School implementing most cyberattack report recommendations
A draft report released recently gives School District 6 several recommendations on how to tighten its server security after the school was hacked last fall and hundreds of student and personnel files were stolen.
The school has already implemented several of the suggestions, IT Director Bob Mears told the school board last week.
The draft report offers a host of advisories, from controlling access to sensitive servers to simple password policies that help keep accounts like Gmail from being hacked.
Last September, a group called the Dark Over Lord Solutions hacked into school servers and stole personal information on students and staff. Once they obtained personal cell phone information, they also sent threatening and vile text messages to school staff and students.
The group initially asked for a ransom of more than $100,000. The school never paid, but it did provide people who had been hacked a free year of identity theft protection.
Columbia Falls was not alone — several schools across the country were hacked — and the FBI helped investigate the case.
The draft security report, by LMG Security, offered the school more than a dozen recommendations.
Some key points included:
- Contracting with a monitoring service, like Dell SecureWorks, Alert Logic and Cybereason, to help detect malicious network activity. The report suggested the district consider joint contracts with other districts to reduce the cost of the service.
The school looked into the service, but it was cost-prohibitive, with a price tag of more than $60,000, Mears noted.
- The school should restrict account privileges and improve access control. The investigation found that, in short, too many people had access to sensitive information and, even if they needed that access, it should have been restricted and used only when “privilege elevation is specifically required.” Mears said the school has drastically cut the number of people who have access; only four people currently have it, including himself.
- The school should develop a data retention policy. The report noted that the school had databases available online that dated back several years. Old data should be moved offline or simply deleted, the company recommended. The school has started to do that, Mears said. It retains only one year's worth of information on a drive on the network. The other data is taken offline. He suggested the school get a safety deposit box to securely store drives off premises.
- Use better passwords. LMG recommended that passwords be at least 14 characters long so they are not susceptible to “brute force” attacks. In addition, multi-factor authentication should be in place. For instance, in Gmail, Google sends out a separate code to a person’s cell phone before they can log into an email account. Mears said that the school was currently using a 12-character password. Staff had a tough time remembering those.
- Use software that allows IT managers to see who is on the network and what software they’re using. That allows them to identify vulnerable software versions and roll out security patches on a regular basis. Mears said the IT department is doing that.
- Put more resources into the IT department. In short, the report notes that many of the measures, particularly monitoring and continued security of the network, cost money in both software and staff.
Mears said the school is also taking other measures. It’s drastically reducing the number of “thin clients” — which are servers that run an entire classroom, for example. The hackers broke into the school servers through one of its thin clients.
He said one of the biggest problems right now is teachers and staff who leave their desks or their classrooms at the end of the day and leave their email open — that could lead to hacks easily, he noted.
Overall, he said the message to staff was one of help.
“We’re not trying to control the district,” he said. “We’re trying to take care of it and make it safe.”