Jeremy Kirk, the editor over at ISMG reported on Twitter last night that the Vice society was claiming responsibility for the LA School District cyberattack. The Vice Society is a “double extortion” ransomware group, meaning they encrypt the data and also threaten to publish it.
Most public school districts are notoriously under-funded. They can barely pay their teachers, so how much do you think they are spending on cybersecurity? This under-investment in cybersecurity makes them prime targets for amateur hackers; the ransomware pros won’t go after the public school districts because they know they have no money to pay a ransom.
Cybersecurity is very much fought on the defensive and rarely fought on the offensive, especially within the K-12 space. If an organization is taking the time to run internal audits on their security infrastructure, then you are already fighting half the battle. Additionally, if you’ve run those infrastructure audits and actually find vulnerabilities within your system, congratulations! You have successfully placed your organization ahead of any bad actors who might take advantage of those vulnerabilities and potentially stop a planned attack in its tracks.
As a Cybersecurity professional, I understand the lack of training that exists for the endless amount of tools organizations seem to gather in hopes of a “hardened” security posture. I also understand that organizations like our K-12 districts don’t have endless amounts of funds. We cannot predict when or what the next attack is going to be. However, if I may offer a place to start (re-start rather). Three first steps:
While there’s been a lot of speculation about the attack targeting the Los Angeles Unified School District, it’s unclear when the attackers gained initial access to the network and if the report accurately reflects the school district’s network’s vulnerabilities as it exists today. Network environments change from day to day as users are added or removed, and technologies are adopted or sunset. While it is possible that attackers could have exploited various vulnerabilities or misconfigurations over two years ago and waited until now to conduct an attack, it is more likely that they gained access relatively recently.
Furthermore, the exact vulnerabilities or misconfigurations exploited by the attackers are still unknown. This is why it’s so important for organizations to constantly apply patches and fixes when they are made available, and then proactively pentest their network from an attacker’s perspective. This can help them find, fix, and verify any vulnerability or misconfiguration that was in their environment is no longer exploitable. Taking these steps makes it far less likely that an attacker can gain access to a network and move across it to steal data or bring it down, and ensure that organizations are continuously verifying their security posture.