EP 12 – K-12 Schools in Ransomware Crosshairs w/ Matt Kenslea, Director of State, Local and Education at CyberArk

[00:00:00.250] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

[00:00:23.310] – David Puner
If you’ve seen the movie, Catch Me If You Can. The name Frank Abagnale Jr. probably rings familiar. He was a master con man, played in the movie by Leonardo DiCaprio, and chased around the world, also in the movie, by Tom Hanks’s, FBI Agent character. In real life, Abagnale, long has been on the right side of the law and is a world renowned identity fraud expert. A few years ago, in an interview, Abagnale described why cybercriminals prefer to steal the identities of younger people.

[00:00:52.040] – David Puner
To paraphrase, he said that children are extremely valuable identity targets because they have no credit, aren’t using it, and won’t be using it for a long time. And the younger the target, the longer it will take to realize that person’s identity has been stolen, like years. Fast forward to present day, in recent weeks, educational institutions have been under widespread attack. Earlier this month, September 2022, for those of you listening to this in 2035, the FBI, CISA, and the Multi-State Information Sharing and Analysis Center issued a joint cybersecurity advisory, warning that threat actors are, “Disproportionately targeting the education sector with ransomware attacks,” especially kindergarten through 12th grade institutions.

[00:01:40.230] – David Puner
Why K–12 schools? Well, for the same reason Abagnale talked about years ago, accessible student data. Add to the mix, overworked staffs, and competing priorities that make investing in cybersecurity and hiring specialized cybersecurity staff a major challenge, an attacker’s worm. Which is why, on today’s episode, I check in with Matt Kenslea, who’s CyberArk’s Director of State, Local and Education, aka SLED. As you’ll hear, Matt’s intimately familiar with what’s been going on with the wave of cyber attacks on K–12. He discusses the challenges and what schools can do. It’s an eye-opening conversation, and it’s a hope for conversation too.

[00:02:22.050] – David Puner
Here’s Matt Kenslea on Trust Issues, catch it.

[00:02:27.970] – David Puner
Matt, as we record this episode, we’re still in the thick of back to school. We’re about mid-September. This episode is likely going to release in a couple of weeks, and something we’ve been hearing a lot about is ransomware and schools, which seems super prevalent right now in the news, and in fact, the FBI and CISA and the Multistate Information Sharing and Analysis Center, issued a joint cybersecurity advisory last week that threat actors are disproportionately targeting the education sector with ransomware attacks. Is it a coincidence that these attacks have spiked around the start of the new school year, or something else is going on, I guess. What is going on?

[00:03:07.220] – Matt Kenslea
Thanks and good morning, David. It’s hard to pin down exactly why now, but because the attack environment is constant, it’s never changing. But if you are an attacker, this time of year is a great time of year, an opportunistic time of year, because so much is going on as people come back to school, you’ve got new faculty and staff, new machines. You’ve got a lot of demands on everybody, but particularly on the IT and security staff in the school and school districts, as they have to meet new demands, maybe implement new systems, whether it’s a classroom management system or new content.

[00:03:43.020] – Matt Kenslea
So there’s a lot of demands on those teams, and those teams are kind of chronically understaffed and under-resourced. The shrinking workforce in the United States, for one, impacts everybody across industries and across roles, but in particular, if you think about a K-12 public school district, they’re not famous for their extravagant salaries, and a lot of them, if you’re in an environment where there are healthcare, there are financial services, there are technology companies, it’s going to be really hard for you to attract and retain skilled cybersecurity and IT staff.

[00:04:18.610] – Matt Kenslea
There’s a churn, and one of the largest systems in the country was recently attacked, and one of the sort of forensic after the fact analysis was that they’re just very understaffed and have been for a while for a system that large. And as you think about the largest 50 or so school systems in the United States, the ones in our major cities, those are fortune 100-sized organizations, and oftentimes they have very small IT and security staff. The defense posture may not be as strong as it is in the world. There’s certainly a lot of churn as you get into back to school, and it’s a target rich environment. The data is there, it’s plentiful, it’s really valuable, and there are so many stakeholders, that it’s a very desirable target for the attackers.

