Wed | Sep 7, 2022 | 4:11 PM PDT

Oh, September. The weather is changing, football is back, and kids are returning to the classroom. Which means it's time for malicious cyber actors to start targeting educational institutions again.

It's well known that threat actors like to use important dates to target organizations, like a long holiday weekend or a big merger or acquisition. The beginning of the school year is no different.  

The Los Angeles Unified School District (LAUSD), the second largest school district in the United States, confirmed earlier this week that it "detected unusual activity in its Information Technology systems" over Labor Day weekend. After review, the District defined the incident as an external cyberattack that was "likely criminal in nature." 

LAUSD says it has engaged law enforcement to investigate the situation and implemented a response protocol to mitigate district-wide disruptions, including email access, computer systems, and applications. 

The statement from the District makes it clear to thank the "immediate and comprehensive response from the federal government." After contacting  authorities, the White House got involved and brought in the Department of Education, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA).

It is because of this response that the District was able to open on Tuesday, September 6, as scheduled. While the cyberattack would not interrupt any instruction or transportation, LAUSD did say that things such as food services and business operations may be delayed or modified.

The District also shared how it plans to prevent incidents like this in the future, with nine immediate adjustments it plans to make:

  1. Independent Information Technology Task Force: Charged with developing a set of recommendations within 90 days, including monthly status updates

  2. Additional Human Resources: Deployment of Information Technology personnel at all sites to assist with technical issues that may arise in the coming days

  3. Technology Investments: Full scale reorganization of departments and systems to build coherence and bolster District data safeguards

  4. Advisory Council: Charged with providing ongoing advisement on best practices and systems, including emerging technological management protocols

  5. Technology Advisor: Directed to focus on security procedures and practices, as well as to conduct an overall data center operations review that includes an assessment of existing technology, critical processes, and current infrastructure

  6. Budget Appropriation: Directed appropriation of any necessary funding to support Information Technology Division infrastructure enhancement

  7. Employee Training: Develop and implement mandatory cybersecurity responsibility training

  8. Forensic Review: Expand ongoing assistance from federal and state law enforcement entities to include a forensic review of systems

  9. Expert Team: Creation and deployment of an expert team to assess needs and support the implementation of immediate solutions

Why target public schools with ransomware?

While every ransomware case is different, they do follow similar trends. Was the attacker looking to target a specific organization, or was the organization just vulnerable to an attack?

Many schools and universities lack the necessary resources to defend against cyber threats. Their resources are focused on more immediate needs, like getting kids the proper tools they need for an education, and not on some cyberattack that may or may not happen down the road.

While they lack proper cyber defense, they also lack money to pay to a cybercriminal if faced with a ransomware extortion. While they might be an easy target, there might not be too much of a reward. So why attack?

Matthew Warner, CTO and Co-Founder at Blumira, discussed why threat actors choose to target schools:

"Schools are attractive ransomware targets for a variety of reasons. Most IT leaders in education operate on a shoestring budget. Balancing operational IT spend as well as classroom edtech, dealing with pressure from public audits, and navigating administrative politics all points to the fact that obtaining sufficient budget for cybersecurity products is more challenging for IT leaders in education than other industries.

Lack of staffing is also an issue. Most school districts don't usually have a dedicated, full-time staff member focused on cybersecurity. Plus, lower budgets in education make it difficult to hire and retain cybersecurity talent without a competitive salary to offer.

The number of endpoints is also increasing in educational institutions, increasing the attack surface for adversaries. Besides school-issued devices, most students and staff often connect their personal devices to the school network, which makes the environment particularly difficult to secure. Colleges, in particular, have many personal devices on their network, since students bring both personal laptops and mobile devices."

Follow SecureWorld News for more stories in cybersecurity.