High schools are much like universities and colleges in that they hold a
mass of data which may easily be sold. This makes them more of a target.
Coupled with their budgetary constraints, this makes InfoSec difficult at
times, as it recently was for the San Diego USD.
Attack
This compromise is a bit different than most of the others.
Reports state the school district is not sure of the attack vector; however,
they believe this was the result of a relatively simple, yet effective,
phishing attack. The attackers gained access by obtaining an authorized
user's credentials. In this case, the attackers gained and maintained their
access for 11 months (January through November). This is odd. Seemingly, the
school district's SIEM would have noted the access at odd hours, the unusual
number of accesses, the source IP differing from the usual logins, and the
amount of data being exfiltrated. This would be the case, unless the school district
did not have one in place during the attack. The school district finally became
aware of this in October 2018.
Data
Generally, data is the end goal for the attacker. With it,
they are able to generate revenue through sales of the data, use it as
leverage against the target, etc. Through the compromise, the attackers
were able to exfiltrate a significant amount of data. This encompassed 10 years
of data, from the 2008-2009 school year to 2019, when the attack was detected.
Approximately 500k students and staff were affected. In addition to
the length of time the breach was open and the number of years of data exfiltrated,
there is also the depth of data per affected person. This includes first
name, last name, date of birth, mailing address, home address, telephone
number, student enrollment information (schedule, discipline incident
information, health information, schools of attendance, transfer information,
legal notices on file, attendance dates), social security number or state
student number, emergency contact information, staff benefit information, and
staff payroll and compensation data.
Notification
The notice for the affected parties was filed the Friday before
Christmas in 2018. The breach would probably be one of the last things they
would want to hear about just before the holiday. The post stated the school
district had reason to believe their system was breached and the attackers may
have accessed the data. This could not have been what the students and staff were
hoping for as their Christmas gift!
Detection
With a phishing attack, the moment of compromise may be
delayed relative to the phishing email, depending on the attacker's code. The
staff began to notice emails that appeared to be odd. They naturally, and
appropriately, reported these to their IT Department. As the next step should
go, the IT Department addressed this, recognizing that it really should not be
happening. They ended up discovering the breach in October 2018.
The school district, once they knew of the breach, did not
immediately shut down the attack. This does seem counter-intuitive. Once you
know the attacker is in and exfiltrating a mass amount of data, seemingly
prudence would dictate shutting down the attack vector. There was a rational
reason for this. The school district wanted not only to clear the access, but
also to identify the attacker and allow law enforcement to do their job. They did
later reset the compromised accounts. From this point forward, they have been
working to prevent unauthorized access.
Thoughts
The attacker had access for approximately 10 months. The SOC,
or at the least any SIEM they had in place, should have noted some abnormal activity
as the mass amount of data was being removed from their servers. Since a SIEM
only alerts on the rules it is given, possibly the search parameters had not
been put in place. This compromise emphasizes the need for phishing training
for the staff. This should not be the once-a-year training where staff nod off
while the canned presentation is playing. These need to be periodic (e.g.
quarterly) and carry current information. Without some form of connection, the
staff will probably view this as yet another mandatory training session, and
start working on other things instead of listening.
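The Attack section lists the signals a SIEM should have caught (logins at odd hours, a source IP unlike the usual ones, and an unusual volume of data leaving), and the paragraph above suggests the search parameters may simply never have been written. The following is an added example, not the district's tooling or any vendor's code, showing what those three search rules look like as a small correlation script. The log format, the field names, the business-hours window, the three-sigma volume threshold and the sample records are all constructed for illustration.

```python
"""Toy SIEM-style rules over constructed login/export records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real district logs). Assumed format:
# <ISO timestamp> <event> <user> <source_ip> <bytes_out>
SAMPLE_LOG = """\
2018-01-08T09:12:44 login jdoe 10.20.1.15 0
2018-01-08T09:15:02 export jdoe 10.20.1.15 120000
2018-01-09T10:02:11 login jdoe 10.20.1.15 0
2018-01-09T10:05:40 export jdoe 10.20.1.15 95000
2018-01-10T08:55:03 login jdoe 10.20.1.15 0
2018-01-10T09:01:13 export jdoe 10.20.1.15 110000
2018-01-15T02:41:09 login jdoe 203.0.113.77 0
2018-01-15T02:44:58 export jdoe 203.0.113.77 48000000
2018-01-15T02:52:30 export jdoe 203.0.113.77 51000000
"""

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local is "normal" for staff


@dataclass
class Event:
    ts: datetime
    kind: str       # "login" or "export"
    user: str
    src_ip: str
    bytes_out: int


@dataclass
class Finding:
    rule: str
    user: str
    when: str
    detail: str


def parse_log(text):
    """Parse the assumed whitespace-separated format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, user, ip, int(nbytes)))
    return events


def daily_export_totals(events):
    """Sum bytes exported per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        if e.kind == "export":
            totals[(e.user, e.ts.date())] += e.bytes_out
    return totals


def detect(events, baseline_until):
    """Learn normal behaviour from events before `baseline_until`, then apply
    three rules to later events: off-hours login, never-before-seen source IP,
    and a daily export total more than three standard deviations above the
    user's baseline mean. With no baseline for a user, every IP counts as new
    and the volume rule is skipped (nothing to compare against)."""
    cutoff = datetime.fromisoformat(baseline_until)
    baseline = [e for e in events if e.ts < cutoff]
    recent = [e for e in events if e.ts >= cutoff]

    known_ips = defaultdict(set)
    for e in baseline:
        known_ips[e.user].add(e.src_ip)
    base_totals = defaultdict(list)
    for (user, _day), total in daily_export_totals(baseline).items():
        base_totals[user].append(total)

    findings = []
    for e in recent:
        if e.kind != "login":
            continue
        if e.ts.hour not in BUSINESS_HOURS:
            findings.append(Finding("off_hours_login", e.user, e.ts.isoformat(),
                                    f"login at {e.ts:%H:%M} from {e.src_ip}"))
        if e.src_ip not in known_ips[e.user]:
            findings.append(Finding("new_source_ip", e.user, e.ts.isoformat(),
                                    f"{e.src_ip} not in {sorted(known_ips[e.user])}"))
    for (user, day), total in sorted(daily_export_totals(recent).items()):
        history = base_totals.get(user)
        if not history:
            continue  # no baseline for this user: the volume rule cannot fire
        threshold = mean(history) + 3 * pstdev(history)
        if total > threshold:
            findings.append(Finding("export_volume", user, day.isoformat(),
                                    f"{total} bytes vs threshold {threshold:.0f}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), "2018-01-14"):
        print(f"{f.rule:16} {f.user:6} {f.when:20} {f.detail}")
```

Run against the constructed records, the three January 15 events trip all three rules for the same account within minutes of each other, which is the kind of correlated alert a SOC would expect to see long before ten months had passed. The second caveat the code makes explicit is that with no learning period at all (a cutoff before any data), every login looks like a new IP and the volume rule never fires, so baselining has to be done before the rules are useful.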
Resources
Allen, T. (2018, December 27). Notice of data breach. Retrieved from https://www.sandiegounified.org/sites/default/files_link/district/files/
Cimpanu, C. (2018, December 25). Hacker steals 10 years' worth of data from San Diego school district. Retrieved from https://www.zdnet.com/article/hacker-steals-10-years-worth-of-data-from-san-diego-school-district/
Lilly, P. (2018, December 26). Hacker exploits San Diego school district school network, steals personal data on 500k students and staff. Retrieved from https://hothardware.com/news/hacker-exploits-san-diego-school-districts-network-steals-data
Malafronte, K. (2018, December 27). San Diego USD hacked, 10 years' worth of data stolen. Retrieved from https://www.campussafetymagazine.com/technology/san-diego-school-district-hacked/
San Diego Unified School District. (2018, December). Data safety. Retrieved from https://www.sandiegounified.org/datasafety
Security Woes Department. (2018, December 26). Hacker steals ten years' worth of data from San Diego school district. Retrieved from https://it.slashdot.org/story/18/12/26/1248222/hacker-steals-ten-years-worth-of-data-from-san-diego-school-district