[00:05:07.650] – David Puner
I want to get back to pretty much every aspect of what you were just mentioning because obviously, it gets to the point where, okay, here’s what’s going on, but what’s the solution? And we’ll get to that in a second. How did you end up in this role, and is it what you wanted to be when you were growing up?

[00:05:24.110] – Matt Kenslea
I was hired in February of 21, to build a state local team. So we standardize on a number of national contracts. We worked with a lot of the security form requirements that the state and local and education accounts require, really tried to get to become a better, more consistent partner, and then we built a focus team that we put in place in January, just a little over eight months ago. And that team is working right now across the United States, focusing on our existing customer base, which is a few hundred existing state, local, and education customers that we had historically, and also adding new ones.

[00:05:59.520] – Matt Kenslea
Part of that role of our SLED team, is not only to serve those markets better, but also to bring those markets needs and their concerns back to our organization, back to strategy and leadership and marketing and product. So we’re trying to create a two-way dialogue, so we can continue to serve these markets because they’re crucial. It’s where you and I vote, it’s where we pay taxes, it’s where our kids go to school. All that data is pretty vital, it’s important, and so we take it seriously and we work hard to try to help protect those environments.

[00:06:34.070] – David Puner
Taking that and going back to what we were already talking about with K-12, and ransomware and just all the craziness that seems to be going on there right now. Is the university and college sector less likely to experience this, I guess, just volume? If that’s what we’d want to call it from a ransomware standpoint, just ransomware attacks because there are more resources and less staff churn as a result.

[00:07:04.150] – Matt Kenslea
Well, so on hard data, there’s a resource called K-12 Dive. Pretty respected blog and journalist site. They published a report that in the academic year 21-22. So the academic year that ended in June of this year, 56% of the K-12 schools worldwide reported a ransomware attack, and 64% of colleges and universities reported a ransomware attack. They’re very different environments. K-12 is a little more locked down. In Higher Ed, you hade the students, typically in K-12, the students are on like a surface tablet or a Google Chromebook, or an apple iPad.

[00:07:44.490] – Matt Kenslea
In those environments, the student don’t have a lot of access, so the students are much less of a vector for the attackers, whereas in Higher Ed, the students can absolutely be a vector. Then you set the Higher Ed, the faculty, they’re the collaborative people. They work with the other faculty members across the world on combined research efforts. So there’s often sharing back and forth. Faculty have been shown to be easily targeted by spear phishing. So if you take a faculty member whose research is on fruit flies and how they multiply and reproduce, if you can create a spear phishing email that has some interesting data on that, you’re much more likely to get a click on that link. So there’s a lot of risks in Higher Ed that expose it too. So we see them both under a lot of threat-

[00:08:34.390] – David Puner
Techers are going to the extremes of being that customized in their-

[00:08:38.910] – Matt Kenslea
Sure, yeah, they’re very sophisticated. Very sophisticated, and it used to be back in the early days, you could tell because your phishing email had spelling errors or it had really bad grammar errors. Now they get very sophisticated. It looks like it’s from a real bank, it looks like it’s from a real insurance company. They are sophisticated. In some cases they’re nation state actors, and other cases they are ransomware groups that are structured and built and work like a business to engage in these attacks and-

[00:09:12.320] – David Puner
So then this seems like it would go to cybersecurity fundamentals and staff training and education. As a trend, is that happening before the breaches occur, or it seem like it’s happening after these breaches occur, and if so, what should we be doing going forward when it comes to training our education staffs and K-12 schools?

