Below: Hackers breached the U.K.’s voter registry, and a key tech agency rolls out a new cybersecurity framework. First:
Schools may have a long way to go to protect against cyberattacks
On the same day education and technology leaders came to the White House to discuss cyberattacks on schools and commitments from industry, a ransomware gang calling itself Medusa appeared to add the 1,000-student Emerson, N.J., public school district to its hostage list.
The board of education office declined to confirm the incident to me. But Medusa thus far “hasn’t made any empty claims” about its ransomware postings, Emsisoft threat analyst Brett Callow told me.
Continued cyberattacks on schools in Emerson and elsewhere, even amid a high-profile government-industry event yesterday, underscore the challenge facing school systems: The commitments made this week could move the needle on boosting schools’ cybersecurity defenses; however, even as schools take advantage of these new resources, school cyberattacks will probably keep coming.
- Recent cyber incidents at school districts, such as one in Minneapolis this past spring, saw hackers publish troves of sensitive student data, including psychological reports. White House officials have also confirmed incidents in Arizona, California, Washington, Massachusetts, West Virginia and New Hampshire.
- The private sector announced several voluntary commitments ahead of the summit, including grant programs and free or subsidized cybersecurity offerings for schools. Representatives from those companies also spoke in detail about them at the event.
At the White House, top officials — including first lady and professor Jill Biden, Education Secretary Miguel Cardona and Homeland Security Secretary Alejandro Mayorkas — stressed the need for immediate improvements to school cyber resilience.
- “Every family should know its information will stay safe and secure” so their children can keep learning in schools, Biden said to an audience of administration officials and educators.
The commitments that the Biden administration secured from industry came together in just the past few weeks, according to senior administration officials (who spoke on the condition of anonymity under the ground rules of a news conference) and industry executives who spoke with The Cybersecurity 202.
As of now, the initiatives are indefinite, and that doesn’t seem to bother these companies.
- PowerSchool, for instance, will provide K-12 schools free or subsidized cybersecurity resources like training and coursework. The company said its clients include districts representing 80 percent of students across the United States and Canada. The company’s latest commitment this week will allow school systems outside that 80 percent realm to ask the company for help, CEO Hardeep Gulati told me after the White House event.
- The commitment lasts “at least for the foreseeable future,” Gulati said. “We’re not going to solve cybersecurity today. This is going to take a lot of investments and support from everybody.”
Cloudflare CEO Matthew Prince gave a similar answer. The IT management company committed to providing small school districts services that help prevent malicious emails from coming in, as well as guardrails to help prevent students, staff and administrators from accessing malicious websites. “I think that if we can help schools be more secure that’s something that we’re happy to do indefinitely,” he said in an interview.
Budgets, tracking and disclosures
Any cybersecurity investment in school systems is a good thing, but the cyber promises made this week are not going to make a significant difference in the overall school ransomware ecosystem, Emsisoft’s Callow said, calling it a “drop in the ocean.”
The issue: Schools have been hemorrhaged with cyberattacks since at least 2019, he said. And they are already forced to make tight budget decisions in areas like lunch programs. “Spending on cyber isn’t necessarily always popular when [school districts] could spend it on things to better educate kids,” he said.
Recorded Future senior security architect Allan Liska said that an added challenge is whether schools are willing to disclose cyber incidents.
- In an ideal world, the Biden administration would need at least six months to see if this week’s commitments would help drive down school cyberattacks, which have climbed steadily since 2020, he said.
- But there are “too many schools that refuse to confirm anything,” he said, adding that the lack of disclosure raises the question of whether the United States needs to mandate school disclosure requirements for cyber incidents (the Biden administration has required other critical infrastructure sectors to swiftly report hacks, and the tactic has been a key component of its national cyber strategy). If cyber officials can’t track the number of incidents against schools, it makes it harder to fully assess the effectiveness of this week’s attentiveness to the matter, Liska added.
Still, the voluntary private sector resources are “most welcome” for schools in need of low-cost support to shore up cyber protections, said Doug Levin, co-founder and national director of the K12 Security Information eXchange in an email. But the sector “lacks resources and absent cybersecurity compliance standards for school systems and their vendors” and “too many school communities will be left behind by wholly voluntary efforts,” he added.
Biden administration officials were unavailable to speak by press time. In emailed remarks, the Education Department’s Cardona said “to make the most of these benefits, we must effectively manage the risks.”
“Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms,” Cardona said. “The Department of Education has listened to the field about the importance of K-12 cybersecurity, and today we are coming together to recognize this and indicate our next steps.”
