Superintendents draw on their districts' recent victimization to encourage expediency and strategic planning
On a Wednesday in January 2022, Albuquerque Public Schools' technology team detected something fishy in the student information system. Hackers had breached the district's Synergy Student Information System with a ransomware attack.
"We shut everything down immediately," says Scott Elder, superintendent of the 70,000-student district. "We were forced to close Thursday and Friday" before reopening after Martin Luther King Jr. Day.
The attack was part of an intensifying trend of cyberattacks on K-12 districts, as criminals often perceive schools to be easy prey. Cyberthieves presume schools maintain low defenses compared with large corporations or federal government agencies. Hackers also recognize that public schools benefit from consistent, stable funding pipelines compared to many private companies.
Ransomware attacks last year impacted 1,981 schools across the U.S., almost double the 1,045 schools affected in 2021, according to a report by anti-malware company Emsisoft. Albuquerque was one of 45 U.S. school districts hit by ransomware attacks in 2022, the report said.
The uptick has challenged superintendents nationwide to respond more quickly and effectively to cyberattacks, to step out of their familiar comfort zone as educators and to prioritize tech defense at a higher level.
In Albuquerque, Elder says the cybersecurity contingency plan triggered the school shutdown as well as a process to review movement of students' data. But because the district had no vendor contracts specifically for cyberattack response, the district made an emergency school board request for more than $250,000, to be paid to the cyber forensics company conducting the audit, the superintendent says.
The contract yielded immediate results, as auditors determined that hackers had encrypted students' personally identifiable information without moving the data anywhere.
From the experience, the district learned cybersecurity contracts should be executed before an intrusion occurs.
Assessing Vendors
Hackers often target school districts through their business vendors, such as Synergy SIS, as education companies store large tranches of teachers' and students' personal information, regarded as currency for cyberthieves seeking to profit from data theft. K-12 cyberattacks are so common the Consortium for School Networking released a tool (cosn.org/tools-and-resources/resource/k-12cvat) for districts to assess the strength of vendors' information, data and cybersecurity policies before agreeing to a service contract.
The FBI and local police department advised the Albuquerque district to generalize descriptions of the cyberattack and to judiciously omit in public communications the more granular details of the law enforcement investigation, Elder says.
"You don't know what the bad actors are listening to," he says. "You want to make sure you just give them enough information to say, 'The data breaches occurred. At this time, it doesn't appear that anything's been compromised. We're moving forward [with] mitigation, and as soon as we can open [schools], we'll let you know.'"
Because no data had been compromised, the attack did not force district officials to consider paying ransom.
In the aftermath of the incident, the district created a new position for a chief security officer to focus specifically on cybersecurity, a change from the district's former treatment of cybersecurity as one among several information technology priorities.
Cyber-Protection Emphasis
For many superintendents, cybersecurity is a secondary consideration in a world of competing financial, academic and social priorities. Often, school districts don't think to prioritize cybersecurity with any specific financial or strategic direction until an intrusion occurs.
Shannon Goodsell, superintendent of the 2,000-student Window Rock Unified School District, located in Navajo territory in Arizona, called the recent surge in K-12 cyberattacks "uncharted waters," adding that it's testing school leaders in new ways.
"I'm an educator," Goodsell says. "I teach kids. I don't do cybersecurity. We hire people to do that. And I think that you'll find that with 9[?] percent of the superintendents that you talk to."
But when Ivory Coast-based hackers launched a Trojan horse attack on Window Rock's financial data in August 2022, Goodsell entered the fray. The thieves put up a firewall around the data and held it for $1 million ransom.
"We told them no, and we kind of stalled," he says. "We had our insurance company techies battle the internet pirate techies in what I call the 'Great Techie War' of us trying to hack their firewall."
Window Rock's cyber insurance company for two weeks couldn't hack the thieves' firewall. But then Goodsell devised a solution: a double firewall. "What I ordered then is [to] put up an encrypted firewall around their firewall [which] sealed all of that financial data for forever," he says.
Neither Window Rock nor the hackers could access the data at that point, reflecting a kind of stalemate between the two sides. Window Rock worked with the FBI, CIA and Department of Homeland Security to ensure students' and teachers' data remained safe after the breach.
Though employee payroll and vendor payments were two weeks late because of the breach, no students' or teachers' personal data were compromised, according to Sheldon Yazzie, director of technology for Window Rock schools. Staff were reassured they would be repaid for any overdraft fees through the district's insurance carrier.
Fortunately and proactively, the district had purchased cyber insurance the third week of July 2022, about two weeks before the attack, according to a CoSN blog post by Goodsell. Though the insurance was in place, the superintendent said he would give his district a cybersecurity rating of 4 out of 10 at the time of the breach.
Window Rock USD had reached out to all K-12 districts in Navajo and Apache counties to get advice on responding to the breach, yet 90 percent of those districts didn't have a cybersecurity response plan in place, Yazzie says. Neither did Window Rock.
But even as districts look to nestle cybersecurity into their ever-evolving priority lists, Yazzie recommends that districts take several baby steps to shore up their IT networks.
These baby steps include some form of domain name system, or DNS, protection, which filters unwanted traffic and puts suspicious domains and URLs on a blocklist so that devices on the district network cannot resolve them. Yazzie also suggests the use of local administrator password solutions, which give each server and workstation its own randomized local administrator password, so a password stolen from one machine cannot be reused to move across the entire network.
Further, districts can fortify their cybersecurity through routine use of multifactor authentication and through strengthened endpoint detection and response services, which are installed on users' devices and combine antivirus and malware detection with continuous recording of endpoint activity and the ability to isolate a compromised device.
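The DNS protection step above works by checking every name a device asks the resolver for against a blocklist. The following is an added example, not code from the article or from any district named in it, showing that check run over a resolver query log. The blocklist entries, the dnsmasq-style log format and the client addresses are all constructed for illustration. The example also handles the edge case that a naive suffix match gets wrong: a blocked domain must match only on whole DNS labels, so that a look-alike such as a blocked name followed by an extra label is not treated as the blocked domain itself.

```python
"""Flag DNS queries for blocklisted domains in a resolver log (added example)."""
from collections import Counter

# Constructed blocklist of hypothetical malicious domains. A real deployment
# would load this from a threat-intelligence feed or the filtering vendor.
BLOCKLIST = {
    "malware-c2.example",
    "phish-login.example",
}

# Constructed sample log in a dnsmasq-like format:
#   <timestamp> query[<type>] <name> from <client-ip>
# The fifth line is a look-alike (an extra label appended) and must NOT match.
SAMPLE_LOG = """\
Aug 15 08:01:02 query[A] www.example.org from 10.20.1.15
Aug 15 08:01:05 query[A] update.malware-c2.example from 10.20.1.15
Aug 15 08:01:09 query[AAAA] mail.example.org from 10.20.1.30
Aug 15 08:01:11 query[A] phish-login.example from 10.20.2.40
Aug 15 08:01:12 query[A] cdn.phish-login.example.com from 10.20.2.40
Aug 15 08:01:15 query[TXT] malware-c2.example from 10.20.1.15
"""


def is_blocked(name, blocklist=BLOCKLIST):
    """Return True if name, or any parent domain of it, is on the blocklist.

    Matching is done per DNS label: the name is split on dots and every
    suffix made of whole labels is looked up. A trailing dot and letter
    case are normalized first.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def parse_query(line):
    """Extract (qtype, name, client) from one log line, or None if malformed."""
    parts = line.split()
    try:
        idx = next(i for i, p in enumerate(parts) if p.startswith("query["))
    except StopIteration:
        return None
    # Expect: query[TYPE] NAME from CLIENT
    if len(parts) < idx + 4 or parts[idx + 2] != "from":
        return None
    qtype = parts[idx][len("query["):-1]
    return qtype, parts[idx + 1], parts[idx + 3]


def flag_queries(log_text, blocklist=BLOCKLIST):
    """Return a list of (client, name, qtype) for every query to a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed and is_blocked(parsed[1], blocklist):
            qtype, name, client = parsed
            hits.append((client, name, qtype))
    return hits


def hits_per_client(hits):
    """Count blocked queries by client address, to rank which devices to look at first."""
    return Counter(client for client, _, _ in hits)


if __name__ == "__main__":
    found = flag_queries(SAMPLE_LOG)
    for client, name, qtype in found:
        print(f"BLOCKED {client} -> {name} ({qtype})")
    for client, count in hits_per_client(found).most_common():
        print(f"{client}: {count} blocked queries")
```

On the constructed log this flags three queries from two clients and ignores the look-alike on the fifth line. A filtering resolver would return a sinkhole address instead of logging only; the per-client count is what a small district technology office would use to decide which device to pull for an endpoint check.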
Spear-Phishing Detection
The 39,000-student Beaverton Public Schools, located in a suburb of Portland, Ore., was alerted to a spear-phishing attack about seven years ago after the manager for a high school construction project noticed none of the applications on her district-issued laptop were working correctly.
The hackers crafted a fake e-mail posing as one of the companies she did business with, according to Beaverton's chief information officer, Steven Langford. The e-mail requested the manager approve some adjustments for the $180 million project and took her to a counterfeit Adobe sign-in page. Her login failed, but cybercriminals now had her credentials.
The Nigeria-based hackers hoped that obtaining the credentials would set the stage to wire-transfer some project funds into their account.
But Beaverton benefited from sound accounting practices that prevented wire transfers at the time, Langford says. The district policy requires that bank information is never provided over the phone, even if a caller identifies himself or herself as an employee of a district vendor.
With the stolen credentials, the hackers' "quick score" would have been the finance account numbers, Langford says, and the FBI had informed the district that the hackers hunted hundreds of victims this way. "They were monitoring, waiting for the [money] to come in, so they could make the transfer, make the switch, pull the money and go," he says.
The school district already was using role-based security at the time, but since then has implemented virtual private network access for critical applications, intrusion-detection applications to monitor anomalous traffic and multifactor authentication, among other measures.
Cloud Data Transfers
Though it's never good when a cyberattack hits a school district, the summer 2019 timing of cybercriminals' intrusion into the financial system of Coventry Public Schools, located southwest of Providence, R.I., blunted the potential educational impact on the district's students.
The district's insurance company paid about $300,000 in ransom to Eastern Europe-based cyber thieves after the hackers encrypted the district's financial system in July 2019, according to Craig Levis, who was Coventry's superintendent at the time. Once aware the attack was ransomware-based, he gave the cyber insurance company broad control over the technical and tactical aspects of the response.
The ransom payment and negotiation yielded a digital key that allowed the district to regain access to its financial system. To independently troubleshoot the problem without paying ransom would have taken months, Levis says.
"The state police [told] us not to pay their ransom for [the] attack," he says. "But we needed our financial data back."
Despite the criminals' loathsome activities, the hackers had an "honor amongst thieves" reputation, wherein their victims regularly reported they received their data back following the ransom payment, Levis says.
The timing of the mid-summer attack allowed the district to fully rectify the data issue before students returned to school in the fall. But unanticipated issues arose in the days after the breach. Coventry's servers went down for five days, catalyzing a shutdown of the digitally controlled HVAC system in the district's middle schools. Black mold spread throughout the facilities, Levis says.
Insurance covered $500,000 in mold remediation during the following three weeks.
Summer break gave the district ample time to wipe all of its Chromebooks and desktops clean of "any information or any software" after the intrusion, Levis says. Those devices were reloaded with proper software before the start of school.
Coventry transferred all financial data from physical servers to a secure cloud service because bad actors had poked around those physical servers for several months, Levis says. It's quite easy for hackers to regain access to targets' personal data residing on physical servers that have already been breached, which is why such a migration only helps when the accounts and credentials the intruders used are reset rather than carried over to the new environment.
"All it takes is somebody opening up an attachment," Levis says. "That bad actor has access to everything."
BRIAN BRADLEY is a freelance education writer in Bunker Hill, W.Va.
Copyright American Association of School Administrators Feb 2024