Top 5 Effective, Yet Often Overlooked Cybersecurity Tools and Strategies

Daniel Eickhoff: Thank you everyone for joining us today. We'll be talking about the top five, K12 cybersecurity tools and strategies that are often overlooked, but really are very powerful and often very cost effective. My name is Daniel Eickhoff. I'm a K12 cybersecurity specialist here at Securus360, we are cybersecurity company, 100% focused on the education space, primarily on K-12 school districts, helping them with their cybersecurity operations their cybersecurity protection.

Jeff Teitelbaum: My name's Jeff Teitelbaum. I'm a senior solutions engineer here at Securus360.

Daniel Eickhoff: Let's take a quick look at some of the challenges impacting K12 school districts. K-12 is the number one target for ransomware attacks is K12 and it's only getting worse. There's tons of different studies and surveys out there and they all agree. And we created this map to tracking cyber security attacks against school districts, specifically from coast to coast. At least these are the ones that we have information on that we tracking. You can click those to expand you get news reports and details on the different incidents. But what we're seeing is that the frequency and the complexity, the sophistication of these attacks, are constantly increasing a day to day.

They're getting harder and more difficult to detect, more difficult to defend against. Even large districts like LA Unified a year ago with all their Resources and all their their solutions, they have in place got breached. And the hackers are after the children's data. And school districts have a lot of that sensitive information, which makes them prime targets.

And once that information gets out, it's devastating for these families. This is an example in the DC area, large district, Prince George's County public schools.
The data of 100,000 people, students and staff and parents got leaked, including full individuals names, financial account information, Social Security number, huge fallout in the community.

Minneapolis public schools is a good example. Medusa was responsible for this one and MPS to their credit, did not pay the $1,000,000 ransom demand, but unfortunately Medusa leaked all that information and sold it on the dark web.

So there's a couple different reasons why the number of attacks against school districts has gone up so much recently, and number one is due to the school districts limited budgets. Smaller IT teams certainly, compared to the private sector. Often school districts don't have a dedicated cybersecurity staff. You know, maybe the large districts, larger districts have but medium smaller districts don't.

What the hackers call soft targets, we already talked about that they are attractive targets, because of all the valuable information, all that the student data that the bad guys are after. But another thing that we're seeing in other key reason is that there's been a shift in the way that ransomware gangs are operating.
Before the old model, you had a ransomware operator, a ransomware gang, and of course it was a group of people, but they could only attack so many victims at any given time. A year or two ago, they started restructuring as ransomware as a service operators.

So and other ransomware gangs shut down and sold their technology to new emerging SaaS groups and one example actually is HIVE. Hive ransomware, they got under pressure from law enforcement and so they shut down and Hunters international bought them out. So Hunters international took over the hive technology and I was operating it as a Ransomware-as-a-service (RaaS) group, but now we have these ransomware as a service operators or groups.
And the key here is that they are leveraging a number of Affiliates each and these are basically independent ransomware contractors.
And each RaaS group has 10 twenty 5000 affiliates, and each of them is attacking their own group of victims.

So this means that now each RASK group can target hundreds of school districts simultaneously, and they do this in a more random and opportunistic approach, basically casting a wide net and seeing who they can catch.

Other groups, like Vice Society, for example, they are targeting school districts specifically. That's because of their data rich environment susceptible to pressure because of the nature of the data, often vulnerable like we talked about. As a result, any school district is now much more likely to be attacked than in the past and districts are unfortunately finding out the hard way that only you know, being smaller or being lower profile than that Shiny City district. It doesn't mean that they won't be attacked.

This is a huge game changer in in the in the industry we did our last Webinar actually was on that topic. So if you want to view that it's available on our website, no registration or anything required for that, you can just play it and Medusa. So to just highlight that you know that that whole shotgun approach casting a wide net just before Christmas, last Christmas and a couple of days, Medusa took down 3 school districts in just a couple of days. And interestingly, the sizes of these districts were three schools very small, five schools.