[00:09:33.190] – Matt Kenslea
So that report you mentioned earlier, the FBI, the CISA, and the MS-ISAC, they all came out. There was a recent report that they just published on ransomware, and what they’re recommending is, and it’s pretty common sense, it mirrors a lot of what insurance companies are also demanding of these institutions, to enable them to renew their cyber insurance. And the things that they’re demanding are, patch your known vulnerabilities. Update the known vulnerabilities because that’s where the bad guys go. They’re strongly suggesting phishing and other cyber education.

[00:10:08.770] – Matt Kenslea
That’s a real challenge because most of us have been through those courses and there’s a lot of skepticism from the user where people just click and try to get it over with. Meanwhile, sort of a heightened awareness I think is necessary. The challenge is those of us at CyberArk, we live and die with this every day. So we’re always thinking about it, we’re always skeptical. I’ve reported multiple emails that I thought were Phishing, that turned out to be real emails. The question is, am I paranoid enough? And I think the filter needs to get out to the rest of the world. The CISA, MS-ISAC report as well, recommended multi factor authentication, that’s in place in a lot of institutions already.

[00:10:50.300] – Matt Kenslea
It’s one of the first things people do, sometimes in schools that can be a challenge because phones are almost always part of an MFA solution, and sometimes phones are a challenge on a school campus. They don’t maybe let phones come into a campus at some places. And then we would add to that, and I think this is a lesson we’ve learned from what we know about previous ransomware attacks. We would add an endpoint privilege manager solution that controls local admin rights.

[00:11:20.360] – Matt Kenslea
You hear a lot of conversation in cybersecurity about defense in depth. So people may have an antivirus solution or they may even have an endpoint detection and response solution. What those do is they’ll protect against the known virus. They will help you identify an attacker who is in your system. But what an endpoint protection tool like endpoint privilege manager that manages local admin rights, what that’s going to do, is control against lateral motion, and in almost every one of the breaches that are well known and have been publicized, whether it’s the solar winds breach, the octave breach, the recent last pass breach, almost every one of those kinds of the major breaches, what we see is an identity that’s been exploited over time.

[00:12:04.770] – Matt Kenslea
So now, boom, that person can move over to that machine and move up and escalate some privileges, and in a lot of these famous, let’s call them or well-publicised breaches, we’ve seen that the attackers have lingered for time and have moved laterally and escalated privileges. And by controlling local admin rights with a tool, you can get that balance between security and employee productivity. So there’s a lot of recommendations and again, a lot of these are work for the accounts. So a K-12 school district has to make some decisions. They’ve got to make some choices.

[00:12:42.690] – David Puner
Right, which goes, I think to some of the more notable challenges here that you’d mentioned earlier. One of them being, there are staff challenges around IT and security staff and a lot of churn there. There’s also, obviously budget limitations when you’re talking about K-12. How are folks who are handling this better than others addressing these challenges?

[00:13:04.990] – Matt Kenslea
You’re absolutely right. The demands are fairly endless and cybersecurity is just a single pillar, if you will, of the demands and expectations on the combined IT and security staffs in a K-12 school district. We have a blueprint that we believe in, that we have built and refined with over 20 years of experience with thousands of customers worldwide. And our blueprint tells us that what we want to do, is limit the breach, limit privilege escalation, limit lateral movement, and really control those elements.

[00:13:38.270] – Matt Kenslea
Control those in a way that again, is going to limit the end users ability to launch bad files, to launch malware, to launch ransomware, to be victimized by phishing emails, but also a tool that lets them do their work. Lets them install a printer, lets them run a file from an unknown application if they request and are granted the permission.

[00:14:00.870] – Matt Kenslea
And then finally, in a lot of cases, whether it’s for cyber insurance or just regulatory compliance, in a lot of cases, there’s an external demand on these school districts, on these colleges and universities, to do something, to implement these solutions, so that they can write cyber insurance. We work with a number of colleges who have been presented with 100% increases in their cyber insurance policies, or higher than that, we work with a number of colleges who have chosen to self insure to mitigate the risk, because the cost from an insurance company policy is so high.

