District CIO

How schools outsmart the hackers

Strategies for protecting your K12 school district from ransomware, phishing and other cyber-threats
  • “Districts must be careful to fully vet and evaluate a [cloud] service.” —Keith Bockwoldt, director of technology services, Arlington Heights Schools
  • “Cybersecurity is not an IT problem. It’s a human capital problem.” —Brian Harvey, superintendent, Oxford School District

Operations at Oxford School District in Mississippi came to a halt on February 7, 2016, when a ransomware attack shut down the district’s computer network. Hackers infected 80 computers with malware, and then demanded $9,000 in bitcoin to remove it.

The district did not pay the ransom, instead opting to wipe clean its servers and re-install software and operating systems. No physical damage was done, but a tremendous amount of time and energy was needed to rebuild everything. The debugging and troubleshooting that had been done over the years had to be recreated.

“It really put us back a decade in how we were doing things,” says Oxford Superintendent Brian Harvey. “We had to get the system back up in a compressed amount of time, all while school was going on. It was a terribly frustrating month and a half.”

Nationally, ransomware attacks surged from 4 million incidents in 2015 to nearly 638 million last year—a jump of 15,850 percent—according to a report from network security firm SonicWall.

How to move to the cloud

Questions to consider when seeking to move student-data storage to the cloud, according to the U.S. Department of Education:

1. Does the cloud solution offer equal or greater security capabilities than those provided by your organization’s data center? To determine this, review and compare available solutions, including firewalls, patch management procedures, and security monitoring and response methods.

Another major threat is distributed denial of service (DDoS) attacks, in which a hacker intentionally crashes a network. There have been numerous incidents of students paying hackers (sometimes as little as $20) to stage such attacks on school networks to postpone tests.

To defend against DDoS, some districts employ backup internet service providers to keep networks running and instruction uninterrupted.

Phishing, also known as zero-day exploits, represents nearly 70 percent of all cyberattacks. It involves fraudulent emails that fool users into disclosing passwords or other private information, providing unauthorized access to a network or unleashing malware.

Hackers also use the internet of things (IoT)—the network of internet-enabled devices such as thermostats or lighting controls—to break into computer networks. Many IoT devices don’t have built-in defenses against cyberattacks and can be hacked if not properly protected.

A good practice is to reset factory-installed passwords, making devices more difficult to compromise.

Ultimately, K12 education is among the most-targeted sectors for cyberattacks, according to the most recent “Internet Security Threat Report” from cybersecurity consultant Symantec. School districts maintain thousands of personal records, the protection of which is at the heart of all network security efforts.

Districts also often have older networks regularly accessed by young, inexperienced users on various unsecured devices.

How to move to the cloud (cont.)

2. Have you considered the risks of cloud solutions? Cloud services are an increasingly attractive target for hackers. Some services have been victim to malicious attacks, potentially exposing any information stored there.

Best defense: Smart users

On any given day in 2014 in Arlington Heights, Illinois, the Township High School District’s computer network experienced about 6,800 attempted cyberattacks, says Keith Bockwoldt, director of technology services. In 2017, nearly 38,000 attempts are occurring daily on a network relied upon by 12,300 students and 1,675 staff.

DDoS attacks account for most activity, which also includes infected off-site computers known as “zombie bots” trying to infect district computers. To repel such an onslaught, the district preaches user awareness as the best defense.

“We tell staff, ‘If you feel you have an email that’s not legitimate or is a phishing scam, send it to the help desk,’” Bockwoldt says. “We look at it right away and confirm if it is, and then we can send out a mass email to alert staff.”

The district has installed technology to identify and repel spoofed or forged email addresses popular in attacks.

Some districts employ cybersecurity consultants to provide awareness training that includes simulated phishing attacks.

“If you can train your students, teachers and administrators what to look for in a phishing attack, you’re going to solve a lot of cybersecurity issues,” says John Wood, CEO of Telos Corporation, a cybersecurity consulting company. See “How schools can avoid phishing attacks.”

Hackers excel at writing password-guessing scripts, so instructing users how to create strong network passwords—longer than six characters and mixing letters, numbers and symbols—is a must. Regularly changing passwords is also good practice, as is having users password-protect any personal devices they use to access district systems.

How to move to the cloud (cont.)

3. Have you considered that incident detection and response can be more complicated in a cloud-based environment? Evaluate district incident-response policies and determine if changes—especially regarding user access—are needed before deciding whether to move to the cloud.

Policy vs. products

“Cybersecurity is not an IT problem,” says Oxford superintendent Harvey. “It is a human capital problem. It’s a personnel problem.”

As such, purchasing the latest security products is not always a panacea. Keeping staff mindful of cybersecurity threats and consistently reviewing policies offer cost-effective protection.

For instance, districts should have a clear procedure for a ransomware attack. Oxford did not have a written plan beforehand. In addition to developing one, the district now has system redundancy with offsite backup servers. If it falls victim again, the network can be restored within a day, avoiding the need to pay a ransom.

A ransomware response plan should include isolating infected computers, alerting other users, securing backup systems and notifying law enforcement, according to the U.S. Department of Justice. Afterward, all user and network passwords should be changed.

At Township, Bockwoldt created an internal cybersecurity advisory team from across the district that meets monthly to discuss policy and new threats, as well as improving security awareness. For example, the team partnered with the human resources department to overhaul a cybersecurity slide presentation, and then required all district personnel to watch it.

Superintendents may consider meeting annually with IT administrators to discuss staff responsibilities and necessary security upgrades. Written security policies, incident response plans and network backup procedures should be developed and regularly updated.

How to move to the cloud (cont.)

4. Have you considered that metrics collection, system performance and security monitoring are also more difficult in the cloud, due to a district’s inability to customize to specific needs? Understand key aspects of security-related metrics—such as data mitigation, integrity and confidentiality—before any move to the cloud.

Looking to the cloud

Following the lead of the Central Intelligence Agency and many businesses, districts are increasingly moving vital student data to cloud-based platforms.

“The way forward for school systems is the cloud,” says Wood of Telos Corporation, the cybersecurity firm. In addition to increased security, he touts the cloud’s scalability, reliability and cost-effectiveness.

Many districts deal with legacy systems that are not connected, creating access management problems, says Wood. For instance, if a teacher leaves, multiple systems must remove that person’s credentials so they can no longer log in and access student files. With a cloud-based option, such an update can be made across all systems at once.

The cloud also supports multifactor authentication—a multistep login process that increases security. Also, updates in state or federal cybersecurity standards get applied automatically.

“While most cloud systems are redundant, and have different security mechanisms, districts must be careful to fully vet and evaluate a service,” says Bockwoldt. “Contracts must be reviewed to ensure the systems will in fact be safe and keep student data private.”

On the downside, hackers have begun targeting cloud-based networks in efforts to steal data. District tech staffs also have less control over a cloud service—they may not know if there has been a breach or have any ability to make customizations.

When considering any new product, it always comes down to measuring protection expenses against the financial impact of an extended loss of network service.

“People think, ‘It can’t happen here,’ but odds are, it will at some point,” says Harvey, Oxford’s superintendent. “Being proactive and prepared for it is a much easier process than cleaning up after the fact.”