Sensenich, now retired, shared her firsthand experience last week with attendees of the Future of Education Technology Conference in Orlando, Fla. Recounting a 42-day effort by her team of 10 to restore systems at Rockingham County Schools, she said they discovered a problem in December 2017 shortly before the holiday break, starting with a call from central office about a handful of computers running slowly. A day later, they got another call about more machines running slowly.
Sensenich and her team found Emotet, the banking trojan, on machines at central office, and it had spread across the network from there. “Patient zero” was an employee who processed invoices and, truly by accident, fell for a phishing attack that tricked them into downloading and opening the wrong invoice.
After IT staff spent the weekend wiping computers, Sensenich said, the superintendent sent a video message instructing teachers and staff to leave all their work-issued devices behind, and the district took the network offline after students went home. Sensenich said her team spent the next 42 consecutive days — many of them 12-hour days, with only some hours off on parts of Christmas and New Year’s Day — driving vans to all locations to collect all devices and USB memory sticks, taking inventory of 1,200 laptops to see who didn’t turn them in, and then imaging, or making copies of, their hard drives and software so they could be wiped.
The team also emailed all staff and the superintendent’s cabinet over the winter break; held an emergency school board meeting on Dec. 27 to fill the board in; filed a police report with both county and city law enforcement as well as the FBI; contacted Malwarebytes, which offered them six months’ service for free; drafted a news release to inform the public; and used K12 SIX’s map of cyber attacks on schools to repeatedly emphasize to the school board how common the problem was and to justify spending money on cybersecurity.
Sensenich described several poor practices and assumptions that had contributed to the incident, including a lack of sufficient monitoring.
“We assumed … that the cord that was plugged into the phone and the cord that was plugged into the docking stations of our computers would be the only things accessing those network rules,” she said. “And so we didn’t really have a good monitoring system to tell us when things were joining and getting permissions, any of that stuff.”
Sensenich broke down a list of what she called “bad methodology” that included:
- Using the same endpoint detection system for too many years
- Using an endpoint detection system that she would not name but said was unhelpful in a crisis
- Having network cables that were easily accessed across the district
- Giving network passwords to any staff working with computers in CTE programs
- Having no network monitoring of devices that were plugged into the network
- Allowing USB drives
- Having an insufficient backup plan
On the positive side, Sensenich said the recovery process resolved some of those issues. She said the mitigation team replaced the district’s former endpoint detection partner with the data security company eSentire, which gave them 30 days for free to “see what the network looked like.”
“This is how you begin a conversation to get this in your district. You work with a company and have them do an evaluation, whether you do a [penetration] test, or a breaching, or respond to what’s going on. I was able to go back and show them that … it was a category 5-level incident,” she said. “If you’re given a category 5, that means they have called you. And if I didn’t answer, they call the next person in line, and they call until somebody answers the phone.”
Today, Sensenich said, Rockingham schools allocate more than $300,000 to network security tools, have at least a handful more network staff, including engineers and a help desk, hold training for staff on phishing threats, and require computer lab staff to file work orders for network passwords.
But it was a costly lesson.
“In the end, it cost us $1.3 million in cash,” she said. “The reason I say cash is because that’s not salaries of all my staff. That’s the actual physical dollar amount we had to come up with.”