PHOTO CREDIT: JAMES THEW/STOCK.ADOBE.COM
The internet was a lifeline for school districts during the pandemic. Online education allowed districts to continue to function when health concerns of students and staff prevented in-person learning. However, the connectivity of our school districts and their dependence on computers, social media, and the penetration of the internet into most aspects of society raise significant risks for both school districts and school board members. You’ve likely thought about the first issue but may not have considered the second.
Your school system could be a target. So could you personally.
You already are familiar with the threat of hackers breaking into your district data and stealing personal information. You certainly also have heard about the risks of ransomware, which is when an attacker encrypts some or all school records and demands a fee to return the data to you. And even paying the ransom does not guarantee the hacker will honor the agreement to free up your data. According to antivirus software company Emsisoft, 62 school districts and 26 colleges and universities—a total of 1,043 schools—were affected by ransomware in 2021.
If you haven’t heard about ransomware, consider what the Deputy Director of the U.S. Cybersecurity and Infrastructure Security Agency, Nitin Natarajan, had to say on the topic recently: “We had an incident with a small school district that was a victim of ransomware. They called the number and said, ‘We don’t have any money. We’re just this tiny school district. You don’t understand.’
“And the attackers said, ‘No, we know how much money you have. We have your bank account statements. We know how much you have. And we know how much you can pay and what we’re asking you is pretty commensurate to how much you’ve got in the bank.’” (Read the entire interview with Natarajan at https://future.com/cisa-deputy-director-cybersecurity-ransomware.)
To be sure, protecting the district and its students is the job of the district’s information technology (IT) and security staff, under the guidance of the superintendent. However, you as school board members set the policies under which these activities take place, including an acceptable use policy and a policy on the privacy of student records. You also provide oversight.
To help you exercise your responsibilities, I wrote a set of questions for school IT staff, superintendents, and school boards to consider. Some of these questions are technical, but as school board members, your focus will be asking whether the superintendent and staff have considered them.
Questions to ask right now
Do we have a full inventory of devices, hardware, software/applications, and cloud services that we use? How do we keep that up to date?
Is all our software current and “in support” by the publisher? For example, are all of our Windows end-user computers on Windows 10 or 11, or on at least Windows 8?
What is our patch management policy? How quickly do we patch critical and severe vulnerabilities? Are we fully patched right now?
How do we authenticate users? How broadly do we use authentication stronger than just a username and password? Is multifactor authentication required for computer administrators and anyone with access to sensitive student data?
How do we address malicious software on our systems? Do we depend just on antivirus software? Do we use a “Protective DNS Service” like Quad9 (https://www.quad9.net) to detect and prevent installation and operation of malicious software?
How do our security protections work in a remote learning environment, if we are use that approach widely again? How well do our security tools work when devices are not on the schools’ network and may not be on site for months at a time?
Is our data backed up? Are the backups offline or online? Could our backups be erased or encrypted by an intruder? How often do we back up? If we were hit by ransomware, could we restore our systems, or is it possible that our backups would be encrypted, untrustworthy, or unavailable?
How do we defend against phishing attacks? If a principal’s username and password were phished, how would we know it?
Questions to ask as soon as possible
Are our devices and software/applications securely configured? What standards do we use to configure endpoints and servers? How do we lock down those configurations so users can’t change them?
Do we scan our network for vulnerabilities? Do we scan both externally facing systems like websites and our internal network (servers, endpoints, applications)?
How do we monitor and log activity to detect attacks and system abuse? How long do we retain logs? How would we detect inappropriate use of our systems by insiders, such as students or staff?
What is our incident response plan? How would we respond if we were attacked, such as through ransomware? Do we have any arrangements with third parties, such as the state or private companies, to help? If student data were exposed, how would we handle it?
Have we locked down video-conference capabilities? Are we making sure that uninvited guests can’t join, and if someone disrupts the learning environment, we can immediately stop the misbehavior and identify who is responsible?
Do we protect our community against attacks that use our reputation and domain? Have we deployed Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent spoofed emails being sent to students and parents? This point is easily forgotten: Students or their families could be attacked by sending spoofed emails from the school system, such as “please install this software” (where the software is actually malicious). This can harm students, families, and the school system.
Are we worried about denial-of-service attacks? Do we have defenses in place, and if an attack occurred, how would we respond?
Other important questions
How do we select third-party and cloud services? Do we look at their security practices?
Have we examined the privacy and other policies for our software and service providers (including cloud services and applications) so that we are confident our sensitive data, particularly student and staff data, are not being used inappropriately?
