Harris Federation Report card
F. Could do much better.
The Harris Federation, a not-for-profit charity responsible for running 50 primary and secondary academies in London and Essex, has become the latest UK education body to fall victim to ransomware. The institution itself claimed it was "at least" the fourth multi-academy trust targeted just this month alone. In a message to …
they discovered it late-ish on Friday, were 'restoring' (whatever that really means) over the weekend - or so they were declaring, and all the systems were 'taken down as a precaution' from Monday morning. It's not hard to see the usual pattern though.
p.s. it appears the latest 'wave' of attacks targets poorly (?) secured systems and institutions that hoard, due to their nature of business, large amounts of (time-)critical data.
As to the advice: patch, secure, educate, make sure those offline backups are both taken and actually work - how can you verify backups are not infected? In the chaotic rush and pressure from all sides (none lesser than the management, desperate to show they're in control) in order to solve the original infection they initiate their well-practised backup procedures, thank God we thought of that! And once completed, the 2nd 'bomb' goes off.
p.s. some academies had to resort to REAL books for teaching. Oh, the abomination! ;)
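The commenter's question ("how can you verify backups are not infected?") is the practical one. Below is an added example, not from the thread or from any of the institutions mentioned, of one defensive answer: record a keyed hash manifest when the backup is taken, then, before trusting a restore, check the manifest's signature, diff the backup tree against it, and flag any changed file whose content looks like random bytes (the signature of bulk encryption). The directory layout, manifest format, `build_manifest`/`verify_backup` names and the sample files are all this example's own assumptions.

```python
"""Verify a backup tree against a signed hash manifest (added example).

Assumptions (not from the forum thread): backups are plain directory
trees, the manifest is a JSON dict of relative path -> SHA-256, and it
is signed with an HMAC key that lives with the backup system, not on
the hosts being backed up.
"""
import hashlib
import hmac
import json
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; plain documents sit well below this


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, POSIX form) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON so a tampered manifest is detectable."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_backup(root: Path, manifest: dict, signature: str, key: bytes) -> dict:
    """Compare the backup tree on disk with the signed manifest.

    Returns a report; 'ok' is True only when the signature checks out and
    nothing is missing, added or modified. 'suspicious' lists modified
    files whose content now looks encrypted.
    """
    manifest_ok = hmac.compare_digest(sign_manifest(manifest, key), signature)
    if not manifest_ok:
        return {"ok": False, "manifest_ok": False, "missing": [], "extra": [],
                "changed": [], "suspicious": []}
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    suspicious = [k for k in changed
                  if shannon_entropy((root / k).read_bytes()) > ENTROPY_THRESHOLD]
    return {"ok": not (missing or extra or changed), "manifest_ok": True,
            "missing": missing, "extra": extra, "changed": changed,
            "suspicious": suspicious}


def run_demo() -> dict:
    """Build a constructed backup, sign it, then tamper with it and re-verify."""
    key = b"constructed-demo-key-keep-off-the-clients"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Year 9 assessment notes\n" * 200)
        (root / "sis.csv").write_text("pupil_id,form\n1001,9B\n1002,9C\n")
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, signature, key)
        # Simulate what a restore from a poisoned backup would look like:
        # one document bulk-encrypted (random bytes) and a stray new file.
        (root / "docs" / "report.txt").write_bytes(os.urandom(16384))
        (root / "extra.bin").write_bytes(b"\x00" * 64)
        tampered = verify_backup(root, manifest, signature, key)
        wrong_key = verify_backup(root, manifest, signature, b"not-the-key")
    return {"clean": clean, "tampered": tampered, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of keeping the HMAC key off the protected hosts is that a manifest stored next to the backup is worthless if the same intruder who encrypted the files can rewrite it; the entropy heuristic is only a tripwire for bulk encryption, so a report that says "changed but not suspicious" still needs a human to look at the file list before the restore is trusted.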
School networks do tend to be a bit more relaxed than a business or corporate network. This is usually because teachers refuse to have any security controls get in the way of teaching, however they are absolutely the first to scream whenever anything goes wrong. I can only describe this as an utter disconnect between cause and effect with teachers, i.e. if you have no security you will get hacked.
And computing teachers are the worst, I've had one demand that he was entitled to break the computer misuse act because, I quote, "I used to work for Microsoft so I know what I'm doing".
It would be good if NCSC could reinforce the idea that pupils losing all their data irrecoverably is also likely to "hinder teaching".
In terms of my IT Vs Teaching suffering I've spent 4yr as "the computer guy in one school" followed by 16yr dealing with them indirectly and 7yr married to a teacher.
My understanding is that at Universities academic staff are just as bad.
Non teaching research institutions also suffer from this, as seen by the recent SSH hacks that affected HMC sites.
Basically, people don't like security getting in the way, and the more "important" someone is, the less they like to be restricted by security measures.
SOME schools are more relaxed, some of us (that know what we're doing) keep it tightly locked down.
I work as a Network Manager for a set of Academies (Only started this year). I started off in one of our secondary schools long before Academies were a thing and worked my way up the ladder from there.
Our network settings make the security restrictions fairly tight - restrictions on what exes you can run, drives you can browse, very tight firewall rules, granular user share permissions, segmented permission based networking... You know, pretty much everything...
What I have seen however, is the abysmal state of the other schools. Most of them formerly had third party IT support (which I am spending the year transitioning away from) and most of the users have local admin rights and a wide open network. (There are a few schools that are somewhere between the two, but I would still class them as inadequate) - My "favourite" issue that I encountered is that one of the schools had a really obvious username with NO PASSWORD!
I think this may be a general problem with the way school IT is provided for - the usual "cost centre" mindset. For the large Secondary Schools, with their own /competent/ IT team, there shouldn't really be a problem, as long as managers/SLT/SMT are accepting of security risks and measures. (There are a LOT of incompetent IT Techs out there too!) For Primary Schools, and maybe the smaller Secondaries, it's a bit of a different story. Low budgets and high requirements tend to force them to outsource their IT requirements, quite often to a provider that will "maintain what you have" and everything else is an extra cost, that is basically unaffordable. Cheap switches with no network protection are added and very basic NAT firewalls with basic DNS filtering get used to "protect" the network.
The other problem, even for larger schools, is -as you say- "teachers refuse to have any security controls get in the way of teaching". Which is really a management issue. If you have a good set of Senior Leaders, they will listen to the security implications and usage restrictions of any security set-up and basically lay down the law. Where this goes wrong is when there's a particularly vocal teacher that needs things done his/her way and will get on everyone's case about it 24/7 until they get their own way. e.g. Particular software that wants to do something weird on the network (some remote computer control software with some unusual AD integration for example), adamant that they NEED a particular program to do their job, but it requires local admin rights to run. If the Senior Leaders back down to this kind of request, we require the request in writing and keep a log of our objections in case the worst happens.
Staff capability to spot any kind of scam, despite consistent reminders; guidance; and training, also seems to be a big issue. There was an incident not too long ago where someone managed to do it twice in the same week!
Well.... This was supposed to be a bit of an informative look into the massive differences in IT between schools, but turned into a bit of a rant as well - sorry about that!
TL;DR: Schools NEED at least 1 competent Network Manager, a leadership team that won't make "exceptions to the rules" if someone won't shut up, and if they're big enough - a few decent technicians.
Also: Outsourcing IT support when needing security expertise is a bad idea.
Great post, in particular the issues of balance between security, teaching and the understanding and willingness of parties to support this balance.
I work in a college, have done for many years and know the majority of the tech chaps well; front line and management. Now two examples spring to mind where we've hit a wall through that lack of willingness.
1. Software - It is a reasonable request, and often a requirement, to have specific software for teaching staff. Where the IT chaps are great at supporting systems used by back office or even examination software for online tests, anything more taxing is always met with a rebuff that it can't be done for security. A case in point being the engineering team needing some CAD stuff which caused all sorts of issues due to permissions and access. Ultimately they have to use it and as you mention above once the right management tiers get involved a solution was indeed found. Okay it's limited to a couple of classrooms, possibly for licensing too I don't know for sure, but it was sorted. At the end of the day it's deployed in real world organisations so it should be doable here, right? That's not to say that checks and measures aren't needed but it would be nice if on occasion the default response was 'Okay, let's have a chat and find out what you need and what we can do' other than just an outright no.
2. External access - This one I get, it's a right headache for our chap carrying the burden. However we deal with a lot of external agencies and organisations who on occasion need to access certain information which we are obliged to provide (think regulatory checks). I've tried for a couple of years now to have a system that would allow us (not me, but the greater 'Us') to grant access to a SharePoint or whatever where limited time, read only access could be granted. No dice. The work around solutions are clunky, time-consuming and full of risks of a different nature. I've all but given up now.
The point is that in most cases it is a support service and striking a balance is really important. Education and understanding, especially of the management, really is the key to helping everyone move forward but all parties need to take a more understanding approach to the other person's views and requirements, and end users need to wake up and start learning how it all works. It's become too easy to be lazy.
Agree with the above. I used to work as a network admin in a secondary school. First thing I did was run an antivirus program that would operate on a whitelist principle. This was hell the first few weeks whilst a whitelist "allow" was added, but essential in a school. I also made sure that there was something other than a basic firewall, as per most schools they were short on cash so it was a pfsense, snort and pfblocker - all free and totally useable once configured correctly. 2FA was added, again fuss and shouts were heard, the senior management wanted an exception for certain staff - guess what happened next. One staff member had their password guessed and the spam flowed. After appearing briefly on a blacklist I presented the senior team with my finding that I should not have been overruled on A) their bulk mail ability and B) their 2FA. Schools have kids in them and some kids will try anything to get out of lessons, bringing malware in is certainly one of them.
locking down admin rights completely is a given, teachers are to be trusted less than children for installing software.
Wow, surprised that your marriage lasted 7 years. As a VocEd and University IT and Security instructor I recall many arguments with arrogant IT sys people like you. They seem to think that an educational network exists solely to provide them with employment, not that they are there to support the delivery of effective and appropriate education and training. If there is something educational that the educators need to do on the network that could compromise security then it is the job of IT to make it secure. Being fully aware of the possible threats we would provide workable suggestions, but these were often not implemented because after all we were only educators (despite usually having more quals and industry experience than them), the suggestion didn't fit into their work flow processes, and because it was just easier to say no. They had no idea who their customers were.
More quals you say, more quals? Just this week I've refreshed some teachers' laptops, I was cringing as I watched them use the caps lock for capital letters, they had no idea what the shift key was, we are talking people with a degree here! This is the level of computer competence we are dealing with!
These are the same Teachers who just hand over their keys to pupils to go get something for them, when they have master keys. Same Teachers who lose keyrings with masters on and just go 'oh well, can I have another'
The same Teachers who write on Interactive Whiteboards with permanent marker and just laugh
Same Teachers who write on brand new TVs with marker pens because they thought they were interactive.
Same Teachers who think it's ok to just let kids use their work devices with all their emails open and pupil data freely browsable.
I could go on and on.....
The concept of security and general common sense is rare in schools. The better, decent Teachers I've come across have generally worked in the private industry before becoming one. Those that have gone School -> College -> Uni -> Teacher don't seem to live in the real world.
Good to see that the sanctimonious are alive and well and still on El Reg. There is clearly an epidemic of ransomware out there. Is any organisation really safe? My guess is that the world is probably simply divided into 3.
1. Organisations where ransomware attacks have caused disruption already
2. Organisations where ransomware attacks will cause disruption
3. Organisations that don't own or use any computers
Any network will get malware on it eventually. Some networks get malware on them a lot more often than others. These things are not contradictory.
Any system will lose data permanently eventually. Some systems have no backups and therefore will lose data permanently more often and in a more damaging manner. These things are not contradictory.
The most sophisticated attack will eventually get access through a very good security system. A good enough security system will block less sophisticated attacks. These things are not contradictory.
Some of this is about doing the job well. Ransomware can be prevented more often by employing security measures that make it harder to install. While it can't be prevented in all cases, the risk can be reduced. If ransomware does strike, it will be debilitating, but if there are good backups, it will lessen the cost of fixing things. A sophisticated attacker may manage to infect the backups too, but it's possible to avoid that. Therefore, it is justifiable to say that a place with local admin rights for everybody and no backup system has failed to do its job related to security. We're not being sanctimonious any more than you would be if you told me not to leave the keys to my car in the car and then walk away. It's a precaution they have to take and they didn't. This doesn't apply to everybody, but you'll find it applies to a lot of them.
Actually you are being sanctimonious. Pretty much the dictionary definition 'making a show of being morally superior to other people.' On the basis of the reports you don't really have any info on how good, or not, Harris' security has been. Knowing a little of the trust's ethos, I imagine their IT was pretty locked down and their policies pretty rigorous. Nowhere in the reporting did it say that they were lax with local admin rights or didn't have good backups.
That's really the point I was making. El Reg at times a) assumes anyone who has their car stolen must have left the keys in it, b) that the reason their car has not yet been stolen is because of their superior 'take key out of ignition' skills.
Car thefts have been in massive decline since about 1992. Why? Better security. The ones that still get nicked are largely low-hanging fruit, which means either something like keys in ignition or manufacturers that still haven't got on board with the security thing. Even with the latter, if people paid attention to possible vulnerabilities and took appropriate action, they could mostly be avoided. So I think your analogy is indeed relevant. It just doesn't mean what you think it means.
Actually it does. The relative frequency over time of car thefts is irrelevant. The relevant bit is the mindset that says, 'I'd never be as dumb as that', and assumes that car thefts are the owner's problem through being lax, or the manufacturer's slapdash coding.
When an organisation admits to a ransomware attack you might be seeing the idiot who left their keys in the ignition with a laptop left on the passenger seat, or you might be seeing the work of the criminal who spotted the flaw in a keyless entry no-one else did, and exploited it before it was patched. Or the ones who bypassed the security altogether by turning up as you parked with a club/knife/gun. And given the money to be made how long before ransomware attacks are initiated by waiting for the PFY to stagger back from the pub and 'persuading' them that a ransomware attack is better than losing a finger or two?
I don't know about this situation. That is true. However, I do know about a lot of other situations where ransomware has struck in the past. A lot of those which had problems were due to configuration problems. People got hit with ransomware and you don't know about it because they limited the spread and recovered quickly. The ones who get articles here usually had more trouble, either a more pervasive spread, difficulty recovering from insufficient backups, or both. Therefore, if an organization is having a lot of trouble because of a ransomware situation, I view it as more likely they didn't take a backup step than they were hit with a very sophisticated ransomware variant.
As a teenager back in the mid-90s, I obtained an admin password for my ~1500-pupil secondary school network by dropping a fake Novell login screen (which I'd knocked together in VB 4, iirc) on a machine I knew to be frequented by admins. Was that "highly sophisticated"? Personally, I'd say it was pretty basic (if you'll pardon the pun). But I could have used the results in the same way. (I didn't – I just had a bit of fun and ultimately got a slap on the wrist as long as I explained to them exactly what I'd done [I'd probably be arrested these days].) These things they call "sophisticated" are often much more basic than that, with skiddie scripts scanning for default services with default passwords. I'd argue that the encryption systems they use are the sophisticated bit. The "attack" itself is usually a lot more like hopping over a back fence and carding a fire exit.
They aren't the only ones to be hit recently
Interestingly the ones I've come across are the ones that pay their leadership teams inflated salaries. Perhaps they have no money left for a network manager...
Biting the hand that feeds IT © 1998–2021