Cyberattacks on school districts are not only a growing problem for school operations, they also pose a serious threat to the security of sensitive student and teacher data. Combatting cyberattacks is challenging and costly for school districts, potentially harmful to students and teachers in cases of data losses and can cause a serious breach of trust between schools and families. FCPS continues to strive towards a comprehensive cybersecurity plan.
As reported by K12 Cybersecurity, there were 408 publicly disclosed K-12 cyber incidents in 2020, an increase of 18 percent over 2019. Compare that to 122 publicized cybersecurity incidents of 2018, and you start to see how these attacks have dramatically increased over the last couple of years. This increase is partially attributed to the pandemic and the switch to remote learning, as incidents almost tripled in the latter half of 2020.
Cyberattacks on school districts are not only a growing problem for school operations, they also pose a serious threat to the security of sensitive student and teacher data. Combatting cyberattacks is challenging and costly for school districts, potentially harmful to students and teachers in cases of data losses and can cause a serious breach of trust between schools and families.
Taking Some Simple Steps
Cybersecurity is everyone’s responsibility. There are steps that everyone can take to reduce the risk of threats. As Doug Levin, National Director of K12 SIX put it: “Cybersecurity risk management can be described as a ‘wicked’ problem. It’s one that defies easy solutions and quick fixes, in part because cybersecurity risks are constantly evolving. For K-12 organizations, the cybersecurity challenge is compounded by limited resources and staffing, a lack of compliance mandates, and loosely coordinated, complex IT operations.” He shared that malicious actors often exploit common weaknesses in security controls, misconfigurations, and poor practices to gain initial access to schools’ systems. In many cases, the damage could be avoided, or at least mitigated, with relatively simple and low-cost (or free) steps that districts can take to better protect their data. These are:
- Control access
- Limit the ability of a local administrator account
- Harden credentials
- Implement multi/two factor authentication
- Establish centralized log management
- Use antivirus solutions
- Employ detection tools
- Operate services exposed on internet-accessible hosts with secure configurations
- Keep software updated
FCPS has implemented mutli/two-factor authentication (MFA or 2FA) for Microsoft and Google Workspace accounts used by division staff. This acts as a deterrent and obstacle if a bad actor has gained access to staff login credentials. Multi-factor authentication is extraordinarily effective. In fact, Microsoft famously reported, “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”
Even though the division does have cyber insurance due to the increasing prevalence of cyberattacks, cyber insurers are now requiring applicants to demonstrate that they have taken steps to prevent cyber attacks. For example, most cyber insurance carriers are now making two-factor authentication or Multi-Factor Authentication a condition for purchasing and renewing cyber insurance.
Microsoft Multi-Factor Authentication (MFA)
Microsoft believes that enabling MFA will eliminate 99.9% of the security issues that can occur against Microsoft accounts.
What Happens Once MFA is Turned On:
- Once MFA is activated, personally owned devices that attempt to connect to Microsoft hosted fcps1.org services (such as online email) will be prompted to have an additional security check.
- FCPS owned Windows computers are trusted by Microsoft and count as an MFA device, which means using a school issued Windows laptop and signing in through a compatible browser such as Chrome or Edge, will not have an additional prompt for MFA.
- Accessing Microsoft fcps1.org accounts using a personal computer will prompt for security steps to be followed and will be required to go through those steps once every 90 days (four times a year). Situations that would require this to happen more frequently would be actions such as clearing out browser cookies, using a different browser on the same device, or using private incognito mode in a browser.
MFA Authentication Methods (only one is required):
- Call to Phone – When signing into your fcps1.org account, an automated phone call from Microsoft will be sent to whichever phone number you have provided the system at setup. The call will provide you with a code to use for authentication.
- Text to Phone – When signing in, your phone will receive a code to type in with your login. This requires Wi-Fi or cell service to be available.
- Notification through Mobile App (Microsoft Authenticator app – available for iPhones and Android) – The Microsoft Authenticator app can be downloaded to your phone and configured to just ask, on your phone, if you are attempting to sign into your fcps1.org account, and if so, you answer yes. This method requires your phone to have internet connectivity via Wi-Fi or cell service.
Google 2-Step Verification
- After logging into your Google Workspace account (fcps1schools.net), click on the application icon () in the top right-hand corner of your browser. Click on the Account icon.
- In the navigation panel on the left, select Security.
- Under “Signing in to Google“, select 2-Step Verification, then Get Started
- You will likely be asked to re-enter your Google Workspace password.
- Follow the on-screen prompts to complete the process. You have the options to
More information can be provided from the Google Support page about 2-Step Verification.
Once you have set up your first 2FA authentication method, you will be able to set up additional authentication options on your account. These include:
- The three initial methods (text message/phone call passcodes, Google Prompts, security key)
- Backup codes
- Authenticator app
Google recommends setting up at least one additional authentication method if you can, in case your primary method is unavailable.
Additional information related to the Google Authenticator app and backup codes can be found at the University of York’s support page. These options can be used as alternative methods over texting.
What if I don't want to use my personal phone number?
When first setting up 2FA, you usually have to provide a phone number to receive a call or SMS message. Some staff may prefer to not use their personal cell phone. Options can include the use of a hardware security key (e.g. Yubikey). Another option can be to use a website that can receive SMS text messages. There are many such websites, and many of them may not work with Google or Microsoft. They provide a pool of phone numbers from the US and other countries. It can be hit and miss if a number will work. When it does work, the user should set up a secondary option for 2FA (e.g., printing out codes or setting up an authenticator app on their phone).
The following sites have been tested, and at the time worked. The sites are not endorsed and advisement to use at your own risk. You may need to refresh the screen periodically to see if the SMS text has been received. Sometimes it appears quickly, and other times it can take longer, or not appear.
- FreePhoneNum.com (http://www.freephonenum.com) – Our website allows developers to receive SMS online for testing. We provide disposable/temporary phone numbers so you can test 2FA using SMS. Select the country, then select the number that has had active SMS texting today.
- SMSSellaite.com (https://sms.sellaite.com/) – Sellaite SMS RECEIVER has been around for several years and is different from most of the other services here because it uses three phone numbers from Estonia (country code +372). Click on the phone number you want to use. Copy all numbers after the 00372 (this is the Estonia country code). Be sure to select Estonia as the country when using the copied numbers.
- Receive-SMS.com (http://receive-sms.com) – provides three US demo numbers.
- MyTrashMobile.com (https://www.mytrashmobile.com) – select one of the free numbers, use the number shown to receive an SMS message, click RECEIVE to view the message sent.