Arizona Schools Provide Model for Managing Ransomware

On Wednesday, September 4, 2019, ransomware was discovered at Flagstaff Unified School District, Arizona. Schools were closed on Thursday and Friday of that week, but re-opened after the weekend. No ransom was paid, and only two days of schooling were lost.


Now Moody’s new weekly Public Finance Credit Outlook newsletter has highlighted the case as an example of how to prepare for and mitigate the effects of ransomware. It says three things were fundamental: distributed processing across several third-party organizations; a well-prepared and executed response plan; and cyber insurance.

The distributed processing between various organizations including Northern Arizona University, Coconino County and private vendors amounted to a form of network segmentation. “This,” comments Moody’s, “limited the potential spread of malware across systems and allowed the district to continue performing important operations, such as vendor payments, payroll and debt service repayment, even if its own systems were not immediately available.”

While commercial organizations might not be able to implement an identical distributed processing plan, they could implement well-controlled internal network segmentation. If this were done, the effect would be similar: any malware infestation would be limited in its ability to affect the whole network. This is not easy, but it is certainly doable with next-generation firewalls and privileged access management.

The second element of Flagstaff’s success highlighted by Moody’s is the district’s well-planned and executed incident response plan. The schools were closed not because of loss of computing, but over safety concerns that systems such as cameras, door locks, HVAC, and communications might have been compromised.

Computers were immediately disconnected from the internet and shut down. They were given factory resets to ensure that no malware could be left on the computers to re-infect the network.

However, Moody’s adds that budgetary preparation for unplanned incidents also benefits the financial running of the schools (which have in excess of 9,000 students and revenue of around $95 million). The schools have an annual ‘snow’ budget for five days of closure. While it is unusual to invoke two snow days in September, it nevertheless means that if the winter is not too harsh, there will be no financial impact from the schools’ ransomware closure.

There will, of course, be additional financial costs from the incident, including upgrading security and hiring third-party vendors to improve security to prevent any future incidents. “Most, if not all, of these additional costs,” says Moody’s, “are likely to be covered by its cybersecurity insurance policy, although district management says the total financial cost will not be known for at least another month.”


At these Arizona schools, no ransom was paid, the ‘offices’ were closed for just two days without any detrimental financial effect, and any long-term costs were eliminated through insurance. The combination of three basic elements, defense (including network segmentation), a planned and effectively executed incident response, and cyber insurance, is a model that could be followed by many organizations in the fight against ransomware and malware in general.

As far as Moody’s is concerned, the Flagstaff, AZ Unified School District is ‘credit positive’ (rated Aa1) despite being affected by ransomware.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
