That initial alert was followed by the scramble to secure connected assets and get a clearer picture of the rapidly evolving cyber incident, LAUSD CIO Soheil Katal told attendees of the AWS Imagine conference July 12.
What could have been a crippling blow to the district and its 670,000 students served instead as a valuable opportunity for all involved to prepare for the next crisis, he said, characterizing the incident as unsuccessful. “If it was successful, I wouldn’t be here,” he joked.
“We were able to contain the threat within the first hour or second hour, but really it was a battlefield to get it done,” Katal said. For every missed school day, the district was set to lose millions of dollars in state funding, not to mention the disruption to meal services, transportation and other critical operations. Because the team was able to stabilize the situation, classes resumed as usual after the holiday weekend.
Cyber attacks are now expected as part of doing business for schools around the world. In the U.S., a lack of IT resources, budget limitations and the sensitive data of children make the education sector a prime target for ransomware groups. Successful attacks often cost far more than ransom — privacy, credibility, insurance rates, downtime and a laundry list of other negative impacts must also be reconciled, Katal said.
From the time of the initial call, LAUSD staff worked to completely lock down the network, isolating the opportunity for data thieves to move around. The FBI and CISA were in contact immediately and on site within 24 hours.
“Minutes count,” Katal repeated throughout his presentation.
The speedy reaction from the district IT team and partners left valuable evidence intact, unlike some other high-profile attacks where thieves locked, or rather encrypted, the door behind them.
“For us, we were lucky, we were able to contain the system and we were able to share a lot of IOC (indicators of compromise) intelligence net resources with these agencies,” he said.
The strategic response is what saved the district from an enormous and extremely sensitive data exposure. Of the 16 petabytes of data under the district’s control, only around 400 gigabytes — roughly the storage capacity of a laptop — was actually lost to attackers, Katal said.
It should come as no surprise that the largest district in the state would be a tempting target for cyber criminals: 250 applications, 1.6 million active directory users and some 130,000 networked devices. It’s a big and potentially lucrative target, Katal admits, noting that 33.5 million attempted malware attacks are launched against their systems each year.
Adding to the challenges is the fact that not every network user in the district can be trained to the same level. Students often struggle with — or worse, don’t care about — the importance of strong password protections or avoiding suspicious links and questionable downloads.
“That’s why you need to complement with a lot of other strategies beyond that to protect K-12,” Katal said.
Unfortunately, the odds are not in LAUSD’s favor when it comes to the potential for a re-breach, though Katal said he is confident the district is more prepared than ever. New resources, governance and strategies are in place to avoid joining the roughly 80 percent of organizations that get hit with ransomware within a year of their first attack.
“I’m waiting for August, but I’m protecting my system to make sure it’s not going to happen to me,” he joked.
His advice for those who find themselves receiving the same dreaded late-night call he got: “Protect yourself and avoid paying the ransom, that was the lesson No. 1 we learned from the FBI, from CISA and everybody else,” he said. “No matter what, your data is going to leak on the dark web, one way or another. Never trust a bad actor.”
