Clark County School District in Nevada, the fifth-largest school district in the United States, recently experienced a massive data breach. Threat actors gained access to the school district’s email servers, which exposed the sensitive data of over 200,000 students. The district is now facing a class-action lawsuit from parents, alleging it failed to protect sensitive personal information and take steps to prevent the cybersecurity attack. According to the lawsuit, that personal information includes student and employee records, medical information, Social Security numbers and health insurance information.
The class-action lawsuit identifies the group that initiated the cyber attack as SingularlyMD. Alarmingly, the hacker group claimed to use weak passwords — in this case, students’ dates of birth — and flimsy Google Workspace file-sharing practices to access a multitude of sensitive data. Hackers stated the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account, and their student ID became their username on the social media platform. This same method was also reportedly used to compromise records maintained by Jeffco Public Schools in suburban Denver.
Unfortunately, cyber attacks at K-12 school districts continue to worsen. In February 2023, the Los Angeles Unified School District disclosed that approximately 2,000 student assessment records were posted on the dark web, including an unspecified number of driver’s licenses and Social Security numbers. And in March, hackers posted data stolen from the Minneapolis public school system. A recent cybersecurity report noted that there has been an 800% rise in ransomware attacks against K-12 institutions since 2021, and K-12 education is now the single most targeted industry for ransomware attacks.
What can organizations learn from the Clark County breach and others like it?
Lesson 1 – Cyber Attacks Are Not Always Complex
Oftentimes attackers use stolen or weak passwords to gain access. One of the primary methods used by hackers in the Clark County School District attack was exploiting weak passwords, specifically students’ dates of birth. School IT administrators should enforce strong, complex passwords for all users within a network. A password should not include personal information or dictionary words.
Hackers can also employ various tactics including malware installation, phishing, social engineering and brute force attacks, to gain access to passwords. To mitigate this risk, school IT administrators must educate users on the importance of not reusing passwords and not clicking on any unsolicited links or attachments.
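The policy above (no personal information, no dictionary words) can be enforced at password-set time rather than left to training. The following is an added example, not code from the original post or from any vendor, that rejects passwords containing a user's date of birth in common layouts, their student ID, name or email handle, or a dictionary word; the user record, the tiny wordlist and the 12-character minimum are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample wordlist; a real deployment would load a full dictionary
# and a breached-password list instead.
DICTIONARY_WORDS = {"password", "welcome", "school", "student", "summer", "football"}

def personal_tokens(dob, student_id, first, last, email):
    """Strings derived from the user's own data that must not appear in a password."""
    y, m, d = dob.year, dob.month, dob.day
    tokens = {
        f"{y:04d}{m:02d}{d:02d}", f"{m:02d}{d:02d}{y:04d}", f"{d:02d}{m:02d}{y:04d}",
        f"{m:02d}{d:02d}{y % 100:02d}", f"{d:02d}{m:02d}{y % 100:02d}",
        f"{m}{d}{y}", f"{y:04d}",
        student_id, first, last, email.split("@")[0],
    }
    # Very short tokens (e.g. a two-letter name) would cause false positives.
    return {t.lower() for t in tokens if t and len(t) >= 3}

def password_violations(password, user):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    # Drop separators so 2009-05-17 and 05/17/2009 are caught as well as 20090517.
    compact = re.sub(r"[^a-z0-9]", "", password.lower())
    for token in sorted(personal_tokens(**user)):
        if token in compact:
            problems.append(f"contains personal data: {token}")
    for word in sorted(DICTIONARY_WORDS):
        if word in compact:
            problems.append(f"contains dictionary word: {word}")
    return problems

def sample_user():
    """Constructed student record (not a real person)."""
    return {"dob": date(2009, 5, 17), "student_id": "10045678",
            "first": "Alex", "last": "Rivera", "email": "arivera@example-district.edu"}
```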
Lesson 2 – Remove Friction from Security Processes
Implementing Multi-Factor Authentication (MFA) is crucial in adding an extra layer of security to school networks. MFA requires users to provide more than one form of authentication to access a service or application. This is typically something you have (like a smartphone or a hardware security key) and something you know (like a password or a PIN).
While MFA may be perceived as cumbersome, it significantly reduces the risk of unauthorized access resulting from phishing, malware, social engineering and brute-force attacks. However, to ensure adoption, it is essential to balance security with user experience. Requiring staff to use strong passwords means your IT team will likely receive additional requests for password resets, for example. One way to mitigate security/usability issues like this is to deploy a secure password manager that stores passwords and autofills logins for employees, making the process simple and reducing help-desk tickets.
Single Sign-On (SSO) is a popular user convenience solution that streamlines the login process, allowing end-users to log in to multiple websites or cloud applications with a single set of login credentials. However, SSO is not primarily a security solution and depending on how SSO is deployed, it may leave significant security gaps. Additionally, SSO should not be used for the most critical “crown jewels” systems or databases. Access to these systems should be limited to only “privileged users” and managed via a Privileged Access Management (PAM) solution.
A comprehensive identity and access management strategy should use a layered approach that combines SSO, PAM and a password manager to enhance security without causing excessive inconvenience to end users.
Lesson 3 – Review Sharing Rules and Practice Least Privilege
The Clark County School District breach also highlighted the importance of reviewing and enforcing sharing rules. Implementing a PAM solution can help control access to sensitive files by enabling granular permissions and Role-Based Access Control (RBAC). It’s critical to separate employee and student networks and ensure students only have access to systems needed for classwork. The Principle of Least Privilege (PoLP) is a cybersecurity concept in which users are given just enough network access (aka user privileges) to the information and systems they need to do their work, and no more.
The hackers in the CCSD breach also claim to have exploited poor data-sharing practices in the district’s Google Workspace to access sensitive files. Many schools use Google Workspace, so system administrators need to pay particular attention to their Google Workspace sharing rules and configurations to avoid unauthorized access.
Cybersecurity education for students, families, and staff is key to preventing breaches. All users should avoid sharing passwords in unencrypted formats (such as text or email) and system administrators should limit the number of individuals who can share sensitive data. Teachers, staff and students should be trained on best practices for creating and protecting passwords, and sharing files. This is particularly important because hackers often gain access to schools via apps utilized or emails opened by staff or students.
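Reviewing Google Workspace sharing rules means finding files that are public, shared with the whole domain, or shared with outside accounts. This added example (not code from the original post or from Google) audits a list of file records shaped like the Drive API v3 files resource with its permissions array; the sample records, the district domain and the assumption that such a list was fetched with `files.list` are constructed for illustration.

```python
ORG_DOMAIN = "example-district.edu"   # assumed district domain

# Constructed sample in the shape of Drive API v3 file resources
# (id, name, permissions[] with type/role/emailAddress/domain/allowFileDiscovery).
SAMPLE_FILES = [
    {"id": "f1", "name": "IEP roster.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "counselor@example-district.edu"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Staff SSNs for payroll.csv", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example-district.edu"},
        {"type": "domain", "role": "writer", "domain": "example-district.edu"}]},
    {"id": "f3", "name": "Field trip form.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "teacher@example-district.edu"},
        {"type": "user", "role": "reader", "emailAddress": "parent@gmail.com"}]},
    {"id": "f4", "name": "Lesson plan.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "teacher@example-district.edu"}]},
]

def sharing_findings(files, org_domain=ORG_DOMAIN):
    """Return (file_id, name, finding) triples for every over-broad permission."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p["type"] == "anyone":
                how = "discoverable" if p.get("allowFileDiscovery") else "anyone with the link"
                findings.append((f["id"], f["name"], f"public ({how}, {p['role']})"))
            elif p["type"] == "domain":
                # Domain-wide sharing exposes the file to every student account in the domain too.
                findings.append((f["id"], f["name"],
                                 f"entire domain {p.get('domain')} as {p['role']}"))
            elif p["type"] in ("user", "group") and p["role"] != "owner":
                addr = p.get("emailAddress", "")
                if not addr.lower().endswith("@" + org_domain):
                    findings.append((f["id"], f["name"], f"external {addr} as {p['role']}"))
    return findings
```

The files with no findings (only the owner, or only in-domain named users) are left out so the report lists just what needs a sharing change.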
Lesson 4 – Responding to a Breach
In the unfortunate event of a data breach, schools must have a well-defined response plan. This includes prompting students and staff to change passwords immediately, monitoring accounts for suspicious activity and alerting officials as soon as possible. Fast and organized response and communication can significantly mitigate the impact of a cybersecurity incident.
Anyone affected should be advised to change their usernames and passwords on their personal devices if they are reusing the same login information that they use for district devices and systems. Schools should have a cybersecurity incident response team in place to determine the full scope of any breaches and determine what personal data may be at risk. Once that is done, existing policies should be reviewed and additional safeguards should be implemented. Schools should also work with state and federal regulators as required.
Mitigating Risks With Keeper Security Government Cloud
Having robust controls and security practices in place, such as requiring multi-factor authentication for district logins and using a password manager, can significantly improve the cybersecurity posture at school districts. Password managers help all employees create strong, unique passwords for all their accounts and store them in a secure location.
Keeper Security Government Cloud (KSGC) uses delegated administration and role-based enforcement policies to provide complete visibility and control over identity security risks within your school’s networks. Keeper’s PAM solution simplifies how schools manage and secure access to highly sensitive systems and data. Traditional PAM solutions are often cost-prohibitive, difficult to deploy and contain unused features. KeeperPAM® addresses the key pain points and requirements in organizations to prevent data breaches with just the features you need.
- Cost Effective: A single platform with minimal IT staff required to manage it
- Fast Provisioning: Seamlessly deploys and integrates with any tech or identity stack in just a few hours
- Easy To Use: Unified admin console and modern UI for every employee on all device types – average training time is less than 2 hours
The Clark County School District cybersecurity attack is just one of many attacks that continue to happen at schools all across the country. By implementing robust cybersecurity measures, schools can create a safer digital environment for students, staff and families. Strengthening password security, adopting multi-factor authentication, reviewing sharing rules and having a well-defined response plan are crucial steps in protecting against the evolving landscape of cyber threats in the education sector.