When asked why he robbed banks in the 1930s, the notorious Willie Sutton replied, “Because that’s where the money is.” That was true back then, but in today’s connected world, the money is everywhere. It’s even in schools — and that means that thieves have your school in their sights.
Hackers, long a nuisance and disruption to organizations all over the world, have learned to monetize their efforts. Hacking has become big business, a profession that costs the global economy billions of dollars, and schools are now increasingly targeted. A recent Wall Street Journal article covered the growing attacks on schools, and our own forensic investigators have been involved with several school district cases.
The attacks fall into three main categories:
- Theft of personal financial information (PFI) of students
- Online banking malware that results in fraudulent wire transfers and ACH transactions (so-called corporate account takeover)
- Ransomware attacks (the most common being CryptoLocker)
Before I offer some tips for protecting your school from these types of cyberattacks, it’s helpful to review what they are and how they work.
Theft of personal financial information
Organized crime groups (primarily in Russia, Eastern Europe, and China) have created a high demand for personal financial information, including names, addresses, Social Security numbers, driver's licenses, bank accounts, and credit cards. Hackers steal this information and then sell it to organized crime outfits, which use it to commit various forms of identity theft. The more complete the information is, especially if it's directly linked to a named individual, the more valuable it is on a "wholesale" basis. Payroll databases, customer sales records, and supplier/accounts payable records are also common targets for this type of attack.
The hackers behind the infamous breaches of Target, Neiman Marcus, and the University of Maryland were after this type of information. As the price paid to the hacker escalates, smaller businesses are becoming victims, too.
Online banking malware
Zeus, Citadel, SpyEye, and Gozi are just a few examples of the new breed of sophisticated online banking malware. Once a network is infected with this type of malware, the online banking credentials (user ID, password, challenge questions, etc.) are harvested by the attacker, who then logs into the online banking server and executes fraudulent wires or ACH transactions. More devious malware, such as advanced versions of Zeus, can even be used to bypass multi-factor authentication (such as RSA tokens). This type of attack is often called corporate account takeover.
The malware code is often delivered via email, either by a file attached directly to the message or, more commonly, by a website link directing the user to a rogue website. In the latter case, the malware is delivered along with the web page and attempts to install itself on the victim's computer. This has been dubbed "spear phishing" because often only one email is sent to the victim organization.
Spear phishing emails have improved significantly in their cleverness and effectiveness and can be very difficult for users to identify as fraudulent. They often use carefully crafted scripts included in the message to entice the user to click the link. In some cases, the emails are even “spoofed,” that is, they are crafted to appear to come from someone inside the victim organization (e.g., the company president). In other cases, the emails are spoofed to look like they come from a legitimate business or organization, such as UPS, American Express, PayPal, the IRS, etc. These spoofing tactics are designed to increase the likelihood that the recipient will act quickly, clicking on the link without much thought.
More recently, the attacks have turned to simple trickery. The attackers send a spoofed email with a pretext, such as the purchase of equipment, the payment of an invoice, etc. The recipient trusts the email and wires the funds, never suspecting that the email is a ruse. We have seen losses in excess of $1 million in some of these cases.
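As an added illustration (not code from the original article), the following Python check looks for the spoofing pattern described above: a display name that matches an internal person but an address that is not theirs, a look-alike of the school's own domain, or a Reply-To that diverts replies elsewhere. The school domain, directory, and sample messages are all constructed for the example.

```python
# Added example: defender-side spoofed-sender check for incoming mail headers.
# SCHOOL_DOMAIN, INTERNAL_DIRECTORY and SAMPLE_MESSAGES are constructed values.
from email.utils import parseaddr

SCHOOL_DOMAIN = "example-school.org"            # assumed school domain
INTERNAL_DIRECTORY = {                          # constructed staff directory
    "Jane Doe": "jdoe@example-school.org",      # e.g. the superintendent
    "Sam Lee": "slee@example-school.org",       # e.g. the business manager
}

def _levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot look-alike domains (helper for this example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoof_indicators(headers: dict) -> list:
    """Return the reasons a message looks like a spoofed internal sender."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name matches a known insider, but the address is not theirs.
    expected = INTERNAL_DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is internal but address is {addr}")
    # 2. Sending domain is a near-miss of the school's real domain.
    if domain and domain != SCHOOL_DOMAIN and _levenshtein(domain, SCHOOL_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    # 3. Reply-To points somewhere other than the From address.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append(f"Reply-To {reply} differs from From {addr}")
    return reasons

# Constructed sample messages: two pretext wire requests and one legitimate note.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@gmail-mail.com>",
     "Reply-To": "jane.doe@gmail-mail.com", "Subject": "Urgent wire for equipment"},
    {"From": "Sam Lee <slee@example-school.org>", "Subject": "Board meeting minutes"},
    {"From": "Accounts Payable <ap@example-schoo1.org>",
     "Reply-To": "ap@example-schoo1.org", "Subject": "Invoice payment due"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["Subject"], "->", spoof_indicators(msg) or "no indicators")
```

A check like this belongs in the mail gateway or a mailbox rule, as one layer alongside the user education the article recommends; it does not replace out-of-band verification of any wire request.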
Ransomware attacks
Ransomware attacks also involve delivering malware to the network. The malware very aggressively encrypts virtually all data and files that it can find, both on the local machine and on every network device that it can connect to. This renders the data unusable by the victim organization. Typically, after the malicious payload is delivered, the hacker sends instructions on how to provide a payment (the ransom) in order to purchase the encryption key necessary to decrypt the affected data. This is how the hacker hopes to make his money.
Having tested, working backups is critical to surviving such attacks. Backups allow the victim to wipe the affected machines and reinstall both systems and data. Be aware, however, that for those organizations with high reliance on technology, even the downtime required to wipe and reinstall can result in costly losses and potential reputation damage.
How to protect your school from cyberattacks
Preventing such attacks is no small task and it requires a multi-layered approach. Schools should consider each of these tactics:
- Educate users to spot potentially fake emails and to be very wary of website links and file attachments, especially zip file attachments.
- Technical defensive measures such as firewalls, intrusion detection systems, and spam filters should be kept up to date.
- Anti-virus software on each device should be kept updated. Regular scans should be completed.
- Keep all network servers and PC workstations updated with the most current security updates and patches.
- Users should never have administrator privileges on their local machines.
- Network segmentation should be used to isolate access to sensitive data, such as PFI.
- Encrypt sensitive data, such as intellectual property, personal financial information, etc.
- Utilize all key bank security tools for online cash management, including:
  - Multi-factor authentication
  - ACH blocks and filters
  - ACH positive pay
  - Daily and individual transaction limits
  - Out-of-band verification (such as wire call-back features)
- Limit the number of PCs used to conduct online cash management. If possible, isolate them from the rest of the organization's network.
- Monitor activity and balance online accounts daily.
- Read and thoroughly understand your agreements with your bank related to online activity. Identify your primary contact at the bank who will be your first call for help in the event of a breach.
- Have an incident response plan so that users know whom to contact immediately if they suspect malicious activity on their computers.
- Make regular backups of key data and systems and store them in a secure off-site location.
- Establish a relationship with local law enforcement agencies that are familiar with such crimes.
- Perform periodic vulnerability or penetration assessments to validate that controls believed to be in place are functioning as intended.
How we can help
CLA’s charter schools professionals join forces with our firm’s information security consultants to develop best practices for preventing and responding to cybercrime. Our IT security consultants are trained and equipped with the most advanced software and tools to perform assessments on your system, root out vulnerabilities, and shore up security.