By Jason Starkweather

Like many schools and businesses alike, we are constantly looking to improve our cybersecurity posture… keeping the ‘bad guys’ out is more and more of a challenge, with large-scale data breaches hitting the news almost daily.

During the fall of 2021, we partnered with one of our trusted vendors and completed a network security assessment as part of our network security roadmap.  A few weeks later, we were running a trial of a next-gen antivirus solution in a few of our buildings, when we received an alert in the middle of the night that there was suspicious activity on our network.  We investigated, found the affected PC, and remediated.  The next night, another alert on a different PC.  Another remediation.  We decided to expand our two building anti-virus trial to all buildings for more complete visibility into what was happening.  Night three, I was waiting.  Sure enough, around the same time of night, another alert.  Upon further investigation, we thought it was best to take the entire school district of over 10,000 students and 1,200 staff members offline as we and our vendor partners determined the extent of the intrusion.

If you’ve not had a discussion of what a total technology shutdown would look like in your district, I would highly encourage you chat with your administration team and include that information in your disaster recovery plan.  For us, it was important to be the ones controlling access, as we were not sure what would come if the game of cat and mouse were to continue.  While our teachers rely heavily on technology for their daily instruction, this event encouraged them to return to some of their earlier teaching practices and school remained open and teaching continued during this event.

The proactive nature of our ‘technology lockdown’ allowed us to control what services remained online during our investigation.  Thinking back, I cannot imagine not having this option. Accommodations were made for some of the operational functions (payroll, bus routing, nutrition services) to continue.  Telephones, security cameras, copiers, A/V systems all may be affected in the event of a true ransomware situation.  As we were not in that situation, all of these systems were operational.  A communications backchannel was established through our district’s mass communication system.  All passwords were reset and had to be distributed to all staff and students in-person in an efficient manner.  Over 13,000 stickers with new, temporary user credentials were strategically deployed. Schools utilized PA announcements in a way that they hadn’t in many years and went back to distributing printed copies of things that may have been emailed in the past.   While it was important to let school families know that their students were not accessing technology at school, the messages could not be incredibly detailed as the investigation began. Families were informed that the access didn’t include the student information system.

While school life continued as normal as possible, the investigation involved conversations with a local partner recommended by the Indiana Department of Homeland Security and our school administration. At the conclusion of the investigation, it was determined that no sensitive files were accessed, and no ransomware was discovered on the network.  It showed that the perpetrator seemed to attempt to use our network to make fraudulent purchases online, and most-interestingly, the initial access coincided with the date and time of our network security assessment.  We engaged in a strategic restart of the network to minimize the risk and isolate any further attempts to compromise the network.  After a few days, the district was back online with the next-gen anti-virus software fully in place.

Hearing of other districts’ incidents involving ransomware and encrypted files, I know we were fortunate in our case. In the weeks and months after our intrusion, many ‘what if’s…’ followed:  What if this ‘system’ or that ‘tool’ was also affected, etc.?  How would we take attendance if our student information system became inaccessible?

All of this helped us further re-shape our disaster recovery plan, and the year-long security roadmap we were following was accelerated to about five weeks with nearly total buy-in from our staff.

If you’ve not had a chance to develop a disaster recovery plan for your district, I would highly recommend you complete that.  Many resources beyond the Technology Department need to be involved in the planning for and execution of such plan.  The Indiana Cybersecurity website contains some great resources to incorporate into your plan.  Purdue CyberTAP offers no-cost cybersecurity assessments, which we took advantage of last year.  This assessment gave us additional ideas for our plan as well.  IN-ISAC also publishes timely notifications of threats and vulnerabilities which you can sign up for here.