Maryland's Office of the Inspector General for Education released its investigative report for the "catastrophic" Baltimore County Public Schools cyberattack revealing how it happened and areas where the school system is to blame.
The report reveals that the ransomware attack that crippled the school system was unleashed by a security contractor who "mistakenly" opened a suspicious email on the school's unsecured email system.
According to the report, an "education professional" received an email that appeared to be an invoice from a college official. It was actually a phishing attack, according to the report.
Phishing attacks target people by sending them emails from what appear to be well-known sources, according to the Federal Trade Commission.
The staff member was unable to open the attachment and asked for help from a Baltimore County Schools tech liaison, according to the report. The school system's tech liaison thought the email was suspicious, according to the report, and sent the email to the school system's security contractor.
According to the report, the security contractor opened the email attachment on their unsecured county school system email account instead of their secure email system. That act delivered the malware into the school system's computer network, according to the report.
The report also reveals that the anti-virus software in use at the time of the attack was unable to detect the malware. The malware was also configured to delay its execution, which gave it time to disable the systems that would otherwise have blocked it.
According to Inspector General for Education Richard Henry, the school system's anti-virus software is updated constantly, but at the time it did not yet recognize the malware used in the Baltimore County attack.
Nearly two years ago, Project Baltimore spoke with Brian Dykstra, the CEO of Atlantic Data Forensics in Elkridge, which specializes in defending against ransomware attacks.
He said ransomware attacks were on the rise during the COVID pandemic as students were learning virtually. He told FOX45 News it’s a criminal business that was thriving.
Days after the attack, FOX45 News reported that a State of Maryland audit revealed Baltimore County Public Schools was aware of computer network vulnerabilities before the cyberattack brought school operations to a standstill, a detail reflected in the report by the IG for Education.
In its findings, the IG for Education addressed four allegations against Baltimore County Public Schools.
The investigation found that the county school system disregarded some of the Maryland Office of Legislative Audits' recommendations from its 2008, 2015, and 2020 audit reports.
It also determined that the recommendations from those audit reports had been partially resolved with each successive audit or implemented through network or system upgrades.
The OIGE did find that at the time of the cyberattack, the school system had not relocated its publicly accessible database servers as recommended by the OLA. Following the cyberattack, BCPS migrated its database servers into an encrypted cloud-based computing environment.
The second allegation was that as a result of OLA’s published Audit Report dated November 19, 2020, the BCPS information technology system became the target of the cyberattack.
The OIGE did not find any evidence to substantiate this allegation. Based on the information reviewed and interviews conducted, the report concluded that the malware had been delivered before the release of the OLA report.
The third allegation claimed that repeated OLA findings indicated that the school system's Information Technology division was unprepared for the cyberattack and failed to protect the personally identifiable information of students, staff, and BCPS retirees due to this cyberattack.
The investigative report says the IG's office could substantiate this allegation in part and could not confirm it in others.
The OIGE’s review of the OLA’s 2020 Audit Report found that BCPS had similar repeat findings in 2015. Both audits found that the school continued to maintain internal network servers. However, the OLA analysis found that this configuration did not provide adequate network security.
The OIGE did find that since the cyberattack, BCPS has implemented an array of new security measures to ensure network integrity. Baltimore County Public Schools has also implemented Multifactor Authentication (MFA) standards for all staff, improved firewall technology, and enhanced device protections to detect and prevent malware. Additionally, the BCPS has migrated all essential network functions to a cloud-based environment and implemented security updates to ensure devices receive real-time security patches.
The final allegation claimed the school system failed to disclose the costs associated with ransomware demands, information recovery, and IT network improvements following the cyberattack.
Based on the information-sharing restrictions put in place by federal law enforcement at the time of the cyberattack, the OIGE could not substantiate the allegation regarding ransomware demands.
The IG for Education found that school system IT staff were requested by federal law enforcement not to discuss the cyberattack with anyone, including local officials. The OIGE further determined that BCPS staff were advised that the FBI would coordinate with local law enforcement due to the seriousness of the cyberattack.
The report notes that the malware had not corrupted the county school's backup files. Unfortunately, when BCPS attempted to use the latest backup version to recover affected network information, they found that specific sectors contained within the backup file were unreadable or damaged, according to the report.
The OIGE determined that the cost to recover from this cyberattack, implement system upgrades, and migrate to the new platform has exceeded $9,682,437 million so far. This cost includes initial emergency recovery, transition and tape recovery, and other system upgrades. The OIGE also determined that BCPS has reduced prior IT operating expenses by approximately $1 million because of system upgrades.
In its final analysis, the report listed several recommendations:
- Follow the 3-2-1 backup rule. This industry-standard rule directs organizations to keep three copies of their data on two different storage media, with one copy stored off-site.
- Use cloud backup with intelligence. The cloud could enable the school system to meet rapid recovery requirements and lower on-premises infrastructure costs.
- Perform periodic recovery tests. The mere existence of a backup does not mean it can be restored. Storage media can become corrupted without most IT users being aware of it. The backup system should include an automated process that validates each new backup and warns of any problems.
- Plan for recovery times. Having multiple backup strategies in place avoids unnecessary delays.
- Staff training. Training cannot be an annual event but must be an ongoing process. The best way to protect against ransomware is to prevent it with a comprehensive security awareness training program. Since phishing is the most common and effective method to spread ransomware, an effective ransomware training program should include ways to mitigate phishing attacks and how phishing can specifically lead to ransomware attacks.
- Develop procedures to report and respond to threats. It is critical to develop a robust training program for staff to avoid opening phishing threats and alert their IT department to take appropriate action before any damage occurs.
- BCPS Executive Leadership should develop and implement a process to immediately resolve the benefits and payroll irregularities resulting from using outdated backups to restore its human resources data affecting staff and retirees.
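The recommendations on periodic recovery tests and automated validation of each new backup address the failure mode the report describes: backup files that were not corrupted by the malware but turned out to have unreadable or damaged sectors only when recovery was attempted. The script below is an added example of such an automated check, not code from the OIGE report or from BCPS. It writes a SHA-256 manifest when a backup is taken and re-verifies the copy afterwards, so that missing, unreadable or silently altered files are flagged before anyone depends on the backup. The directory layout, file contents and the "damaged sector" it simulates are constructed for the demonstration.

```python
"""Automated backup validation (added example, not from the OIGE report).

A SHA-256 manifest is recorded when a backup is created; re-running the
verification later detects files that have gone missing, become unreadable
(I/O errors from damaged media) or changed content (bit rot, partial writes).
All paths, files and the simulated damage below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large backup files stream


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path) -> dict:
    """Record hash and size of every file in the backup at creation time."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file() and p.name != "MANIFEST.json":
            rel = p.relative_to(backup_root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    (backup_root / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_root: Path) -> dict:
    """Re-hash the backup against its manifest and classify every entry."""
    manifest = json.loads((backup_root / "MANIFEST.json").read_text())
    result = {"ok": [], "corrupted": [], "missing": [], "unreadable": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.exists():
            result["missing"].append(rel)
            continue
        try:
            actual = sha256_file(p)
        except OSError:  # damaged media typically surfaces as an I/O error
            result["unreadable"].append(rel)
            continue
        if actual != expected["sha256"]:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: a clean backup whose copy is later damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "hr").mkdir(parents=True)
        # Hypothetical HR data standing in for the payroll/benefits records
        (root / "hr" / "payroll.csv").write_bytes(b"id,name,salary\n1,A,100\n" * 1000)
        (root / "hr" / "benefits.csv").write_bytes(b"id,plan\n1,gold\n" * 1000)
        (root / "notes.txt").write_bytes(b"restore procedure v1\n")
        write_manifest(root)
        before = verify_backup(root)  # freshly written backup verifies clean

        # Simulate a damaged sector: overwrite 512 bytes in the middle of a file
        with (root / "hr" / "payroll.csv").open("r+b") as f:
            f.seek(4096)
            f.write(b"\x00" * 512)
        (root / "notes.txt").unlink()  # and a file lost from the copy
        after = verify_backup(root)
        return {"before": before, "after": after}


if __name__ == "__main__":
    out = demo()
    print("fresh backup:", out["before"])
    print("after damage:", out["after"])
```

Run on a schedule against each new backup (and against the off-site copy from the 3-2-1 rule), a non-empty `corrupted`, `missing` or `unreadable` list is the warning the report asks for; a full restore drill into a scratch environment still needs to be performed periodically, because a matching hash shows the bytes are intact, not that the application can load them.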