Cybersecurity: Your district can’t afford to make these avoidable mistakes

"Backups, backups, backups!" Maintaining complete, secured and offline backups is the most effective way schools can recover from cyberattacks, according to one expert.

2022 was a rather troublesome year for K12 schools across the country, no matter their size. One of the most prominent incidents was the ransomware attack on Los Angeles Unified, the second-largest school district in the nation, which sent a chill down the spines of smaller, less well-resourced school districts. And according to one expert, school districts are likely to be the number one target for finance-driven cybercriminals in 2023.

The education sector was revealed to be the most-targeted sector for cyberattacks in 2022. One of the most prominent groups behind these attacks was Vice Society, a “mid-level” cybercriminal organization, as described by one expert. The spike in cyberattacks against K12 schools prompted a joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). At the time, they advised school districts to anticipate continued attacks against districts and educational institutions. Now, in 2023, that awareness needs to be amped up.

Reflecting on 2022

TJ Sayers, cyber threat intelligence manager at the Center for Internet Security (CIS), says the past year revealed the top vulnerabilities in the education sector.

“Cyber threat actors displayed a pervasive and continuous interest in K12 throughout 2022, particularly as schools are information-rich targets that often have severely limited cybersecurity resources,” he says. “The secret is out: K12s are a target-rich and resource-poor sector. When it comes to ransomware operations, organizations with sensitive data and critical operations are key targets, as these two factors put significant pressure on victims to pay the ransom demand to restore operations and ensure their data isn’t exposed.”

“There certainly is no guarantee of either of these when dealing with criminals, of course, and indeed we have observed a rise in double and triple extortion over time,” he adds. “Given the trends we have observed year over year, the overall increase in the volume of cyberattacks was not unexpected. However, the apparent increase in K12 as a specific target, the rate of success, and the broader impact of ransomware attacks in the sector were unexpected.”

How cybersecurity prevention has evolved since the pandemic

With the pandemic came an abundance of technological innovations. While we saw major improvements in access to equitable education, for example with most schools going 1:1, it also created more avenues for cybercriminals to attack. Unfortunately, according to Sayers, prevention methods have hardly changed to combat the issue.

“Given the resource constraints within the K12 sector, existing funds were largely expended to establish hybrid and fully remote learning environments precipitated by COVID-19,” he explains. “In many K12 environments, the cybersecurity budget is but a small percentage of the overall IT budget which is itself a small fraction of the school’s overall operating budget. As with many other organizations that have availability requirements, security can be an afterthought to things like remote access to internal resources and applications. This is especially true when implementation is fast-tracked, which was certainly the case at the start of the pandemic.”

On the other hand, there has been a dramatic increase in focus on school security across the board.

“We expect to see more secure remote access policies, increased use of multi-factor authentication, better defined and managed network segmentation, improved identity management and associated trust decisions, more robust backups including offline backups that are regularly recovery tested (the single most effective recovery solution to ransomware), and even the increased adoption of low and no cost solutions through managed service providers (MSPs), the Federal Government, and organizations like ours,” he says.

Where is Vice Society?

As mentioned previously, Vice Society was one of the most dangerous cybercriminal groups to emerge in 2022. However, Sayers notes that districts shouldn’t focus solely on the entity but rather on their methods of attack, as they’re most likely to be repeated by other groups.

“The preeminent concern is the increased interest in K12s and the tactics, techniques, and procedures (TTPs) the cybercriminal community employs, not necessarily any one singular cybercriminal organization,” he says. “Cybercriminal groups and actors like Vice Society routinely crop up and conduct an array of attacks, then subsequently dissolve. The actors in the ‘name brand’ often move on to the next group where they employ similar TTPs against similar targets. This is especially common when groups like Vice Society gain media notoriety, as this infamy is almost always coupled with significant interest from federal law enforcement, not just in the U.S. but internationally.”

Common mistakes made by school districts handling cyberattacks

To put it simply, some mistakes are inevitable for resource-poor districts. However, Sayers says there are several avoidable mistakes that districts frequently make:

  • Not having an incident plan, leaving schools to “figure it out” during the crisis
  • Inadequate logs, which can delay response and recovery time
  • Having no backups, incomplete backups or corrupted backups, making true recovery “impossible”
  • Asset inventory is outdated, incomplete or nonexistent
  • Declaring victory without fully ensuring the threat has been resolved
  • Lack of “after-action analysis,” including staff training to prevent similar issues in the future

Predictions and recommendations for 2023

As schools tread onward through 2023, Sayers outlines three predictions for schools and administrators to be aware of.

  1. “K12s are likely to continue being a primary target for financially motivated threat actors.”
  2. “Ransomware groups are highly likely to remain the dominant threat with continued use of double and triple extortion tactics.”
  3. “Cyber insurance will become increasingly restrictive and inaccessible to resource-poor organizations like K12 schools.”

Districts can prepare by adhering to his threefold recommendation: backups, backups, backups!

“The critical need for backups and the complexity of properly implementing them is not trivial, but maintaining complete, secured, and offline backups is the single most effective way to recover from most attacks, including ransomware,” Sayers says. “The offline component is critical, as ransomware operators specifically aim to encrypt online or connected backups given that the ability to recover on your own means you’re less likely to pay the ransom. Once proper backups are in place, give a close look at effectively segmenting the network and ensuring that logs are stored in a centralized and out-of-band area on the network.”
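One way to catch the “incomplete or corrupted backups” failure before an incident rather than during one, as an added example that is not from the article or from CIS: a small integrity check that compares an offline backup copy against the manifest recorded when the backup was taken, and also flags a restore test that is overdue. The file paths, contents, dates and manifest format are all constructed for illustration.

```python
import hashlib
from datetime import date


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: what was on the source systems when the backup ran.
SOURCE_FILES = {
    "sis/students.db": b"student records (constructed)",
    "finance/payroll.csv": b"payroll export (constructed)",
    "ad/ntds.bak": b"directory backup (constructed)",
}
# Manifest written at backup time: path -> sha256 of contents (assumed format).
MANIFEST = {path: sha256(data) for path, data in SOURCE_FILES.items()}

# The offline copy as found later: one file missing, one silently corrupted.
OFFLINE_COPY = {
    "sis/students.db": SOURCE_FILES["sis/students.db"],
    "finance/payroll.csv": b"payroll export (corrupted)",
}


def verify_backup(manifest, backup_files, last_restore_test, today, max_age_days=30):
    """Report the failure modes the article names: incomplete (missing files),
    corrupted (hash mismatch) and never or rarely recovery-tested."""
    missing = sorted(p for p in manifest if p not in backup_files)
    corrupted = sorted(p for p, data in backup_files.items()
                       if p in manifest and sha256(data) != manifest[p])
    unexpected = sorted(p for p in backup_files if p not in manifest)
    stale = (last_restore_test is None
             or (today - last_restore_test).days > max_age_days)
    return {
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "restore_test_stale": stale,
        "recoverable": not missing and not corrupted and not stale,
    }


def demo_report():
    # Last restore test on 2023-01-02, checked on 2023-03-01 (58 days later).
    return verify_backup(MANIFEST, OFFLINE_COPY, date(2023, 1, 2), date(2023, 3, 1))


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Run against a real manifest, the same check turns “we have backups” into evidence of which files would actually come back.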

Micah Ward
Micah Ward is a District Administration staff writer. He recently earned his master’s degree in Journalism at the University of Alabama. He spent his time during graduate school working on his master’s thesis. He’s also a self-taught guitarist who loves playing folk-style music.