State auditors found “significant risks” within Baltimore County public schools’ computer network, according to a report released Tuesday, the day before a ransomware attack shut down the school system.
The network was not adequately secured, and sensitive personal information was not properly safeguarded, among other issues, the Office of Legislative Audits found.
County police are investigating the attack, which school IT personnel say they identified late Tuesday night. They’ve declined to release details of the probe. It’s unclear what role the weaknesses described in the audit may have played in the ransomware incident.
The cyber attack has halted school for 115,000 students, with no timeline for when classes will resume. It came as the school system has shifted to online classes amid the coronavirus pandemic.
State auditors conducted fieldwork for their assessment from May 2019 to February 2020.
“Significant risks existed within BCPS’ computer network,” they wrote. “For example, monitoring of security activities over critical systems was not sufficient and its computer network was not properly secured.”
The county schools chief of staff, Mychael Dickerson, did not directly respond Thursday to questions about the audit.
He told The Baltimore Sun that investigators say it’s too early to tell the cause of the cyber attack. School officials are continuing to share information with local, state and federal agencies for the investigation, he said. Staff were working on the systems during the Thanksgiving holiday.
Among the audit findings: 26 publicly accessible servers “were located within the BCPS internal network rather than being isolated in a separate protected network zone to minimize security risks.”
“These publicly accessible servers, if compromised, could expose the internal network to attack from external sources,” auditors wrote.
In addition, “intrusion detection prevention system coverage for untrusted traffic did not exist,” the auditors wrote. Also, students were allowed “unnecessary network-level access to administrative servers” within the school system’s data center and individual schools.
The auditors also found that the school system didn’t adequately safeguard personally identifiable information.
The report does not describe what kind of data that was. Auditors wrote that they omitted sensitive aspects about their findings on personal information safeguards in the public report, but shared them with school officials.
In a Nov. 18 formal response to the audit, school officials addressed each finding. They said that they were investigating ways to better protect personal data and that they were relocating publicly accessible servers to a separate network zone.
The Morning Sun
If left unaddressed, the issues identified in the audit could result in a ransomware attack succeeding or “being broader in scope than it otherwise would have been,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.
“It’s absolutely critical that organizations rigidly adhere to best practices,” Callow wrote in an email Thursday to The Baltimore Sun. “If they do not, they face a significantly elevated risk” of a cyber attack succeeding against them.
Callow said that until late last year, ransomware attacks “were simply expensive inconveniences” in which organizations’ data was encrypted.
But now, about 50% of incidents are also data breaches because the threat actors “steal organizations’ information prior to encrypting it,” he said.
He noted that in some cases, hackers have posted online the personal data maintained by organizations.
Local authorities have not said whether the hackers have accessed personal data of students or school employees.
The audit also identified issues unrelated to network security, including the need to improve controls in procurement, disbursements and payroll processing. In one example, auditors found that the school system paid an additional $1.2 million for upgraded anti-theft devices on a $140 million contract for laptops without executing a written contract modification.