What is our strategy for protecting smart devices (IoT) on our network? If we installed a smart device on our system, and it had a vulnerability, how would we know and what would we do?
Other things to question that are not on the technical side:
Is the superintendent aware of the risks and what we are doing? Does the superintendent know their role in an incident? Has the school board been briefed and has it been asked for any additional resources needed to help provide cybersecurity and privacy?
Have we talked to students and the community about the risks, to obtain their help to spot problems, and to emphasize that securing the schools (and remote learning, if ever again necessary) is a responsibility we all share?
Last, and perhaps most important, the Multi-State ISAC, part of the Center for Internet Security and funded by the federal government, offers free services to K-12 public school districts. Have your IT staff take a look: www.cisecurity.org/wp-content/uploads/2020/12/MDBR-K-12-Handout.pdf.
PHOTO CREDIT: ANDREY POPOV/STOCK.ADOBE.COM
While being on the school board has never been an easy job, the last few years have made it considerably more difficult. The pandemic and remote education exacerbated tensions over school name changes, school violence, mask mandates, and critical race theory and equity. Many boards have had meetings dissolve into shouting matches.
As a school board member, you will receive very candid feedback. It goes with the territory. Parents protect and advocate for their kids, as they should, and we all need to listen. Sometimes that passion goes pretty far and occasionally too far. Although I have been in the public eye for much of my life, I received my first and only death threat when the Falls Church City School Board unanimously renamed two of our schools. Fortunately, that threat was a moment of bad judgment for one individual, and the school district and the police responded quickly and appropriately.
The risks we must consider as board members not only concern physical safety but also safety online. You can expect to receive a lot of feedback at your school board email, but what if you start to receive aggressive communications via your personal email, or calls or texts to your mobile phone or home number? What about harassment via social media? Targets of online harassment have long been confronted by “doxing,” which is publishing personal information about a target, and “denial of service” attacks that overloading your accounts (email and social media) with messages. Worst of all, what if someone breaks into your email or social media accounts, or your school or home computer, and leaks or destroys information you consider confidential or important?
Fortunately, there are some relatively easy things that you can do to make yourself more resilient to attack. The first, and by far the most important, is to set up your accounts and services to use more than just passwords. This means you don’t just enter a username and password to gain access but also, for example, receive a code by text or from an app on your phone to be able to log onto an account. The U.S. Cybersecurity and Infrastructure Security Agency has an entire webpage dedicated to these precautions: www.cisa.gov/mfa.
Even if you use more than a password, do NOT reuse passwords on more than one site. For some fun, visit https://haveibeenpwned.com to see how many of your passwords have already been compromised by hackers breaking into other websites and online services.
Second, keep all your computers, phone, tablets, and devices up to date with new versions and patches. If there is a problem with your web browser, for example, it might be possible to take over your computer as you browse the web. For some computer software problems, simply having your computer turned on and connected to the internet is enough to allow an attack. So just say “yes” to updates as soon as you possibly can.
The third thing makes just as much sense, although it’s a bit harder to do. Back up your data. Especially with the rise of ransomware, the need to back up has reached critical levels. Schools aren’t the only target of ransomware attacks—individuals are vulnerable as well. There are tools built into your computers to help with this, such as iCloud backup on iPhones, and other sites can help you see what you need to do, including this one: https://gcatoolkit.org/individuals/backup-and-recover.
My fourth suggestion is perhaps the easiest thing of all but is likely the one that you haven’t heard about. Use a “protective DNS service.” DNS is the phonebook of the internet. It’s how a computer figures out the site you really want to visit when you type in a website name. Some DNS services will block access to malicious sites, so if you click on a malicious link, for example, there’s a good chance you won’t suffer the consequences. You can set up these services on your home computer in less than two minutes by following simple directions, and some are free. Take a look at Quad9 (https://www.quad9.net).
Finally, free services are available to help identify these and other steps with the tools you need to do these things. The Global Cyber Alliance, where I work, has produced a free “Cybersecurity Toolkit for Individuals,” and all the tools in it are free: https://gcatoolkit.org/individuals.
Consumer Reports produces “Security Planner,” a tool designed to help secure your devices with advice for each. https://securityplanner.consumerreports.org. And although you are a school board member, and not a journalist, there is a great collection of resources for dealing with online abuse from the Committee to Protect Journalists at https://cpj.org/resources-for-protecting-against-online-abuse.
The most important thing to remember is that you can do this. It’s easy to get lost in the jargon, but doing a few key things can significantly reduce your risk and that of your district.