
Infiltration Of Malware Can Occur Even When Phishing Is Flagged

According to the Maryland Office of the Inspector General, Baltimore County Public Schools (BCPS) failed to act on several state recommendations to help mitigate cyber-attacks before a breach disrupted school operations and cost the school system millions of dollars in damages and repairs.

After a November 2020 cyberattack caused by a phishing email, operations at BCPS were impaired for several days, affecting the school system's website and remote learning programs.

The IG's report found that the initial network compromise occurred 15 days before the network disruption and came in as an e-mail. A teacher flagged the e-mail as suspicious, sending it to in-house tech support, who then forwarded the e-mail to a contracted tech support supervisor, according to the report. Unfortunately, the contractor mistakenly opened the suspicious email with the attachment using their unsecured BCPS email domain account rather than in a secured email domain. Consequently, opening the attachment in the unsecured environment delivered the undetected malware into the BCPS IT network.

Moreover, the OIGE report says BCPS did not fully implement several network recommendations from the Maryland Office of Legislative Audits in recent audit reports, including the relocation of publicly accessible database servers and the adequate maintenance of internal network servers. BCPS has implemented an array of new network security measures since the cyber-attack, the report says.

The report says the network upgrades and damages from the cyber-attack cost BCPS nearly $10 million. An investigation by the FBI and Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is ongoing, the report says.

Luke Barr "Baltimore schools cyber attack cost nearly $10M: State IG" abcnews.go.com (Jan. 25, 2023)

Commentary

Two lessons to take away from this incident merit examination.

First, a malicious payload attached to an email remains the single most common way malware is introduced into a network system. Not selecting links, opening attachments, or downloading files from unknown or unexpected sources is one of the easiest ways of preventing a system infection.

In this matter, the employee who received the email did the right thing. Ironically, it was a contractor, an expert on the matter, who committed the error.

The second lesson is that recommendations to relocate publicly accessible database servers to a more protected network segment and to better maintain internal network servers, presumably to keep them updated and patched, were ignored. These oversights created risk.

When budgeting for educational institutions, monies spent on prevention, training, and upgrading equipment, software, and defenses will be far less of an expense than remediating, repairing, and replacing a compromised network or servers.
