Safety First

K-12 Tech Leader Shares Best Practices for Cybersecurity

April Mardock
CISSP – Chief Information Security Officer, Seattle Public Schools

April is a long-time security expert, having held her CISSP (Certified Information Systems Security Professional) since 2002, and is currently working with Seattle Public Schools as the chief information security officer. April’s responsibilities also include site-based technology audits, infosec policy management, disaster recovery and business continuity consulting, penetration testing, email spam and web filtering, and cloud forensics.

What are the primary challenges that K-12 schools face in implementing multi-factor authentication (MFA) for their systems, and how can they overcome these obstacles effectively?

MFA is becoming mandatory for most school districts as their cybersecurity insurance providers are requiring it. As such, deployment planning will be key. Start with the IT administrators and work out the glitches, then move on to the most high-risk staff—IT administrators, payroll, accounts payable, principals and executive/superintendent staff. Then move to all remaining staff, including teachers and facilities staff.

Although unions are often named as a challenge for MFA, we’ve found proactively working with the unions to identify individuals with special needs, and having the union craft and manage the exception process works well. Even if a few users need to be exempted, having 99 percent of staff covered is better than zero!

How can schools educate staff and students about phishing awareness, and what measures can be put in place to limit the impact of phishing attacks?

Phishing is a cunning form of cyberattack that’s continually evolving. It attempts to trick people into sharing sensitive information, often through misleading emails.

First off, limiting user admin rights is crucial. Even if someone falls for a phishing attempt, without admin rights, the potential damage can be significantly reduced. Second, consider restricting email and internet access for sensitive accounts. When these accounts are used for specific tasks, like managing bank accounts, they become high-value targets. By blocking their regular internet access, you make it less likely for them to fall victim to phishing attacks. Also, think about applying similar restrictions to IT “domain-admin” style accounts. These accounts rarely need unrestricted web access, and limiting this can reduce the risk of attacks.

In terms of education, keep everyone informed about emerging threats, such as the recent spike in fake DocuSign emails. Encourage staff and students to report any suspicious activity they encounter. When someone reports a cybersecurity concern, acknowledge their contribution with a letter of thanks and let their supervisors know. This promotes a culture of vigilance and encourages everyone to play an active role in maintaining cybersecurity.

Could you provide some examples of specific vulnerabilities that unpatched critical servers may have, and how school districts can ensure a timely and comprehensive patch management process to safeguard these servers?

It’s not just servers. Take, for example, the Barracuda email firewall. If left unpatched, cybercriminals could potentially take control of the device and use it as a launchpad to attack the rest of the school district’s network. The same risk exists with Fortinet firewalls if the district exposed the management port to the internet—even without a valid username or password, malicious actors could seize control of the device. A server vulnerability example is the CVE-2022-21907. This flaw, if not patched, doesn’t even require a username or password for an attacker to gain complete control over the server.

From an attacker’s perspective, what makes K-12 schools an appealing target for ransomware attacks compared to other sectors?

K-12 schools are sometimes seen as “easy targets” for a few reasons. First, they often lack strict regulations mandating strong cybersecurity measures. Second, they rarely have staff solely dedicated to managing cybersecurity, and third, there’s often limited cybersecurity coverage during weekends, holidays, and school breaks. This leaves long periods when their systems could be more vulnerable to attacks.

In the event of a successful ransomware attack on a school district, how can schools effectively respond to minimize damage and swiftly recover access to their systems and data?

School districts should be proactive and prepared for possible ransomware attacks. Immutable backups, which can’t be altered or deleted, are a good start. They’ve become more affordable and should be in place and tested regularly.

An incident response plan is another crucial tool. It outlines the steps to take in the event of an attack, and schools should practice it regularly through mock events or tabletop exercises. This helps identify potential weaknesses and refine the response.

When an attack occurs, don’t hesitate to isolate the network. Shutting down switches and routers can prevent attackers from spreading across the network. Additionally, automating individual computer isolation, especially for any device flagged for ransomware, can limit damage even if the attack occurs outside of working hours.

Beyond the technical aspects of cybersecurity, what role can school administrators, teachers, and parents play in fostering a culture of cybersecurity awareness and preparedness among students in K-12 schools?

Everyone in a school community can play a part in promoting cybersecurity. For students, make cybersecurity relevant to their interests. Many students play online games where they may have experienced losing valuable in-game items or game coin due to cyber-attacks. These experiences can be used to teach them about the importance of online safety. For example, students should be taught to verify download hashes before installing new games to avoid malware. Using real-world examples, like the first log4j attack appearing in a Minecraft game chat, can also make the lessons more relatable. It’s also important to create an environment where students and the broader community feel safe to report cybersecurity concerns. This could be facilitated by adding a security.txt reference file to your school’s website, providing clear instructions on how to report potential issues.
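The answer above recommends teaching students to verify download hashes before installing software. The following script is an added example, not part of the interview, showing what that check looks like in practice: it hashes a downloaded file in chunks (so large installers need not fit in memory), accepts the publisher's digest either as a bare hex string or as a `sha256sum`-style line, normalizes case, and rejects malformed digests instead of silently passing them. The file contents and the digests used in `demo()` are constructed for this example; in real use the expected digest comes from the publisher's page, fetched over HTTPS, not from the same download mirror as the file.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed sample standing in for a downloaded game installer.
SAMPLE_FILE_BYTES = b"example installer payload (constructed for this demo)\n"

_HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the lowercase hex SHA-256 of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_hash(text: str) -> str:
    """Normalize a published digest.

    Accepts a bare 64-hex-digit string, an optional "sha256:" prefix, or a
    `sha256sum`-style line ("<hex>  filename"). Anything else raises
    ValueError so a typo or a truncated copy-paste cannot pass as a match.
    """
    stripped = text.strip()
    token = stripped.split()[0] if stripped else ""
    if token.startswith("sha256:"):
        token = token[len("sha256:"):]
    if not _HEX_SHA256.match(token):
        raise ValueError("expected a 64-hex-digit SHA-256 digest")
    return token.lower()


def is_valid_published_hash(text: str) -> bool:
    """True if parse_published_hash() would accept the text."""
    try:
        parse_published_hash(text)
        return True
    except ValueError:
        return False


def verify_download(path: Path, published: str) -> bool:
    """True only if the file's SHA-256 equals the published digest."""
    expected = parse_published_hash(published)
    actual = sha256_of_file(path)
    # Constant-time comparison; not essential for a local check, but a good habit.
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Exercise the verifier against constructed good, reformatted and tampered inputs."""
    good_digest = hashlib.sha256(SAMPLE_FILE_BYTES).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "installer.bin"
        target.write_bytes(SAMPLE_FILE_BYTES)
        # A file whose contents differ by a single byte from what was published.
        tampered = Path(tmp) / "installer-tampered.bin"
        tampered.write_bytes(SAMPLE_FILE_BYTES[:-1] + b"!")
        return {
            "matching": verify_download(target, good_digest),
            "sha256sum_line": verify_download(target, f"{good_digest.upper()}  installer.bin"),
            "prefixed": verify_download(target, "sha256:" + good_digest),
            "wrong_digest": verify_download(target, "0" * 64),
            "tampered_file": verify_download(tampered, good_digest),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

The design point worth teaching alongside the code: a hash check only proves the file matches what the publisher said it should be, so the digest must come from a source the attacker who could swap the download cannot also edit.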