Feb 04 2021

TCEA 2021: A Texas District Tackles Security from the Inside Out

Penetration tests launched a four-year initiative to address security systems, policies and practices for Pflugerville ISD.

Four years ago, IT leaders at the Pflugerville Independent School District, just north of Austin, were like many of their peers: believing the district was reasonably protected against cybersecurity risks, but not entirely certain. Their effort to reduce that uncertainty led to a multiyear effort to make PfISD fully secure — and to keep it that way.

CTO Victor Valdez, Senior Systems Engineer Ben Smith and Senior Network Engineer Michael Bohler discussed the initiative in “The Art of Making a District Safe,” at this year’s virtual TCEA 2021 conference.

The impetus for analyzing and improving PfISD’s security was the increasing number of cyberattacks that Valdez saw happening in 2017.

“I was really concerned that school districts were going to be the next big target,” he said. “Around the same time, several school districts in Texas were hit with a fake W-2 scam.”

Valdez knew he needed to understand PfISD’s vulnerability in order to address it, so he turned to CDW, a longtime partner, to conduct a penetration test.

“I felt we needed to have someone ethically hack us, to truly come in and do their worst,” he said. “We didn’t tell the staff or the network or server guys. We thought it’d be really fun and interesting to see how it played out.”

Penetration Tests Reveal Surprising Security Vulnerabilities

CDW’s mock attack included firewalls and outward-facing servers, together with phishing exercises via email. When CDW shared its findings, Valdez said, “what they found was incredibly disturbing. They were able to find a lot of information that shouldn’t have been there, and they were able to get to it pretty quickly.”

That included financial information, signatures and data from the student information system — all as a result of a handful of users clicking on a malicious email.

“They were able to access an insane amount of high-risk information,” Valdez recalled.

While he wasn’t surprised users fell for phishing emails, it was eye-opening that doing so could enable attackers to access so much information.

PfISD’s IT team spent the next year or so shoring up firewall, active directory and email defenses, and in 2018, they asked CDW back again to assess internal security, including data center access and the Wi-Fi network.

Once again, the test revealed vulnerabilities, including the ability to gain root-level access to servers. The exercise highlighted the necessity of protecting internal systems as well as external, said Valdez.

“It’s one thing to keep people out, but what do you do when someone’s already in?” he asked.

PfISD went to work: isolating data centers, establishing privileged access levels and dedicated workstations, and strengthening access management for virtual environments and physical devices.

After that, PfISD addressed the wired network and the IT organizational structure (among other changes, the district supported Smith becoming a Certified Information Systems Security Professional). The district revamped its entire network, Valdez said, including replacing more than 900 switches and deploying Aruba ClearPass to secure both wireless and wired networks.

DISCOVER: The importance of teaching cybersecurity to a 5-year-old.

Security Priorities Should Include Privilege Escalation and Ransomware

As part of the security initiative, IT staff made numerous changes to password strategies, access controls, network segmentation and security, and other areas, said Smith and Bohler.

“Two of the biggest threats I see that continuously come up in our environment are privilege escalation and ransomware,” said Smith.

To address them, he recommends that districts conduct internal and external penetration tests every one to three years at least, and step up password controls significantly. Among other best practices, he said, districts should use multifactor authentication for any access to critical infrastructure, including VPN access; leverage tools such as Microsoft’s free Local Administrator Password Solution; and routinely run privilege and password reports to see who has access to what.

The district also imposed a much greater level of isolation, said Smith, including hypervisors, backups, and devices such as cameras and printers. “Your end user workstations should not be communicating to each other,” he said.

Privileged-access workstations, for example, have no internet access and no inbound connections; instead, they connect to a privileged-access manager, a web-based application to control tiered access to necessary applications.

“A PAW is nothing more than a workstation that’s dedicated as a very restricted footprint that is used for managing more secure devices,” Smith said.

MORE ON EDTECH: How to protect student data when using online and emerging tech.

Comprehensive Security Includes Both Wired and Wireless Networks

From a networking perspective, PfISD imposed greater segmentation, capped the number of network switches per stack, applied an access control list to all data virtual LANS (denying unnecessary access to HVACs and similar systems) and blocked all incoming access from other countries, Bohler said.

The district also established different access controls for staff, students and guests, Bohler said, including role-based authentication for the wireless network.

Palo Alto Networks’ WildFire threat prevention tool filters network traffic and prevents file-based threats; it works hand-in-hand with the URL Filtering product that protects users when they try and visit an infected website. “It has been a big help for a lot of crypto and malware and stopped a lot of it,” said Bohler.

He also focused on wired network controls, an area that he said many organizations miss.

“This is often the biggest security risk or hole that’s overlooked,” he said. “If a user were to connect to a port, they get full access to the network, they get access to the server — anything they want on there — unless there’s actually security restrictions placed on those.”

To address that, Bohler said, the district leveraged the same firewall, segmentation and other security strategies they applied to the wireless network and extended them to the wired network.

Finally, said Valdez, PfISD also addressed the human aspect of security. In 2017, for example, a phishing test of staff had a 53 percent failure rate, with 737 employees clicking an email that purported to be a Google password reset request. When IT staff conducted another test in 2020, only 12 percent clicked on the email, said Valdez, adding that the district planned to ramp up its training even more.

“We think school districts and the K–12 environment are very behind in the realm of cybersecurity,” he said, encouraging peers to reach out to PfISD and to other districts for help. “I believe we have an opportunity to provide a lot of information and feedback to people who are now where we were four years ago, because it’s taken us every bit of four years to get to this point.”

Read all of our TCEA 2021 coverage.

ElenaMist/ Getty Images