Ransomware has resulted in payments of millions of dollars in recent years as desperate users cough up the money to regain access to crucial files and data.
A cyber thief infiltrated a Vermont supervisory union’s computer network and made a $50,000 transfer out of a school bank account, but safe guards on the account alerted staff members to take action.
“A more sophisticated thief or hacker could have spent the time to turn off alerts, make all bank emails go directly to the junk folder, and give the crime time to be effective,” Phil Sussman, cyber security expert and president of Norwich University’s Applied Research Institute wrote about the stealthy attack.
School administrators in Vermont and across the country are on their own deciding the extent of cyber safety training and budget for their district’s technology, as they face a growing crime wave and limited funds. Pownal School District’s encounter with cyber crime won’t be the only school system in Vermont fending off hackers, according to experts its not a matter of if but when and how prepared staff is to work with law enforcement.
“If we ever tell people what they should do, the first thing they do is hold out their hand and say who’s going to pay for that,” state technology expert Peter Drescher said about community demands for local control over school district budgeting which includes technology upgrades.
Descher is the director of education technology for the Vermont Agency of Education. He helps to raise awareness about cyber crime and threats and said Wednesday that school technology administrators should be continuously learning to protect data. But the agency has no mandates for and does not oversee cyber security. Bank accounts and student data are guarded by district policy and the wisdom of whomever is tasked with network updates.
Chart from Vermont’s Annual Survey on Technology 2017. (Photo: Courtesy)
Vermont’s Agency of Digital Services was formed in April 2017 to consolidate budgets and manage the statewide transition the executive branch into the 21st century. A plan for educating employees and citizens on cyber security and the need to defend network data is set to roll out in increments by 2022.
Security in the executive branch, which does not include the Agency of Education, has begun with awareness training and by the end of 2019 the agency security training for technology professionals will be increased by 25 percent, according to John Quinn III, Vermont’s chief information officer and secretary of digital services.
Cyber crime meanwhile continues to be a growing threat to small businesses and learning institutions.
A number of schools in Vermont experienced cyber crime incidents in just over one year. Most were cyber threats made on social media or school email accounts. Then in May the Pownal School District’s bank account was hacked to the tune of $50,000.
Regionally, hackers traced to North Korea used ransomware held public school data hostage this April in Loeminster, Massachusetts, and returned it the school data for $10,000 in bitcoin. School systems across the country, according to an online search, have experienced incidents including threats, stolen data and student hacks. The U.S. Department of Education released a bulletin in October 2017 warning that cyber criminals have targeted schools and other educational institutions “seeking to extort money” by threatening to publicly release sensitive data from student records.”
More: Student hackers change grades, lunch balances in Bloomfield Hills
More: ‘Dark Overlord’ hackers posted stolen student info, Johnston officials say
Sussman, a cyber security expert with 30 years in the industry, responded to the Burlington Free Press about the dangers facing networks run by administrators who are not technology experts, like those maintained by some school districts.
“Every day we see more exploits and more sophisticated tools,” Sussman, president of Norwich University’s Applied Research Institute wrote about data theft.
Sussman got serious about educating the Norwich community about cybersecurity after students hacked the university’s network in 1996. Now he consults for Wall Street. He said in June that online hackers don’t care who you are or what you do. They hunt for the easiest target available.
“Good cyber hygiene is the key,” Sussman said in a June interview referring to one best first defense: strong unique passwords.
High school students from across the country are at the Leahy Center for Digital Investigations learning how to thwart hackers with Champlain College instructor Jonathan Rajewski, a computer forensic examiner with the Vermont Internet Crimes Task Force in Burlington. (Photo: NICOLE HIGGINS DeSMET/ Free Press media)
The thief was stopped
“There is no concern that a member of the staff or treasurer are at fault or responsible,” Southwest Vermont Supervisory Union’s June statement said of the electronic theft from the Pownal bank account. Malware from outside the district was thought to be the culprit. The statement did not indicate which specific type of malware or phishing scam infected the supervisory union’s system.
The Southwest Vermont Supervisory Union staff contacted People’s United Bank as soon as alerts popped up indicating unscheduled bank account activity, according to a press release. People’s then contacted Bank of America where the fraudulent transfer of $50,000 was destined. The thieves might have been able to transfer even more, according to the union, but staff chose to set a cap on transfers from the bank account.
The union has since been made whole. The funds were fully recovered according to a July 6 news release.
Neither the superintendent nor the technology director for the school union made themselves available for comment after a half dozen calls and emails. The union’s statement failed to specify whether the money was restored by the bank or The Rowley Agency, an insurance company, both of which were thanked in the supervisory union’s statement.
The supervisory union’s statement said the FBI was investigating. Kraig LaPorte, a spokesman for the U.S. Attorney’s Office in Burlington, said he could not comment on what happened in Pownal.
Vermont does have a Security breach Notice Act requires businesses and state agencies to notify the Attorney General of a “security breach” within 14 days so information on phishing scams and bugs can be shared with the greater community.
Students take in a lecture at Norwich University’s week-long GenCyber pre-college program where participants learn and experiment with basic concepts of forensics and cryptography. (Photo: Courtesy)
Here to help
John Quinn III, Vermont’s chief information officer and secretary of digital services, said on Thursday that at the end of July he will be presenting a plan to the legislature for a security operations center in partnership with Norwich University. The plan will implement 24/7 monitoring of the state’s data.
“We hope to offer this service to municipalities and schools for a low cost once the system is worked out” Quinn said. Few schools and small towns have the resources to monitor systems around the clock.
Leahy Center for Digital Investigation in Burlington is currently offering a free consultation call for managers of small towns, nonprofits and school districts who need help getting computer software into compliance with safety standards at low cost or no cost, according to Jonathan Rajewski, a computer expert with the Vermont Internet Crimes Task Force. Those interested can call: (802) 865-5744.
Drescher said there is a state-wide meeting on July 25 of school information technical personnel. An FBI expert and a professor led last year’s discussions on best practices following cyber threats made to South Burlington and Essex schools. A handout about how information technology and law enforcement should coordinate was introduced, which read: “things to consider before, during and after a critical incident.”
“You can never really be prepared or prevent these things from happening,” Drescher said. But having tools to mitigate the impact of a hack is important.
Sussman at Norwich said in June that practicing good cyber hygiene was key. If hackers find barriers like strong unique passwords and they probably won’t waste time knocking.
“You and your friend are in the woods and you come across a bear,” Sussman said. “You don’t have to be faster than the bear. You only have to be faster than your friend.”
Contact Nicole Higgins DeSmet email@example.com or 802-660-1845. Follow her on Twitter @NicoleHDeSmet.
Read or Share this story: https://bfpne.ws/2uxwqHs