With the increase in cyber attacks against school districts this year, I’ve had numerous vendors attempt to use fear to push their products as a remedy to my cyber woes. In communications with other districts, this seems to be a common thread: already cash-strapped districts are being pushed to purchase more expensive, exotic products as a way to protect themselves. Unfortunately, this basically amounts to adding a turbocharger to a car with 3 tires, and sometimes the mechanic doesn’t even install it right.
The root of the issue is that we’ve been taking our focus off implementing the basic fundamentals, which aren’t fun or sexy, and instead, we’ve been buying expensive products that often aren’t fully utilized (you know that Palo Alto NGFW can do way more than any of us are using it for). It’s human nature to attribute more value to things that cost more, so we tend to think the more expensive these products are, the better they should be protecting us. The problem is, you are only as strong as your weakest link, so if you have added the “Domain Users” group to your “Domain Administrators” group for convenience, no amount of money or security tools is going to save you.
The rest of this is a (slightly modified) response to a mailing list thread that was talking about cyber incidents in K12. The most crucial thing I missed was pointed out by April Mardock: Do you have an offline or immutable backup with a BC/DR plan to restore in the event of an incident? If so, when was the last time you tested restoring everything to make sure it works? It seems antiquated to use tape for offsite, offline backup, but disk-to-disk-to-disk/cloud with everything online means all of it is easily targeted during something like a crypto-locker attack.
Instead of focusing on the specifics of attacks that others are experiencing, we need to be focusing on the security controls that we are all lacking that allow entire classes of attacks to happen in the first place. Do you know what is on your network, whether it is fully patched, and what your network, systems, and identity architectures look like? Next-gen firewalls, Next-gen AV / Endpoint Detection and Response, network security tools, etc. are a poor use of time and money if you don’t have basics in place like not sharing admin accounts across desktops or servers. That’s not to say these tools don’t have value, but relying on them is like building a house on sand – a poor foundation compromises everything built on top of it.
Here’s my short list of things to look at as a response to these ongoing incidents if you are just getting started:
1) Sign up for MS-ISAC (free) and use their workbench and CIS CAT tools to develop secure baselines for your stuff
Also look at Microsoft’s Security Compliance Tool to create baselines for Windows
2) Sign up for CIS’s CSAT to track your progress on implementing CIS’s Top 20 security controls
3) Most systems (especially Windows) come with inadequate audit logging
Turn up auditing using these cheat sheets: https://www.malwarearchaeology.com/cheat-sheets
LOG-MD and SysMon can both help with this too
Now pull those logs to a centralized logging server so an attacker can’t delete them and you can alert on them (look at Graylog, Elastic stack, or similar for a free solution)
4) If you are an AD shop, start walking through Microsoft’s guide for securing identities
I would specifically focus on separating accounts for tier 0, tier 1, and tier 2 accounts, remove local admin rights in favor of using LAPS, and enable Credential Guard / Device Guard.
Privileged Access Management, Conditional Access, and Multifactor Authentication are definitely worth the time investment and frustration of implementation (sometimes we need to have hard conversations).
Also, to make it harder for attackers to move laterally, you should limit SAMR and NetSessionEnum:
https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b (can also be done via GPO, just search for it)
5) Start investing in vulnerability management (this is taking patching to a whole new level)
Patch management is a must and should be automated and reported on
OpenVAS is free but a bit clunky: https://github.com/greenbone/openvas
Nessus Pro, Rapid7, Qualys – pick something your staff will actually use
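Items 3 and 4 above fit together: once audit logs are centralized, the tiering rules you set can be checked against them. The following is an added example (not from the original post) that scans forwarded Windows Security events, in JSON lines as a log shipper might emit them, for three things the post cares about: a change to a tier-0 group, a tier-0 admin account logging on interactively to a non-tier-0 host, and a cleared security log. The data field names (EventID, SubjectUserName, TargetUserName, MemberName, LogonType, Computer) follow the Windows event XML; the JSON framing, host names, account naming convention and sample events are all constructed for the example.

```python
import json

# Constructed sample events, as a log shipper might forward them to Graylog/Elastic.
# Field names mirror the Windows Security event XML; the JSON shape is an assumption.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=Domain Users,CN=Users,DC=example,DC=local", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 10, "Computer": "LAB-07"},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 2, "Computer": "DC01"},
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=student42,CN=Users,DC=example,DC=local", "Computer": "WS-12"},
    {"EventID": 1102, "SubjectUserName": "jdoe", "Computer": "FS01"},
]]

# Site-specific policy (assumptions for the example): which groups and hosts are tier 0,
# and the naming convention that marks a tier-0 admin account.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
TIER0_HOSTS = {"DC01", "DC02"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached console logon


def is_tier0_account(name):
    return name.lower().startswith("da-")


def check_event(ev):
    """Return an alert string for a single event, or None if it is uninteresting."""
    eid = ev.get("EventID")
    if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName") in TIER0_GROUPS:
        return (f"tier-0 group change: {ev.get('MemberName')} added to "
                f"{ev.get('TargetUserName')} by {ev.get('SubjectUserName')} on {ev.get('Computer')}")
    if (eid == 4624 and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES
            and is_tier0_account(ev.get("TargetUserName", ""))
            and ev.get("Computer") not in TIER0_HOSTS):
        return (f"tier separation violated: {ev.get('TargetUserName')} logged on "
                f"interactively to non-tier-0 host {ev.get('Computer')}")
    if eid == 1102:   # audit log cleared: an attacker covering tracks, or a careless admin
        return f"security log cleared on {ev.get('Computer')} by {ev.get('SubjectUserName')}"
    return None


def scan(lines):
    """Run the checks over JSON-lines input and return the list of alerts in order."""
    alerts = []
    for line in lines:
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print("ALERT:", a)
```

The same three rules translate directly into alert conditions in Graylog or Elastic once the events are there; the point is that the rules are only enforceable after the logs leave the endpoint.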
There are just so many basic things we aren’t doing well that diving into exotics like man-in-the-middle inspection to catch malware, or Endpoint Detection and Response and Security Orchestration, Automation and Response platforms, is a waste of precious time and money. We invest in these because we are hoping they will save us from having to do the not-so-sexy work, the hard work. The work that actually needs doing.
Feel free to email us with any questions (firstname.lastname@example.org) we are happy to help! Good luck!
One more thing…
We currently have an event open where industry ethical hackers employed by world-class security teams can be scheduled to speak in your teachers’ classrooms for free. Please share the information with your teachers as it is an amazing opportunity!