Nine schools, 39 and 33 schools, so really across the board and this is a copy of the actual. Ransomware, ransom note and I redacted the name of the district here, but we were actually we were talking to these guys at a couple of months before this attack and the breach and we were discussing on a high level our services, what we could do for them, how we could help them be more secure, specifically in the areas of MXDR detection, response Remediation and and basically they said uh, you know, thank you, but no thanks.

So they felt sufficiently protected, which unfortunately in retrospect, we know it was a miscalculation. I don't know if they if they underestimated the threat or if they overestimated their defense, their the level of of their protection, but unfortunately they were breached and subsequently.

So the question is, how can school districts protect themselves? And there there's a many different technologies and tools and strategies today will be looking at the top 5 that are often overlooked and are are still extremely powerful and often affordable so with that Jeff why don't you take it away.

Jeff Teitelbaum
Before we dive into the Overlooked security measures, we first want to talk about some of the more obvious ones here. And that's going to be you should have a robust antivirus, but keep in mind that only protects you against known threats, but it's still absolutely essential. Additionally, you hopefully have full coverage EDR, so full coverage on all the systems possible or at least the critical ones and we do recommend having it managed that way.

That task is taken off of view, and that's even though that's still a good solution, just with those two, that's still not enough. There's still tons of events happening on your system every single day, and that's why an MXDR or MDR solution is absolutely recommended to threat Hunt and get some additional info and coverage and make sure that those blind spots are being covered.

Similarly with network switch monitoring, all kinds of activity, either lateral traffic or the North South traffic going out to different locations got a monitor that traffic as well and no one is really a full on Prem shop anymore. You're going to have some type of cloud solutions, even if that's O365 or G suite. We need to get those monitored as well. If they're not, and integrating into a seam is strongly recommended. Email you probably have some type of content or DNS filtering and hopefully SPF and demark on your email for additional security.

And a SIEM, we do recommend a managed one, but there should be some kind of SIEM regardless, to aggregate all that data. And on top of that, just having a SIEM  isn't enough. There needs to be continuous rule development that keeps up with all the latest threats on the digital landscape, tapping into intelligence sources like NIST, miter or SISA.

And a SOAR additionally for autonomous Response. Firewalls and you probably have a endpoint firewall, typically a Windows firewall or with inter VLAN rules.
That way it's traffic that shouldn't talk to, shouldn't talk to any other networks, is not is not able to get there, and you have your perimeter firewall as well, and vulnerability scanning definitely very important. We personally use we implement qualis with that, but we found that one to be the best but internal and external scanners. We recommend checking both. You want to check your outer perimeter as well as what's going on inside and remediating those vulnerabilities, and ideally MFA implemented wherever possible. So most people probably have it on their email, or at least hopefully.

But if you can get that on the endpoints as well, that is ideal.
All right.

So those are the more obvious ones.

Well, let's take a look at some more strategies that are a bit Overlooked compared to the others breaching attack simulation. For testing specific vectors in your environment.

Honeypots and Canaries. This lures attackers away from your most critical assets, such as your SIS. If you self host it or your domain controller.

Incidents response planning. This ensures you have a solid plan in place in the event defenses somehow fail. You have a plan to hit the ground running.

Security awareness training. We really can't stress the importance of this enough to reduce your attack surface.
The human element is important to take into consideration, and we'll touch more on this as we go through the presentation and immutable backup which ensures you can always recover your data from encryption events.

So we'll begin with breach and attack simulation tools.

And you may have an EDR firewalls and I've virus. That's great. You absolutely should, but are they doing their job?

This is something that bass Tools very much help with. They check and make sure that your security solutions that you're expecting to perform a specific task are actually doing that task and protecting you the way that they're advertised.

There's tons of new threats that come on to digital landscape every single day. New EDR evasion tactics, things like that. So absolutely critical to stay ahead of the threat and make sure that the tools are doing their job and or executing the tasks that you think they're doing.

