Cybersecurity and Community Colleges
C’mon now! Even community colleges are compromised
By Charles Parker
With bad actors these days, everything is a target. Many years ago, the primary compromises were with the big companies. These had the big wallets and ample data to liberate. This would be sold in bulk or cut up for specific buyers (e.g., users in a specific area code or zip code, ones having credit scores above a certain level, and other criteria). Data became the new gold or oil. Well, things changed a bit.
With the explosion of data across the board, more companies have become targets, large and small, across nearly all industries. This became more apparent after more of these incidents were published. Now there are churches, universities, municipalities, and other industries being successfully pwned.
To this discussion, let’s focus on community colleges. Like many other institutions, those in higher learning may not have the most advanced tools or other resources (e.g., staffing) to really focus on cybersecurity like they should. It’s not their fault, but a condition of their environment. The budget can only be stretched so far. I worked as a CISO at a municipality, so I understand and appreciate the deal at a much greater depth than most. It’s easy to say what should have been done the week after an issue, but when you don’t have the staffing and budget, things don’t always get done. You only have so many hours a day to work. There is also the political aspect that frequently is overlooked and not given enough attention. The case at hand involves a community college.
LCC
Lansing Community College (LCC) is one of the largest community colleges in Michigan. In mid-March 2023 the college was shut down starting on the Wednesday and continuing through the Tuesday of the next week. This was due to the elusive “ongoing cybersecurity incident”. From the beginning this started to smell like a RUE (resume updating event). The college was processing the incident and processing their strategy. One of the first steps was to disconnect the network from the internet. Suspect individual systems were also disconnected from the network. This removed the opportunity for reinfection or continued infection.
Effect
To give the administration time to react and investigate, the college suspended nearly all classes and activities from the Wednesday through Friday. This was for the in-person and online classes. There were a few exceptions to this. This was mostly handled on Friday, and events on Saturday were still going to take place. Until this was resolved, LCC students and employees were asked not to work in or log into LCC’s systems. The staff was asked not to report to work unless they were necessary staff. The in-person classes resumed on Tuesday, March 21st. The online classes did not start back up until later. At this point, there was no evidence that staff or student data or information had been accessed by unauthorized persons. This is the usual response early on. When detected, LCC contacted the FBI and the Michigan Cyber Command.
Targets
Initially the attack was focused on the college’s website and the network. As a secondary effect, the Wi-Fi was also shut down. As much fun as this was, the data was probably the main target. Per LCC, “Right now we have no indication that personal information was at risk…”. This is double-speak for “I don’t know”. The LCC President made this statement on approximately March 20th. At this point, he and the staff would be clueless about this. A full forensic review, from making the call to getting data logs to the team, takes more than a couple of days. This isn’t making a hamburger at a fast-food place.
Another disturbing aspect with this was that the LCC President (i.e., Senior Management) knew other schools in mid-Michigan had experienced similar attacks. Wouldn’t it seem prudent, since you are in a shallow pool of geographic targets, to do a bit more with cybersecurity and not hope everything would be fine?
Lastly, let’s think about this. Am I going to risk jail time and having officers running up to my door for shiggles (it’s a contraction; you can google it) in compromising a large college’s network and shutting them down for over three days? No, no, no! I’m going to compromise your system to steal something I can sell or leverage you to pay me for not doing (e.g., releasing the data to the world). Beyond the fluff and “This was an advanced attack (blah, blah, blah)”
What started this whole adventure was I received a letter on July 3, 2023, dated June 30, 2023. By the way, their printer truly is not in good condition. The edges around the letters in “college” (of all words to be affected) were not straight but jagged. This really isn’t germane, but notable. For the letter, the subject line was, in all caps and bold (this must really be important), “NOTICE OF SECURITY INCIDENT”. That certainly got my attention. Once the investigation got traction, they realized a few things past the usual initial fluff and smokescreen. Per the letter, there was an incident that “may” affect the privacy of some of my information. I wanted to write back that nearly everyone’s private information probably has been stolen with the big compromises already. They wouldn’t listen, so I didn’t waste my resources.
On or about March 14, 2023, LCC detected suspicious activity on the network. At this point, they naturally began the investigation. The bad actor compromised LCC’s perimeter defenses on or about December 25, 2022 (Merry Christmas!) and maintained this access until March 15, 2023. The bad actors had full, or nearly full, access for three months. Of course, they “may” have had access to certain systems, meaning they probably did. Just imagine what data, and the amount of data, you would have access to for three months. The bad actors probably got bored after a while. You could cruise around their network, looking in all the nooks and crannies for whatever data they wanted. The data that “may” have been involved were the person’s name and SSN. I would go down the rabbit hole with everything you could do with this, but it would take too long. Also, with three months, is this really the extent of what they were going to access?
Sorry about that! Here you go! Well golly, the administration felt bad about this error and oversight/goof/etc. and potentially not having the appropriate security measures in place (cough, cough, negligence). Per their letter and press release, they have updated their measures, which should have been done well before the compromise. Fortunately for us, they are even reviewing their “policies procedures and process” (yes, there’s a grammar error there, and yes, this was from a community college). All of this is likewise noted in their press release. They are also offering 12 months of complimentary access to identity monitoring services through Kroll. While this appears to be helpful, it really isn’t for the most part. Your SSN follows you for life, not just 12 months. The bad actors can use this anytime, especially after 12 months and a day. The press release also notes you can put a security freeze on your credit. This keeps anyone from pulling a credit report and getting data.
For those who haven’t had the joy of using this, the process can be painful to unfreeze your credit history. Also, don’t lose your PIN ever. Unfreezing your credit history without your PIN is like having a tooth removed without painkillers.
This level of ignorance and apathy is going to continue on and on until people are held accountable. The “I’m sorry” doesn’t cut it anymore, and it hasn’t for years. It takes a massive screw-up to fix what should have been done years before. Until there are lawsuits that hit them in the wallet, this isn’t going to change, and we are going to continue to see this. We need to try harder, push for the budget to fix this, and stop saying and accepting “I tried really hard”. This has the potential to mess with people’s lives for decades. Bill Garlick (CIO of LCC), please get the security system updated or dial your SIEM in better.
Resources
Black, D. (2023, July 3). US college cyberattack probe reveals 700k affected.
Burrell, J. (2023, March 20). Lansing Community College ensures cybersecurity following attack.
Lansing Community College letter dated June 30, 2023. “Notice of Security Incident”.
Lansing Community College. (2023, June 30). Lansing Community College (“LCC”) notice of data event.
Palmer, K. (2023, March 16). Lansing Community College suspends most classes for ‘ongoing cybersecurity incident’. college-suspends-classes-cybersecurity-incident-fbi/
Polo, M.J. (2023, March 16). Classes remain cancelled at Lansing Community College following cybersecurity attack. https://www.wkar.org/wkar-news/2023-03-16/classes-remain-cancelled-at-lansing-community-college-following-cybersecurity-attack
Tunison, J. (2023, March 17). After ‘cybersecurity’ event, Lansing Community College to resume classes Tuesday.