EXECUTIVE SUMMARY:
Earlier today, US agencies released a joint advisory pertaining to ransomware attacks on American schools. The advisory arrives on the heels of a recent ransomware attack that resulted in the unprecedented shutdown of computer systems belonging the second largest school district in the US.
Over Labor Day weekend, Los Angeles Unified School District, which serves more than 640,000 students, reported disrupted access to systems, including email servers, later qualifying the event as a ransomware attack.
The District contacted officials, and the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to offer rapid incident response support.
1,000 cyber attacks
High-profile ransomware attacks targeting US schools are becoming increasingly common. Last year, ransomware attacks disrupted learning across roughly 1,000 US institutions. Authorities anticipate that these types of attacks may increase with the commencement of the 2022/2023 school year.
Cyber attacks within the education sector can affect networks and data, result in exam delays, lead to canceled school days, and to the theft of students’ personal information, which hackers sometimes sell for profit. Stolen data can also be used in double-extortion attacks and for other nefarious purposes.
Although school districts with limited resources and cyber security capabilities are generally considered to be at the greatest risk of ransomware attacks, opportunistic hacker targeting can jeopardize the operations of school districts with strong cyber security programs, according to the joint advisory.
Network defense
Authorities advise network defenders to take measures that will limit the impact of ransomware attacks. These include prioritizing and remediating known vulnerabilities, training staff to recognize and report phishing attempts and enabling multi-factor authentication.
The Federal Bureau of Investigation and the Cybersecurity Infrastructure and Security Agency also recommend that education sector organizations establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. Such partnerships will assist analysts in identifying vulnerabilities and mitigating potential threat activities.
Further CISA recommendations
The Cybersecurity and Infrastructure Security Agency encourages education sector groups to take the following cyber incident preparedness measures:
- Maintain offline data backups. These backups should be maintained and restored on a regular basis.
- Ensure that backup data is encrypted and immutable.
- Examine existing data backups to ensure that they are not already infected.
- Review the security posture of third-party institutions and organizations whose security weaknesses could potentially compromise your systems.
- Implement listing policies for applications and remote access, only enabling systems to execute known and approved programs.
- Document and monitor external remote connections and solutions applied.
- Implement a recovery plan that will assist with any potential data loss induced by a cyber attack.
Education sector groups should follow these identity and access management measures:
- All accounts should comply with National Institute of Standards and Technology standards in relation to password policies.
- Passwords should consist of at least 8 characters and no more than 64 characters.
- Passwords should be stored in hashed format using industry-recognized password managers.
- Implement failed login attempt account lockouts.
- Refrain from requiring password changes more often than once per year unless a password is known to have been compromised or suspected of such.
- Require administrator credentials for software installation purposes.
- Apply phishing-resistant multi-factor authentication for all services.
- Explore domain controllers, servers, workstations and active directories for new and unrecognized accounts.
- Create regular user account audits and ensure that access controls are configured in accordance with the principles of least privilege.
- Implement time-based access for accounts logged at the admin level or above.
For the comprehensive list of CISA’s recommendations, please see the recent advisory page.
Closing thoughts
For education sector groups, lack of funding and resources can make cyber security a challenge. But the increase in volume and complexity of attacks indicates that cyber security technology investments are well-worth the costs.
If your education sector organization is looking for robust ransomware protection, Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. Learn more here.
Lastly, to receive more timely cyber security news, insights into emerging trends and cutting-edge analyses, please sign up for the cybertalk.org newsletter.