A couple of weeks ago, a story broke on our local news outlets involving a ransomware attack against the Smyth County Virginia school system. Smyth County is located in Southwest Virginia and is comprised of 3 towns (Marion, Chilhowie and Saltville) and approximately 32,000 residents. The focus of the majority of the news coverage for this cybersecurity event surrounded the fact that the ransomware attack forced the school system to shut down significant portions of their network including student Internet access as a precaution against the spread of the ransomware infection. Interviews with the school system’s Director of IT revealed that several Windows-based servers were encrypted and inaccessible. Recovery from backups was underway for those resources as the school system had wisely chosen not to pay the ransom.
Subsequent follow-up coverage of this event has revealed the continued efforts by the school system to recover data and rebuild servers, and the steps the school system has taken to mitigate the impact of a future ransomware attack. According to the system’s Director of IT, new anti-malware software is being deployed and a previously planned project to move additional systems to a cloud-hosted platform has been moved up on the calendar and expedited. All of this information has added to the overall ransomware narrative and the difficulties that any organization would face if infected by a ransomware attack. But as an IT security professional, I find myself incredibly frustrated by this event and the general emphasis of the news story that has been crafted and repeated. My frustration lies in the simple fact that two very important questions have not been asked and answered – 1) How did the ransomware infiltrate the school system’s network? and 2) What controls were in place to prevent this attack in the first place?
These two questions are at the heart of the “how” and the “why” of this event, and it is from the answers to these two crucial questions that we actually learn something of value from this painful experience. Everything discussed in the media to this point and everything shared by school system officials has been reactive in nature. The network was shut down and Internet access was disabled to prevent the spread of the infection after it had taken hold in the Windows environment. New anti-malware software is being deployed to prevent future attacks. Data is being moved to the cloud to limit future exposure. All of this work is important for Smyth County. But for the rest of us, and more specifically, for other school systems in the region, the conversation needs to be centered on how the infection started, which controls worked, which controls failed, and which controls were simply missing that led to downtime, system failures and the potential loss of critical data.
Many of the reactionary controls mentioned to this point may not be affective against future ransomware attacks based on the changes in attack vectors used by cybercriminals today. According to the 2019 CrowdStrike Global Threat Report, more than 70% of attacks against healthcare and education targets in past year were malware free. This means that the initial tactic used by the cybercriminal did not result in a file or file fragment being written to disk on the target platform. In other words, the bad guys used social engineering, stolen credentials or some other out of band mechanism to gain access to the information they were targeting. Technical controls like signature-based anti-malware software cannot defend against these types of attacks. Nor does moving data to a cloud-hosted platform fully mitigate the threat.
Some will ask why should we invest so much energy and money – and in the case of school systems we are talking about tax payer money – into combatting these types of threats. The biggest publicly disclosed impact of the attack on the Smyth County school system was the loss of Internet access for students and staff over a two- or three-day period. I have no doubt many parents in Smyth County were pleased to know their students had a break from the Internet for a few hours a day. But Internet access was the biggest publicly disclosed impact, not the only impact of this type of attack. Actual data exfiltration has not been confirmed, and data is often the biggest motivator for cybercriminals.
The 2019 Verizon Data Breach Investigations Report revealed that 80% of all breaches targeting the education sector were financially motivated, and of all reported breaches in the education sector, 26% resulted in some form of data disclosure. Think for a moment about the type of data a school system has under its control. For students, the school system maintains records including name, address, phone #, email address, social security #, and in many cases, medical records. For parents, the system has similar information and, in many cases it often has some form of payment-related information. For school system employees, the records are even more detailed. All of these data types are incredibly valuable for cybercriminals wanting to forge identities or generate other more targeted attacks. Consider too the fact that these students are typically under the age of 18 and do not have any form of identity protection in place or at their disposal.
I realize that the tone of this article can and may be seen as an indictment against the IT team in Smyth County, but that is far from the case. From all accounts, that team of IT professionals identified the threat and responded quickly to limit its spread. There were clearly requests and plans in place to strengthen the network that are now being green lit and expedited. I believe they did everything in their power to defend their infrastructure as best they could. Like many things in IT, success comes down to human resources and budget, neither of which tends to stretch very effectively. My goal is not to shine a light on any failures in Smyth County, Virginia, but to instead shed some light on the larger problem all of us face in terms of a lack of understanding and preparedness when it comes to these types of cybersecurity threats.
