Just when we thought 2020 couldn’t get any worse, cyber attackers are finding new ways to capitalize on our highly technology-dependent society. They’ve always looked to industries like medical and manufacturing as an attack surface, but in the era of COVID, the landscape is rich with fresh targets that are ill-prepared to fend off attacks.
The latest victims gaining publicity since August are our educational institutions. Specifically targeting the often under-funded and short-staffed K-12 systems, attackers are leveraging ransomware to disrupt, now primarily internet-based, learning platforms in use by 100,000’s of students across the United States.
One of the most recent attacks came the day before Thanksgiving against Baltimore County Schools, causing a total outage for around 115,000 students. While this attack is still under investigation, it’s believed to be Ryuk ransomware. Typically delivered by Trickbot, Ryuk can also be delivered via email or by attacking poorly secured network perimeters. While the goal of Ryuk is typically to receive ransom payment via Bitcoin, other attacks are more nefarious.
Another attack on Fairfax County Public Schools in Virginia didn’t seek to apply pressure via disruption, but instead disclosure. The MAZE threat group has gained notoriety lately because of their exfiltration tactics wherein the data encrypted by the ransomware is also uploaded to the attacker, where it can be leveraged for ransom payment. If the ransom isn’t paid, they publish the information stolen.
Just this week Huntsville City Schools also had a ransomware attack that closed the 24,000-student school system. The Federal Bureau of Investigation is still working to determine the exact information that was compromised.
With the rate of these attacks going up, what are school systems to do?
- Perform an assessment. Have a 3rd party perform a full assessment on existing security posture. Identify security controls that are in place, audit the configuration of security tools, and assess the policy and procedures in use.
- Develop a roadmap. With the assessment complete, identify primary areas of risk to the organization and mitigation techniques to lower the risk. If a risk is unacceptable, but the resources aren’t available for mitigation, look to transfer the risk to a 3rd party like a Managed Security Service Provider (MSSP) or Managed Detection and Response (MDR) service.
- Leverage the recent attacks, and subsequent fallout, to petition for additional funding. School boards have no desire to end up in the news for being breached, especially during the times of COVID-19, and they’re paying attention to those who are breached. Present the current risk to the organization, the plan to mitigate the risk, and the associated cost.
- Implement and operationalize security controls. It’s not enough to buy products — the same way you can’t get in shape from buying a gym membership. Products without people, policy, and procedure are shelfware. Develop an action plan for each mitigation control to ensure proper response measures can be taken should a true-positive be detected. This is another area where working with a Security Partner, MSSP, or MDR could be handy.
- Test again. An untested security program provides a false sense of security to the organization. Reassess to determine if the mitigations put in place are sufficient for the organizations risk tolerance.
Learn more about how CRITICALSTART is helping educational institutions across the nation put in place MDR best practices that fit the needs of their environment. CRITICALSTART provides a technology-agnostic approach to MDR that offers complete transparency and flexibility, resolves all alerts and stops breaches.