And so there's various approaches. BAS Tools Solutions, but at minimum it should be able to protect you against things like credential dumping through LSASS.
No malicious file tools or downloads or malicious PowerShell scripts (Kerberoasting or Esentuti) and I just want to mention that implementing security solutions doesn't mean that you're protected testing your security solutions against attacks means you're protected.

And honeypots and Canaries very often overlooked. And we'll start with a brief definition here to to kind of break up these terms a little bit.

What is the difference between a honeypot and a Canary? So a honeypot is the part of it that emulates a typical system more a typical system that would be an environment. So you can spoof all kinds of things, whether it's RDP or IIS, or even an OWA portal, and that's going to ideally lure the attacker, making it an attractive target so that they don't go toward your most critical asset. They go toward that honey pot, but the Canary portion?

We use things to Canary for that. We have a partnership with them and they basically what that's going to do. The Canary is the portion that actually alerts you and lets you know that the honeypot was interacted with in some way, and that way you're aware that there has actually been a breach.

You can think of that as the Canary singing or chirping. A good honeypot solution will integrate both of these components in one. That way you don't have to do 2 different implementations and bridge those together, and we do strongly recommend having one honey pot or Canary deployed per VLAN. That way you have full coverage no matter where the attacker breaches. If they do some kind of discovery scan, then that whatever Canary is there will pick that up and alert.

Incident response planning. Absolutely critical. This is a example of one that we did for SIM Marino Unified School District.
They allowed us to share. This is very nice and so really the point of this is in the event that your security solutions somehow fail and there has been some sort of breach, you don't wanna be trying to figure out what to do, who to contact as this is happening and running around panicking, having a cohesive incident response plan in place where if something detrimental happens, you can refer to that piece of paper and go through the motions that you need to go through to contain that as much as possible and reduce the damage.

And security awareness training. Uh, definitely. Want to harp on this Quite a bit.
We partner with CyberReady for that.
And really, the human element is just very important to keep in mind, especially when it comes to social engineering attacks.
It's not always that there's gonna be some highly technical way of breaching the environment.

Oftentimes it is still social engineering, so the more users that are educated and know the red flags to lookout for phishing scams, things like that, the more protected overall you're going to be.

Because the reality is, the larger your organization is, the more holes you have. Each user unfortunately has to be thought of as kind of a weakness in the organization, because any one of those could inadvertently let an attacker in. So by training users, you're reducing your attack surface that way.
In addition to all these security solutions that are being implemented and protecting you in a holistic fashion.

And security awareness training. It used to be kind of droll and dry to be honest. It really has come a long way. It's far more engaging and it's a lot more welcoming for users of all skill levels to hop in and protect themselves. Not only while they're in your environment, but in their personal life as well.

And immutable backup. This one is unfortunately ignored quite a bit. Most are probably aware of the 321 rule keeping 3 backup copies with two on two different devices and one that is off site. But one thing that this doesn't actually account for is immutable backups. Backups that are essentially written in stone is how you can think of it. Kind of like when you burn a CD you you're writing to it once and then reading to it thereafter.

This is why it's called worm storage. Write once, read many.
And so just to kind of give a practical example here, let's say that any town Unified School District, they suffer some kind of breach.
Their primary backups they or their local backups rather get encrypted and they're normal.

Cloud backups get encrypted as well via something like lock bit for instance, and if they had implemented worm storage, there's still able to recover because those backups, even if the attacker were to somehow get access to those, they can't actually modify it once they're written, they can't be modified.

So it's a very good strategy to implement that way, no matter what happens, you can always at least recover your data.
And so for immutable BLOB storage, Amazon S3 or Azure or wasabi, those are just some examples of providers where you can implement that.

Daniel Eickhoff
Thanks, Jeff and yeah, so umm we always try to keep these short on the first run through here, but that's what Q&A is for. So if you have any questions, if you want to dive in or want to know a little bit more on any of these topics, submit your questions using the Q&A tool and yeah, hope we inspired some of your the folks on the call here to implement some of these things.

