Four “How To’s” for Building Your Ransomware Defense and Response
Posted by Bryan Ruzenski, Director of External Technology Services & Molly Schwemler, Digital Media Specialist on 9/30/2021 1:00:00 PM
Ransomware: the scourge of modern information technology. In the span of a few years, ransomware attacks have gone from a fringe concern to the primary cyber threat facing organizations worldwide. Ransomware poses a particularly dangerous threat to education agencies because our networks are more open, our cybersecurity funding is relatively lower and we run more legacy systems than the private sector does.
How do these specific challenges impact technology professionals and those in education? It means that educators, administrators and education technology professionals bear the weight of an immense amount of responsibility. We are entrusted with the safety, both physical and emotional, of our children. In addition, we also must ensure that tax dollars are used efficiently and not wasted. In an increasingly digital society, these needs for safety and financial stewardship also include the security of our children’s information and the financial responsibility to protect digital data from malicious attackers. The safety and security of critical school district data, files and records and district systems are a top priority for all technology professionals in education. Neglecting these crucial areas can leave sensitive district and student information vulnerable to cyber threats, including malicious software attacks, intentional server or website overloads, social engineering, accidental deletion of critical records and, of course, ransomware.
As we strive to protect the security of student information and financial resources while ransomware attacks remain on the rise, we’re bringing back a few of our trusted “how to” strategies for ensuring the security of vital district and school data.
1. HOW TO PROACTIVELY DEFEND DATA
Regularly scheduled backups of all data over a secure infrastructure are critical for avoiding data loss in the event of an attack, server failure or deletion. To save bandwidth, incremental backups can be set up after an initial full backup so that only changed data is backed up from then on. Our Rubrik solution uses an "incremental forever" backup model to ensure fast backup times, efficient use of storage and appropriate bandwidth usage. Ideally, you want multiple backup copies. It is best to back up data to an offsite location and replicate it to a remote location so that it is securely accessible in two places.
2. HOW TO PREVENT CORRUPTION
Now that you’ve scheduled your backups and made multiple copies in secure locations, that must be enough to ensure your information is safe, right? Not yet. Your backups themselves could still be vulnerable. The data that you stored in an offsite and remote location needs to be encrypted and protected from changes. Creating encrypted and protected backups enhances the safety of your data as it is now immutable (unable to be changed) once in storage.
3. HOW TO RECOGNIZE A RANSOMWARE ATTACK
Backing up data that is already corrupted doesn’t do any good. You can develop customized actions and monitoring to help protect against ransomware attempts. Consistent monitoring, combined with the attention of technical professionals, can detect and report potential signs of a ransomware attack, such as unusual file changes (files added, deleted, changed or encrypted). Our Rubrik solution uses machine learning over time to distinguish unusual file activity from normal file usage.
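The file-activity signals this section lists (files added, deleted, changed or encrypted) can be turned into a simple rule-based check. The example below is added for this post and is not Rubrik's machine-learning detection or any CCIU tooling: it diffs two snapshots of a file tree and raises indicators for a large share of the tree touched in one interval, new or rewritten content with ciphertext-like entropy, and a burst of files sharing an extension never seen before. The sample tree, the thresholds (50% of the tree, 7.0 bits per byte, three hits) and the `.locked` suffix are all constructed for illustration.

```python
"""Added example: rule-based detection of ransomware-like file activity by
comparing two snapshots of a file tree. Written for this post; it is not
Rubrik's or the CCIU's code."""
import math
import random
from collections import Counter
from pathlib import PurePosixPath


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext usually sits well below 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def diff_snapshots(before: dict, after: dict) -> dict:
    """Snapshots map relative path -> content (a real scanner would store hashes)."""
    return {
        "added": set(after) - set(before),
        "deleted": set(before) - set(after),
        "changed": {p for p in before.keys() & after.keys() if before[p] != after[p]},
    }


def assess(before: dict, after: dict, change_ratio=0.5, entropy_bits=7.0, min_hits=3) -> dict:
    """Score a snapshot pair; two or more indicators mark the interval suspicious."""
    d = diff_snapshots(before, after)
    touched = d["added"] | d["deleted"] | d["changed"]
    ratio = len(touched) / max(len(set(before) | set(after)), 1)
    # Newly written content that looks encrypted (high entropy).
    high_entropy = sorted(p for p in d["added"] | d["changed"]
                          if shannon_entropy(after[p]) >= entropy_bits)
    # New files carrying an extension the tree has never contained before.
    known_ext = {PurePosixPath(p).suffix for p in before}
    new_ext = Counter(PurePosixPath(p).suffix for p in d["added"]
                      if PurePosixPath(p).suffix not in known_ext)
    indicators = []
    if ratio >= change_ratio:
        indicators.append(f"{ratio:.0%} of the tree touched in one interval")
    if len(high_entropy) >= min_hits:
        indicators.append(f"{len(high_entropy)} new or rewritten files look encrypted")
    if new_ext and new_ext.most_common(1)[0][1] >= min_hits:
        ext, n = new_ext.most_common(1)[0]
        indicators.append(f"{n} new files share the unseen extension '{ext}'")
    return {"change_ratio": ratio, "high_entropy": high_entropy,
            "indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample tree; file names and contents are made up for the example.
BEFORE = {
    "grades/period1.csv": b"student,grade\nAda,95\nBen,88\n",
    "grades/period2.csv": b"student,grade\nCy,79\nDee,91\n",
    "iep/plan_0042.docx": b"constructed plain content for a document\n" * 4,
    "iep/plan_0043.docx": b"constructed plain content for another document\n" * 4,
    "staff/roster.xlsx": b"name,room\nSmith,101\nJones,102\n",
    "public/calendar.txt": b"Sept 30: early dismissal\n",
}


def benign_after() -> dict:
    """Same tree after one ordinary edit to a single spreadsheet."""
    after = dict(BEFORE)
    after["grades/period1.csv"] = b"student,grade\nAda,95\nBen,88\nCal,72\n"
    return after


def attack_after() -> dict:
    """Same tree after the originals vanish and '.locked' copies appear.
    Seeded random bytes stand in for ciphertext so the run is offline and repeatable."""
    after = {"public/calendar.txt": BEFORE["public/calendar.txt"]}
    for i, path in enumerate(p for p in BEFORE if p != "public/calendar.txt"):
        rng = random.Random(i)
        after[path + ".locked"] = bytes(rng.getrandbits(8) for _ in range(2048))
    return after


if __name__ == "__main__":
    for label, after in (("benign edit", benign_after()), ("mass encryption", attack_after())):
        print(label, assess(BEFORE, after))
```

Requiring two independent indicators keeps a single bulk operation (a legitimate migration, a large import) from paging someone on its own; in practice the thresholds are tuned against a baseline of the tree's normal change rate, which is the part Rubrik's learning-based approach automates.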
4. HOW TO RECOVER FROM AN ATTACK
In the unfortunate event of an attack, be prepared for the recovery process. If the previous strategies have been implemented, it will be much easier and faster for your team to recover compromised files, either to their original location or to a completely new location. With a detection system like the one included with Rubrik, you will be notified of a suspected compromise and can begin taking steps to recover right away. Your first action would be confirming whether the alert is a true attack or a false positive. If it is an attack, you would move to recovery and restore the last “known-good” backup to a standby server. Then you can resume normal operations while you work with your incident response team to investigate the attack.
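To show how sections 1, 2 and 4 fit together in code, here is an added example (written for this post, not Rubrik's or the CCIU's software) of an "incremental forever" backup into a content-addressed store: unchanged content is never copied twice, each snapshot's manifest is hashed and chained to its parent, a verify step detects a stored blob that no longer matches its recorded hash, and the restore pulls from the last snapshot that still verifies clean. Everything runs on throwaway files in a temporary directory; the file names and contents are constructed, and the read-only permission bit is only a stand-in for genuinely immutable storage.

```python
"""Added example: incremental-forever, content-addressed backup with a
hash-chained manifest, a tamper check and a known-good restore.
Written for this post; it is not Rubrik's or the CCIU's code."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, store: Path, parent: dict = None) -> tuple:
    """Back up every file under `source` into `store`; returns (manifest, blobs_copied).

    Blobs are named by content hash, so after the first full run only new or
    changed content is copied ("incremental forever")."""
    blobs = store / "blobs"
    blobs.mkdir(parents=True, exist_ok=True)
    files, copied = {}, 0
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        files[str(path.relative_to(source))] = digest
        blob = blobs / digest
        if not blob.exists():
            shutil.copyfile(path, blob)
            blob.chmod(0o444)  # read-only: a stand-in for WORM / object-lock storage
            copied += 1
    manifest = {"files": files, "parent": parent["digest"] if parent else None}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["digest"] = hashlib.sha256(body).hexdigest()  # chains snapshot to parent
    (store / f"manifest-{manifest['digest'][:16]}.json").write_text(
        json.dumps(manifest, sort_keys=True))
    return manifest, copied


def verify(store: Path, manifest: dict) -> list:
    """Return paths whose stored blob is missing or no longer hashes to its recorded digest."""
    bad = []
    for rel, digest in manifest["files"].items():
        blob = store / "blobs" / digest
        if not blob.exists() or sha256_file(blob) != digest:
            bad.append(rel)
    return bad


def restore(store: Path, manifest: dict, dest: Path) -> int:
    """Rebuild the tree described by `manifest` under `dest`; returns files written."""
    for rel, digest in manifest["files"].items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(store / "blobs" / digest, target)
    return len(manifest["files"])


def demo() -> dict:
    """Constructed end-to-end run: full backup, incremental backup, simulated
    overwrite of the newest blob, verification of both snapshots, and a restore
    of the older snapshot that still verifies clean."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, store, out = root / "src", root / "store", root / "restore"
        src.mkdir()
        (src / "grades.csv").write_text("student,grade\nAda,95\n")
        (src / "notes.txt").write_text("meeting notes\n")
        m1, copied_full = snapshot(src, store)            # two blobs copied
        (src / "notes.txt").write_text("meeting notes, revised\n")
        m2, copied_incr = snapshot(src, store, parent=m1)  # only notes.txt copied
        # Simulate the newest notes.txt blob being overwritten inside the store.
        victim = store / "blobs" / m2["files"]["notes.txt"]
        victim.chmod(0o644)
        victim.write_bytes(b"\x00 not the original content")
        damaged_latest = verify(store, m2)  # ["notes.txt"]
        damaged_parent = verify(store, m1)  # [] : the older blob is untouched
        restored = restore(store, m1, out)  # m1 is the last known-good snapshot
        return {
            "copied_full": copied_full,
            "copied_incr": copied_incr,
            "chained": m2["parent"] == m1["digest"],
            "damaged_latest": damaged_latest,
            "damaged_parent": damaged_parent,
            "restored": restored,
            "restored_notes": (out / "notes.txt").read_text(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `chmod(0o444)` line is where a real deployment differs: the store has to live on storage that the credentials used by production systems cannot rewrite or delete (write-once or object-locked media, or an account the backup job alone holds), and the manifest digests should be kept off the store as well, otherwise an attacker who reaches the backup target can rewrite both the blobs and the record that would reveal it.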
Although cyber attacks can impact our systems when we least expect it, practicing and incorporating these strategies and tips into our usual security process can help us to not only react more effectively when our cybersecurity is threatened but also to prevent issues before they occur. If you are specifically concerned about any of the cybersecurity threats or lack of existing districtwide solutions to the issues detailed in this post, you might also benefit from discussing Rubrik as a potential solution!
If you would like to learn more about how Chesconet can help you detect and recover from a ransomware attack, please contact Bryan Ruzenski, the Director of External Technology Services at the CCIU. Bryan can be reached at 484-237-5026 or firstname.lastname@example.org.