[00:14:37.450] – Matt Kenslea
We’ve seen, there was an article the other day in the Wall Street Journal, a lot of insurance companies are declaring that the cyber attack is an act of war because it was done by a nation-state actor, and thus they don’t cover the incident. So it’s a really challenging environment. Yeah, it’s really challenging. I don’t mean to laugh, but it’s a really challenging environment for anyone. So there’s a lot to do. We try to listen actively and serve our customers the best, what’s going to help them, again, mitigate their risk in a measurable way as quickly and affordably as possible.

[00:15:15.070] – David Puner
What are some of the implications of a ransomware attack for a K-12 school, in today’s mostly post-online learning, at least?

[00:15:22.280] – Matt Kenslea
There has emerged a new approach. People talk about ransomware 2.0. If you think about the original ransomware approaches, it was, we’re going to break into your system, we’re going to get our privileges escalated. And then we’re going to encrypt all your data, and we’re going to sell you a key that will unlock that data for you, and then you’ll be able to go back and do your lives. We know of colleges, a small private college, had to pay a million dollars in ransom because from the month of August through early October, 1 year, they had to run their entire system on paper because they had been completely encrypted.

[00:15:57.810] – Matt Kenslea
What’s emerged is, as these attackers have become more sophisticated, is this idea of ransomware 2.0, where they don’t encrypt the data, they offload the data, and they threatened to release it, they threatened to publish it on the dark web. So now you’ve got a school district which has the name, think about the large cities in the US. Millions of students in their system, and you’ve got an attacker who says, okay, I’ve got the student data, I’ve also got your faculty and staff data, and I’m going to publish it on the dark web unless you give me ten bitcoin or whatever the going rate is these days.

[00:16:31.670] – Matt Kenslea
So that’s a real financial risk to them, and it’s a reputational risk. If you’re a college and that happens to your student data, that’s a real threat to future enrollment. If you’re a K-12 school district, and your student data is compromised and threatened to be released, you’ve got a problem with your citizens and your stakeholders, and also your elected officials. No mayor is going to look kindly on a school system that has had children’s data exposed on the dark web. So those threats are really, maybe they are existential, but they’re certainly serious.

[00:17:05.650] – Matt Kenslea
If you’ve been breached and you’ve had your data taken, and you’ve had your data exposed or encrypted, you’ve got a reputational problem with your stakeholders, with your consumers, your citizens, and that’s a challenge to recover from. I did some more specific research. One of the things that really caught my eye was somebody from the FBI said that education data, Higher Ed, US Higher Ed data, and US K-12 data is always for sale on Russian hacker forums, and other dark web locations. So there is always… That data is always out there. It always has a sticker price. It’s always desirable to the bad actors that want to buy it, so the attacks will not relent.

[00:17:53.030] – Matt Kenslea
They will continue… There’s still value there for the bad actors to come after it, and the challenge for the protectors, as always, the attackers and these exploits to take advantage of known vulnerabilities. You don’t need to be a good hacker to go acquire an exploit kit on the Internet. Our research lab, we have 4 million known variants of ransomware that we know we protect against, and that ticker. It’s like the deficit clock or the world population clock. It’s always moving. We are always identifying new variants of ransomware, and those are available to anybody who’s got bad intentions and you don’t even have to be very good.

[00:18:37.510] – David Puner
We’ve hit the solution, or at least where to start. CSA guidelines, endpoint privilege controls. What else, if somebody, a school or a school administration is looking to immediately limit their exposure to ransomware without letting other priorities slip, is there anywhere else to start?

[00:18:56.270] – Matt Kenslea
Yes, with school districts are served by lots and lots of content providers, lots of textbook providers, educational systems. They’ve engaged in digital transformation the same way anyone else has. So they’ve got student management systems, they’ve got course management systems, they have financial systems. All of those are potentially vulnerable to a direct attack, but also, all of those connect to other systems. And those connections are often not a human action. Sometimes it’s a hard-coded credential, that goes from one application to another and that can bring risk. And very often those identities aren’t managed on a day-to-day basis, so the hard-coded credentials can live in there.