So far in this post, I have provided a ton of critical feedback surrounding how this breach was covered in the news and how the school system did or did not respond, so allow me to stop and provide some applicable recommendations on how to help mitigate if not prevent these types of attacks moving forward:
- Deploy an Advanced Malware Protection Platform to replace traditional signature-based anti-virus software – Gone are the days when we can wait for and trust a downloaded signature file from an anti-virus vendor to defend us against malicious activity on our PC’s and servers. Threats are evolving too quickly for signature files to keep up and many threats do not involve detectable code. Organizations need a platform in place that can intelligently monitor, detect and remediate threats based on computer and application behavior, anomalous end user inputs, and unexpected or inappropriate network traffic. Many sound platforms exist, and many include 3rd party monitoring components that can increase response times to threats and reduce the potential impact of false positive detections.
- Implement modern UTM (unified threat management) controls and DNS-based content filtering on all ingress/egress points for the network – We can no longer rely on basic stateful packet inspection and port-based firewall rules to successfully filter our Internet traffic. Modern UTM can filter and inspect at the application level, and DNS-based content filtering can successfully identify and restrict access to those command and control servers so many ransomware platforms rely on for effectiveness. Some statistics give DNS-based content filtering a success rate against ransomware infections as high as 93%.
- Upgrade and patch your servers and PC’s – This sounds like an obvious statement, but far too many school systems still rely on donated hand-me-down hardware from businesses and higher education resources to survive. Those computers are often running outdated operating systems and have no mechanism in place for properly patching and security updates. It only takes a small toe hold on the network for the bad guys to land and expand and wreak havoc.
- Train your employees and students, all of them, frequently – Social engineering (phishing, vishing, in-person) is the biggest threat to most organizations. All the technical controls in the world cannot prevent an end user with authorized access from doing harm to a network. We have to educate everyone to the threat landscape. We have to teach individuals how to respond to social engineering and other observed unusual activity. People need to know who to inform and to do so quickly. And this education should span beyond the four walls of the organization to the home and personal IT security best practices. The threats are real whether we are at work sitting at our desks or at home sitting on our couches.
- Develop more than a backup solution. Build a disaster recovery plan and test it – During the initial interviews with school system officials in Smyth County, those officials indicated that server restoration processes were underway using backup data. In one follow-up print article nearly two weeks later, those same officials indicated that those restoration processes were still ongoing. Depending on the criticality of the system and data affected by an attack, most organizations cannot wait weeks for systems to come back online. It is incredibly important to consider and define a valid Recovery Time Objective for the organization. How long can you survive without access to your information and systems? Based on the answer to that question, deploy redundant servers and backup solutions that can have you back online and functioning before it becomes too late for the effective survival of your organization.
Over the last couple of weeks, I have been reading The Only Plane in the Sky – An Oral History of 9/11 by Garrett M. Graff. This book is a heart wrenching compilation of 1st person accounts from those people who lived through the hours and days surrounding that life altering day in our nation’s history. Through these personal stories and quotes, I am reminded that we as a nation responded to those attacks using emergency procedures and protocols that were largely born from the Cold War. Some of that training and some of those plans and procedures were effective and saved lives and restored some order to a chaotic situation. Other components of those plans and procedures were completely inapplicable to the situation, leaving many government officials and first responders groping in the dark for answers and developing strategies on the fly to cope with the disaster at hand. We need to learn from that horrific day.
I am wholly convinced that the next great threat to our country is not another series of plane hijackings or a terrorist with a bomb or even a nuclear weapon controlled by a hostile nation state. The next great threat we face is a cyber-attack against our infrastructure. It may come from a terrorist cell, a politically motivated activist group, a hostile nation or even a highly motivated disgruntled individual, but it will come, and it will wreak havoc on our way of life. I am far from convinced that we are properly prepared. Such an attack can be mitigated, but it will take each and every one of us. It will take IT professionals willing to work hard, deploy the right controls, and avoid the short cuts that make our computer networks vulnerable. It will take organizational leadership willing to invest the right amount of time and energy and funding to support those IT professionals. And it will take the rest of us, willing to train, build good personal security habits, and learn the signs of a cyber-attack and how to respond appropriately. The time for reactive responses is over. We need to become proactive. We need to prepare. And we need to continue the conversation loudly and publicly.