Learning
This round of the newsletter is late. I promised myself I wouldn't miss deadlines for this particular resource, but last week I was deep in the weeds when trying to get this newsletter to you. I kept researching and reading trying to find the best information to provide to you and in turn got lost. Ransomware continues to be an enormous threat and a hot topic in the news and was brought up in the halls of Congress last week multiple times.
Run a Google News search for "ransomware". In the past month, just 30 days, these ransomware attacks are listed: Foxconn, Kmart, Vancouver public transport, Greater Baltimore Medical Center, Baltimore County schools, Lubbock TX City Hall, Texarkana municipal, Huntsville City schools (Alabama), Kopter helicopter company, Capcom video game company, and Managed.com. By no means is this list exhaustive.
Last week, Senators addressed ransomware attacks on K-12 with the Cybersecurity and Infrastructure Security Agency (CISA) and its new acting director, Brandon Wales. In a way, Mr. Wales dodged questions about what the agency will do to help schools in the future by explaining that ransomware is a problem that is affecting all industries and that focus needs to be on ransomware as a whole and not just one industry. Wales then mentioned the resources that already exist at CISA.
A recent survey of state chief information security officers found that the three leading barriers to better cybersecurity in the states were a lack of sufficient budgets, inadequate staffing and a surplus of legacy technology more susceptible to emerging threats. This is the same story in local government and school districts across the nation as well.
Additional national efforts to funnel money and resources to state and local entities have gone without resolution. NASCIO recommendations have been unaddressed. While massive procedural changes were made to E-rate and Category 2 funding in 2019, there is still no authorized funding specifically for cybersecurity. This year, we saw the FCC bend the rules and make allowances for additional Category 1 funding to support 1:1 virtual learning and provide connectivity. Maybe next year, the same sense of urgency can be applied to cybersecurity.
In response to CISA's statements last week, I posted an open letter on LinkedIn and used the power of my people network to attempt to get more information and resources for you. I posted that we, all of us in educational technology, are ready to receive more guidance and resources from CISA. I posted that I was ready to be a conduit for information flow to our 132 school divisions. I suggested that we talk, share, and collaborate.
Alas, this post caught the attention of many vendors at first. I love the vendors, but they can sometimes swoop too fast. After a few days, I started getting messages from school leaders, state education CISOs like me, and from people I admire in EdTech across the country. Everyone agrees that there is a void not being addressed. Everyone agrees that action needs to occur. Everyone agrees that it would be nice. Well, I'm going to push forward with trying to make Virginia an example of what K-12 cybersecurity can be. I was looking for answers and no one has them. I'm going to have to answer my own questions. I promise you that 2021 will make a difference in Virginia.
With a major ransomware attack occurring almost every day, how can we possibly expect to defend ourselves? Large organizations that spend millions on cyber are still getting successfully attacked. What hope does a school division with over-taxed employees have?
I attended a virtual training session this month taught by the first appointed CISO of the United States, Brigadier General (retired) Gregory J. Touhill. His presentation, like others I have heard in the past few months, made the case for treating our defense posture differently. For years we have been putting up walls trying to keep people out. Many leaders in the defender community now take the stance that we are already breached and attackers are already in the network. Once you allow that thought, you can focus on resiliency and stop damming the ocean.
Resiliency, as we have learned, is the ability to bounce back, to shift, to adapt, to continue. Resiliency is different from Business Continuity. The International Organization for Standardization (ISO) defines Business Continuity as "the capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruption." Resilience is defined as "the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper." Survive and prosper. I like to think of it as "Live long and prosper." That's how I remember resiliency. Continuity keeps us going today in the face of a power outage. Resiliency keeps us going for a lifetime in the face of a constantly changing environment.
Current guidance from experts everywhere claims that the best defense against ransomware is backups of data and critical systems. It sounds defeatist when you are focused on putting up walls. But when you are focused on resiliency, you adapt, trap, restore, and move on. The business doesn't become a hostage, at least not for long.
Here are things you can do right now, based on guidance from national authorities, to continue to protect your data and your environment from ransomware. Each one of these suggestions has been addressed in previous newsletters in more depth.
- Backup your data, servers, and critical configurations
  Back up data stores, virtual machines, configurations, database dumps, and so on. Keep at least one copy offline or otherwise unreachable from the production network, because ransomware operators routinely encrypt or delete any backup they can reach from a compromised account. If you have physical servers, now is the time to consider virtualization or having a hot/cold spare ready to go. Test your backups by actually restoring from them (a backup that has never been restored is not a tested backup), and back up everything you can.
- Segment your network
  Segmentation limits lateral movement, so an infection in one part of the network cannot spread to everything. Physically and logically break up your network to contain ransomware. Example: A classroom lab computer will never need access to your financial database or payroll system. Make sure it never can.
- Transfer risk to cloud providers
  Cloud is no longer a novelty. It is the standard and the future. If you can move your servers or applications to cloud hosted environments, you should. Let providers and vendors share in the cybersecurity. Remember that the sharing goes both ways: under the shared responsibility model the provider secures the underlying platform, but your accounts, identities, data, and configuration remain yours to protect, so a stolen admin credential can hold cloud data hostage just as easily as on-premise data.
- Patch and deploy security fixes
  Unpatched software is the evil-doer's playground. Create a vulnerability management program: inventory what you run, track disclosed vulnerabilities against that inventory, and patch on a schedule driven by severity and exposure, internet-facing systems first.
- Retire legacy equipment
  Establish policies for replacement schedules with your admin team and Board and then stick to those schedules and use them as your excuse for retiring a "perfectly good" printer or server. Use those schedules to justify budget requests.
- Deploy MDM, proxy, and internet filtering services
  Think about MDM for staff devices as well. Expand MDM to cover laptops and not just mobile devices. Filter all internet access. Use known lists of ransomware domains and block all of them.
- Monitor your network and devices
  Record logs. Read logs. Employ IDS/IPS services on your firewall. Experiment with basic SIEM tools that can automate alerting you to suspicious activity.
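As an added example, not code from this newsletter or from CISA, here is a small Python triage script that implements two of the "read your logs and automate alerting" rules above over constructed log lines: a lookup of a domain on a known-ransomware blocklist (with an "allowed" hit rated higher than a "blocked" one, because it means the filter missed it), and a burst of file renames to one unusual extension on a file share, a common sign of encryption in progress. The domains, hostnames, user names, the two log formats and the thresholds are all made up for the example; a real deployment would feed it your own filter and file-server audit logs and a real threat-intel list.

```python
"""Toy ransomware-indicator triage over constructed DNS/proxy and file-audit logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed blocklist: stand-in for a threat-intel feed of ransomware C2/payment domains.
RANSOMWARE_DOMAINS = {"pay-decrypt.example", "c2-drop.example"}

# Constructed filter log lines: "<ISO time> <client host> <domain> <action>"
DNS_LOG = """\
2020-12-03T08:01:12 lab-pc-14 updates.example.org allowed
2020-12-03T08:01:15 lab-pc-14 pay-decrypt.example allowed
2020-12-03T08:02:40 finance-ws-02 c2-drop.example blocked
2020-12-03T08:03:01 teacher-lt-07 mail.example.org allowed
"""

# Constructed file-server audit lines: "<ISO time> <user> RENAME <old path> -> <new path>"
FILE_AUDIT = """\
2020-12-03T08:05:00 jdoe RENAME /shares/hr/budget.xlsx -> /shares/hr/budget.xlsx.lck9
2020-12-03T08:05:02 jdoe RENAME /shares/hr/payroll.csv -> /shares/hr/payroll.csv.lck9
2020-12-03T08:05:03 jdoe RENAME /shares/hr/staff.docx -> /shares/hr/staff.docx.lck9
2020-12-03T08:05:05 msmith RENAME /shares/art/draft.docx -> /shares/art/final.pdf
2020-12-03T08:05:06 jdoe RENAME /shares/hr/w2.pdf -> /shares/hr/w2.pdf.lck9
2020-12-03T08:05:09 jdoe RENAME /shares/hr/notes.txt -> /shares/hr/notes.txt.lck9
2020-12-03T08:05:11 jdoe RENAME /shares/hr/plan.pptx -> /shares/hr/plan.pptx.lck9
"""


def domain_hits(log_text, blocklist):
    """Return (time, host, domain, action) for every lookup of a blocklisted domain.

    A hit whose action is 'allowed' means the filter did not stop it: that host
    needs isolation and investigation, not just a filter update.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, action = line.split()
        if domain.lower() in blocklist:
            hits.append((ts, host, domain, action))
    return hits


def rename_bursts(audit_text, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, new_extension) pairs with >= threshold renames inside any
    span of length `window`. Returns {(user, ext): peak_count_in_window}.

    Bulk renames to a single new extension are how most ransomware families
    leave their mark on a share; a sliding window keeps one-off renames quiet.
    """
    events = defaultdict(list)  # (user, ext) -> [datetime, ...]
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ts, user, op, _old, _arrow, new = line.split(maxsplit=5)
        if op != "RENAME":
            continue
        ext = PurePosixPath(new).suffix.lower()
        if ext:
            events[(user, ext)].append(datetime.fromisoformat(ts))

    flagged = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def triage(dns_log=DNS_LOG, audit_log=FILE_AUDIT):
    """Run both rules and return human-readable alert lines, highest severity first."""
    alerts = []
    for ts, host, domain, action in domain_hits(dns_log, RANSOMWARE_DOMAINS):
        sev = "HIGH" if action == "allowed" else "MEDIUM"
        alerts.append(f"{sev} {ts} {host} reached blocklisted domain {domain} ({action})")
    for (user, ext), n in rename_bursts(audit_log).items():
        alerts.append(f"HIGH {user} renamed {n} files to {ext} within 2 minutes; possible encryption in progress")
    return sorted(alerts, key=lambda a: a.startswith("MEDIUM"))


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

The rename rule deliberately keys on the new extension rather than on a list of known ransomware extensions, since those change with every campaign; the threshold and window are the knobs to tune against a week of your own audit logs so that normal bulk activity, such as a teacher converting a folder of files, does not page you.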
As I'm typing this, I am also listening to a meeting in the background from the KLIP Advisory Group. KLIP is a statewide technology group that shares best practices and relays information. I know that the priority of your school division may not be security. Instead you are focused on virtual school, internet access, 1:1 device damage and troubleshooting, and the daily changing needs of your division. Please, as you adapt and apply resiliency to all of your efforts, make sure security is part of your decision making and your efforts.