Ransomware attacks on school districts in Louisiana prompted Governor John Bel Edwards to declare a state of emergency on July 24. Schools in the state impacted by the attacks include Sabine, Morehouse and Ouachita parishes. CNBC reports that the attacks locked and encrypted data and shut down phone systems.
A statement on the Monroe City Schools website reads:
“On July 8, 2019, the Monroe City School System experienced a disruption to its computer systems. We immediately notified our information technology service providers and retained independent, third-party cybersecurity experts to investigate this matter.
While there are problems with system connectivity, we have no reason to believe there is any public safety issue. We also have no indication that there was any unauthorized access of sensitive or private information. We also believe that full connectivity will be restored in the near future.
We have notified law enforcement and are cooperating with authorities to assist their investigation. That investigation is ongoing.”
The governor’s declaration of a state of emergency means the school districts can use resources from the Louisiana National Guard, the Louisiana State Police, and the Office of Technology Services. In addition, the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) has activated its Crisis Action Team and the Emergency Services Function-17 to coordinate the response to the attacks, including with the FBI, state agencies and higher education partners.
Phil Richards, CISO of Ivanti, an IT asset and service management software solutions provider, comments, “The fact that the state of Louisiana has taken the significant step to call a state of emergency over cyberattacks on state school systems is a visible indication that they are taking remediation seriously. I expect other states may follow similar protocol should they be impacted in the same way. In fact, there have been 22 known public-sector attacks to date this year, outpacing 2018, and that isn’t counting those attacks the go unreported for months or years after they’re discovered.”
Take a Proactive Approach
Richards points out that there are steps that organizations must take to prevent the risk that they’ll be victimized by cyberattack.
He says, for most organizations, patching should be the first line of defense. “Ensuring that operating systems and third-party applications are up to date will limit or even prevent cyberattacks. Special effort should be made to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers and Microsoft applications are kept current. Patches should be prioritized based on criticality and policy and applied so that they don’t disrupt users or operations,” says Richards.
He adds that testing patches is of critical importance to ensure all systems stay operable.
- Educate Users
He also points out that most ransomware is spread using phishing or spam emails. Criminals have a growing list of marketing and social engineering tools that improve their chances of tricking users into opening fraudulent emails, clicking on malicious links, or giving up user IDs or passwords.
“It is critical to train users to be savvy email consumers and careful web-clickers,” says Richards, “It is likely that even the most educated user will be tricked, so education isn’t enough. Users need to receive periodic drills of phishing email campaigns that provide immediate feedback when they click on a link. When users see themselves getting ‘caught’ is when they begin to change their behavior.”
- Limit Access
Richards adds that minimizing privileges is also an important tactic to mitigate the damage caused by many types of malware, including ransomware. For example, the Petya ransomware requires administrator privileges to run and will do nothing if the user does not grant those privileges.
He says, however, “Removing administrator rights is easy, but balancing privileged access, user productivity and enterprise security are not. Effective access control protects organizations against malware and ransomware. Access control that focuses primarily or exclusively on privileged user access rights will likely prove less than effective. Generalized access control can be highly beneficial for protecting files located in on shared drives.”
Prepare to Act
In addition to taking measures to prevent cyberattacks, it’s also important to plan for an effective response if one should occur. Louisiana established a cybersecurity commission in 2017, which is comprised of subject matter experts, cybersecurity professionals from the public and private sectors, and law enforcement professionals.
“The state was made aware of a malware attack on a few north Louisiana school systems, and we have been coordinating a response ever since,” said Gov. Edwards in the July 24 statement. “This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.”