Earlier this year an employee in Gilbert Public Schools’ accounts payable department received an email from one of the district’s known vendors.
The employee opened the attachment with no reason to believe anything was wrong.
But there was.
“When they clicked on the attachment, it delivered a virus into our network,” said Ward Heinemann, district system administration coordinator. “It was a worm that spread itself from computer to computer within that department.
“They actively read our directory information and uploaded account names and attempted to break into those over the weekend until they locked the accounts sequentially or one after the other. We came back Monday morning and had a whole series of accounts locked out because of the attack.”
The hacker attempted to break in either to steal information to sell or lock up the district’s system for ransom, Heinemann said.
Ransomware is a $1-billion-a-year criminal enterprise, according to the FBI. Crooks demand money from the victims of such attacks in return for unlocking access to data or systems.
The March incident was not out of the norm for Gilbert Public Schools, which is under attack daily in cyberspace, the district’s technology staff recently told the GPS Governing Board.
School districts have become prime targets of cyber crimes because they lack the means to protect themselves like the Fortune 500 companies, according to Jon Castelhano, executive director of technology.
“School districts don’t have the resources, they don’t have the security officers, they don’t have the proper tools,” Castelhano said. “But even the Fortune 500 companies are still hit, so throwing money at it is not necessarily the answer.”
What makes school districts especially appealing to hackers is that they have access to sensitive data and finances that can be used for identify theft or other bad intentions and school officials generally don’t prioritize cybersecurity, according to Diligent Corporation, a governance software provider.
Not all attacks come from viruses. Some are simple emails that are scams, the company said, pointing to a Kentucky school district that in April lost — and later recovered $3.7 million — in a wire-fraud scam after it received a fake unpaid invoice.
Diligent advised that district to take safeguards, including protective software and training on cybersecurity standards.
Ransomware, malware, social engineering and phishing are a common everyday occurrence at the district, according to Castelhano.
“It’s a never-ending, ongoing battle,” he said. “The particular thing is it’s not just a problem in GPS. It’s everywhere, even at your homes with local Wi-Fi routers.”
When a hacker is successful, the damage can be steep.
The Maricopa Community College District spent a reported $26 million to deal with the fallout of a 2013 security breach to its computer system.
Castelhano said the college failed to properly fix a hack to its system two years prior and as a result was still vulnerable — which hackers took advantage of.
In July, the governor of Louisiana declared a state of emergency and shut down phones and locked the computer systems at three of the state’s school districts after a cyberattack — the first time the state took such a drastic measure.
“They treated it like it was a hurricane or any natural disaster,” Castelhano said. “We don’t want to be in that position.”
The district has in place a 12-page “very strong” incident-response plan to deal with cyber threats and is working on a more comprehensive one, he said.
Once the incident response team is alerted to a problem, it is rapidly addressed, according to Castelhano.
The attack in the accounts payable department took about 10 days to resolve. That may seem long, but it took another school district that had the exact worm “months and months and months chasing it to completely eradicate it,” Castelhano said.
The district also is following the National Institute of Standards and Technology’s cybersecurity framework, which includes five core functions — identify, protect, detect, respond and recover from a cyberattack.
Within those functions are 108 sub categories that the district is implementing.
The NIST framework, a document of best practices, has been adopted by many companies and most educational institutions, according to Castelhano.
The district has in place measures such as a firewall, backups, content filters and an identity services engine to identify wireless clients in order to get a better understanding who is on the district’s network, said Scott Haase, network coordinator.
Heinemann said the district tries to stay current on its software and system updates “because it’s the very best medicine in this kind of situation.
“It’s better to keep it out before it happens,” he said. “Most attacks come against known vulnerabilities.”
He said the district is looking to improve on its security measures and add other tools.
The big piece is to identify gaps and weaknesses and attempt to address them, he said.
Castelhano said staff may not like having the software updates but it’s a necessity.
“Not updating a device for a whole year may make some people happy,” he said. “But that’s not realistic because that is an eternity in technology time.”
Going forward, the district plans to continue using outside consultants when needed, work on the comprehensive plan, provide educational opportunities for the technology team to stay current and continue to collaborate with other school districts.
“We are working closely with five other school districts in the Valley now, one is the same size as us, and with ASU their chief security information officer on some sort of partnership, letting them help us with threat detection in our school district,” Castelhano said.
“This is a massive, massive thing,” he added. “Without the tools we have no way of chasing these things down.”
Cybersecuity, however, is not just the networking piece.
“It starts with our doors locked,” Castelhano said. “I’m surely positive we can walk down the hallway during the weekend and find doors unlocked and computers left logged into and not locked.”
He said the district can educate staff about cybersecurity via email but it isn’t enough because not everyone reads their email.
Castelhano requested that the district require all employees to view a cybersecurity video — just like they do every year for sexual harassment and blood-borne pathogens.
“People won’t like it but maybe we need to do that,” he said.
For the first time this year, the district also allocated money for cybersecurity, $50,000, and that may increase in the future, depending on what tools will be needed, he said.
Board member Jill Humpherys suggested a study session for staff to train her and her colleagues on the proper use of emails.
Heinemann said prevention and education will help the district stay safe against cyberattacks and moving forward it needs to implement the best technology it can afford.
“They’re out there, they outnumber us, many to one,” Heinemann said. “And they don’t have to have a high percentage of success. They are like a fisherman who puts 100,000 hooks into the water. They only need one whale to bite on one hook to get what they want.
“So, they can tolerate trying over and over and over again and failing. One success is all they need.”