Category Archives: management

Cybersecurity Part 4: Surviving Ransomware


By Tony DePrato | Follow Me on LinkedIn

The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.

“Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites.” (Source: https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html)

Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.

I have thought about how to advise K12 schools around the world on preparing for ransomware. I have concluded that there are only two approaches everyone can follow: Reduce or Completely Remove Windows and Create Very Inconvenient Backups of Data.

Reduce or Completely Remove Windows

I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, and a link to the sources, showing which operating systems each type targets:

[Graph: operating systems targeted by the 106 compiled ransomware types]

Data Link

If you want to do the math:

  • 106 ransomware programs
  • 100 target Windows operating systems
  • About 94% (100/106) of the targets are Windows operating systems
  • Using Windows is riskier than using other systems

“Riskier” is a little weak in this case. It is very likely that Windows users will be a target; it is very unlikely that Apple and Chromebook users will be. Two caveats keep the number honest. The count is of ransomware families, not of incidents, and it largely mirrors the size of the Windows installed base. And a Mac or Chromebook user still loses data when one infected Windows host encrypts a shared network drive or a synced folder that everyone uses, which is why the second half of this post matters even for a school with few Windows machines.

If the goal is to live in a relatively peaceful ransomware free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users).

There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.

Create Very Inconvenient Backups of Data

Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data.

Data. Not operating systems and settings. Data. Not the software that was installed. Just the data: documents, databases, movies, music, pictures, special configuration files, scripts and code, and the full content of all websites, among other things.

There is only one question a person needs to ask to confirm whether backups are safe from ransomware: “Can the backup be accessed right now if we need it?”

If the answer is ‘Yes’, then those backups are vulnerable. Anything a workstation can reach and write to, ransomware running on that workstation can encrypt or delete as well, and modern ransomware routinely looks for reachable backups and destroys them before encrypting the live data.

There should be at least two layers of backups. Layer one is data that is backed up and accessible on the network, in the cloud, and/or from normal workstations, meaning someone can sit down and rebuild or restore a laptop, a database, etc. by following a workflow at their desk.

Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.


Layer two backups also need to be tested at least monthly. (Monthly is the floor for a single K12 school; most businesses need to test more frequently, and a school district would need to test very often and on a predetermined schedule.)

Tests need to include:

  1. Data restoration
  2. Data access and use
  3. A scan for malware, ransomware, etc.
  4. An iterative process to consistently reduce the size of backups
  5. An archival process to store data that will most likely never be needed, but that must legally be retained
  6. Imagination. Because you never know where you will be and what the situation will be when you need to access these backups
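The first three tests above can be made repeatable with a small script. The following is an added example, not code from the original post. It assumes the layer two copy lives on an external drive: when the drive is filled, a manifest of every file's size and SHA-256 is written next to the data, and at the monthly drill the restored tree is verified against that manifest, so a file that did not make it to the drive shows up as missing and a file whose bytes changed (including one an encrypting process overwrote) shows up as mismatched. The directory names, file names and the "damaged" file in the demo are constructed for the demonstration.

```python
"""Manifest and restore drill for an offline ("layer two") backup.

Added example, not code from the original post. Assumed workflow: when
the external drive is filled, write a manifest of every file's size and
SHA-256 next to the data; at the monthly test, restore the drive's
contents to a scratch location and verify the restored tree against the
manifest.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(tree: Path) -> dict:
    """Record relative path, size and SHA-256 of every file under tree."""
    entries = {}
    for p in sorted(tree.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(tree).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    (tree / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against a manifest.

    Returns files that are missing, files whose size or hash differs,
    and files present in the restore but absent from the manifest.
    All three lists empty means the drill passed.
    """
    missing, mismatched = [], []
    for rel, meta in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or sha256_of(p) != meta["sha256"]:
            mismatched.append(rel)
    present = {p.relative_to(restored).as_posix()
               for p in restored.rglob("*")
               if p.is_file() and p.name != MANIFEST_NAME}
    return {"missing": missing,
            "mismatched": mismatched,
            "extra": sorted(present - set(manifest))}


def demo() -> dict:
    """Constructed scenario: back up two files, restore them, damage one
    copy the way an encrypting process would, add a stray file, and check."""
    base = Path(tempfile.mkdtemp())
    drive, restored = base / "drive", base / "restore"
    (drive / "docs").mkdir(parents=True)
    (drive / "docs" / "grades.csv").write_text("id,grade\n1,A\n")
    (drive / "notes.txt").write_text("monday schedule\n")
    manifest = write_manifest(drive)
    shutil.copytree(drive, restored)
    (restored / "docs" / "grades.csv").write_bytes(os.urandom(64))  # simulated damage
    (restored / "stray.tmp").write_text("not in the manifest\n")
    try:
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Keep a copy of each manifest somewhere other than the drive it describes (a printed hash of the manifest in the safe is enough); a manifest that travels only with the data cannot tell you whether the data was already damaged when it was copied.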

A very low-tech approach to a layer two backup could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this; just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.

If ransomware hits and the data cannot be decrypted, the layer two copy is safe because it is offline. Layer one backups may survive; layer two backups will survive unless you are the victim of very bad timing (the drive was connected when the infection ran).

The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.

The data above could change. An uptick in ransomware for Chrome OS or Apple of even 1% is enough to review internal processes and procedures. Until then, though, get the number of Windows OS users down and make better backups.


Start Your Research Here

Ransomware: Best Practices for Prevention and Response

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

Run Self Hosted Tech Without Your School Building

By: Tony DePrato | Follow me on Twitter @tdeprato

Imagine you have had to evacuate your high school. Could you facilitate your classes and business processes without physically being in your building?

If most of your infrastructure is in a cloud-based environment, odds are you can maintain business continuity without your building. You might need an office or some type of staging area, but your organization can still meet its core requirements.

But what if you are self-hosted? What if most of your systems rely on infrastructure and data that is on premises?

This is an important conversation senior management and all the creative thinkers in your organization need to have. Here are some ideas to help guide you through the process and make (or test) your plan.

Choose a Secondary Location

Before anything technical happens, choose a secondary location to run your operations. Assume that the current location, and immediate area around the current location, are off-limits. Where can you affordably establish and maintain an operational space?

The space would need to include:

  1. Enough space for the core team to work
  2. Basic communication resources
  3. Hard copies of the data required to contact parents, students, and teachers
  4. Hard copies of schedules and other data needed for basic school operations
  5. Basic supplies and consumables (even food and water) for the team to work for at least 14 days

Remember, this requires some minimalism. People could rotate in and out, but the core team should be as small as possible. Anyone who can work from home should work from home.

If you can maintain business continuity without technology, then by all means try to achieve this. Every new requirement will only add complexity to the situation.

If you need technology, keep reading.

Create a Portable Network

For any data to flow inside or outside of the secondary location, a computer network is required. Here are some core items that would be required in a normal metropolitan/urban/suburban area where the mobile service has not been disrupted:

  1. One 4G/5G router (if these are not available, then two or three 4G/5G mobile hotspots, the kind sometimes sold as “WiFi eggs”)
  2. One high-speed router to allow network and WiFi customization
  3. 5-10 individual LAN cables, 1-3 meters each; longer cables look messy but add flexibility
  4. 5-10 power extensions with sockets; avoid cheap ones
  5. Cable ties, double-sided tape, duct tape, and a few box knives

This setup will connect to the internet, and allow the small group of users to get online.

The environment will most likely be small, so maintaining basic safety when rigging equipment is essential. Damaged equipment will be difficult to replace during any type of emergency, and a cable run across a walkway is the easiest way to damage it. Preventing trip hazards prevents damage.

Create Portable Data

Many organizations have offsite servers that mirror their data. These organizations can keep operating without their normal infrastructure.

Most schools do not do this. Most schools cannot afford to do this. If the school is using an online classroom environment, then maintaining classes will be fairly simple as long as there is a protocol to follow. For all academic functions, create a protocol. It should include:

  1. Attendance for teachers and students (time stamped, and strictly followed)
  2. Mimic the course schedule; when a teacher should be in math class, they should be online answering questions about math; they need to follow their schedule
  3. Establish office hours and lunch to provide some break time and organization
  4. Assign administrators to contact teachers for daily feedback and summaries
  5. Assign administrators to randomly contact students for daily feedback and summaries
  6. Send parents status updates on the situation at the same time every day, unless a critical time-sensitive issue presents itself

You do not need to use an online classroom system for day-to-day teaching in order to have one ready. A school can set up a Google Classroom or Microsoft Classroom environment for emergencies only. These are usually free with educational licensing. The emergency environment needs to be kept up to date with enrollment and scheduling, or it will be useless on the day it is needed.

There are a few other ways to run online classes without these cloud services, the cost is higher, but it is totally feasible. If you need this type of information, please email me: tony.deprato@gmail.com

Data files, such as spreadsheets and text documents, will be required for business functions. You may have an emergency in which entering the campus is prohibited; even when it is not, retrieving hardware will be difficult and the outcome uncertain. Relying on external drives is not a great idea unless a set of those drives is stored off campus on a regular schedule.

Offsite storage is easy to manage using a system like Resilio Sync, assuming the school does not want to use any cloud services: a peer-to-peer system sends copies daily from one location directly to the other. Keep in mind that a continuous mirror replicates deletions and ransomware-encrypted files as faithfully as good ones, so the offsite copy should keep dated snapshots rather than only the latest state.

There are other ways to sync files from one private location to another. Feel free to email and inquire.
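As an added example of one of those other ways (not the original post's code, and not a description of how Resilio Sync works internally), the following script pulls a source tree into dated snapshot directories at the offsite location, hard-linking files that are unchanged since the previous snapshot so that only changed files cost space. Because earlier snapshots are never rewritten, a ransomware-encrypted file on the source lands in the newest snapshot only and the previous good version survives. The source and offsite paths, the snapshot names and the sample files are constructed for the demonstration; in practice the offsite host would run this from a scheduler and the source would have no write access to the snapshot directory.

```python
"""Versioned offsite copy with hard-linked snapshots.

Added example, not part of the original post and not a description of
Resilio Sync's internals. Each run creates offsite/<name>/ mirroring the
source. Files unchanged since the previous snapshot are hard-linked to
the previous copy (no extra space); changed or new files are copied;
earlier snapshots are never touched. Assumed deployment: the offsite
host runs this on a schedule and pulls from the source, so the source
has no write access to the snapshot directory.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def latest_snapshot(offsite: Path) -> Optional[Path]:
    """Snapshot names sort chronologically, so the last one is the newest."""
    if not offsite.exists():
        return None
    snaps = sorted(p for p in offsite.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def take_snapshot(source: Path, offsite: Path, name: Optional[str] = None) -> Path:
    """Create offsite/<name> as a full view of source, sharing unchanged
    files with the previous snapshot through hard links."""
    prev = latest_snapshot(offsite)
    name = name or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = offsite / name
    snap.mkdir(parents=True, exist_ok=False)   # never overwrite an existing snapshot
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = snap / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if (old is not None and old.is_file()
                and old.stat().st_size == src.stat().st_size
                and sha256_of(old) == sha256_of(src)):
            os.link(old, dst)        # identical bytes: share storage with the previous snapshot
        else:
            shutil.copy2(src, dst)   # new or changed: fresh copy; the old version stays intact
    return snap


def demo() -> dict:
    """Constructed scenario: two snapshots, with one file overwritten
    by random bytes (ransomware-style) between them."""
    base = Path(tempfile.mkdtemp())
    source, offsite = base / "school", base / "offsite"
    source.mkdir()
    (source / "roster.csv").write_text("name,grade\nAda,7\n")
    (source / "handbook.txt").write_text("be kind\n")
    day1 = take_snapshot(source, offsite, "day1")
    (source / "roster.csv").write_bytes(os.urandom(32))   # simulated encryption
    day2 = take_snapshot(source, offsite, "day2")
    try:
        return {
            "day1_roster": (day1 / "roster.csv").read_text(),
            "day2_roster_intact": (day2 / "roster.csv").read_bytes() == b"name,grade\nAda,7\n",
            "handbook_shared": (day1 / "handbook.txt").stat().st_ino
                               == (day2 / "handbook.txt").stat().st_ino,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Hard links only deduplicate within one filesystem, so the offsite directory must live on a single volume; a snapshot directory should also be made read-only once written, since a hard link to a file that is later modified in place changes every snapshot that shares it.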

Not Complete But Enough to Get Started

There are many options when designing these plans. Even if you feel the ideas here are not feasible, the questions raised are worth answering. The thought exercise should help develop policies and procedures for all stakeholders.

Administrators should be engaging their IT teams to find out how data is saved, where it is saved, and how it can be accessed. IT teams should be engaging administrators to determine the minimum core requirements for maintaining business continuity, and the total amount of downtime the organization can withstand.

 

If You Don’t Have Electricity, You’re Gonna Have a Bad Time

By: Tony DePrato | Follow me on Twitter @tdeprato

 

Many schools are still self-hosting the majority of their information systems instead of using cloud-based solutions, co-location solutions, or data centers offering more traditional hosting.

The question has to be asked, are these schools taking the proper steps to protect their data, their systems, and the integrity of their entire architecture?

Recently, my ITBabble co-host Patrick went to a fairly popular tech conference and stumbled upon two schools that are regularly affected by power outages in their self-hosted data centers. These schools reported to Patrick that they not only had power failures but also lacked business continuity plans.

Without a business continuity plan (BCP), business operations come to a halt when power outages happen. For example, if accounting and payroll systems are offline, employees would not be paid on time. In some states, this BCP failure would result in the school receiving a fine for missing payroll.

After hearing this story, I decided to write a couple of blog posts focused on risk management.

Systems Need Electricity

If your school is going to host any core system internally, then the school needs to plan for power outages. There are very few places in the United States immune to power outages. I compiled and condensed a spreadsheet to demonstrate how common outages are, based on 2017 data. The spreadsheet below represents this data.


Link to Spreadsheet: https://docs.google.com/spreadsheets/d/e/2PACX-1vSd-zIhs8sNH7doMsrnwkEGMtRwGkbDWnc0Q8GSpNUEECmSyKd6bu-ldjbI1P6oAzU6Rc40Ye5NXQEu/pubhtml

Link to Original Data Source: https://www.eia.gov/electricity/data/eia861/


Since the data is available for previous years, those who are self-hosting should download the historical data and confirm the median number of minutes per year their region is impacted by power outages. They should also find the median amount of time per outage they are impacted. In the EIA-861 reliability data these appear per utility as SAIDI (average outage minutes per customer per year) and SAIFI (average number of interruptions per customer per year); dividing SAIDI by SAIFI gives the typical length of one outage.

From that analysis, a school can determine what their requirements are to be reasonably prepared for a power outage.

Being Reasonable

Risk management does not require a school to prepare for a threat that is historically unlikely to occur. For example, a school in Utah would not draft a plan for a hurricane.

In the official data, power outages are reported by state and by provider. If a school determines their median value and frequency is 60 minutes 3 times a year, then they need to ensure all their critical systems can run for 60-120 minutes when the power is out. This is enough time to shut everything down and protect system integrity. However, it is not enough time to execute a complex process like payroll.

If a school is internally running services like payroll, I would suggest the power backup standard be set to the execution time of the most critical task. For example, if payroll takes 4-5 hours to complete every Friday, then the systems needed for payroll need to be powered for 4-5 hours in the event of an outage. This often means the majority of the core infrastructure also needs to be up and running for 4-5 hours.
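An added example, not from the original post, of turning that history into a number. It assumes per-year rows shaped like the EIA-861 reliability data (SAIDI, the average outage minutes per customer per year, and SAIFI, the average interruptions per customer per year, so SAIDI/SAIFI is the typical length of one outage), takes the median across years as the post suggests, and applies the rule above: cover twice the typical outage so everything can be shut down cleanly (the "60-120 minutes" reading of a 60-minute median), but never less than the longest critical task that must finish on backup power. The sample rows and task durations are constructed, not real utility figures.

```python
"""Backup-power runtime standard from outage history.

Added example, not part of the original post. The rows below are
constructed, not real utility figures; they follow the shape of the
EIA-861 reliability data: one row per year with SAIDI (average outage
minutes per customer per year) and SAIFI (average number of
interruptions per customer per year).
"""
from statistics import median

# Constructed sample history: (year, SAIDI minutes, SAIFI interruptions).
SAMPLE_HISTORY = [
    (2014, 150.0, 1.3),
    (2015, 95.0, 1.1),
    (2016, 210.0, 1.6),
    (2017, 120.0, 1.2),
    (2018, 180.0, 1.5),
]


def outage_profile(history):
    """Median across years of: outage minutes per year, outages per year,
    and minutes per outage (SAIDI / SAIFI for each year)."""
    return {
        "minutes_per_year": median(saidi for _, saidi, _ in history),
        "outages_per_year": median(saifi for _, _, saifi in history),
        "minutes_per_outage": median(saidi / saifi for _, saidi, saifi in history),
    }


def required_runtime_minutes(history, critical_tasks):
    """Apply the post's rule.

    critical_tasks maps a task name to the minutes it needs end to end
    (e.g. payroll). The standard is twice the typical outage, which is
    enough to shut systems down cleanly, unless a critical task needs
    longer, in which case that task sets the standard.
    """
    profile = outage_profile(history)
    shutdown_window = 2 * profile["minutes_per_outage"]
    name, longest = max(critical_tasks.items(), key=lambda kv: kv[1],
                        default=("none", 0))
    if longest >= shutdown_window:
        return {"minutes": longest, "driver": name, **profile}
    return {"minutes": shutdown_window, "driver": "2x typical outage", **profile}


if __name__ == "__main__":
    for tasks in ({"payroll": 300, "nightly backup": 90}, {"nightly backup": 90}):
        r = required_runtime_minutes(SAMPLE_HISTORY, tasks)
        print(f"{tasks}: {r['minutes']:.0f} minutes, set by {r['driver']}")
```

Run it once with the payroll task and once without: with a 5-hour payroll the standard is 300 minutes regardless of the outage history, while without it the history alone sets a window of a little under four hours for this constructed sample. Whatever number comes out, it is a runtime for the systems the task actually depends on (database, directory, file server, network), not only for the server running the task.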

Supporting the Business Continuity Plan

Aside from setting up backup power systems and standards, here are some tasks that the IT department should be completing (or overseeing) to support the overall BCP in the event of a long-term power outage:

  1. Creating hard copies of core demographic data for all students, parents, and employees
  2. Creating hard copies of all schedules, including after school programs and transportation
  3. Creating hard copies of phone lists (phone trees)
  4. Organizing all hard copy backups into folders that are available in multiple locations; shredding outdated documents
  5. Creating portable backups of data needed for core school operations; this includes a full backup of all databases in at least two formats
  6. Testing all electronic backup systems responsible for power and data backups
  7. Connecting with a similar school, and forming a good relationship, for additional tech support when emergencies happen; this should be symbiotic
  8. Contracting and maintaining a portable 4G/5G router for ad-hoc network deployment
  9. Building an offsite data backup system that is immune to any local threats; this data can be compressed
  10. Annually reviewing all risk management policies and procedures with a team from every major department

If a school is self-hosting, they should be mostly immune to power outage threats with proper planning.

If the equipment needed to provide backup power is not available, or simply too expensive, then reconsidering cloud services would be the next step in mitigating future problems.