How Schools and Universities Can Thwart Cyberattackers

After a flood of ransomware attacks on educational institutions, the federal Cybersecurity and Infrastructure Security Agency issued guidelines to guard against data breaches.

In July, Louisiana Gov. John Bel Edwards declared a state of emergency for almost a month after cyberattacks infiltrated four school districts’ IT systems, reported the Center for Digital Education. 

Authorities cut off phone and internet services at schools as the districts attempted damage control. Edwards activated Louisiana’s Emergency Support Function 17, a cyber incident response team created in 2017. At stake was a treasure trove of sensitive data, including students’ personal information, districtwide financial metrics and, by extension, even the state’s security protocols.

The cyberattacks on Louisiana schools’ IT systems were among a flood of similar data breaches in 2019 on both K–12 and higher education institutions’ computer networks. In June, as many as 636 student and family records were breached in an attack on the computer network of Oregon State University, reported Corvallis Gazette Times. A university spokesman said an employee’s email account was hacked in May, and emails that appeared to be sent from the university to this account were likely used to phish for students’ information.

These infiltrations didn’t go unnoticed by the federal government, which saw them as signs of a deeper threat to the country’s security. 

“Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike,” said the Cybersecurity and Infrastructure Security Agency in a statement two months ago. CISA is a stand-alone U.S. federal agency that operates under the Department of Homeland Security.

In response to these cyberattacks, the agency in August released a list of recommendations for institutions to follow to prevent such attacks, to recover data when attacked and to guard against future data breaches. CISA noted that protecting institutions from such attacks is its “chief priority.”

Take These Steps to Respond to Ransomware

The federal agency’s top mantra in cases of attacks by ransomware? Don’t pay off the bad guys. 

“We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?),” CISA stated as part of its recommendations. 

The agency believes paying off cybercriminals does not guarantee data recovery — and may, in fact, lead to a cycle of repeated cyberattacks by criminals who want to perpetuate a steady flow of what they see as income.

“Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom,” stated CISA in a note that outlined how ransomware works.

CISA’s recommendations fall under three categories: basic prevention, how to react to an attack and how to prevent further attacks in the future.

There are several steps nested within each of these categories.

Smart Cybersecurity Starts with Basic Prevention

Basic prevention, it would seem, is the most important category for the education sector, which was ranked last among 17 industries in cybersecurity preparedness, according to a SecurityScorecard study published in December 2018. This sector is particularly weak at software patching, application security and network security, according to the study.

“This should be a cause for serious concern among students, parents, school boards, and the education industry as a whole. And yet, despite the ubiquity of data collection and the ever-increasing number of schools nationwide storing data digitally, the Education industry is not doing its part to protect its students (and, essentially, itself) from such risks,” the study states.

CISA’s basic recommendations to prevent cyberattacks are precisely what schools and universities don’t follow rigorously, according to SecurityScorecard’s study. For CISA, these measures form the foundation of cybersecurity. 

Steps at this level include backing up data, and — more important — doing so offline. CISA also cautions against ignoring those system and security update notifications that pop up on screen. 

The federal agency also believes all educational institutions must have a response plan in case of an attack by ransomware. 

“Updating software to eliminate security vulnerabilities requires time and resources. However, the continuous access and use of electronic devices makes software updates an essential security practice. Despite IT departments recognizing the importance of a rapid patching cadence, updates are often scheduled when systems are inactive. A slow patching cadence or late patch installation opens systems up to unauthorized users,” the study noted.

Next Steps After a Ransomware Attack

In the event of an attack by ransomware, CISA advises contacting the FBI or Secret Service, or CISA itself. No attack is too small to be ignored, and all should be brought to the attention of a federal agency, CISA states. 

After reporting the attack, ransomware victims should work immediately with a specialist to isolate the infected systems and prioritize what needs to be recovered. Concurrently, they should take a close look at any outside institutions’ or vendors’ products that have access to their networks.

How to Contain Cyberattackers

CISA notes that schools and universities should secure their networks going forward by developing containment strategies. Institutions should segment networks, making it tougher for cyberattackers to remove information or move around and infect multiple systems.

Data collection is vital for schools and universities, but the information gathered is highly sensitive and needs to be closely guarded. A student’s school file offers “a stereoscopic view of a child’s life, including the location of their home and personal health data, to increasingly personalized academic records like attendance, teacher assessments and observations, learning outcomes, and test scores,” the study states.

In the wrong hands, this personally identifiable student data can be extremely dangerous. 

“The shift to modern data collection, while integral to a student’s growth and even a school’s standing, also invites incredible risk considering the sheer amount of personal data that’s being aggregated on networks,” notes SecurityScorecard’s study.

5 CISA-Recommended Best Practices for Cybersecurity

1.    Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its ability to spread through a network.

2.    Use application whitelisting to allow only approved programs to run on a network.

3.    Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email to prevent spoofing.

4.    Scan all incoming and outgoing emails to detect threats, and filter executable files from reaching end users.

5.    Configure firewalls to block access to known malicious IP addresses.

 

Nov 14 2019
