San Diego USD
By Charles Parker, II; Cybersecurity Lab Engineer
High schools are much like universities and colleges in that they hold a mass amount of data which may easily be sold. This makes them more of a target. Coupled with their budgetary constraints, this makes InfoSec difficult at times, as it recently was for the San Diego USD.
Attack
This compromise is a bit different from most of the others. Reports state the school district is not sure of the attack vector; however, they believe this was the result of a relatively simple, yet effective, phishing attack. The attackers gained access by securing an authorized user’s credentials. In this case, the attackers gained and maintained their access for 11 months (January through November). This is odd. Seemingly, the school district’s SIEM would have noted the access at odd hours, the unusual number of accesses, the IP being distinct from the other general logins, and the amount of data being exfiltrated. This would be the case unless the school district did not have one in place during the attack. The school district finally became aware of this in October 2018.
Data
Generally, data is the end goal for the attacker. With it, they are able to generate revenue through sales of the data, use it as leverage against the target, etc. Through the compromise, the attackers were able to exfiltrate a significant amount of data. This encompassed 10 years of data, from the 2008-2009 school year to 2019, when the attack was detected. Approximately 500k students and staff were affected. In addition to the length of time the breach was open and the number of years of data exfiltrated, there is also the depth of data per affected person. This includes the first name, last name, date of birth, mailing address, home address, telephone number, student enrollment information (schedule, discipline incident information, health information, schools of attendance, transfer information, legal notices on file, attendance dates), social security number or state student number, emergency contact information, staff benefit information, and staff payroll and compensation data.
Notification
The notice to the affected parties was filed the Friday before Christmas in 2018. The breach would probably be one of the last things they would want to hear about just before the holiday. The post stated the school district had reason to believe its system had been breached and the attackers may have accessed the data. This could not have been what the students and staff were hoping for as a Christmas gift!
Detection
With a phishing attack, the timing of the attack may be delayed, depending on the attacker’s code. Staff began to notice emails that appeared odd. They naturally, and appropriately, reported these to their IT Department. As the next step should go, the IT Department addressed this, as they recognized this really should not be happening. They ended up discovering the breach in October 2018.
Once the school district knew of the breach, it did not immediately shut down the attack. This does seem counter-intuitive. Once you know the attacker is in and exfiltrating a mass amount of data, prudence would seemingly dictate shutting down the attack vector. There was a rational reason for this. The school district wanted not only to clear the access but also to identify the attacker and allow law enforcement to do their job. They did later reset the compromised accounts. From this point forward, they have been working to prevent unauthorized access.
Thoughts
The attacker had access for approximately 10 months. The SOC, or at the least any SIEM they had in place, should have noted some abnormal activity as the mass amount of data was being removed from their servers. Since the SIEM is automated, possibly the search parameters had not been put in place. This compromise emphasizes the need for phishing training for the staff. This should not be the once-a-year training where staff nod off while the canned presentation is playing. These need to be periodic (e.g. quarterly) and with current information. Without some form of connection, the staff will probably view this as yet another mandatory training session and start working on other things instead of listening.
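The Attack and Thoughts sections both argue that a SIEM with the right search parameters should have flagged this access: logins at odd hours, a source IP unlike the account's usual ones, and an abnormal volume of data leaving the servers. The following is an added example (not code from the article or the school district) showing what those three correlation rules look like when run over constructed authentication and transfer log lines. The log format, the 07:00-18:59 business-hours window, the "20x the user's median transfer" threshold, the user name and the IP addresses are all assumptions made for the illustration.

```python
"""Added example: three SIEM-style detection rules over constructed log lines.
Not from the original article; log format, thresholds and hours are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "<ISO timestamp> <event> user=<u> ip=<ip> [bytes=<n>]"
# Three normal working days, then one off-hours login from an unseen IP followed
# by a transfer far larger than the account's baseline.
SAMPLE_LOG = """\
2018-03-05T09:12:00 login user=jdoe ip=10.20.1.15
2018-03-05T09:40:00 transfer user=jdoe ip=10.20.1.15 bytes=1200000
2018-03-06T08:55:00 login user=jdoe ip=10.20.1.15
2018-03-06T10:05:00 transfer user=jdoe ip=10.20.1.15 bytes=900000
2018-03-07T09:02:00 login user=jdoe ip=10.20.1.15
2018-03-07T14:30:00 transfer user=jdoe ip=10.20.1.15 bytes=1500000
2018-03-08T02:47:00 login user=jdoe ip=203.0.113.44
2018-03-08T03:10:00 transfer user=jdoe ip=203.0.113.44 bytes=48000000000
"""

BUSINESS_HOURS = range(7, 19)   # assumed: 07:00-18:59 is the normal window
VOLUME_FACTOR = 20              # assumed: flag transfers > 20x the user's median


def parse_line(line):
    """Turn one log line into a dict; 'bytes' becomes an int, the rest stay strings."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key == "bytes" else value
    return rec


def detect(log_text):
    """Return (rule, user, timestamp) alerts in log order.

    Rules, evaluated per user as the log is replayed:
      off_hours_login  - login whose hour falls outside BUSINESS_HOURS
      new_source_ip    - login from an IP never seen before for that user
                         (the user's first IP is taken as the baseline)
      volume_anomaly   - transfer larger than VOLUME_FACTOR x the user's
                         median of previous transfers
    """
    alerts = []
    seen_ips = defaultdict(set)
    volumes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        if rec["event"] == "login":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", user, ts.isoformat()))
            if seen_ips[user] and ip not in seen_ips[user]:
                alerts.append(("new_source_ip", user, ts.isoformat()))
            seen_ips[user].add(ip)
        elif rec["event"] == "transfer":
            history = volumes[user]
            if history and rec["bytes"] > VOLUME_FACTOR * median(history):
                alerts.append(("volume_anomaly", user, ts.isoformat()))
            history.append(rec["bytes"])
    return alerts


if __name__ == "__main__":
    for rule, user, when in detect(SAMPLE_LOG):
        print(f"{when} {rule} user={user}")
```

Run against the sample, the first three days produce no alerts; the fourth day fires all three rules on the same account within half an hour, which is exactly the kind of correlated signal the author expects a SIEM to surface long before eleven months have passed. The per-user baselines are learned from the log itself, so the rules need no hard-coded list of "good" IPs or volumes.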
About The Author
Charles Parker, II has been in the computer science/InfoSec industry for over a decade, working with medical, sales, labor, OEM and Tier 1 manufacturers, and other industries. Presently, he is a Cybersecurity Lab Engineer at a Tier 1 manufacturer and a professor. To further the knowledge base for others in various roles in other industries, he has published in blogs and peer-reviewed journals. He has completed several graduate degrees (MBA, MSA, JD, LLM, and PhD), completed certificate programs in AI from MIT and other institutions, and researches AI’s application to InfoSec, FinTech, and other areas.