Forget flat networks--tighten your security

If you heard about the attack on the Los Angeles Unified School District in early October, you probably heard that 400,000 students’ private data was put at risk and that the hackers demanded a ransom. When speaking about the attack, the police chief made a point of saying that cyberattacks are “the number one threat to our safety” and that everyone is vulnerable. Even so, the education sector seems to have an especially large target on its back, with LAUSD being the 50th education entity to be hit with ransomware in 2022. If you want to avoid being next, there are a few key steps to take – including getting rid of flat networks. The status quo has to go.

Are You Prepared to Pay the Costs of Convenience?

All too often, schools blend their guest and student networks together. Such a move flies in the face of every single, basic security recommendation ever made, so why do they do it? Convenience. Yes, it’s more convenient but that’s because it’s insecure.

If your network is flat because of convenience, then ask yourself: Are you prepared to pay the costs of that convenience? The costs of an attack like the one at LAUSD are many, ranging from student safety to financial, operational, reputational, and more.

A Properly Segmented Network is a Must

If someone doesn’t know much about computer networks, they won’t know that a flat network is bad. Similarly, anyone without knowledge about security won’t know the importance of network segmentation. Still, ignorance doesn’t excuse inaction. A properly segmented network reduces the speed at which a cyber criminal can move across your network, making it a key priority.

In order to segment your network, you need to develop a route, which involves creating an access control list. This is the point at which many schools and districts balk. They don’t want to have an access control list, so they end up having no idea who’s coming and going. Once again, it’s more convenient. But it’s dramatically less secure.

To avoid being in this position, take the time now to focus on improving your network segmentation (by separating them into appropriate VLANs with access control rules and proper port control) and firewall geo-blocking. If you don’t have an information security professional on staff who knows how to do this, enlist the help of a third-party expert.

Time is of the Essence

A properly configured network that’s adequately monitored can alert you to any suspicious cyber activity early enough to intervene and significantly reduce and/or prevent a ransomware attack from taking hold of your data. This is important to note, because some people mistakenly assume attacks happen in an instant or a matter of hours. The average time to detect and contain a breac h is 287 days. That’s 100 more days than the average school year of 180 instructional days. And the bad news – that’s if you have a properly configured network that can help you identify threats, not a flat network that further hides attacks.

Close the Back Door

All cyberattacks require a round trip through the firewall, so think of it like this: when you have a flat network, it’s like you have a thousand security guards at the front door to make sure nobody can come in (keep in mind, though, that these are untrained security guards and half of them are asleep). What about the back door? Absolutely no one is paying attention to anyone coming and going. This is another critical piece of the security puzzle. Administrators must remember that your ingress is just as important as your egress. In other words, it’s just as crucial that you know what’s leaving your firewall as it is to stop things from coming into it.

Reevaluating Your Third-Party Relationships

Working with an external security advisor is a smart and responsible measure for districts and schools to take. But not all of these relationships are created equally. For example, some districts rely on a third-party but have zero internal knowledge themselves. This might be all fine and well when things are going smoothly, but what if disaster strikes and you can’t reach your partner? In such a case, seconds matter. You don’t have time to waste.

So, whether you’re responsible for managing the network or you do it in partnership with a third party, it’s critical that there are at least two people within your organization who have an appropriate level of knowledge of the network and are readily available should they be called upon. This is important because the vast majority of cyberattacks happen during off hours when fewer people are watching for them. For schools, this could be in the evenings, weekends, or over extended holiday breaks. Because of this, you need to have two plans – one for a middle of the night attack and one for securing help over a holiday weekend.

Be Sure About What You’re Getting

Many school networks were built on grant money, or through donations, with no support budget built in. So, a school might receive an equipment donation, which they’re more than eager to snap up. But, if it doesn’t come with ample budget for support, it could end up doing more harm than good from a security perspective. If you’re being offered something for free (or without ongoing budget for support and maintenance), take the time to gain appropriate knowledge about it and ensure you have enough resources to support it moving forward.

When it comes down to it, an attack like the one at LAUSD doesn’t need to be successful. Your school and entire district can gain a lot of ground on the preventive front by going back to basics. Forget flat networks, instead setting up your network to segment and protect your data. This doesn’t have to be super complex or expensive; it just needs to be done thoughtfully. Once you do, your security will be tightened up and you’ll be able to breathe more easily.

Author
Recent Posts

eSchool Media Contributors

Ryan Cloutier, CISSP, President, SecurityStudio

Ryan Cloutier, CISSP, is the president at SecurityStudio, which works to fix information security industry problems through simplification. A passionate cybersecurity thought leader Ryan can be reached at rcloutier@securitystudio.com.

Latest posts by eSchool Media Contributors (see all)

5 obstacles AI can help schools overcome - April 16, 2024
Guidance counselors could help female high schoolers erase the STEM gender gap - April 16, 2024
How video coaching inspires teacher self-reflection - April 15, 2024

Sign up for our K-12 newsletter

Crunch the Numbers: New Data on Student Wellbeing, the Skills Gap Crisis, and Tech Usage in Utah

Reflecting on the Parkland tragedy, its lasting impacts, and work still to be done

Missouri Makes the Most of Student Data

It’s not business, it’s personal: Building a culture of trust to protect personal data

The importance of the ITS and Facilities relationship

CoSN IT Leader Spotlight: Don Wolff

2024: The year of generative AI

3 things to consider when designing digital learning experiences

EPS Learning Programs Selected by Virginia Board of Education as Recommended Literacy Solutions

Vernier Science Education Selects 10 Inspiring STEM Teachers to Join Its New Vernier Trendsetters Community

Vivi for Teachers Launches to Bring Free Classroom Technology to Educators

Cecilia Cruse Joins MiEN Company as a Special Needs Consultant

Discovery Education Offers New Financial Literacy Resources Supporting National Financial Capability Month Activities

Sign up for our K-12 newsletter

Login