The Maryland Office of the Inspector General for Education (OIGE) issued its investigation report into the “catastrophic” cyberattack on Baltimore County Public Schools (BCPS), showing how it occurred and the areas where the school system is responsible. According to the report, the ransomware attack that paralyzed the school system occurred because a security contractor “mistakenly” opened a suspicious email on the school’s unsecured email system. An “educational professional” received an email from a college official that appeared to be an invoice; however, it was a phishing attack. Phishing attacks target people by sending them emails that appear to come from well-known sources. The staff member was unable to open the attachment and requested assistance from a Baltimore County Schools tech liaison. The school system’s IT liaison believed the email was suspicious and forwarded it to the school system’s security contractor.
According to the report, the security contractor opened the email attachment on their unprotected county school system email account rather than on their secure email system. This allowed the malware to enter the school system’s computer network. The investigation disclosed that the anti-virus software in use during the attack was unable to detect the malware threat. The malware was programmed to delay its execution, allowing it to disable systems that would have blocked it. The Inspector General (IG) for Education explained that the school system has anti-virus software that is frequently updated; however, it didn’t contain the malware employed in the Baltimore County attack.
A State of Maryland audit indicated that Baltimore County Public Schools was aware of computer network vulnerabilities before the cyberattack brought school operations to a halt, a finding that was reflected in the report by the IG for Education. In its findings, the IG addressed four allegations against Baltimore County Public Schools. On the first, the investigation discovered that the county school system ignored some of the Maryland Office of Legislative Audits (OLA) recommendations in its audit reports from 2008, 2015, and 2020. Additionally, it assessed that the recommendations from the audit reports had been partially resolved or executed because of network or system upgrades. The OIGE discovered that, at the time of the incident, the school system had not migrated its publicly accessible database servers as recommended by the OLA. After the cyberattack, BCPS moved its database servers to an encrypted cloud computing environment.
The second allegation was that the BCPS information technology system became the target of a cyberattack as a result of the OLA’s Audit Report released on November 19, 2020. The OIGE found no evidence to support the allegation. Based on the facts analyzed and interviews conducted, the investigation found that the malware was deployed prior to the release of the OLA report. According to the third allegation, repeated OLA findings revealed that the school system’s Information Technology division was unprepared for the cyberattack and, because of the cyberattack, failed to protect the personally identifiable information of students, staff, and BCPS retirees. The OIGE’s analysis of the OLA’s 2020 Audit Report revealed that BCPS had similar repeat findings in 2015. Both audits discovered that the school was still running internal network servers. However, the configuration didn’t provide adequate network security.
The OIGE discovered that, since the cyberattack, BCPS has implemented a series of new security procedures to ensure network integrity. To detect and prevent malware, Baltimore County Public Schools adopted Multifactor Authentication (MFA) standards for all staff, upgraded firewall technology, and enhanced device protections. BCPS also moved all essential network functions to a cloud-based environment and implemented security updates ensuring that devices receive real-time security patches. The final allegation was that the school system, following the cyberattack, failed to disclose the cost of ransomware demands, data recovery, and IT network improvement. The OIGE was unable to corroborate the allegation regarding the ransomware demands because of the information-sharing restrictions imposed by federal law enforcement at the time of the cyberattack.
The Inspector General for Education discovered that federal law enforcement asked school system IT staff not to discuss the cyberattack with anybody, including local officials. The OIGE also ruled that, due to the seriousness of the cyberattack, BCPS staff were informed that the FBI would work with local law enforcement. The malware didn’t corrupt the county school’s backup data. However, when BCPS attempted to retrieve affected network information using the most recent backup version, they discovered that specific sectors contained inside the backup file were unreadable or damaged. According to OIGE, the cost of recovering from the cyberattack, implementing system upgrades, and migrating to the new platform has topped $9,682,437 million. The cost includes the initial emergency recovery, transition and tape recovery, and other system upgrades. Additionally, the OIGE assessed that BCPS’s past IT operational expenses were lowered by roughly $1 million as a result of the system upgrades.
The report made the following recommendations in its final analysis:
- Use the 3-2-1 backup rule. The industry-standard rule requires companies to keep three copies of their data on two different devices or mediums with one off-site storage solution.
- Use cloud backup with caution. The cloud can help the school system achieve rapid recovery requirements while lowering on-premises infrastructure costs.
- Perform recovery tests on a regular basis. A backup’s mere existence doesn’t imply that it can be recovered. Storage media can be easily corrupted, yet numerous IT users aren’t aware of it. The backup system needs to include an automated process that validates each new backup and automatically alerts users of any problems.
- Avoid unnecessary delays by implementing numerous backup options. Have a plan for recovery times.
- Companies need to train their staff. Training must be a continuous process rather than an annual event. A comprehensive security awareness training program is the best way to protect against and prevent ransomware. Because phishing is the most common and successful way for ransomware to spread, an effective ransomware training program needs to cover strategies to mitigate phishing attacks and how phishing can lead to ransomware attacks.
- Create methods for reporting and responding to threats. It’s vital to create a thorough training program so that employees avoid opening phishing threats and notify their IT department to take the necessary action before any damage happens.
- BCPS Executive Leadership needs to establish and implement a procedure to quickly resolve the benefits and payroll inconsistencies caused by using outdated backups to restore its human resources data, which affects staff and retirees.
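The 3-2-1 and recovery-test recommendations above can be combined into one automated check. The following is an added example, not code from the OIGE report or from BCPS: it restore-tests each backup copy against SHA-256 digests recorded at backup time and counts only verified copies toward the 3-2-1 rule. The inventory format, file names, and function names are assumptions made for illustration.

```python
import io, tarfile
from hashlib import sha256

def make_backup(files):
    """Return (tar bytes, manifest of SHA-256 digests recorded at backup time)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: sha256(d).hexdigest() for n, d in files.items()}

def verify_backup(archive, manifest):
    """Restore test: read every member back and compare it with the manifest."""
    problems, seen = [], set()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
            for member in filter(tarfile.TarInfo.isfile, tar):
                seen.add(member.name)
                data = tar.extractfile(member).read()
                if sha256(data).hexdigest() != manifest.get(member.name):
                    problems.append(f"corrupt: {member.name}")
    except (tarfile.TarError, OSError) as exc:
        problems.append(f"unreadable archive: {exc}")
    return problems + [f"missing: {n}" for n in manifest if n not in seen]

def audit(copies, manifest):
    """Verify each copy; only copies that pass count toward the 3-2-1 rule."""
    alerts, healthy = [], []
    for copy in copies:
        problems = verify_backup(copy["archive"], manifest)
        alerts += [f"{copy['name']}: {p}" for p in problems]
        healthy += [] if problems else [copy]
    rules = [(len(healthy) >= 3, "fewer than three verified copies"),
             (len({c["medium"] for c in healthy}) >= 2, "verified copies on fewer than two media"),
             (any(c["offsite"] for c in healthy), "no verified off-site copy")]
    return alerts + [f"3-2-1: {msg}" for ok, msg in rules if not ok]

def demo():
    """Constructed sample: three copies; the off-site tape copy has one damaged byte."""
    files = {"payroll.csv": b"id,amount\n1,100\n", "hr.csv": b"id,name\n1,Sample Person\n"}
    good, manifest = make_backup(files)
    bad = bytearray(good)
    bad[good.find(files["hr.csv"])] ^= 0xFF  # simulate a damaged sector on one medium
    copies = [{"name": "disk", "medium": "disk", "offsite": False, "archive": good},
              {"name": "tape", "medium": "tape", "offsite": True, "archive": bytes(bad)},
              {"name": "nas", "medium": "disk", "offsite": False, "archive": good}]
    return audit(copies, manifest)
```

Calling `demo()` returns the alert list: the damaged tape copy is reported, and because it was the only off-site copy on a second medium, all three 3-2-1 conditions fail as well.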
With ransomware groups continuously using various attack methods and techniques, including phishing attacks, to breach data networks, it’s critical for companies and educational institutions to remain vigilant of the current threat landscape and train their staff and employees to detect suspicious emails. At SpearTip, our pre-breach advisory services allow our engineers to examine companies’ security postures to improve the weak points in their networks. Our team engages with companies’ people, processes, and technology to measure the maturity of the technical environment. For all vulnerabilities our engineers uncover, our experts will provide a technical roadmap ensuring companies have the awareness and support to optimize their overall cybersecurity posture. Our ShadowSpear Threat Hunting is a critical pre-breach step that allows SpearTip’s Security Operations Center (SOC) to hunt for and identify advanced malware including ransomware.