One day you click on a folder and a message appears on your screen, telling you that access has been denied to your files until you pay a certain sum of money for a key to unlock them. You try another folder, but the message reappears. After several attempts on different folders, a colleague appears and says she is getting the same message. Together, you call IT Support. To your horror, you are told they have the same problem. They inform you that the school has been hit by ‘ransomware’. Nobody in the school is now able to access their files until (a) the hackers are paid, or (b) the school’s data can be wiped and fully restored.
To some people, this sounds far-fetched. It isn’t. Our work in schools shows that it’s very real.
What is Ransomware?
Ransomware is a particularly unpleasant variant of malicious software (shortened to ‘malware’). This malware infiltrates your network - usually embedded within an innocent attachment or download - then finds and takes control of files critical to the operation of your systems. It might deny access to them (as in the example above) or threaten to leak them. Either way, control of those files is not returned to you until demands for payment are met.
Am I Vulnerable?
Almost all schools we work with have some systems that are accessible externally, whether using remote access or a designated web portal. With access possible from anywhere in the world, the systems and servers used to provide these services are susceptible to attack in the form of hackers and malware. In many cases these are not appropriately protected, or set up in a way which does not provide separation from the school's internal network, leaving vital data vulnerable. In these situations, backups and disaster recovery planning is key to getting services back up and running smoothly.
3 Actions to Protect Yourself:
Luckily, there are some steps you can take to significantly reduce the risk of your school falling victim to ransomware. Here's our top 3:
1. Segregate your services
In many cases, schools are not aware of either the risks posed to their systems, or of best practice approaches to protecting systems and data. One problem with externally accessible systems is that there is often no segregation between these and internally hosted services, meaning that an Infection can often spread to other devices quickly. Where possible, these systems should be set up in a way which prevents direct access to user data by segregating network traffic. To limit what access is available externally, the firewall should be configured to prevent access on any ports which are not required by the service.
2. Beef up your security policy
An attack can sometimes be the result of compromised user credentials as a result of unsecured connections or weak passwords. These can be targeted by automated attacks which target accounts to gain access to systems. Any externally accessible systems should require users to authenticate to access personal data with authentication taking place over a secured connection. In order to reduce the likelihood of accounts being compromised, the school should have a comprehensive security policy. This should detail a password policy which ensures users are using sufficiently complex passwords and changed regularly. Any leavers and legacy accounts should be disabled and deleted as appropriate in line with the school data retention policy. Generic system accounts should not be used as these may be targeted by brute force attacks and be compromised.
Account permissions should regularly be reviewed, specifically those with administrative access. If one of these accounts were to be compromised the impact on systems could be extensive.
3. Regular monitoring and reporting
System management and monitoring is essential to minimise the risk of an attack. One of the most important areas of consideration is antivirus. It is essential to ensure that antivirus software is installed and regularly updated across all computers and servers. Regular antivirus scans should be carried out and logs reviewed to ensure any suspicious items are dealt with appropriately. A centralized antivirus solution allows for easy monitoring and reporting and should be checked regularly.
Attacks may focus on known bugs and issues with a system, which is why regularly checking and applying updates and patches is essential. It is also good practice to regularly review system logs, specifically security logs of externally facing services. When looking at these logs any system errors and authentication requests should be reviewed to understand if a system has been targeted.
What if I fall victim to an attack?
Although there are a variety of measures that can be taken, it is not always possible to prevent all attacks. This is why there is such an importance in having a working backup strategy with regular restore testing and a clear disaster recovery process. The disaster recovery process should include steps to recover systems in the event of infection.
9ine works as an independent, trusted partner to schools. For advice on how to plan for disaster recovery, secure your network or even to discuss your ideas for improving your IT planning and provision, get in touch: