Report Comes as District Struggles With Ransomware Attack
The Baltimore County Public Schools system was notified by state auditors of several cybersecurity weaknesses the day before the district was hit with a crippling ransomware attack (see: Ransomware Attack Targets Baltimore County Public Schools).
The general audit conducted before the Nov. 24 ransomware attack found the school system ignored warnings in a 2015 state audit that the lack of security for its IT infrastructure made personally identifiable information and critical databases vulnerable to attack. The Baltimore Sun published the audit.
“Significant risks existed within BCPS computer network,” the audit stated. “For example, monitoring of security activities over critical systems was not sufficient, and its computer network was not properly secured. In this regard, publicly accessible servers were located in BCPS internal network rather than being isolated in a separate protected network zone to minimize risks.”
Doug Levin, president of the consulting firm EdTech Strategies and the K-12 Cybersecurity Resource Center, notes: “The state audit of BCPS was only the latest disclosure of security shortfalls in the district. Like many districts, Baltimore County’s security practices seem to be substandard, but especially so for a tech-centric district of their size.”
Although coping with the challenges posed by the COVID-19 pandemic makes maintaining adequate information security even more difficult, Levin says: “District cybersecurity practices in general have not kept pace with the adoption of technology. This attack is only the latest indicator of how serious the consequences of that gap are.”
As it continued to recover from the Nov. 24 ransomware incident, the Baltimore County district canceled virtual classes for 115,000 students Monday and Tuesday.
(1/3) Due to the recent ransomware attack, Baltimore County Public Schools will be closed for students on Monday, November 30, and Tuesday, December 1. BCPS offices will be open and staff will receive additional information about Monday and Tuesday.
— Baltimore County Public Schools (@BaltCoPS) November 28, 2020
The district issued instructions allowing students to use their BCPS-issued Chromebooks, but not any Windows devices, to access district accounts. In a post on its Facebook page, the district gave students and staff the go-ahead to use their personal devices to access virtual learning and online tools.
The district’s IT staff is telling students and staff to avoid opening emails from suspicious sources. It is also blocking all emails coming from Baltimore County, and all incoming emails are being monitored for suspicious messages.
The 56-page state audit report found four IT areas in which the district followed poor cybersecurity practices before the ransomware attack hit.
The most grievous oversight was placing 26 publicly accessible servers within the internal network rather than in an isolated, protected network zone. Additionally, the district’s intrusion detection and prevention system (IDPS) inspected only unencrypted traffic, leaving encrypted traffic entering the network unexamined.
“We identified 21 firewall rules that allowed encrypted traffic from any source to 29 unique network destinations within BCPS’ internal network without IDPS coverage,” the report states.
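One way a defender can screen a rule set for the gap the auditors describe, as an added example that is not from the audit report or the district (the internal address ranges, the list of encrypted ports and the sample rules are all assumptions):

```python
"""Flag firewall rules that allow encrypted traffic from any source to an
internal-network host without routing it through IDPS inspection.
Address ranges, port list and sample rules are assumed, not the district's."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space (RFC 1918); replace with the real inventory.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed ports carrying TLS/SSH traffic that a payload-inspecting IDPS cannot read.
ENCRYPTED_PORTS = {22, 443, 636, 993, 995, 3389, 8443}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # "any" or a CIDR
    dst: str      # a CIDR (single hosts written as /32)
    dport: int
    idps: bool    # True if this rule's traffic is sent through IDPS inspection

def is_internal(cidr: str) -> bool:
    """True if the destination lies inside one of the internal ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)

def audit_rules(rules):
    """Rules allowing any-source encrypted traffic to an internal host with no IDPS coverage."""
    return [r for r in rules
            if r.action == "allow" and r.src == "any"
            and r.dport in ENCRYPTED_PORTS and not r.idps and is_internal(r.dst)]

def uncovered_destinations(rules):
    """Distinct internal destinations reachable through the flagged rules."""
    return {r.dst for r in audit_rules(rules)}

# Constructed sample rule set, not the district's real configuration.
SAMPLE_RULES = [
    Rule("dmz-web", "allow", "any", "203.0.113.10/32", 443, False),        # DMZ host: not internal
    Rule("sis-portal", "allow", "any", "10.20.5.15/32", 443, False),       # flagged
    Rule("sis-portal-alt", "allow", "any", "10.20.5.15/32", 8443, False),  # flagged, same host
    Rule("admin-ssh", "allow", "any", "10.20.5.20/32", 22, False),         # flagged
    Rule("mail-in", "allow", "any", "10.20.6.5/32", 25, True),             # plaintext and inspected
    Rule("intranet", "allow", "10.0.0.0/8", "10.20.5.15/32", 80, False),   # internal source only
    Rule("block-all", "deny", "any", "0.0.0.0/0", 443, False),
]

if __name__ == "__main__":
    for r in audit_rules(SAMPLE_RULES):
        print(f"{r.name}: any -> {r.dst}:{r.dport} encrypted, no IDPS coverage")
    print(len(uncovered_destinations(SAMPLE_RULES)), "internal destinations exposed")
```

The two counts the script produces (flagged rules and distinct destinations) correspond to the "21 firewall rules" and "29 unique network destinations" figures the audit reported.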
The audit also found that the district had given unauthorized employees access to its automated financial systems and had elevated the privileges of others so they could make purchases without the required approval from a superior. As a result, $1.1 million was spent on more than 3,000 purchases between 2017 and 2019 that received no independent review or approval, the report states.
In another instance, five employees handling payroll transactions were inappropriately given access to human resource records and functions that they did not need to conduct their jobs.
Auditors found sensitive personally identifiable information was stored without adequate safeguards on at least two databases, with one containing 92,000 unique records that could have been accessed.
Auditors also found two critical systems’ databases had inadequate security and audit event logging and monitoring procedures, and numerous employees were given unneeded elevated privileges to access these records.