If cybersecurity seems like a never-ending, continuous process improvement effort, it is. There are many ways to reduce risk and improve your school system’s cybersecurity posture. Want to make significant improvements in a short period of time? You can take three steps to reduce your risk of being subject to the kind of ransomware attacks perpetrated against K-12 organizations.

1. Emphasize Backups: Make sure you have multiple, secured backups that are validated (regularly tested), and at least one is stored offline, off your school system network (not connected to anything, even the cloud). Can’t afford an expensive air-gapped cloud-hosted backup solution? No problem, you can back up to encrypted hard drives and store them in a safe.

2. Eliminate the Use of Print Spoolers: It is time to rethink printing in light of the PrintNightmare vulnerability identified by Microsoft in print spoolers.

a. Reduce the amount of printing. In a heavily digital environment, do you need that many printers?

b. Restrict printers’ access to other systems by removing access to the internet and placing printers on an isolated VLAN just for print services.

c. Turn logging on for print spoolers and set up a flag and alert to notify you of any efforts to initiate printing outside the school system network.

3. Update Firewall Rules: Review your firewall rules and make sure you take the following actions:

a. Block Cobalt Strike beacons to block Cobalt Strike attacks. Remove the green listing of Cobalt Strike beacons on your firewalls. While Cobalt Strike can legitimately be used for penetration testing, it does not need to be enabled on your network.

b. Deny all access to print spoolers from any external devices. The Windows Print Spooler service uses a high-numbered TCP port range, including ports 49152 through 65535.

c. Block international communications at the firewall level. Implement a deny-all, and then add exceptions for approved devices on an as-needed basis.

d. Monitor outgoing traffic for suspicious patterns, as well as incoming traffic.
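The print isolation rules in steps 2b, 2c and 3b can be checked against firewall flow logs. The script below is an added example, not part of the original advisory; the addressing plan, the CSV log layout and the sample records are constructed assumptions to replace with your own.

```python
import csv
import io
import ipaddress

# Assumed addressing plan (hypothetical); replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRINT_VLAN = ipaddress.ip_network("10.20.30.0/24")
SPOOLER_PORTS = range(49152, 65536)  # high TCP range named in step 3b

# Constructed sample flow records (assumed CSV layout): src,dst,proto,dst_port,action
SAMPLE_FLOWS = """\
10.1.4.17,10.20.30.5,tcp,49667,allow
203.0.113.50,10.20.30.5,tcp,49667,allow
203.0.113.50,10.20.30.5,tcp,50012,deny
10.20.30.9,198.51.100.7,tcp,443,allow
10.1.4.18,10.20.30.9,tcp,9100,allow
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_flows(text):
    """Return (reason, row) pairs for flows that break the print isolation rules."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        try:
            src, dst = ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])
            proto, port, action = row[2].lower(), int(row[3]), row[4].lower()
        except (ValueError, IndexError):
            continue  # skip malformed records
        if dst in PRINT_VLAN and not in_any(src, INTERNAL_NETS):
            if action != "allow":
                findings.append(("external attempt on print VLAN blocked (alert)", row))
            elif proto == "tcp" and port in SPOOLER_PORTS:
                findings.append(("external access to print VLAN allowed (spooler port range)", row))
            else:
                findings.append(("external access to print VLAN allowed (other port)", row))
        elif src in PRINT_VLAN and not in_any(dst, INTERNAL_NETS) and action == "allow":
            findings.append(("print VLAN device reached the internet", row))
    return findings

if __name__ == "__main__":
    for reason, row in audit_flows(SAMPLE_FLOWS):
        print(f"{reason}: {','.join(row)}")
```

An "allowed" finding points at a firewall rule to tighten, while a "blocked" finding is the kind of event step 2c asks you to be alerted on.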

There is no set of tools or security solutions that replace the hard work of doing the security basics, and tools alone will not reduce your risk. However, these basic steps can add layers of protection and reduce your risk with a relatively short time commitment.


For more information and additional resources, check out these links:
- Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis: https://www.mandiant.com/resources/blog/defining-cobalt-strike-components
- Removal Process for Vice Society Ransomware: https://www.pcrisk.com/removal-guides/21962-vice-society-ransomware
- CISA Alert: Alert (AA22-249A) #StopRansomware: Vice Society: https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
- Look for indicators of compromise: https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf

Authors: Amy McLaughlin, Rod Russeau, Tony Harvey, and Ryan Cloutier.
CoSN Cybersecurity Advisory Committee Members

Published on: Sept. 27, 2022

CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.