“Smaller school districts are absolutely at a disadvantage. The smaller and mid-tier school districts, especially the K-12s, really need to band together.”
So says James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Transformation and former chief information officer for the FBI, in response to a ransomware attack targeting the second-largest school district in the country.
The Los Angeles Unified School District, like many others, was targeted by what Turgal calls a “mid-level ransomware organization” called Vice Society on Saturday, Sept. 3. The attack took LAUSD’s website offline and cut staff and students off from their email and from the education systems employees use to take attendance and upload lessons.
Three days after the attack, the FBI and CISA released a joint advisory warning districts to anticipate an increase in cyberattacks this school year. “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cybercriminals can still put districts with robust cybersecurity programs at risk,” the advisory reads.
In an effort to #StopRansomware, the #FBI and @CISAgov issued a joint #CybersecurityAdvisory about the Vice Society ransomware threat. It recommends steps organizations should take to reduce the likelihood of ransomware incidents. https://t.co/APJRyz2eTx pic.twitter.com/qHgeQBBns5
— FBI (@FBI) September 6, 2022
This incident has cyber criminology experts like Turgal concerned for smaller districts that inevitably don’t have the same IT capabilities as larger districts. “LA Unified is what, the second-largest in the country?” he asks. “So they have probably a fairly significant—comparatively speaking—IT budget.”
For districts that don’t have a strong security network, building a cohesive information network with other districts is imperative. “There’s a lot to be gained and a lot to be learned if you basically band together,” Turgal says.
He encourages districts to join The K12 Security Information eXchange (K12 SIX). “It is basically an information-sharing exchange for K-12 types of schools,” he says. “I’ve been involved throughout my FBI career in a number of different information-sharing and analysis centers, and it’s basically that industry getting together and sharing data about the tactics, techniques and procedures that they’re being attacked with.” Doing so, he says, allows law enforcement agencies that are also members of these groups to identify and respond to these incidents.
Preventing a ransomware attack
“You don’t know what you don’t know, and you can’t protect what you can’t see,” Turgal notes. He recommends that schools professionally assess their security network to identify weak points as their first step in mitigating a cyberattack.
“The first thing you have to do is understand what are the vulnerabilities and gaps on your networks in your ecosystem,” he says. “Have a cyber-risk assessment done. Very first thing. Because once you know, you now have a roadmap so you know what those vulnerabilities and gaps are. You can then prioritize, ‘O.K., what’s the most important data I’m trying to protect?’”
For K-12 districts, the priority is the confidentiality of students’ personal information, such as medical records, grades and other student data. According to Turgal, that information is what makes the education sector such an easy target. “There’s a ton of organizations out there, like threat organizations, that love going after PII from schools because they can then sell that to organized crime groups that are then starting to basically build profiles based on all that PII and create massive amounts of fraud.”
Responding to a ransomware attack
Unfortunately for many schools, he explains, obtaining sophisticated backup systems isn’t an option. In the event of a ransomware attack, he advises every school to immediately contact the authorities.
“If they have backups, more likely than not their ecosystem is not mature enough to have segregated or segmented those backups to the point where they also won’t be infected,” he says. “These guys know what to look for. They’re always looking for backup systems to infect everything. You absolutely need to call the FBI. That’s the first thing you need to do. And then start to have that forensic examination done as to how they entered your system.”
What’s driving an increase in cyberattacks?
The bottom line, Turgal emphasizes, is that K-12 is an easy target for newer cyber criminal organizations. He argues that several well-known organizations have moved on to larger targets, thus paving the way for up-and-coming ransomware actors.
“There are probably more actual ransomware threat actors out there now than there were before,” he says. “And those smaller groups are going to hit the easy targets first because, let’s face it, the Contis and the REvils of the world have moved on to bigger targets, right? Conti hit the country of Costa Rica. They ransomed an entire country’s infrastructure and held it hostage for $20 million bitcoin.”
These high-profile organizations, he adds, have paved the way and opened up the market for smaller and opportunistic organizations to start with easy targets, which unfortunately are K-12 and higher education.
“No matter how young or how old, most of these institutions have been around for a very long time,” he says. “Their security has been, in my opinion, bolted on over the years, and they were never designed with security in mind. Most education, even higher ed to this day, their whole purpose is to share information.”
“There’s an inherent conflict between cybersecurity protecting information and locking it down versus education’s goal to share information. It’s a real struggle.”