One Saturday in March 2015, technical services operators at the Swedesboro-Woolwich school district in Gloucester County noticed a problem with the district’s computer system network. The system had been hacked by malware that was holding the network hostage. The cyber-attack disabled the district’s entire computer system network, interfering with staff access to student records, academic activities, lunch register systems, district email services – and with the administration of the PARCC tests.
The attackers demanded 500 bitcoins (a digital currency whose transactions are recorded publicly but are not tied to a verified identity, which makes the recipient hard to trace) as ransom to restore all the district computer systems back to normal. At the time, 500 bitcoins was worth roughly $125,000.
The school district didn’t pay the ransom, and, after several days, the district’s technology experts were able to restore operations.
Could this have been prevented? How can other school districts protect themselves from a similar attack? Here are a few notes that may help along the way.
First, it’s useful to understand a little background on ransomware.
Ransomware is a type of malware that encrypts files or otherwise blocks access to a computer system until a ransom is paid. It usually gets in after a student or staff member clicks on an untrustworthy link in an email, opens a malicious attachment, or downloads software from an untrusted source.
Once running, the malware scans the district's network for anything it can reach, such as file folders shared by several people, and spreads to servers by taking advantage of security holes. Occasionally it uses a new, previously unknown "exploit" – a program or method that takes advantage of a security hole – but far more often it gets in through known vulnerabilities that are commonly found in systems that are not regularly updated with security and critical patches.
An exploit is written once a bug or loophole is discovered in mainstream software that lets an attacker do something the software was never meant to allow, for example running code of the attacker's choosing or raising the level of access a user has to a computer system.
The ransomware will then encrypt anything it finds, and a message will appear demanding a payment to receive the decryption key.
Unfortunately, of course, there is no way to guarantee that these perpetrators will actually provide the key if the ransom is paid, nor that they will not strike again.
To thwart ransomware, it is essential to make sure your system is regularly backed up, and that the backups are kept where the malware cannot reach them: offline, or on a system that does not accept writes from ordinary user accounts, because ransomware encrypts any backup it can write to just as readily as the original files. If back-up procedures are followed and restores are tested from time to time, files can simply be restored after servers are cleaned of the malware, and no payment will be necessary.
Another type of malicious software, delivered in the same way, is a back door: instead of encrypting files, it gives an outside attacker remote access to the machine without needing any password.
That machine is then used as a stepping stone into the rest of your network.
These phishing emails are usually sent to every address an outside attacker can find, such as a staff directory on your school's website. They only need one person to click the link, and they are in.
It is not always clear what a hacker is trying to do, whether it is gaining access to the personal information of your staff and students, or locking your staff out of their systems and demanding money to regain access. Sometimes hackers want to use your network as a place to launch further attacks on other remote networks.
In a recent case in Jersey City, the school system's network was compromised and someone obtained a listing of names and addresses of all students. That list was then obtained and used by a charter school to market its services to those students and their families.
Here are some tips that will help to prevent such attacks:
For Students and Staff
Ensure each user's passwords follow strict creation policies, such as mandating a password contain a minimum of eight characters, upper and lower case letters, at least one number and a special character. Length does more for security than the character-class rules: a long passphrase of several unrelated words is easier to remember and harder to guess than a short string that merely satisfies the rules. Districts should make sure a user's password doesn't contain his or her name or username, and should educate students and staff to refrain from using their birthday, a family member's name or other easy-to-guess words as a password.
Passwords should be set to expire on a regular basis, and users shouldn’t be able to reuse a previous password.
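The policy above can be enforced at the point where a password is set. The following is an added example, not code from the district or from this article: a small Python checker for the stated rules (length, character classes, no username or name inside the password) plus a reuse check against a history of earlier passwords. The history stores only salted PBKDF2 digests, so that the list of old passwords is not itself something worth stealing; the usernames, names and passwords in the test are made up.

```python
import hashlib
import os
import re

# Characters the policy counts as "special" (an assumption of this example).
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history is not a list of reusable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember_password(password: str, history: list) -> None:
    """Record a (salt, digest) pair so future changes can be checked for reuse."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def check_password(password: str, username: str, full_name: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")

    # Must not contain the username or any part of the user's name (case-insensitive).
    lowered = password.lower()
    for token in [username] + full_name.split():
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains '{token}'")

    # Must not match any previously used password; each entry carries its own salt.
    if any(hash_password(password, salt) == digest for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    history = []
    remember_password("Summer2015!", history)
    print(check_password("Summer2015!", "jsmith", "John Smith", history))
    print(check_password("jsmith1", "jsmith", "John Smith", history))
```

The reuse check recomputes one PBKDF2 digest per history entry, which is fine for a short history of a few passwords per user; keeping a separate salt per entry means two users who picked the same old password still have different digests on file.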
Students and staff need to understand that they should log out of the computer every time they are finished with their work. This prevents other students from using their accounts and accessing the network under someone else's name.
Users should not share their passwords with any other faculty member, teacher or students. Districts should tell students and staff members that if they believe someone else has their password, they should promptly change it and notify the network administrator.
As part of student and staff training, the above policies should be emphasized, along with other important information, such as not to click on a link or open an attachment in an unexpected email. Even if an email recipient knows the sender, if that person doesn't usually send attachments, it is worthwhile contacting him or her by another route to confirm that the message and the attachment are authentic.
Network Administrators
Do not allow students or staff to install any programs on their computers. Ordinary user accounts should not have local administrator rights; an administrative password should be required for any installation, and administrators should regulate what can be installed. There is no reason for any student or teacher to install programs themselves.
Install a firewall that receives live threat and signature updates from the vendor. Some products, or a separate email gateway, add an extra layer of protection by scanning incoming e-mail for viruses and spam. These products need to be constantly updated so they will be able to catch the latest viruses and stop the newest spamming techniques.
Separate the student network from the administrative network, so no one from the student network can access the administrative network. Ensure firewall rules are in place to prevent this.
Enforce the password policy mentioned in the section above, and create another policy regarding the prompt removal of accounts for staff or students who have left the school.
Any wireless access given to students should require the use of their individual network logins, and not a shared password that is used by everyone. Again, this should be segmented, so anyone using a wireless account can only access what is necessary.
Any guest access to wireless should only allow access to the internet, and not any other segment of the network. If a shared password is used for this, it should be changed on a regular basis.
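The segmentation described in the three points above can be expressed directly in the firewall that sits between the segments. The following is an added example, not a configuration from the district or from this article: an nftables forwarding policy for a router that carries an administrative VLAN, a student VLAN and a guest Wi-Fi VLAN. The interface names (vlan10, vlan20, vlan30, wan0) and the address of a student-facing portal (10.0.10.20) are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Assumed interfaces (example, not from the article):
#   vlan10 = administrative network and servers
#   vlan20 = student network
#   vlan30 = guest Wi-Fi
#   wan0   = internet uplink
flush ruleset

table inet school {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed are fine; malformed state is not.
        ct state established,related accept
        ct state invalid drop

        # Administrative VLAN may reach everything, including the student VLAN for management.
        iifname "vlan10" accept

        # Student VLAN: internet only, plus one student-facing server over HTTPS.
        # Every other path into the administrative VLAN is logged and dropped.
        iifname "vlan20" oifname "wan0" accept
        iifname "vlan20" oifname "vlan10" ip daddr 10.0.10.20 tcp dport 443 accept
        iifname "vlan20" oifname "vlan10" log prefix "student->admin blocked: " drop

        # Guest Wi-Fi: internet only, never any internal segment.
        iifname "vlan30" oifname "wan0" accept
        iifname "vlan30" log prefix "guest->internal blocked: " drop

        # Anything else that reaches here is dropped by the chain policy; log it first.
        log prefix "forward drop: " drop
    }
}
```

The two logged drop rules are the check a practitioner wants: a student device probing the administrative VLAN shows up in the router's log with the source address, which is the difference between "we think the networks are separated" and "we can see the separation working". Load the file with nft -f and confirm the chain with nft list ruleset before trusting it.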
Ensure all servers have the latest anti-virus and malware detection software installed. Even servers that aren't file servers, or don't have any shared drives, should have this software installed. Remember: if an administrator-level account is compromised, an attacker can reach those servers through the remote management channels an administrator uses, even when no folder is deliberately shared.
Your email server must have specific anti-virus and spam filtering installed. It must not only scan incoming email, but also email between internal personnel and students. This prevents any local virus that distributes itself via email from reaching other users inside your system.
File permissions should be set to read-only for any staff member who does not need to modify a file on a particular shared drive, and staff should have no access at all to files that are irrelevant to their work.
Ensure all files, databases, and if possible any virtual servers, are replicated off site with a reputable cloud provider on a regular basis – probably every two to four hours. Be sure the provider has a point-in-time restore facility and keeps enough history to reach back before an attack; a plain mirror that always matches the current state of your servers will faithfully copy the encrypted files too. Point-in-time restore enables your network administrators to restore any files or virtual servers from a previous version – specifically, one taken before any damage was done to files in the case of a ransomware attack.
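The difference between a mirror and a point-in-time restore is easiest to see in code. The following is an added example, not code from the district or from this article: a toy content-addressed backup store in Python that takes snapshots of a small shared drive (constructed sample files), a stand-in for the malware that scrambles and renames every file, and a comparison of what a plain mirror, the newest snapshot, and a snapshot from before the attack each hand back. The file names, contents and times are made up.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample data (not from the district): a small shared drive.
SHARED_DRIVE = {
    "grades/period3.csv": b"student,grade\nA. Lee,91\nB. Cho,84\n",
    "lunch/register.csv": b"student,balance\nA. Lee,12.50\n",
}


class VersionedBackup:
    """Toy point-in-time backup: each snapshot records path -> content hash and the content
    is kept under that hash, so an earlier state can be rebuilt after files are overwritten."""

    def __init__(self):
        self.blobs = {}       # sha256 hex -> file bytes
        self.snapshots = []   # (taken_at, {path: sha256 hex}), appended in time order

    def snapshot(self, files: dict, taken_at: datetime) -> None:
        manifest = {}
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)   # unchanged files cost no extra space
            manifest[path] = digest
        self.snapshots.append((taken_at, manifest))

    def restore(self, before: datetime) -> dict:
        """Rebuild the drive as of the last snapshot taken strictly before `before`."""
        older = [(t, m) for t, m in self.snapshots if t < before]
        if not older:
            raise LookupError("no snapshot exists before that time")
        _, manifest = max(older, key=lambda tm: tm[0])
        return {path: self.blobs[digest] for path, digest in manifest.items()}


def mirror(files: dict) -> dict:
    """Plain replication: the off-site copy always equals the current drive, good or bad."""
    return dict(files)


def simulate_ransomware(files: dict, key: int = 0x5A) -> dict:
    """Stand-in for the malware: replace every file with a scrambled copy under a new name."""
    return {path + ".locked": bytes(b ^ key for b in data) for path, data in files.items()}


def recovery_demo() -> dict:
    """Snapshots at 10:00 and 12:00, attack at 14:00, another snapshot at 16:00."""
    backup = VersionedBackup()
    drive = dict(SHARED_DRIVE)
    backup.snapshot(drive, datetime(2015, 3, 21, 10, 0))
    backup.snapshot(drive, datetime(2015, 3, 21, 12, 0))   # identical content, deduplicated

    attack_at = datetime(2015, 3, 21, 14, 0)
    drive = simulate_ransomware(drive)
    replica = mirror(drive)                                  # the mirror now holds encrypted files
    backup.snapshot(drive, attack_at + timedelta(hours=2))   # the 16:00 snapshot is encrypted too

    return {
        "mirror_is_clean": replica == SHARED_DRIVE,
        "newest_snapshot_is_clean": backup.restore(before=attack_at + timedelta(hours=3)) == SHARED_DRIVE,
        "pre_attack_snapshot_is_clean": backup.restore(before=attack_at) == SHARED_DRIVE,
    }


if __name__ == "__main__":
    for name, clean in recovery_demo().items():
        print(f"{name}: {clean}")
```

Only the restore that reaches back before 14:00 returns the original files; the mirror and the newest snapshot both return scrambled copies. That is why the retention period matters as much as the snapshot interval: if the provider only kept the last two-hour snapshot, the 16:00 copy would have overwritten the only clean one.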
Make sure any servers, devices and software are regularly updated, and any critical patches applied promptly. It is common for access to be compromised by an out-of-date, forgotten system which should have been shut down or removed.
Also be sure to upgrade any operating systems that are no longer supported by the vendor, as the vendor will no longer release security updates for them.
Third-party vendors should be given access to the system only as needed, and that access should be disabled as soon as it is no longer needed. Ensure that vendor accounts follow the strict password complexity policy above, and that their accounts are set to expire regularly. There have been many cases where access was gained into the network via these types of accounts; Target was reportedly breached in 2013 using credentials stolen from one of its HVAC vendors.
These accounts, and every other active account, even those the administrator has not given administrative rights, are the first stepping stone into your network.
The bottom line is that attacks can be random, as in the case of most ransomware, or targeted specifically at your network.
In the case of the Swedesboro-Woolwich school district, it turns out that hackers gained access to the network through a weak password used by a vendor doing work for the school. The vendor, according to the school, had used the same username and password when it worked on many of its clients' systems. The attack originated from outside the United States, and apparently identified an open port in the system, then hammered it thousands of times per minute with various username and password combinations until one worked. A lockout or rate limit after a handful of failed logins, remote-access ports reachable only from the vendor's own addresses or over a VPN, and a second authentication factor on vendor accounts would each have blunted this kind of guessing attack. The district said that private student and staff information was not compromised in any way.
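An attack of this shape leaves an unmistakable trail in the authentication log: a burst of failures from one address against many usernames, followed by a success. The following is an added example, not code from the district or from this article: a Python detector that reads OpenSSH-style "Failed password" / "Accepted password" lines, keeps a sliding one-minute window of failures per source address, flags any address that exceeds a threshold, and separately reports the event that matters most, a successful login from an address that was already guessing. The log lines are constructed for the example (the addresses, hostnames and usernames are made up), and the year is assumed to be 2015 because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH password-authentication lines as written to syslog (no year in the timestamp).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_line(line, year=2015):
    """Return {ts, ok, user, ip} for a password-auth line, or None for anything else."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Sliding-window failure counter per source address.

    Returns (suspects, compromised). `suspects` maps an address to details once it has
    `threshold` failures inside `window`; `compromised` lists every successful login from
    such an address, i.e. a guessed password that worked. Lines must be in time order."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    failures = defaultdict(int)      # ip -> every failure seen
    users_tried = defaultdict(set)   # ip -> usernames attempted
    suspects, compromised = {}, []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
            if len(q) >= threshold and ip not in suspects:
                suspects[ip] = {"first_seen": q[0], "usernames": users_tried[ip]}
        elif ip in suspects:
            compromised.append({"ip": ip, "user": ev["user"], "at": ev["ts"],
                                "failures_before": failures[ip]})
    return suspects, compromised


def sample_log():
    """Constructed log (not the district's): about eight guesses a second from one outside
    address, then a success on the vendor account; later a staff member mistypes once."""
    base = datetime(2015, 3, 21, 2, 14, 0)
    users = ["admin", "root", "vendor", "support", "administrator"]
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=i // 8)
        user = users[i % len(users)]
        tag = "" if user == "vendor" else "invalid user "
        lines.append(f"{t:%b %d %H:%M:%S} fileserver sshd[{4000 + i}]: Failed password for "
                     f"{tag}{user} from 203.0.113.7 port {50000 + i} ssh2")
    t = base + timedelta(seconds=6)
    lines.append(f"{t:%b %d %H:%M:%S} fileserver sshd[4100]: Accepted password for vendor "
                 f"from 203.0.113.7 port 50100 ssh2")
    t = datetime(2015, 3, 21, 8, 0, 12)
    lines.append(f"{t:%b %d %H:%M:%S} fileserver sshd[5101]: Failed password for jsmith "
                 f"from 10.0.10.25 port 40012 ssh2")
    t += timedelta(seconds=9)
    lines.append(f"{t:%b %d %H:%M:%S} fileserver sshd[5102]: Accepted password for jsmith "
                 f"from 10.0.10.25 port 40013 ssh2")
    return lines


if __name__ == "__main__":
    suspects, compromised = detect_bruteforce(sample_log())
    for ip, info in suspects.items():
        print(f"guessing from {ip} since {info['first_seen']}: {sorted(info['usernames'])}")
    for hit in compromised:
        print(f"SUCCESS from {hit['ip']} as {hit['user']} after {hit['failures_before']} failures")
```

The threshold of ten failures a minute is deliberately low; an attack running at thousands of attempts a minute trips it within the first second, while the staff member who mistypes once and then logs in is never flagged. The same counter is what an account-lockout or fail2ban-style rule acts on, and the "success after a burst" report is the line to page someone for, because at that point the password has already been guessed.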
While no system is completely immune from attack, school districts should make sure they are doing everything they can to deter such an attack. The tips mentioned here are a good foundation for security.