership to convey this message and ensure they get the resources necessary to protect their schools, their staff, and their students.

Remember, the key phrase in cybersecurity is that it's not a matter of if, but when there will be an attack.  When the worst happens, it's far better to be overly prepared than under-prepared.