One thing that became very clear to me over the summer is that the bad guys are being very intentional in formulating attacks against your districts and, more specifically, your users. If you have been to past CSI Cybersecurity Events, you have heard the FBI and others talk about how the ransomware business is in fact a business with helpdesks, updates, processes, etc. This summer I had school districts tell me stories about administrators who have access to personally identifiable information (PII) or money being explicitly targeted.
Last week I mentioned the direct texting of a teacher with "helpful links". Texting is the wild west. It is completely outside our control. We can't put a spam filter in front of the interaction.
Attackers are picking up the phone and actually calling your users to provide "technical support".
The most recent casino ransomware attacks in Las Vegas are purported to have been launched because the attackers tricked casino staff into letting them into their network!
There is absolutely nothing CSI or any other vendor can sell your district to plug this security gap.
This is pure end-user security awareness training. You should be continually educating and reminding your users of what the threats are and what your policies and procedures are. Studies have shown that if you haven't reminded your users in the last 30 days of what is going on, many will believe that you've never told them what they should be doing! Security Awareness Training is also a requirement of NIST CSF and EdLaw 2-d.
I have always recommended every district have a simple, defined list of how you will and will not communicate technical issues and information with users.
Examples would be:
- The district will never communicate with you via personal emails.
- The district will never send an email asking for a password or sign-in information.
- The district will never text you on your phone asking for or offering technical information.
- The district will never have anyone contact you via phone, email, or text to obtain remote access to your system.
And that should always be followed up with, "See something. Say something."
CSI has been asked by many districts to participate in Superintendent Conference Days for end-user Security Awareness Training. If you are interested, reach out to Lisa for details.
-Scott Quimby, CISSP
P.S. The next CSI Cybersecurity Event is Wednesday, December 6th. Contact Lisa for details.