[00:19:40.320] – Matt Kenslea
So sometimes a focus on the non-human accounts, and that’s absolutely part of our blueprint as we talk about a cybersecurity maturity model, we believe control your privilege, control your privileged accounts. Again, network admins, systems admins, move to controlling local admin rights on the end point, and then move into really a security mindset where you’re securing your non-human accounts. We deal with a lot of colleges, but also school districts that have multiple cloud environments. They may be in the AWS environment, they may be in Google cloud, they may be in Microsoft’s Azure Cloud.

[00:20:18.540] – Matt Kenslea
All of those environments bring risks. In many cases, the default identities, you create a user in that environment, that identity brings with it certain privileges and nobody really knows what happens to those privileges, who’s got what. So a solution that can point at those, identify where the risk is, and manage those, that’s another part of our maturity model.

[00:20:39.570] – David Puner
What are the potential scenarios near future and longer term when it comes to schools and heightened cybersecurity? What do you think things might look like a few years down the road or next year, let alone a few years down the road?

[00:20:52.550] – Matt Kenslea
So the good news is that a lot of federal money has been made available in the last two or three years. Under the previous administration, the CARES Act absolutely released money that’s focused to cybersecurity. And under the current administration, the Infrastructure Act, I’m sorry, the Rescue plan, then the CARES Act, all of these things have released federal funding, much of it targeted specifically at cybersecurity efforts. That money is starting to filter out to the states and localities. It’s starting to be budgeted and made available. It’s always a process. It’s always a process in the public sector for budgeting and for appropriating, for spending.

[00:21:30.610] – Matt Kenslea
There are lots of efforts underway across the country on behalf of centralized state chief information security officers for what they call, a whole-of-state approach. And so where the state sees so, who may be, almost always is, very much on top of things, typically right on top of things, well funded, well staffed. How can they help the groups that are less so, and so we’re seeing a movement around the country too. Again, that so called whole-of-state approach, that’s absolutely in place, and we partner with a number of states on those kinds of initiatives.

[00:22:06.240] – Matt Kenslea
I think the awareness of risk is there for sure. Certainly at the practitioner level, they’re aware of the risk, and in the public, at large, the awareness of risk is real. It’s very easy when a breach occurs and gets publicized for somebody to try to jump that we use the phrase “Ambulance chasing,” not to make light of that, but it’s very easy for somebody to try to jump in and say, “Oh, we can help you today.” Meanwhile, the folks who have been breached and have been attacked, are dealing with that attack and they’re trying to unencrypt their data, they’re trying to protect their student information. They’re trying to deal with-

[00:22:39.380] – David Puner
Crisis at the highest level.

[00:22:41.260] – Matt Kenslea
Yeah, I think empathy and understanding, to the customer, to the prospect, to the folks in these roles, is a really crucial skill. If we’re not approaching them as a human being and trying to work within what is crucial and a priority for them, we’re never going to have a meaningful impact. It’s the golden rule, right? Do unto others as you would want them to do unto you.

[00:23:07.120] – David Puner
It sounds like you’re a busy man, Matt. Thank you very much for coming on to the podcast today. I think it’s a really interesting conversation and look forward to speaking with you again down the road when we know what the future looks like.

[00:23:19.080] – Matt Kenslea
Well, my pleasure, David. Good to be with you. Thanks so much for the opportunity. I tell my kids I’m doing a podcast and they’re not really impressed, but they’re less unimpressed.

[00:23:28.490] – David Puner
Well, definitely we’ll send them a link when we go live. We want their support.

[00:23:34.490] – Matt Kenslea
There you go. Thanks.

[00:23:45.870] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment preferably, but it’s up to you or an episode suggestion, please drop us an email at [email protected] and make sure you’re following us wherever you listen the podcast.