Educause Security Discussion mailing list archives

Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack


From: Michael J Behun <behun () BINGHAMTON EDU>
Date: Mon, 30 Nov 2020 10:34:21 -0500

Just a few suggestions to think about.

1.  First - *verify you have offline backups* - If you can see
your backups online, then they likely can be deleted/encrypted.
2.  Take a look at your accounts

   - Password - Anyone that has an account at the K12 and university may
   be a vector if they use the same password for both accounts or logged on
   through a compromised K12 computer. - suggest a password reset
   - Check/monitor any privileged accounts (Backup Admin and Windows Domain
   Admin) at University - suggest MFA be enabled for privileged accounts.
   - Monitor RDP access or require MFA

3.  Ensure University domain controllers are patched - break trust to BCPS
4.  Disable PowerShell or whitelist applications

Vector seems to be more account compromise, privilege escalation, and
reconnaissance. It is less likely email will contain a payload.

Mike.

Michael Behun
Director of Information Security
Chief Information Security Officer
Binghamton University
607-777-6198 Office
607-644-3427 Direct
behun () binghamton edu
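The "monitor RDP access" and "check/monitor privileged accounts" items above are the kind of review that is easiest to do from logon events. As an added illustration (not part of either message in this thread), the script below triages a constructed sample of Windows Security 4624 logon events, flagging privileged accounts that log on from outside an assumed admin jump-host subnet and listing RDP (logon type 10) sessions for review; the account names, subnet and field names are assumptions for the example.

```python
"""Triage constructed Windows 4624 (successful logon) records for the
two review items: privileged-account use and RDP access. PRIVILEGED and
ADMIN_NET are assumed values for this example, not from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVILEGED = {"CORP\\backupadmin", "CORP\\da-jsmith"}  # assumed Backup/Domain Admins
ADMIN_NET = ip_network("10.10.50.0/24")                 # assumed jump-host subnet
RDP_LOGON_TYPE = 10  # RemoteInteractive in Microsoft's 4624 logon-type table


@dataclass(frozen=True)
class Logon:
    """Subset of 4624 fields needed here."""
    account: str
    logon_type: int
    source_ip: str


SAMPLE_LOGONS = [  # constructed sample data
    Logon("CORP\\backupadmin", 10, "10.10.50.12"),   # RDP from admin net: expected
    Logon("CORP\\backupadmin", 10, "192.168.7.44"),  # RDP from elsewhere: flag
    Logon("CORP\\jdoe", 10, "192.168.7.45"),         # RDP by ordinary user: review
    Logon("CORP\\da-jsmith", 3, "10.10.50.12"),      # network logon, admin net: expected
    Logon("CORP\\da-jsmith", 2, "172.16.3.9"),       # console logon outside admin net: flag
]


def classify(logon):
    """Return a finding label, or None when the logon needs no attention."""
    privileged = logon.account in PRIVILEGED
    from_admin_net = ip_address(logon.source_ip) in ADMIN_NET
    if privileged and not from_admin_net:
        return "privileged-logon-outside-admin-net"
    if logon.logon_type == RDP_LOGON_TYPE and not privileged:
        return "rdp-logon"
    return None


def triage(logons):
    """Bucket logons by finding label so each bucket can be reviewed."""
    findings = {}
    for logon in logons:
        label = classify(logon)
        if label:
            findings.setdefault(label, []).append(logon)
    return findings


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LOGONS).items():
        print(label, [(h.account, h.source_ip) for h in hits])
```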


On Mon, Nov 30, 2020 at 9:48 AM Jim A. Bole <jbole () stevenson edu> wrote:

Are there any good precautionary measures to help reduce risks coming from
a partner who's been the victim of a ransom attack?

The K-12 org in our area was hit by a major ransomware attack just before
Thanksgiving:

Baltimore County schools closed Monday, Tuesday due to ransomware attack
(wbaltv.com):
https://www.wbaltv.com/article/baltimore-county-public-schools-closed-monday-tuesday-ransomware-attack/34811334


We have some students and faculty who are also connected with the school
district (BCPS). They just got their public-facing website back up
yesterday: Baltimore County Public Schools (bcps.org):
https://www.bcps.org/

Out of an abundance of caution, we've temporarily quarantined all inbound
email from BCPS.

We are also recommending that anyone who may have used their personal
computer to connect to BCPS resources not use the device until more
information is known.

We're also doing a general review of good practices (patching, monitoring,
etc).

Our VPN is limited to a handful of key staff members. Most
faculty/staff/students connect remotely to resources via cloud apps or an
RDP instance restricted to a few on-prem apps.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
