Tech Tidbit – Be Sure To Check That Your Doors Are Locked Before You Leave For Spring Break

March 21st, 2024

Happy Spring!

As Spring break looms for most of you, I once again need to be a killjoy and remind you of a stark reality.

Whenever you and your team are enjoying some downtime and have more limited staffing, the bad guys are working extra shifts trying to break into your and your peers' networks.

I last wrote about this going into Christmas break. The next morning, Saturday of the holiday weekend, the bat phone went off and there was a security event at a school district in the region. Our CSEDR powered by SentinelOne with the Vigilance SOC saw the incursion, killed it, and saved the district from impending doom.

Then in the early hours of President's Day weekend, it happened again at another client in the region. The good news was that, once more, our CSEDR powered by SentinelOne with the Vigilance SOC fought back and blocked what was on track to be another significant breach.

That brings up a couple of thoughts going into Spring break:

  • Our tools are very powerful in protecting and defending your district's most important assets. If you are not using them, you should talk to Lisa and get them on track to get installed and operational for your 2024/2025 school year.
  • The here-and-now reality is that you have whatever you have. You need to consciously make sure that those antivirus/EDR tools are operational across all your servers and endpoints. You need to make sure they are updated. You need to scan everything before you leave actively looking for anything that might be lurking.
  • The most recent security incidents were textbook misconfigurations by past or present IT staff that left major doors unlocked. Before you leave, I need you to audit group membership in the following groups - Domain Admins, Administrators, Remote Desktop Users, and any VPN or MFA groups you have created. You should have extremely few names, and you should be able to recognize and justify who is in those groups. Less is more here.
  • You should make sure that all unused, deprecated, or otherwise unknown accounts are at minimum disabled, or even better deleted once you know they are not required. There is a reason NYS beats up on school districts about these accounts.
  • You should make sure that *all* your administrator and similar passwords are at least 12 characters with complexity and that all your staff passwords are the same - starting with the central office, people who deal with money and personally identifiable information, and confidential information, and moving out across staff. Remember the estimated time to hack an 8-character password with complexity is 5 minutes!
  • Extra Credit - You have Microsoft Local Administrator Password Service (LAPS) implemented across your district so you can actively defend against a "pass the hash" attack.
  • Bonus - If you want to really impress me, implement MFA on all your back-end servers and all your key workstations for people who deal with money, personally identifiable information, and confidential information. Do it for all local and remote (i.e. RDP) logins, and UAC prompts.
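The group audit, stale-account review and password-length check from the list above can be run in one pass from a domain-joined admin workstation. This is an added example, not the author's or SentinelOne's tooling; it assumes the RSAT ActiveDirectory module is installed, and the group names "VPN Users" and "MFA Users" are placeholders for whatever groups your district actually created.

```powershell
# Added example: pre-break audit of privileged groups, stale accounts and the
# default password policy. Read-only except for the commented-out last line.
Import-Module ActiveDirectory

# Built-in groups from the checklist plus locally created VPN/MFA groups.
# 'VPN Users' and 'MFA Users' are assumed names; replace with your own.
$groups = @('Domain Admins', 'Administrators', 'Remote Desktop Users',
            'VPN Users', 'MFA Users')

foreach ($g in $groups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $grp) { Write-Warning "Group not found: $g"; continue }
    # -Recursive expands nested groups, so membership hidden one level down
    # (a helpdesk group nested inside Domain Admins, for example) shows up.
    $members = Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet
    Write-Host "`n== $g ($(@($members).Count) user members) =="
    $members |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Format-Table -AutoSize
}

# Enabled accounts with no logon in 90 days: candidates to disable, then delete
# once you have confirmed nobody needs them.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled
Write-Host "`n== Enabled accounts inactive 90+ days ($(@($stale).Count)) =="
$stale | Select-Object SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# Default domain password policy: the checklist asks for 12+ characters with
# complexity. Fine-grained password policies, if any, are not checked here.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt 12 -or -not $policy.ComplexityEnabled) {
    Write-Warning ("Default domain policy: min length {0}, complexity {1}" -f
        $policy.MinPasswordLength, $policy.ComplexityEnabled)
}

# After reviewing the stale list, disable (rather than delete) in a first pass.
# Remove -WhatIf to apply for real.
# $stale | Disable-ADAccount -WhatIf
```

Run it once before the break and keep the output; the same listing run after the break makes any membership change over the holiday immediately visible.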

Everything can be hacked and there is no such thing as 100% safe. There is always a way. Most of what I asked for is not long or hard to do.

However, if you work through my list, the statistical likelihood that you can be easily breached goes down dramatically.

You have to start somewhere. Strengthen your base defenses. Reduce your attack surface.

Enjoy your holiday time away.

We are here if you need us.

Scott Quimby, CISSP