NIST Reporting
Feb - 2024
Reporting
Summary
A new teacher reported that she could not log into her internal network account. The teacher indicated that she had received an email this morning asking her to go to an external website and log in with her credentials to retrieve a message from the principal. Access logs indicate that her account has been actively accessing student records. We believe this is the method a threat actor used to gain access to internal networks and student grades. Teachers have indicated that three students’ grades have been altered.
Identify
The team audited the systems, devices, and access policies of teachers and students on the system. The team found that a threat actor obtained the teacher's credentials and used them to access student data on the school's database, specifically the grades of three students.
Protect
The team implemented multi-factor authentication (MFA) to prevent future attacks. To this end, the team has created a training video for all employees explaining how to set up MFA and reviewing policies regarding sharing credentials.
Detect
The team has implemented new firewall logging and policy flags for employees. The new flag for employees' failed login attempts is set to three. The new flag for teachers' login attempts from outside the VPN network is also set to three.
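The two flags above, sketched as detection logic over authentication log lines. This is an added example, not the team's actual firewall configuration. The log layout, the VPN subnet, the role names and the sample lines are assumptions, and counts run over whatever log is passed in because the report does not state a time window.

```python
import ipaddress
from collections import Counter

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN address pool
THRESHOLD = 3                                  # the report sets both flags to three

# Constructed sample lines: timestamp user role source_ip result
SAMPLE_LOG = """\
2024-02-12T07:58:01 jdoe teacher 203.0.113.40 FAIL
2024-02-12T07:58:09 jdoe teacher 203.0.113.40 FAIL
2024-02-12T07:58:20 jdoe teacher 203.0.113.40 OK
2024-02-12T08:10:00 asmith staff 10.8.0.15 FAIL
2024-02-12T08:10:05 asmith staff 10.8.0.15 FAIL
2024-02-12T08:10:11 asmith staff 10.8.0.15 FAIL
2024-02-12T08:15:00 mlee teacher 10.8.0.22 OK
this line is malformed
"""

def parse(line):
    """Split one log line into fields; raises ValueError if malformed."""
    ts, user, role, ip, result = line.split()
    return ts, user, role, ipaddress.ip_address(ip), result == "OK"

def evaluate(log_text, threshold=THRESHOLD):
    """Return (flag, user, timestamp) for each user who reaches a threshold."""
    failed, off_vpn, alerts = Counter(), Counter(), []
    for line in log_text.splitlines():
        try:
            ts, user, role, ip, ok = parse(line)
        except ValueError:
            continue  # skip lines that do not match the assumed layout
        # Flag 1: failed login attempts by any employee.
        if not ok:
            failed[user] += 1
            if failed[user] == threshold:
                alerts.append(("failed_logins", user, ts))
        # Flag 2: teacher login attempts (successful or not) from outside the VPN.
        if role == "teacher" and ip not in VPN_NET:
            off_vpn[user] += 1
            if off_vpn[user] == threshold:
                alerts.append(("teacher_outside_vpn", user, ts))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

In the sample, the teacher account never reaches three failed attempts because the third attempt succeeds; it is the outside-VPN flag that fires for it.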
Respond
The team reset teachers’ passwords, provided training to teachers and employees on how to protect login credentials in the future, informed upper management of the event, and contacted the students' parents.
Recover
The team restored student grades by restoring the database from backup. We informed staff that grades from today will not be in the database and will need to be re-entered.