Combating the Rise of the K-12 Cyberattack
February 01, 2024
Superintendents draw on their districts' recent victimization to encourage expediency and strategic planning

On a Wednesday in January 2022, Albuquerque Public Schools' technology team detected something fishy in the student information system. Hackers had breached the district's Synergy Student Information System with a ransomware attack.
“We shut everything down immediately,” says Scott Elder, superintendent of the 70,000-student district. “We were forced to close Thursday and Friday” before reopening after Martin Luther King Jr. Day.
The attack was part of an intensifying trend of cyberattacks on K-12 districts, as criminals often perceive schools to be easy prey. Cyberthieves presume schools maintain low defenses compared with large corporations or federal government agencies. Hackers also recognize that public schools benefit from consistent, stable funding pipelines compared with many private companies.
Ransomware attacks last year impacted 1,981 schools across the U.S., almost double the 1,043 schools affected in 2021, according to a report by anti-malware company Emsisoft. Albuquerque was one of 45 U.S. school districts hit by ransomware attacks in 2022, the report said.
The uptick has challenged superintendents nationwide to respond more quickly and effectively to cyberattacks, to step out of their familiar comfort zone as educators and to prioritize tech defense at a higher level.
In Albuquerque, Elder says the cybersecurity contingency plan triggered the school shutdown as well as a process to review movement of students' data. But because the district had no vendor contracts specifically for cyberattack response, the district made an emergency school board request for more than $250,000, to be paid to the cyber forensics company conducting the audit, the superintendent says.
The contract yielded immediate results, as auditors determined that hackers had encrypted students' personally identifiable information without moving the data anywhere.
From the experience, the district learned future cybersecurity contracts should be executed before an intrusion occurs.
Assessing Vendors
Hackers often target school districts through their business vendors, such as Synergy SIS, as education companies store large tranches of teachers' and students' personal information, regarded as currency for cyberthieves seeking to profit from data theft. K-12 cyberattacks are so common that the Consortium for School Networking released a tool for districts to use before agreeing to a service contract.
The FBI and local police department advised the Albuquerque district to generalize descriptions of the cyberattack and to judiciously omit in public communications the more granular details of the law enforcement investigation, Elder says.
“You don't know what the bad actors are listening to,” he says. “You want to make sure you just give them enough information to say, ‘The data breaches occurred. At this time, it doesn't appear that anything's been compromised. We're moving forward [with] mitigation, and as soon as we can open [schools], we'll let you know.’”
Because no data had been compromised, the attack did not force district officials to consider paying ransom.
In the aftermath of the incident, the district created a new position for a chief security officer to specifically focus on cybersecurity, a change from the district's former treatment of cybersecurity as one among several information technology priorities.
Cyber-Protection Emphasis
For many superintendents, cybersecurity is a secondary consideration in a world of competing financial, academic and social priorities. Often, school districts don't think to prioritize cybersecurity with any specific financial or strategic direction until an intrusion occurs.
Shannon Goodsell, superintendent of the 2,000-student Window Rock Unified School District, located in Navajo territory in Arizona, called the recent surge in K-12 cyberattacks “uncharted waters,” adding that it's testing school leaders in new ways.

“I'm an educator,” Goodsell says. “I teach kids. I don't do cybersecurity. We hire people to do that, and I think that you'll find that with 95 percent of all the superintendents that you talk to.”
But when Ivory Coast-based hackers launched a Trojan Horse attack on Window Rock's financial data in August 2022, Goodsell entered the fray. The thieves put up a firewall around the data and held it for $1 million ransom.
“We told them no, and we kind of stalled,” he says. “We had our insurance company techies battle the internet pirate techies in what I call the ‘Great Techie War’ of us trying to hack their firewall.”
For two weeks, Window Rock's cyber insurance company couldn't hack the thieves' firewall. But then Goodsell devised a solution: a double firewall. “What I ordered then is [to] put up an encrypted firewall around their firewall, [which] sealed all of that financial data for forever,” he says.
Neither Window Rock nor the hackers could access the data at that point, reflecting a kind of stalemate between the two sides. Window Rock worked with the FBI, CIA and Department of Homeland Security to ensure students' and teachers' data remained safe after the breach.
Though employee payroll and vendor payments were two weeks late because of the breach, no students' or teachers' personal data were compromised, according to Sheldon Yazzie, director of technology for Window Rock schools. Staff were reassured they would get repaid for any overdraft fees through the district's insurance carrier.
Fortunately and proactively, the district had purchased cyber insurance the third week of July 2022, about two weeks before the attack, according to a CoSN blog post by Goodsell. Though the insurance was in place, the superintendent said he would give his district a cybersecurity rating of 4 out of 10 at the time of the breach.
Window Rock USD had reached out to all K-12 districts in Navajo and Apache counties to get advice on responding to the breach, yet 90 percent of those districts didnât have a cybersecurity response plan in place, Yazzie says. Neither did Window Rock.
But even as districts look to nestle cybersecurity into their ever-evolving priority lists, Yazzie recommends that districts take several baby steps to shore up their IT networks.
These baby steps include some form of domain name system, or DNS, protection, which filters unwanted traffic and puts suspicious URLs on a blacklist. Yazzie also suggests the use of local administrator password solutions, which randomize passwords on servers, minimizing the ability of cybercriminals to access entire networks if they somehow gain access to these passwords.
Further, districts can fortify their cybersecurity through routine use of multifactor authentication and through strengthened endpoint detection and response services, which are installed on users' devices and essentially merge antivirus and malware detection functions.
Spear-Phishing Detection
The 39,000-student Beaverton Public Schools, located in a suburb of Portland, Ore., was alerted to a spear-phishing attack about seven years ago after the manager for a high school construction project noticed none of the applications on her district-issued laptop were working correctly.
The hackers crafted a fake e-mail posing as one of the companies she did business with, according to Beaverton's chief information officer, Steven Langford. The e-mail requested the manager approve some adjustments for the $180 million project and took her to Adobe's sign-in page. Her login failed, but cybercriminals now had her credentials.
The Nigeria-based hackers hoped that obtaining the credentials would set the stage to wire-transfer some project funds into their account.
But Beaverton benefited from sound accounting practices that prevented wire transfers at the time, Langford says. The district policy requires that bank information is never provided over the phone, even if a caller identifies him or herself as an employee of a district vendor.
With the stolen credentials, the hackers' “quick score” would have been the finance account numbers, Langford says, and the FBI had informed the district that the hackers hunted hundreds of victims this way. “They were monitoring, waiting for the [money] to come in, so they could make the transfer, make the switch, pull the money and go,” he says.
The school district already was using role-based security at the time, but since then has implemented virtual private network access for critical applications, intrusion-detection applications to monitor anomalous traffic and multifactor authentication, among other measures.
Cloud Data Transfers
Though it's never good when a cyberattack hits a school district, the summer 2019 timing of cyberterrorists' intrusion into the financial system of Coventry Public Schools, located southwest of Providence, R.I., blunted the potential educational impact on the district's 5,000 students.
The district's insurance company paid about $300,000 in ransom to Eastern Europe-based cyber thieves after the hackers encrypted the district's financial system in July 2019, according to Craig Levis, who was Coventry's superintendent at the time. As soon as he became aware the attack was ransomware-based, he gave the cyber insurance company broad control over the technical and tactical aspects of the response.
The ransom payment and negotiation yielded a digital key that allowed the district to regain access to its financial system. To independently troubleshoot the problem without paying ransom would have taken months, Levis says.
“The state police [told] us not to pay their ransom for attack,” he says. “But we needed our financial data back.”
Despite the criminals' loathsome activities, the hackers had an “honor amongst thieves” reputation, wherein their victims regularly reported they received their data back following the ransom payment, Levis says.
The timing of the mid-summer attack allowed the district to fully rectify the data issue before students returned to school in the fall. But unanticipated issues arose in the days after the breach. Coventry's servers went down for five days, catalyzing a shutdown of the digitally controlled HVAC system in the district's middle schools. Black mold spread throughout the facilities, Levis says.
Insurance covered $500,000 in mold remediation during the following three weeks.
Summer break gave the district ample time to wipe clean all of its Chromebooks and desktops of “any information or any software” after the intrusion, Levis says. Those devices were reloaded with proper software before the start of school.
Coventry transferred all financial data from physical servers to the secure cloud because bad actors had poked around those physical servers for several months, Levis says. It's quite easy for hackers to gain access to targets' personal data residing in physical servers that have already been breached.
“All it takes is somebody opening up an attachment,” Levis says. “That bad actor has access to everything.”
Brian Bradley is a freelance education writer in Bunker Hill, W.Va.
Common Types of K-12 Cyberattacks
While cyberattacks span a wide spectrum of breaches, there are a few types that K-12 administrators should look out for. This list is not exhaustive but should provide some tips on how to identify certain attacks.
Ransomware.
This form of attack locks one or more information technology systems until schools pay the attacker. Albuquerque Public Schools in New Mexico and Coventry Public Schools in Rhode Island both encountered this type of attack, with hackers encrypting the former's student information system and the latter's financial system.
As soon as hackers breached Coventry, district employees' financial system login info wasn't working. The e-mail service shut down as well. In Albuquerque's attack, the district's technology security team examined the network and detected that potentially someone other than faculty and students had intruded into the SIS.
In both cases, the districts sent out notifications immediately. Albuquerque immediately closed school for two days. Coventry didn't have that need because its attack happened in July. However, the district instructed staff not to use their work e-mail until the investigation had concluded.
Trojan Horse.
A Trojan Horse attack involves hiding a malicious program inside an apparently legitimate one. When the ostensibly harmless program is used, hidden malware can open a backdoor through which hackers can penetrate the K-12 network.
Window Rock Unified School District in Arizona encountered this type of attack. “The first thing that [the attack] tried to do is to take the [financial] account codes and then take the money and then wire-transfer it out to banks,” Shannon Goodsell, the district superintendent, says. Window Rock's check-and-balance system prevented any money from getting wired, as new wire-transfer requests must go through county financial processes, and even Goodsell doesn't have the authority to randomly send funds.
To prevent Trojan Horse attacks, cybersecurity company Fortinet recommends users not download or install any programs until or unless the source can be verified.
Phishing.
Steve Langford, chief information officer in Oregon's Beaverton Public Schools, describes the classic phishing attack as a “spray and pray” ordeal. Hackers send a spurious e-mail to a wide range of recipients in a network, hoping one person will click a link that will siphon their personal credentials. Bad actors phished Beaverton this past Sept. 1, with customized e-mails sent to every school in the district appearing to be from each school's principal.
Cybercrime outfits research the writing of organizational leaders, such as building principals, Langford says. “They follow on Facebook. They get access to everything published on the web. They get the CEO's voice,” he says.
Fortinet advises users to think carefully about the types of e-mails they open, to pay close attention to e-mail headers and not click on anything that looks suspicious.
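As an added example (not code from the article or from any of the districts it describes), the header check below shows one concrete form of the advice above: flag a message whose From display name matches a known school leader while the address sits outside the district's own mail domain, the pattern behind e-mails "appearing to be from each school's principal", and also flag a Reply-To that points somewhere other than the sender. The district domain and the leader names are constructed placeholders.

```python
"""Header check for look-alike 'from the principal' e-mails.

Constructed example: KNOWN_LEADERS and DISTRICT_DOMAIN are placeholders a
district would replace with its own directory and mail domain.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

DISTRICT_DOMAIN = "example-district.test"      # constructed placeholder
KNOWN_LEADERS = {"pat rivera", "sam okafor"}    # constructed names, lower-case


def check_headers(raw_message: str) -> list[str]:
    """Return warning strings for a raw RFC 5322 message; empty list = nothing flagged."""
    msg = Parser(policy=policy.default).parsestr(raw_message, headersonly=True)
    warnings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display-name impersonation: a leader's name on an address we do not own.
    if name.strip().lower() in KNOWN_LEADERS and domain != DISTRICT_DOMAIN:
        warnings.append(f"display name '{name}' matches a known leader but sender domain is '{domain}'")

    # Reply hijack: replies silently routed to a different mailbox than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr.lower():
        warnings.append(f"Reply-To '{reply}' differs from From '{addr}'")
    return warnings


# Constructed sample messages (headers only), one look-alike and one genuine.
SPOOFED = """\
From: Pat Rivera <pat.rivera.principal@webmail-lookalike.test>
Reply-To: payments@webmail-lookalike.test
To: staff@example-district.test
Subject: Quick favor before the board meeting

"""
LEGIT = """\
From: Pat Rivera <pat.rivera@example-district.test>
To: staff@example-district.test
Subject: Staff meeting agenda

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_headers(raw) or "no findings")
```

This is a name-and-domain heuristic a help desk or mail-flow rule could apply; it complements, rather than replaces, SPF/DKIM/DMARC evaluation done at the mail gateway.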
Spear-Phishing.
This is more sophisticated than basic phishing but follows the same general format of bad actors relying on a target to provide their credentials through clicking a spurious link. Unlike phishing, spear-phishing identifies a specific, high-value target ahead of time, where cybercriminals tailor an e-mail in hopes of gaining access to that target's data.
Criminals sought a $50,000 to $100,000 wire transfer following a spear-phish of Beaverton's network in 2015, Langford says. Much like cyberthieves' attempt to extort Window Rock via wire transfer, Beaverton's policies and processes weren't even set up to enable such a wire transfer eight years ago, Langford says. “We had additional protocols in place, so that we could mitigate the risks.”
– Brian Bradley