My wife works for a multi-billion dollar hospital network you all will know. Every time she signs into their mandated VPN and MFA solution she curses out, "How annoying it is to have to do this each time to do anything!" I was the only "IT guy" in earshot to hear her frustration. I politely explain to her again and again why all of this is necessary. She grumbles and goes back to her work.
In one of our school district security audits, I found a single Android mobile phone inside the district office wireless network! I was told that was a known device, "It was the Superintendent's personal phone!"
Late last week it was disclosed that Russia had hacked some Microsoft executives to see what Microsoft knew about the Russian hacking organization. It sounds like these executives were not using basic multi-factor authentication for their accounts, making them susceptible to a "password spraying" attack.
Yesterday it was announced that a different Russian hacking organization did the same thing to some accounts and cloud storage at HPE.
There is a theme here.
You are only as strong as your weakest link. Bypassing basic security rules creates blind spots and security weaknesses because you are circumventing or eliminating one or more layers of protection. An unmanaged Android device is a dangerous threat. Honestly, any unmanaged device inside your network is a serious threat.
It doesn't matter whether you are the Superintendent, or the classroom teacher, *EVERYONE* must adhere to district security policies. There can be no exceptions.
Each time I ask a school district about implementing MFA, at least for web-based applications, and hear about "union issues" blocking implementation, I shake my head. A district implementing MFA is for the protection of the district as well as the direct protection of all of the staff and students. Attackers are going to steal everyone's personal information, and they are most likely going to contact the individual staff members for ransom beyond whatever the district pays. They also may just release the information anyway. I don't want that for your district or for your staff and students. Your staff should do everything in their power to help prevent this from happening rather than creating a contrived roadblock to prompt implementation.
The only gaps that should be in your network are the "air gaps" between your network and your backups.
However, I realize that the concept of "all" is an elusive one in a K-12 environment. Managing endpoints is like herding cats.
CSI's CyberCNS Vulnerability Advisory Service is one tool that can help quickly identify gaps in your security posture through something called Application Baseline. For instance, we can say that every endpoint needs our CSEDR SentinelOne agent, the Huntress agent, and the SCCM or KACE agent installed. Then the system will produce an exception report showing all the endpoints that don't conform to our accepted deployment model and are thus creating blind spots and bottlenecks preventing us from maximizing patching, visibility, and network protection.
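The exception report described above is simple enough to show in working code. The following is an added example, not CyberCNS's or CSI's code: it takes a required-agent baseline and an endpoint inventory and lists every endpoint that is missing one or more required agents, plus a count of how many endpoints lack each agent so deployment can be prioritized. The inventory is a constructed sample, and the assumption that KACE may stand in for SCCM as the management agent is mine, not the post's.

```python
"""Application-baseline exception report (added example; not CyberCNS code).

Given the set of agents every managed endpoint must run and an inventory of
what each endpoint reports installed, produce the list of non-conforming
endpoints and the agents they are missing.
"""
from collections import Counter

# Baseline: agents every managed endpoint must run (names taken from the post).
REQUIRED_AGENTS = frozenset({"SentinelOne", "Huntress", "SCCM"})

# Assumption: a site may use KACE instead of SCCM as its management agent, so
# treat KACE as satisfying the SCCM requirement.
EQUIVALENT = {"KACE": "SCCM"}

# Constructed sample inventory: hostname -> agents reported installed.
SAMPLE_INVENTORY = {
    "do-admin-01":   ["SentinelOne", "Huntress", "SCCM"],   # conforming
    "do-admin-02":   ["SentinelOne", "SCCM"],               # no Huntress
    "hs-lab-14":     ["SentinelOne", "Huntress", "KACE"],   # KACE counts as SCCM
    "supt-android":  [],                                    # unmanaged phone
    "ms-teacher-07": ["Huntress"],                          # no EDR, no mgmt agent
}


def normalize(agents):
    """Map equivalent agent names onto the baseline's canonical names."""
    return {EQUIVALENT.get(a, a) for a in agents}


def exception_report(inventory, required=REQUIRED_AGENTS):
    """Return {hostname: sorted list of missing agents} for non-conforming hosts.

    Hosts that run every required agent (directly or via an equivalent) are
    omitted, so an empty dict means the whole inventory is within baseline.
    """
    report = {}
    for host, agents in inventory.items():
        missing = required - normalize(agents)
        if missing:
            report[host] = sorted(missing)
    return report


def missing_agent_counts(report):
    """Count how many endpoints lack each agent, to prioritize deployment work."""
    return Counter(agent for missing in report.values() for agent in missing)


def format_report(report):
    """Render the exception report as plain text for a ticket or email."""
    lines = [f"{len(report)} endpoint(s) outside baseline:"]
    for host, missing in sorted(report.items()):
        lines.append(f"  {host:<16} missing: {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = exception_report(SAMPLE_INVENTORY)
    print(format_report(rep))
    print("Gaps by agent:", dict(missing_agent_counts(rep)))
```

In practice the inventory would come from the management platform's API or an export rather than a literal, but the check is the same: set difference between the baseline and what each endpoint actually reports. The unmanaged phone shows up with every agent missing, which is exactly the blind spot the post warns about.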
I am more than happy to speak with any Superintendent, Board of Education, or Union and directly explain to them the extreme risk they are putting themselves, their peers, and the students in by not conforming to these foundational security requirements.
Wishful thinking and cute passwords will not keep you safe.
A well-thought-out process with clear-cut procedures and requirements will go a long way towards making your district "too much work to hack" and cause the attackers to move along to easier targets.
If you need help sorting through all of this, give us a call.
-Scott Quimby, CISSP