On Wednesday, September 4, 2019, ransomware was discovered at Flagstaff Unified School District, Arizona. Schools were closed on Thursday and Friday of that week, but re-opened after the weekend. No ransom was paid, and only two days of schooling were lost.
Now Moody’s new weekly Public Finance Credit Outlook newsletter has highlighted the case as an example of how to prepare for and mitigate the effects of ransomware. It says three things were fundamental: distributed processing across several third-party organizations; a well-prepared and executed response plan; and cyber insurance.
The distributed processing between various organizations including Northern Arizona University, Coconino County and private vendors amounted to a form of network segmentation. “This,” comments Moody’s, “limited the potential spread of malware across systems and allowed the district to continue performing important operations, such as vendor payments, payroll and debt service repayment, even if its own systems were not immediately available.”
While commercial organizations might not be able to implement an identical distributed processing plan, they could implement well-controlled internal network segmentation. If this were done, the effect would be similar — any malware infestation would be limited in its ability to affect the whole network. This is not easy, but it is certainly doable with next-gen firewalls and privileged access management.
The second element of Flagstaff’s success highlighted by Moody’s is the district’s well-planned and executed incident response plan. The schools were closed not because of loss of computing, but over safety concerns that systems such as cameras, door locks, HVAC, and communications might have been compromised.
Computers were immediately disconnected from the internet and shut down. They were given factory resets to ensure that no malware could be left on the computers to re-infect the network.
However, Moody’s adds that budgetary preparation for unplanned incidents also benefits the financial running of the schools (which have in excess of 9,000 students and revenue of around $95 million). The schools have an annual ‘snow’ budget for five days’ closure. While it is unusual to invoke two snow days in September, it nevertheless means that if the winter is not too harsh, there will be no financial impact from the schools’ ransomware closure.
There will, of course, be additional financial costs from the incident, including upgrading security and hiring third-party vendors to improve security to prevent any future incidents. “Most, if not all, of these additional costs,” says Moody’s, “are likely to be covered by its cybersecurity insurance policy, although district management says the total financial cost will not be known for at least another month.”
At these Arizona schools, no ransom was paid, the ‘offices’ were closed for just two days without any detrimental financial effect, and any long-term costs were eliminated through insurance. The three basic aspects, namely defense (including network segmentation), a planned and effectively executed incident response, and cyber insurance, form a model that could be followed by many organizations in the fight against ransomware and malware in general.
As far as Moody’s is concerned, the Flagstaff, AZ Unified School District is ‘credit positive’ (rated Aa1) despite being affected by ransomware.