    washingtoncybercenter.com


    Cybersecurity and High School Attacks

    August 12, 2019


    Charles Parker II

High schools are much like universities and colleges in that they hold a mass amount of data which may easily be sold. This makes them more of a target. Coupled with their budgetary constraints, it makes InfoSec difficult at times, as it recently was for the San Diego USD.

     

    Attack

This compromise is a bit different from most of the others. The reports are that the school district is not sure of the attack vector; however, they believe this was the effect of a relatively simple, yet effective, phishing attack. The attackers gained access by securing an authorized user's credentials. In this case, the attackers gained and maintained their access for 11 months (January through November). This is odd. Seemingly, the school district's SIEM would note the access at odd hours, the odd number of accesses, the IP being unique compared to the other general logins, and the amount of data being exfiltrated. This would be the case, unless the school district did not have one in place during the attack. The school district finally became aware of this in October 2018.

     

    Data

Generally, data is the end goal for the attacker. With it, they are able to generate revenue through sales of the data, use it as leverage against the target, etc. Through the compromise, the attackers were able to exfiltrate a significant amount of data. This encompassed 10 years of data, from the 2008-2009 school year to 2019, when the attack was detected. Approximately 500k students and staff were affected. In addition to the length of time the breach was open and the number of years of data exfiltrated, there is also the depth of data per affected person. This includes first name, last name, date of birth, mailing address, home address, telephone number, student enrollment information (schedule, discipline incident information, health information, schools of attendance, transfer information, legal notices on file, attendance dates), social security number or state student number, emergency contact information, staff benefit information, and staff payroll and compensation data.

     

    Notification

    The notice for the affected parties was filed the Friday before Christmas in 2018. The breach would probably be one of the last things they would want to hear about just before the holiday. The post stated the school district had reason to believe their system was breached and the attackers may have accessed the data. This could not have been what the students and staff were hoping for as their Christmas gift!

     

    Detection

    With a phishing attack, the timing of the attack may be delayed based on the attacker’s code. The staff began to note emails that appeared to be odd. They naturally, and appropriately, reported these to their IT Department. As the next step should go, this was addressed by the IT Department as they recognized this really should not be happening. They ended up discovering the breach in October 2018.

     

The school district, once they knew of the breach, did not immediately shut down the attack. This does seem counter-intuitive. Once you know the attacker is in and exfiltrating a mass amount of data, prudence would seemingly dictate shutting down the attack vector. There was a rational reason for this. The school district wanted not only to clear the access, but also to identify the attacker and allow law enforcement to do their job. They did later reset the compromised accounts. From this point forward, they have been working to prevent unauthorized access.

     

    Thoughts

The attacker had access for approximately 10 months. The SOC, or at the least any SIEM they had in place, should have noted some abnormal activity as the mass amount of data was being removed from their servers. Since the SIEM is automated, possibly the search parameters had not been put in place. This compromise emphasizes the need for phishing training for the staff. This should not be the once-a-year training where staff nod off while the canned presentation is playing. These need to be periodic (e.g. quarterly) and with current information. Without some form of connection, the staff will probably view this as yet another mandatory training session, and start working on other things instead of listening.
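As an added example (not from the post or the school district's systems), here is a minimal version of the SIEM search parameters the paragraph above says should have fired: logins at odd hours, a source IP never seen in a user's baseline, and a daily outbound volume above a threshold, run over a constructed log sample. The thresholds, the 14-day learning window and the event layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of access-log events:
# (user, UTC timestamp, source IP, bytes sent out of the student-records server)
EVENTS = [
    ("staff01", "2018-01-08 09:12", "10.20.0.15", 120_000),
    ("staff01", "2018-01-09 10:40", "10.20.0.15", 95_000),
    ("staff01", "2018-01-10 14:05", "10.20.0.15", 130_000),
    ("staff01", "2018-01-11 08:55", "10.20.0.15", 110_000),
    ("staff01", "2018-01-12 15:30", "10.20.0.15", 100_000),
    # After the credential was phished: odd hours, a new source address, bulk transfers
    ("staff01", "2018-02-03 02:17", "203.0.113.44", 8_500_000),
    ("staff01", "2018-02-03 02:49", "203.0.113.44", 9_200_000),
    ("staff01", "2018-02-04 03:05", "203.0.113.44", 7_900_000),
]

BUSINESS_HOURS = range(7, 19)   # assumed: 07:00-18:59 is normal working time
EXFIL_THRESHOLD = 5_000_000     # assumed: per-user daily outbound byte limit
BASELINE_DAYS = 14              # assumed: learning window per user


def build_baseline(events):
    """Learn each user's known source IPs from their first BASELINE_DAYS of activity."""
    first_seen, known_ips = {}, defaultdict(set)
    for user, ts, ip, _ in sorted(events, key=lambda e: e[1]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        first_seen.setdefault(user, t)
        if (t - first_seen[user]).days < BASELINE_DAYS:
            known_ips[user].add(ip)
    return known_ips


def detect(events):
    """Return (rule, user, detail) tuples for the three patterns a SIEM should catch."""
    known_ips = build_baseline(events)
    alerts, reported_ips, daily_bytes = [], set(), defaultdict(int)
    for user, ts, ip, out_bytes in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", user, ts))
        if ip not in known_ips[user] and (user, ip) not in reported_ips:
            reported_ips.add((user, ip))          # one alert per new user/IP pair
            alerts.append(("new_source_ip", user, ip))
        day = (user, t.date())
        before = daily_bytes[day]
        daily_bytes[day] += out_bytes
        if before <= EXFIL_THRESHOLD < daily_bytes[day]:   # fire once per user-day
            alerts.append(("bulk_exfil", user, str(t.date())))
    return alerts
```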

     

    About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

     
