How three K-12 IT leaders prepare for school ransomware protection, detection, and response
When was the last time you woke up at 3 a.m. in a panic that your network was down? Unfortunately, if you’re like many K-12 IT leaders, it’s probably a frequent occurrence. School ransomware is on the rise, and many districts are woefully under-prepared for detecting and responding to these sophisticated attacks.
The latest State of K-12 Cybersecurity: 2020 Year in Review reports that cyber incidents impacting U.S. school districts have increased in frequency and severity since measurement first began in 2016. The report tracked 400 publicly-disclosed K-12 cyber incidents in 2020 alone—a 15% increase over the previous year.
To dig into the underlying issues causing this disturbing trend and get insights and advice from K-12 IT leaders living this reality every day, we recently hosted a live panel discussion.
Doug Levin, National Director of K12 SIX and the author of the State of K-12 Cybersecurity: 2020 Year in Review report; April Mardock, IT Operations and Cybersecurity Manager at Seattle Public Schools; and David Termunde, Chief Technology Officer at Arbor Park School District, were kind enough to share their time and expertise to help us all understand what is going on and help us be better prepared. Here, we’re taking a look at some of their top school ransomware protection advice for other K-12 IT leaders.
6 School Ransomware Protection Tips from K-12 IT Leaders
The advice provided by April, Dave, and Doug spanned concepts of both school ransomware protection and response. Ultimately, both come down to being prepared and working toward getting incrementally better at protecting, detecting, and responding to K-12 ransomware or other types of cybersecurity incidents.
1. ”Spring cleaning” for your data
“An important point to know about data breaches is that, in many cases, when a school system is exposed, it’s not just current students and staff that are at risk. Historical records of former students and employees have also been exposed. Some of the largest recent breaches affecting schools have included five, sometimes ten, years of data because they were kept in systems that threat actors were able to breach.”
Effective K-12 cybersecurity starts with good data hygiene. Data that isn’t there can’t be abused. Your district likely has a data retention policy, some of which the law requires. But you don’t have to save all data into perpetuity. Identifying data to purge can save a lot of time, money, and effort in the event of ransomware or another type of data security incident.
April mentioned that her district is going through a bit of a “spring cleaning” on their data systems. They are identifying what data to retain and what data to delete.
“The ‘bad guys’ are intentionally looking for large volumes of data. So we’ve started a process of identifying data that we should’ve dumped long before and got rid of it. And for the stuff that we legitimately need to retain, we’re identifying that and putting stringent controls around it, as well as a way to detect when those files are touched.”
Dave also recommends having a process for identifying where data lives. He mentioned that when he first started at Arbor Park, a lot of data resided on local drives. Now that files are mainly stored in a centralized system (SharePoint and OneDrive), he can put policies around who can access files, how they are protected, and when they are purged.
“We have MFA set up for all staff. For higher-level access staff, we have three-factor authentication set up,” says Dave. “We also have policies that they must be on a district device to access certain types of files and data. We also only let students log in to their Microsoft accounts from a district device unless there is a specific request to use a personal device.”
2. Practice good data access policies
Related to good data hygiene is good data governance. This means appropriately managing who has access to what data.
Audit and categorize your data into sensitive and non-sensitive categories, and determine who needs access based on their seniority level and functional area. Only a very select few users should be able to access the most sensitive and valuable data.
A good summer project is to audit user access privileges and re-configure where necessary. For example, I’ve heard stories about superintendents requesting admin-level access to the district Google account, which should not be allowed. They don’t need this level of privilege—nor would they know what to do with it. Superintendent accounts are often targeted for phishing and account takeovers. If a threat actor could gain access to their account, they would have unfettered access to your whole system. And, if you don’t have sufficient monitoring and detection tools in place, it’s unlikely you will know that an attack is underway until it’s too late.
This example illustrates one reason ransomware in the cloud is on the rise: cloud platforms are open by design, so over-privileged accounts are reachable from anywhere. Ensure your Google and/or Microsoft 365 user accounts and their access permissions are properly configured to protect your district’s sensitive data.
But beyond this possibly extreme example, there are many cases where teachers and others who shouldn’t have high-level access to sensitive data gain more access than necessary to do their jobs. Often, it starts as a one-off project or request where access is given and then forgotten.
3. 24/7 monitoring and detection
Whether you’re using a set of tools and/or a managed service to monitor your systems, you need the ability to monitor access and activity with your data 24/7.
“We’ve moved to 24/7 coverage. My team couldn’t do it alone, so we’ve hired a vendor that keeps an eye on alerts and can isolate both users and devices without our intervention. Because the ‘bad guys’ time it for weekends and holidays to wreak havoc.”
The first ransomware early warning signs are often related to abnormal data behavior, such as sensitive data being downloaded in bulk, shared with outside users, or accessed from outside your normal geographic locations.
“We’ve had some stuff happen, but it’s a matter of how quickly you can lock it down,” says April. “It’s a matter of when it’s going to happen, not if it’s going to happen. You have to be able to detect and respond and stop it. That’s really the key.”
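As an added illustration, not from the panel or the original post, here is a minimal rule-based version of those three early-warning checks run over constructed audit events. The event fields, the district domain, the download threshold, and the expected-country list are all assumptions, not any vendor’s schema.

```python
# Added example: rule-based early-warning checks over constructed audit-log events.
# Event shape, domain, threshold and country list are assumptions for illustration.
from collections import Counter

DISTRICT_DOMAIN = "example-district.org"   # assumed district domain
EXPECTED_COUNTRIES = {"US"}                # assumed normal access locations
BULK_DOWNLOAD_THRESHOLD = 20               # assumed: sensitive files per user

# Constructed sample events (not real logs). One event per file action.
SAMPLE_EVENTS = [
    {"user": "teacher@example-district.org", "action": "share", "label": "sensitive",
     "target": "someone@gmail.com", "country": "US"},
    {"user": "teacher@example-district.org", "action": "share", "label": "public",
     "target": "parent@gmail.com", "country": "US"},
    {"user": "principal@example-district.org", "action": "view", "label": "public",
     "target": None, "country": "RO"},
]
# A clerk downloading 25 sensitive files in one session (constructed).
SAMPLE_EVENTS += [
    {"user": "clerk@example-district.org", "action": "download", "label": "sensitive",
     "target": None, "country": "US"}
    for _ in range(25)
]


def is_external(address):
    """True when a share target is outside the district domain."""
    return address is not None and not address.lower().endswith("@" + DISTRICT_DOMAIN)


def detect(events):
    """Return (rule, user, detail) findings for the three abnormal-behaviour patterns."""
    findings = []
    sensitive_downloads = Counter()
    for e in events:
        # Rule 1: sensitive data shared to an outside user.
        if e["action"] == "share" and e["label"] == "sensitive" and is_external(e["target"]):
            findings.append(("external_share", e["user"], e["target"]))
        # Rule 2: count sensitive downloads per user for a bulk threshold.
        if e["action"] == "download" and e["label"] == "sensitive":
            sensitive_downloads[e["user"]] += 1
        # Rule 3: any access from outside the expected locations.
        if e["country"] not in EXPECTED_COUNTRIES:
            findings.append(("unusual_geo", e["user"], e["country"]))
    for user, n in sensitive_downloads.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            findings.append(("bulk_download", user, n))
    return findings
```

Real deployments would feed this from your platform’s audit-log export and tune the threshold and label scheme to your own data classification.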
4. Block macros from the internet
“Please, please, please block macros coming in from the internet. That tends to be a fairly common entry vector,” says April.
Macros are small pieces of code embedded in documents that can run actions when the file is opened. Macros are supported by many popular applications, most notably Microsoft Word and Excel. Any macro can be malicious, but the riskiest are those in files downloaded from the internet.
Blocking macros from being downloaded from the internet to your schools’ devices is a simple yet often overlooked solution that will close a big cybersecurity gap.
5. Cybersecurity drills
“We’re going to have to start doing cyber drills where we’ll have to work through a scenario like what if we have a power outage or a ransomware attack, how do we continue to function. It’s almost no different than a fire drill and active shooter drill,” says Dave. “We’re going to test out our first one next school year sometime where we’ll unplug the servers and practice our response plan.”
Both Dave and April agree that being prepared, talking over the process, and running drills is essential to responding to an incident.
“I think of it like you have the sprinkler head going off in the building and you have water gushing out,” says Dave. “You’re going to be in the middle of it, and you’re soaked, but there’s a process. You’re going to have about 20 minutes of chaos where you’re trying to figure out what is going on and how to stop it.”
That this should happen on a technical level with the IT team is a no-brainer. But, you should also include discussions with the legal and communications teams.
“Talk it through as if the event happened and have as much of the response worked out as you can in advance. It will save time, energy, and probably some of your exfiltration risks,” April advises. “The faster you can move because you have practiced, the less likely it is that you are going to have a problem. Or, at least, reduce the size of the problem.”
6. 3rd party vendor security & privacy assessments
SOPPA is a state law in Illinois that requires schools to publish a list of vendors they use to access their data systems. David has found it helpful—though challenging—to audit and identify who has rights to what data.
Whether you’re in a state with a similar law or not, school vendor security is an essential element of your data security and ransomware protection plan. Doug’s research found that vendor incidents represent nearly 75% of all data breach incidents publicly disclosed in 2020—for the second year in a row.
Though not nearly as common as phishing and macro vectors, ransomware threats delivered through third-party apps can impact schools. When IT admins audit OAuth apps, many are blown away by the number of apps connected to their domain. These apps present ransomware and data security risks and should be strictly controlled, whether you’re legally required to or not.
The amount and scope of cybersecurity threats that school IT teams need to manage is, frankly, untenable. School ransomware protection should be viewed as a responsibility for all, not just the few IT members. And, while much of the focus recently is on ransomware, everyone in the school community needs to keep in mind that K-12 cyber safety and security are related.
School ransomware protection is about protecting children. And it requires preparation, detection, and response. Unfortunately, even the most sophisticated organizations in the world with huge budgets have fallen victim to ransomware attacks. We can’t hold our understaffed and underfunded schools to the same standard, but we can do everything we can to make our districts’ data look less enticing to cybercriminals.