And as you as you tackle those maybe in the future, in the next few days or weeks, always feel free to reach out to Jeff if you have any questions at that time.
But while we give you a minute to submit your questions on Q&A, let me tell you briefly about Securus360, who we are, what we do.

We are a company 100% focused on working with case for 12 school districts and we offer managed extended detection and response services MXDR and I'll just run through a real quick overview just to it's one of the most comprehensive solutions in the space and we offer multi vector monitoring.

So true MXDR, meaning we go way beyond your endpoints. We look at servers and cloud and cloud application SaaS applications. You're cyber security devices, user behavior.

All of these things includes managed EDR Managed seam key part is the 21st 7365 SoC, meaning we have a team of security analysts that continuously pour over the data from your environment and then when they see something they investigate, verify these threats and then work with the client on Remediation.

They offer guided or autonomous remediation after hours available or 24/7. They active threat hunting. They do that as well as we leverage AI and machine learning algorithms.

Hundreds of them looking for anomalies and potential indicators of compromise in behavior patterns and things like that. Vulnerability assessments critical Jeff mentioned it briefly in the beginning.

We that's a key part we do with all of our clients and depending on the size of the school district, sometimes we find thousands and you heard that right.
Thousands of critical vulnerabilities that then we help prioritize and remediate, and we also offer a Cyber Warranty, which is kind of a different angle because it offers financial protection, which goes a long way.

So just wanted to give you a quick idea of what we do and we did get some questions. Great. Keep them coming.

Question number one is it's about BAS tools. How do bass tools compare to traditional pen testing?

Jeff Teitelbaum
So with the with traditional pen testing, you usually have some kind of company come out. They'll go on site and you have to open up a lot of stuff to kind of let them in typically. And there's a there's a couple problems with that. For one, we there are certainly cases where when that was done, the whole that they opened up may not always be a closed back up, which is is a big problem. It depends on the bass tool solution, but often or end. Ideally you don't need to open any holes in your network if they leverage some type of the dissolvable agent. The other thing is it's generally cheaper than the traditional on site on site pen testing.
A few other advantages there that that I can think of off the top of my head here.

It's going to be a lot faster to get you the results with the runtime simulations that run a report is generated, whereas if you have some company come out, they're going to have to typically cobble that report together, which can take a while. So you get your results faster, and it's generally cheaper than the alternative.

Daniel Eickhoff
Can I customize the honey pot to make it look like a school environment?

Jeff Teitelbaum
So we we actually do that for you. So we have catered a we created a K12 specific honey pot Canary template. It's going to make it look very much like a typical system that you would find in a K12 environments. So it's there's a lot of strategy involved when it comes to the honeypots and Canaries cuz you want to strike a balance, you don't really want a for lack of a better term, a Christmas tree lit up with every single service listening. If the attacker comes across that, they're gonna say, well, that's obviously a honeypot. And then they're just going to sideline it. So we put a lot of thought into catering that making it look like a very enticing target, but not too enticing, such that the attacker will avoid it. So we simple answer, we take care of that for you.

Daniel Eickhoff
Yeah, that was a good question. I was wondering that myself.

How often do you recommend testing IRP protocols?

Jeff Teitelbaum
So I'm at at a minimum every six months. If people wanna do it more often, they can, but at least by annually.

Daniel Eickhoff
Will immutable backups help protect me against data exfiltration?

Jeff Teitelbaum
Oh, I'm actually really. I'm really glad that was asked cause to be really frank. No, they will not protect against that. That would fall more toward possibly your IPS would would get that, or maybe your maybe the EDR, but immutable backups are really more for for encryption based events.

So, because there's really a couple main threats, you got to look out for, one is the encryption, the other is exfiltration. So the encryption immutable backups will at least allow you to get your data back if the data is already been exfiltrated, then it's not going to prevent that, and it's not going to somehow get it away from the attackers of course.

So it is an encryption based protection. Data exfiltration will fall toward other solutions that will mitigate that.