Hackers breached U.K. voter registry, commission says
The United Kingdom’s Electoral Commission said that unidentified hackers gained access to emails and voter information in an attack the organization discovered in October after sitting 14 months undetected, our colleague Sarah Dadouch reports.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected,” Shaun McNally, the agency’s chief executive, said in the statement.
The hackers would have been able to access some things but not others, according to the commission:
- They could access reference copies of electoral registers, which the commission holds for research purposes and to check on political donations.
- Those registers contained the name and address of anyone in the United Kingdom registered between 2014 and 2022, as well as registered overseas voters.
- However, the registers did not contain details of those who registered anonymously.
- The commission’s email was accessible during the attack.
- The breach “has no impact” on “voters’ ability to take part in the democratic process” and won’t affect “current registration status or eligibility,” according to the commission.
That said, McNally acknowledged the commission couldn’t determine conclusively which files the attackers might have accessed.
The commission reported the incident within 72 hours to the Information Commissioner’s Office, which is investigating. The U.K.’s National Cyber Security Center said that names and addresses alone wouldn’t present a high risk to anyone.
“It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals,” according to the center.
Overarching voluntary cyber guidelines get long-awaited draft update
The National Institute of Standards and Technology (NIST) has released a draft of its revision of the widely used Cybersecurity Framework (CSF), its voluntary guide to helping critical infrastructure security sectors manage cyber risks.
The goal is to make CSF 2.0 apply to all sectors, not just those deemed critical, according to NIST.
The new draft is “a highly anticipated publication that reveals the full details of the agency’s plans to address governance with a new function and incorporate content on supply chain risk management,” as Sara Friedman writes for Inside Cybersecurity.
The first version of the framework, in 2014, sprang from a failed Obama administration bid to pass comprehensive cybersecurity legislation. Its main pillars emphasize identifying risks, detecting threats, protecting services, responding to incidents and recovering from them.
“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said NIST’s Cherilyn Pascoe, the framework’s lead developer.
- “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments,” Pascoe said. “We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”
Another major change is a sixth pillar, “govern,” with guidelines on how to implement cybersecurity strategies.
The agency is taking public comment through Nov. 4 and plans to release the final version of the revised framework early next year.
Intel chips subject to ‘Downfall’ vulnerability
A vulnerability in models of Intel chips that in some cases stretch back at least eight years has rendered them subject to data leaks that would allow hackers to access data that shouldn’t be accessible to them, a researcher revealed Tuesday.
Generations of Intel CPUs are affected by the vulnerability, “exposing billions of chips to an attack that can easily be used to steal sensitive data, including encryption keys,” Elias Groll writes for CyberScoop.
Intel released a fix Tuesday in advance of a presentation today at the Black Hat conference in Las Vegas. The Google researcher who discovered the vulnerability, Daniel Moghimi, dubbed it “Downfall.”
Intel downplayed some of the impact in statements to news outlets.
- “For most workloads, Intel has not observed reduced performance due to this mitigation. However, certain vectorization-heavy workloads may see some impact,” Intel said in a statement, per Lily Hay Newman of Wired.
- An Intel spokesperson told CyberScoop that recent Intel processor generations aren’t affected.
- Vivek Tiwari, Intel’s vice president of remediation and response engineering, said in a story by Ionut Ilascu of Bleeping Computer that “trying to exploit this outside of a controlled lab environment would be a complex undertaking.”
GAO flags IRS cybersecurity improvement for fifth straight year (MeriTalk)
How a ProtonMail FBI search led to a suspect threatening a 2020 election official (Forbes)
Threat actors abuse valid accounts using manual tactics, CrowdStrike says (Cybersecurity Dive)
Meet the brains behind the malware-friendly AI chat service ‘WormGPT’ (Krebs on Security)
98 arrested in child sex abuse probe launched after FBI agents’ killing (Victoria Bisset)
Northern Ireland police officers’ details exposed in ‘monumental’ breach (The Guardian)
MOVEit hack spawned over 600 breaches but is not done yet -cyber analysts (Reuters)
After feeding explosion of facial recognition, China moves to rein it in (Wall Street Journal)
Chinese hackers targeted at least 17 countries across Asia, Europe and North America (The Record)
Radiation spikes at Chernobyl: A mystery few seem interested in solving (Zero Day)
Interpol takes down 16shop phishing-as-a-service platform (Bleeping Computer)
Are you smarter than a scammer? Play this game. (Heather Kelly)
Custom Yashma ransomware crashes into the scene (Dark Reading)
- The Black Hat USA conference continues throughout this week in Las Vegas.
- The Institute of World Politics convenes a seminar on international cybersecurity law at 6 p.m.
- NSA Director Paul Nakasone speaks at the Center for Strategic and International Studies tomorrow at 10 a.m.
Thanks for reading. See you tomorrow.