Moreno Valley school system shores up ransomware defenses
Moreno Valley Unified School District officials discuss the steps they've taken to better protect sensitive data and critical applications against the growing threat of ransomware.
As the education sector faces mounting pressure from a surge in ransomware attacks, data isolation and advanced backup and recovery tools are becoming more integral than ever.
Those two main areas of focus make up the on-premises cybersecurity posture for California-based Moreno Valley Unified School District. MVUSD serves more than 30,000 students across 40 schools with an annual cybersecurity budget of just under $1 million.
Aside from DDoS attacks that caused minimal disruptions and a rise in phishing emails over the last year, Moreno Valley has not experienced a significant attack. However, due to the rise in ransomware attacks against the education sector over the last few years, MVUSD has taken precautions to minimize the consequences of stolen personally identifiable information and extended downtime that ransomware commonly creates.
TechTarget Editorial's ransomware database, which has tracked public disclosures and confirmed reports of ransomware attacks each month this year, showed the threat continues as attacks slightly increased in October, with education remaining a popular target for cybercriminals.
While MVUSD employs additional partners and technologies such as Chromebooks, all its data center systems are from Dell Technologies. TechTarget Security spoke with MVUSD officials and representatives from Dell and ConvergeOne, an IT services provider and Dell partner, about how the school system bolstered its cyber defenses. MVUSD superintendent Martinrex Kedziora and Glenn Alegre, executive director of technology, innovation, and assessment at MVUSD, discussed which tools and services from the two companies have been the most useful, particularly related to ransomware threats.
Even prior to the COVID-19 pandemic -- which caused an uptick in ransomware attacks against the education sector and created new remote security needs -- the threat was a priority for MVUSD.
"When I first moved into my role [in 2019], one of the neighboring districts was hit with a ransomware attack that knocked it offline for two weeks," Alegre said.
Even more alarming to Alegre was how the district didn't fully recover for months, which can be common. For example, an October ransomware attack against Kenosha Unified School District resulted in prolonged downtime. In September, Los Angeles Unified School District -- the second-largest public school system in the U.S. -- suffered an attack that forced its email, computer systems and applications offline.
Eric Jansta, senior solutions architect of the data center practice at ConvergeOne, said that in Southern California -- where MVUSD is located -- several school districts have been hit by ransomware. Many of them were ConvergeOne customers that had deployed Dell PowerProtect Cyber Recovery suite, which includes the Cyber Recovery vault, CyberSense and PowerProtect Data Manager.
"For one of them, we did a deployment of the Cyber Vault solution, and they were able to fully recover after they were hit," Jansta said. "Education is a primary target, so everyone is more concerned about this."
Jansta also said MVUSD implemented the suite ahead of other districts in the area.
Strengthening cybersecurity defenses
Two and a half years ago, MVUSD implemented PowerProtect appliances to protect its data and ability to restore from clean backups. One massive problem that can occur from a ransomware attack is the corruption of backups, which contributes to extended downtime.
PowerProtect Cyber Recovery includes a logical air gap to isolate data in the Cyber Recovery Vault from the network. The product suite also includes CyberSense, which is the analytics and AI component that helps search for anomalies. Jansta said the analytics help identify each of the systems to verify which one is a valid backup so companies can recover immediately.
Rob Emsley, director of data protection solutions at Dell Technologies, said investing in isolated copies of its critical applications -- which is paramount for successful ransomware recovery -- is a primary reason MVUSD's cybersecurity posture is successful.
"[PowerProtect] changed the game for backups in that backup security was a consideration. But the protection and isolation of the backup data was what Dell brought to the party. And the analytics involved were important to increase recovery time," Jansta said. "Every time in the last two and a half years that we are talking about backups, we're not just talking about backing up data. We're talking security of their data."
While the pricing for Dell's offering varies, Jansta said the suite is cheaper than having to pay a ransom.
Additional partnerships
Alegre said PowerProtect is just one layer of security. The district has other defenses and partnerships in place to ensure it is not the low-hanging fruit.
"In order to really monitor what's going on with the cyber world, you really need to have a security operations center. Like a lot of districts, we aren't big enough or don't have the resources to have our own center. So we have different partners from different partnerships that help monitor our logs and help us know whether attacks are happening," Alegre said.
That includes weekly or monthly vulnerability scans with Tenable's Nessus scanner, which provides email alerts to the district. Additionally, MVUSD works with the Multi-State Information Sharing and Analysis Center (MS-ISAC), which is run by the nonprofit organization Center for Internet Security. The MS-ISAC searches for suspicious activity in the district's logs. Still, MVUSD is currently looking to fully outsource all SOC services but has yet to secure a contract.
If an issue arises, Alegre said he has a team that remediates it as much as possible. Alegre's team has other responsibilities as well. One aspect Kedziora highlighted was Alegre's cybersecurity education initiatives that include weekly communication on topics such as phishing to help employees avoid falling victim.
"I think what he's done is prevented it from happening, so we don't have serious breaches," Kedziora said.
Another critical factor in the works is developing an incident response (IR) plan in the case of a ransomware attack. For now, the district uses runbooks, which are customized to MVUSD and provide steps to take following an attack. Jansta said ConvergeOne has a maintenance contract and provides day two support in IR cases.
However, Alegre said the district is in the process of building out a full IR plan. The school system has other pending security improvements. These include implementation of multifactor authentication, which vendors urgently advise, and increased cybersecurity awareness training, particularly to educate teachers on phishing campaigns.