Cybersecurity threats challenge K-12 schools’ resilience and preparedness

Oct. 22, 2021
The Lewisville Independent School District mitigates its cyberattack risks that increased during the COVID-19 crisis

Hackers love soft targets. So, when cybercriminals began to inventory potential victims for everything from sophisticated ransomware attacks to annoying phishing strikes over the last decade, K-12 school districts felt the immediate impact. In fact, the playing field for these cybercriminals has only expanded over the last 20-plus months during the COVID-19 crisis. A widened threat landscape initiated by a forced move to virtual classrooms and remote learning increased the risk to students, teachers and parents, along with the schools themselves. The vulnerabilities revealed last year are vividly clear in a recently released report from the K-12 Cybersecurity Resource Center, which found that K-12 schools experienced an 18% increase in cyberattacks in 2020 over 2019, and that 377 school districts across 40 states suffered a record-setting 408 publicly disclosed cybersecurity incidents, with phishing, data breaches and ransomware being the most common attacks.

The ramifications of a successful cyberattack can be catastrophic. In 2018, more than 500,000 students and staff at San Diego’s Unified School District had their personnel data, including social security numbers, phone numbers, addresses, private health records and dates of birth, compromised by cybercriminals. The tangible consequences may include online harassment of students and teachers and financial and identity fraud, and may even negatively affect future college admissions and special education grants.

Cybersecurity is Now the Golden Rule

For large school districts around the U.S., cybersecurity has emerged as a top-of-mind issue despite most schools still scrambling to find budget dollars to fund critical physical security needs. The security concerns for the Lewisville Independent School District (LISD), located in a fast-growing suburb outside Denton in the Dallas–Fort Worth metroplex, mirrored the uptick in cybercrime seen across the country since 2020. According to Chris Langford, CISSP, Director of Network, Infrastructure and Cybersecurity for LISD, his district saw a major increase in phishing attacks in the first months of the 2020-21 school year, with his system blocking more than 16 million malicious email messages during that stretch.

Langford, who has been with LISD for five years and has been mainly entrenched in the K-12 sector his entire career, directs a team of IT security professionals who are responsible for all of the wired and wireless network connectivity for the district. The district encompasses about 120 square miles and houses 69 school campuses and a total of 75 locations that have staff or students. The district employs approximately 6,500 staff and teachers and has more than 50,000 students enrolled.

“The emphasis on technology and cybersecurity has really ramped up in the last 10 years in the K-12 space. However, in the last five or six years, most school districts have made an extra effort to focus on cybersecurity. Things have definitely changed, and school districts are a huge target now,” says Langford. “Especially when you're looking at ransomware. The school districts are a massive target for ransomware and extortion from the threat actors. So yeah, things have definitely changed in K-12 and a lot of school districts, especially larger school districts that have the financial capability to do so are putting a larger emphasis on cybersecurity.”

When the school district opted for remote learning beginning in March 2020 through the end of its school year, it had more than 91,000 devices assigned to students and staff. This fall, Lewisville schools opened with 100% of its students still remote for the first two weeks, and over the next nine weeks, close to 50% of its students were still taking classes from home. For the past nine years, the district has issued one-to-one electronic devices to students in fourth through 12th grades, but over spring break they began configuring other Chromebook devices for pre-K through third graders who previously had none and also began migrating staff from desktop computers to Windows laptops.

As Lewisville started updating its networks and invested in new hardware and software, along with training for staff and teachers, Langford worked with administrators to deploy Cisco Umbrella and Cisco Secure Email Cloud Gateway solutions.

“For us, emphasis on upgrading our cybersecurity posture started about three years ago. We passed a bond in the spring of 2017 and cybersecurity was a big emphasis within that bond. Starting in the spring of 2018 was when we had the funds available and were able to start the projects. We were looking at how our schools could holistically improve their cybersecurity posture. As we looked at these companies, one of the things that intrigued us the most about the Cisco Security Portfolio and their Enterprise License Agreement was it enabled us to purchase an enterprise license agreement and the different timeframes you could use all of the products within that enterprise license agreement, which was the majority of their cybersecurity products,” Langford says, adding that LISD opted for a five-year initial commitment.

“You could use the ‘all you can eat' option for that five-year period with no true-up costs, no increase of licensing. You pay five years upfront and you're done. That was extremely appealing for us,” says Langford, explaining that LISD also liked how easily the Cisco products integrated with the myriad solutions across the existing networks, along with the accessibility of granular controls.

According to Langford, the seamless operation of the entire software suite has been a huge factor in the school system mitigating risks associated with an increase in email phishing threats. Cisco Advanced Malware Protection (AMP), a security solution that addresses the full lifecycle of the advanced malware problem, integrates with the Cisco Identity Services Engine (ISE), a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. This integration simplifies identity management across diverse devices and applications. The platforms are tied into the Stealthwatch program, which provides continuous real-time monitoring of, and pervasive views into, all network traffic, creating a baseline of normal web and network activity for a network host and applying context-aware analysis to automatically detect anomalous behaviors.

“They've recently rolled out a new product called Cisco SecureX, which is really the dashboard or the control center where all of the different products that send that information, everything comes into this. For us, the AMP, Umbrella, Stealthwatch, combined with our existing Cisco Cloud Email Security, all feed into SecureX. So, if we want to look for indicators of compromise, for example, we can take those indicators of compromise and just put them in one place in SecureX, then simply paste in an IP address or the domain names, or whatever we're looking for. It will search all of those different platforms within our environment to see if there are any indicators of compromise from any of those things,” says Langford. “We’re looking at the endpoints with AMP, at our domain logs through Umbrella to see what people have tried to access on the internet. We are also looking at the network intelligence that Stealthwatch provides and then going through email with our Cloud Email Security to see if any of those indicators of compromise have hit anywhere. It's really a slick system.”

Having a Plan

While Langford’s team had a solid strategic game plan and implemented it well, he knew that any security program, whether it's physical or cyber, needed to have a framework of training and buy-in from employees -- and in this case, student support.

“We also stepped up our game pre-pandemic at the same time we were trying to increase our cybersecurity posture. We started doing more intense end-user training and especially on the phishing side of things, where we had been doing simulated phishing emails once a month since 2018. And we still do those where all staff gets a simulated phishing email. They don't know if it's real or if it's from us. We track who clicks on those, what our failure rate is and analyze our vulnerabilities,” Langford explains.

“We had been doing that for a while before the pandemic. A lot of our staff is already leery whenever they receive emails anyway, which is good. We'd also stepped up our training too at the same time. The state of Texas had passed a law that every school district employee has to go through a [cybersecurity] training program that's been certified by the State once a year. Our employees go through that plus the additional training that we do throughout the year and the simulated phishing tests. So thankfully our staff was already kind of used to it so having the same type of filtering when they were at home really wasn't an adjustment for them. The steps we took prior to the crisis positioned us well,” concludes Langford.

About the Author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and top-rated web portal SecurityInfoWatch.com. Steve can be reached at [email protected]