ATLIS Cyber Threat Assessment February 2018

ATLIS views cybersecurity as a critical area of concern for technology leaders in independent schools. In this post, you will find the February 2018 update of the ATLIS Cyber Threat Assessment. Are you ready for a deeper dive into securing your school from cyber threats? Learn more about our two-day cybersecurity workshop, designed specifically for technology leaders and risk management professionals, to be held this summer, July 19-20, at Trinity Valley School in Fort Worth, Texas. -- SD


The ATLIS Cybersecurity Advisory Panel, composed of ATLIS members and cybersecurity professionals, has identified and prioritized the top nine threats currently facing independent schools. To compile the list, the panel reviewed the 2017 Verizon Data Breach Investigations Report, ATLIS member surveys and data, the experiences of Compass Cyber Security’s clients, and RSM, LLC’s 2017 Cybersecurity Outlook and Key Considerations for Nonprofits.

1. Email Inboxes

Email is the source of over 80% of successful cyber attacks. The attacks typically take the form of ransomware, phishing, and Business Email Compromise (BEC), in which an attacker impersonates a head of school, business officer, or vendor to redirect a payment or extract protected data. No single control stops all three, so the most effective defense combines employee training with technical controls:

● simulated phishing exercises, so that staff learn to recognize lures before a real one arrives;
● email filtering for spam, malicious attachments, and spoofed senders;
● multi-factor authentication on email accounts, so that a phished password alone does not give an attacker the inbox.
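As an added example (not part of the ATLIS assessment or the panel's material), the following Python script screens raw messages for the header patterns that characterize Business Email Compromise: a trusted display name on an outside address, a Reply-To that diverges from From, a lookalike of the school's own domain, and payment-urgency language in the body. The school domain, the trusted names, and both sample messages are constructed for the example; `looks_like` and `screen` are hypothetical helper names, and the heuristics are deliberately simple so the logic is visible.

```python
"""Heuristic screening for Business Email Compromise (BEC) indicators.

Added example, not code from ATLIS or the panel. The domain, trusted names
and sample messages below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SCHOOL_DOMAIN = "example-school.org"                                # assumption
TRUSTED_NAMES = {"head of school", "business office", "jane doe"}   # assumption
# Phrases that recur in payment-diversion lures.
URGENCY = re.compile(r"\b(wire|urgent|immediately|gift cards?|confidential)\b", re.I)


def sender_domain(addr: str) -> str:
    """Lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, target: str) -> bool:
    """True when domain imitates target without being target or a real subdomain of it."""
    if not domain or domain == target or domain.endswith("." + target):
        return False
    if target in domain:                    # e.g. example-school.org.attacker.net
        return True
    return edit_distance(domain, target) == 1   # e.g. example-schoo1.org


def screen(raw: str, school_domain: str = SCHOOL_DOMAIN) -> list[str]:
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = sender_domain(reply_addr)
    flags = []
    if name.strip().lower() in TRUSTED_NAMES and from_dom != school_domain:
        flags.append("trusted-name-external-address")
    if looks_like(from_dom, school_domain) or looks_like(reply_dom, school_domain):
        flags.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if len(URGENCY.findall(body)) >= 2:
        flags.append("payment-urgency-language")
    return flags


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """From: Head of School <headofschool@webmail-example.net>
Reply-To: accounts@example-schoo1.org
To: business.office@example-school.org
Subject: Urgent request

Are you at your desk? I need a wire sent immediately and kept confidential.
"""

BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example-school.org>
To: staff@example-school.org
Subject: Faculty meeting

Reminder that the faculty meeting is Thursday at 3 pm in the library.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {screen(raw) or 'no indicators'}")
```

Rules like these belong in the mail filter or a transport rule, not in a script staff run by hand; the point of the example is that the indicators are visible in headers the filter already has, before any user reads the message.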

2. Employee Mistakes

Employees at schools have accidentally disclosed sensitive information to third-party vendors, have broken policies by storing sensitive data in unauthorized locations, and have been duped into sending money and protected data to criminals.
Protect against employee mistakes by

● regularly reviewing school policies;
● discussing policies with users of sensitive or protected data;
● providing ongoing professional development around cyber threats.

3. Out-of-Date Software

The WannaCry ransomware attacks of May 2017 showed that out-of-date and unpatched operating systems leave schools vulnerable to a variety of attacks. The public leak of National Security Agency exploitation tools, which WannaCry used to spread between unpatched Windows machines, makes keeping school systems current more important than ever.

To minimize risk, keep computers up-to-date by adopting these practices:

● use a patch management system, such as Meraki or Windows Server Update Services (WSUS) for Windows hosts;
● consider limiting end-users’ administrative rights on school-issued computers, so that malware running as the user cannot install itself system-wide;
● maintain an application whitelist of programs allowed to run;
● establish a vetting process for new applications before they are approved;
● conduct periodic vulnerability scanning to identify unpatched systems, and prioritize remediation by each system’s exposure and the severity of what it is missing, rather than treating every finding alike.
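The last item is where schools with small IT staffs tend to stall: the scanner produces a long list and nothing says what to fix first. The following Python script is an added example (not ATLIS or panel code) of turning an inventory into a prioritized remediation list. The inventory stands in for a scanner or management-console export, the baseline for the minimum versions the school's patch policy requires, and the role and exposure weights for a judgement the school would make about its own network; all of them, including the product names and version strings, are constructed for the example.

```python
"""Patch-compliance triage over a software inventory.

Added example, not code from ATLIS or the panel. Inventory, baseline and
weights are constructed assumptions, not real products or hosts.
"""
import re
from dataclasses import dataclass, field

# Exposure multipliers, an assumption a school would tune to its own network.
ROLE_WEIGHT = {"server": 2.0, "staff-laptop": 1.5, "lab": 1.0}
INTERNET_FACING_WEIGHT = 3.0

# Hypothetical minimum versions; real baselines come from vendor advisories.
BASELINE = {
    "os": "10.0.16299",
    "browser": "64.0.3282",
    "pdf-reader": "2018.011",
    "java-runtime": "1.8.0",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.0.16299' into (10, 0, 16299) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Host:
    name: str
    role: str
    internet_facing: bool
    software: dict[str, str] = field(default_factory=dict)   # product -> version


def find_gaps(host: Host, baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """(product, installed, required) for every product below the baseline."""
    gaps = []
    for product, required in baseline.items():
        installed = host.software.get(product)
        if installed is None:
            continue            # product not present, nothing to patch
        if parse_version(installed) < parse_version(required):
            gaps.append((product, installed, required))
    return gaps


def score(host: Host, gaps) -> float:
    """Severity = number of missing updates x exposure weight."""
    weight = ROLE_WEIGHT.get(host.role, 1.0)
    if host.internet_facing:
        weight *= INTERNET_FACING_WEIGHT
    return len(gaps) * weight


def prioritize(hosts, baseline=BASELINE) -> list[dict]:
    """Remediation list, most urgent first; compliant hosts are omitted."""
    report = []
    for h in hosts:
        gaps = find_gaps(h, baseline)
        if gaps:
            report.append({"host": h.name, "score": score(h, gaps),
                           "actions": [f"update {p} {i} -> {r}" for p, i, r in gaps]})
    report.sort(key=lambda r: (-r["score"], r["host"]))
    return report


# Constructed inventory (not real hosts).
INVENTORY = [
    Host("web01", "server", True, {"os": "10.0.15063", "java-runtime": "1.7.0"}),
    Host("fileserver", "server", False, {"os": "10.0.16299", "pdf-reader": "2018.011"}),
    Host("laptop-17", "staff-laptop", False,
         {"os": "10.0.15063", "browser": "63.0.3239", "pdf-reader": "2017.012"}),
    Host("lab-04", "lab", False, {"os": "10.0.14393", "browser": "64.0.3282"}),
]

if __name__ == "__main__":
    for entry in prioritize(INVENTORY):
        print(f"{entry['host']:<12} score={entry['score']:<5} " + "; ".join(entry["actions"]))
```

The ranking deliberately puts the internet-facing server with two missing updates ahead of the laptop with three: what an attacker can reach matters more than the raw count.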

4. Unencrypted Drives

When an unencrypted drive is lost or stolen, the school must treat every file on it as “out in the open.”
The panel recommends that schools encrypt all drives containing school data, laptops and removable media included. With full-disk encryption in place and the device powered off or locked when it went missing, the school can reasonably conclude that no data was released, which saves the time, pain, and expense of forensically accounting for and reporting every record on the drive as potentially exposed. Keep recovery keys in escrow so that a forgotten passphrase does not turn encryption into a data-loss event of its own.

5. Malicious Software

Malware is a general term for many types of malicious software, including spyware, viruses, worms, trojans, adware, and ransomware. These range from nuisances to serious threats.
To minimize the chance of individual computers becoming infected with malware:

● install comprehensive antivirus software on every machine;
● ensure that the protective software updates itself regularly and automatically;
● consider restricting end-users’ ability to download and install software.

6. Unauthorized Network Access

Criminals and vandals want to access school networks to steal valuable data, damage school equipment, and erase or encrypt files.
To reduce the likelihood of unauthorized access, address these essential practices:

● use a firewall;
● segment network traffic;
● scan the network regularly;
● review configurations, scans, and policies quarterly (or at the very least annually) to assess the potential for unauthorized access, keeping in mind the ingenuity and skill of bad actors;
● monitor logs from critical assets (firewalls, routers, servers) for suspicious behavior, such as a run of failed logins from one source followed by a successful one.
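The monitoring item is easiest to see with real detection logic, so here is an added example (not ATLIS or panel code) that runs two rules over sshd log lines: many failed logins from one source address inside a sliding window, and a successful login from a source that had just been failing. The log lines are constructed for the example, use documentation (TEST-NET) addresses and a fictional hostname, and syslog lines carry no year, so one is assumed when parsing.

```python
"""Detecting brute-force logins in sshd log lines.

Added example, not code from ATLIS or the panel. Sample log lines are
constructed; addresses are from the documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line: str, year: int = 2018):
    """Turn one sshd line into an event dict, or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    # Syslog timestamps omit the year, so a year is assumed here.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts in time order. Each source IP raises a given alert type once."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)    # ip -> timestamps of recent failures
    raised = set()
    alerts = []

    def alert(kind, e, count):
        if (e["ip"], kind) not in raised:
            raised.add((e["ip"], kind))
            alerts.append({"type": kind, "ip": e["ip"], "host": e["host"],
                           "user": e["user"], "at": e["ts"], "failures": count})

    for e in events:
        # Drop failures that fell out of the window before considering this event.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= fail_threshold:
                alert("brute-force", e, len(recent))
        elif len(recent) >= 3:
            # A success right after a run of failures is the one to act on first.
            alert("success-after-failures", e, len(recent))
    return alerts


# Constructed log excerpt (not real traffic). 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET.
SAMPLE_LOG = """\
Feb 12 02:14:07 fw01 sshd[2143]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 12 02:14:19 fw01 sshd[2143]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 12 02:14:33 fw01 sshd[2146]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Feb 12 02:14:51 fw01 sshd[2146]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Feb 12 02:15:02 fw01 CRON[2148]: (root) CMD (run-parts /etc/cron.hourly)
Feb 12 02:15:10 fw01 sshd[2149]: Failed password for jsmith from 203.0.113.7 port 51038 ssh2
Feb 12 02:15:24 fw01 sshd[2149]: Failed password for jsmith from 203.0.113.7 port 51038 ssh2
Feb 12 02:15:55 fw01 sshd[2150]: Accepted password for jsmith from 203.0.113.7 port 51040 ssh2
Feb 12 07:58:40 fw01 sshd[3101]: Failed password for mlee from 198.51.100.20 port 60112 ssh2
Feb 12 07:58:52 fw01 sshd[3101]: Accepted password for mlee from 198.51.100.20 port 60112 ssh2
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['at']:%b %d %H:%M:%S} {a['type']:<24} {a['ip']} user={a['user']} failures={a['failures']}")
```

The single mistyped password from 198.51.100.20 raises nothing, which is the point of the window and threshold: the rule should fire on the 02:15 session, not on every typo.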

7. School Affiliations

If a school is affiliated with a national, religious, or cultural identity that is frequently a target of cyber attacks, or if the school enrolls children from high-profile families, the school may be at increased risk for the above threats as well as for denial of service attacks and other purely disruptive or destructive events.

In these scenarios, the panel recommends subscribing to threat intelligence feeds from the Department of Homeland Security (see resource 3, below) and other federal agencies that can provide an early warning system. Parent organization networks may also prove valuable in assessing risks.

8. Doxing

Criminals have recently demanded extortion payments from schools to prevent the publication of sensitive information stolen from compromised systems. One of the most infamous examples involved an attack on Iowa’s Johnston Community School District in October 2017 (see resource 4, below). While still a relatively small threat, doxing highlights the increasingly sophisticated and creative ways hackers are finding to make money from targeted schools. Taking the steps listed above, particularly in 1, 2, 4, and 5, should help keep sensitive information out of the wrong hands.

9. Acts of God

Storms, power outages, and fires can disrupt school data and IT services and make everyday operations difficult. To address this possibility, the panel recommends these practices to help schools get up and running as quickly as possible after a disruption:

● equip the school with redundant systems, batteries, and generators;
● procure secure off-campus storage for data backups and essential server configurations, and periodically test that they can actually be restored.

This document contains general information for the use of our members. It is not a substitute for professional advice or services. This document does not constitute legal, technical, or other professional advice and you should consult a qualified professional advisor before taking any action based on the information included. ATLIS, its affiliates, and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person or organization.

Resources

  1. Verizon, 2017 Data Breach Investigations Report: Executive Summary, 2017, and the accompanying video, “How long since you took a hard look at your cybersecurity?”

  2. RSM, “Cybersecurity Outlook and Key Considerations for Nonprofits,” 2017.

  3. US-CERT (Computer Emergency Readiness Team) offers mailing lists and feeds for a variety of products, including the National Cyber Awareness System and Current Activity updates. The National Cyber Awareness System was created to ensure that you have access to timely information about security topics and threats.

  4. Linh Ta and Jason Clayworth, “‘Dark Overlord’ hackers posted stolen student info, Johnston officials say,” Des Moines Register, Oct. 5, 2017.

For more information, please contact Susan Davis, Prof. Development, ATLIS, [email protected]

© 2018 Association of Technology Leaders in Independent Schools, All Rights Reserved. Inquiries regarding this document should go to [email protected]


Comments on "ATLIS Cyber Threat Assessment February 2018"


Bill Freitas - Wednesday, March 21, 2018

This is a very timely post, and an area that we as IT Directors should be more focused on. The new reality is that many of these attacks are not targeted, so the fact that we are small schools is not enough to provide us protection - the "security by obscurity" approach. In addition to the great references provided above, the Center for Internet Security (CIS, founded by SANS) just released version 7 of their cybersecurity controls, designed to "secure your organization against the most common attack vectors": https://www.cisecurity.org/controls/. It's interesting that by security we often think "firewall". But the prioritized list of controls has boundary defense as #12. The first two are Inventory and Control of Hardware Assets and Inventory and Control of Software Assets. CIS estimates that implementing only the first 5 controls will prevent ~85% of attacks. Well worth reading.
