The cybersecurity challenges in the government and education space are nothing new. Such challenges soared with COVID and continue today. Unfortunately, the cyber defense of mission-critical government and education services has not always kept pace, so we still see risk from several common vulnerabilities—especially for K-12 education organizations. But with free tools available to detect identity security vulnerabilities, as well as new funding and support opportunities, schools and school districts can significantly improve their security stance in 2023.

Why do cyberattackers target K-12 schools?

According to the Multi-State Information Sharing and Analysis Center (MS ISAC), 29 percent of surveyed K–12 members were victims of a cyberattack in 2021. Cyberattacks against the Los Angeles Unified School District last September led to a U.S. federal warning about an increase of ransomware attacks against the K-12 sector.

Why target K-12 schools? Several potential factors are at play:

Schools and school districts host vast amounts of personal and financial data.
As part of the country’s critical infrastructure, schools are anxious to avoid long shutdowns.
Pandemic-related increases in remote infrastructure have opened doors to attackers.
Finite resources can translate to gaps in cybersecurity measures.

Vice Society (the attackers in the Los Angeles incident) are known for using privilege escalation and domain admin access to carry out double-extortion attacks, in which threat actors steal data and inject malware or ransomware into the targeted systems. Such exploits rely on the infiltration of Active Directory (AD), the directory service that forms the core identity infrastructure for many school districts.

Why is AD such an attractive target for cyberattackers?

AD is the access key to user and computer accounts throughout your organization.
AD environments are notorious for “configuration drift,” in which outdated access permissions and user accounts open holes in the AD attack surface.
Many attackers inject malware or ransomware weeks or months before triggering it, thus infecting system backups and making recovery more difficult.
Newer attacks are adept at bypassing or hiding from traditional security measures.

How can K-12 schools improve identity-focused security?

The best defense against any cyberattack is to focus on a solid operational resilience plan. Such a plan prepares you for recovery should the worst happen. A robust operational resilience strategy includes all critical systems, such as the identity infrastructure, including AD and Azure AD. Protecting these systems enable government and education to maintain the services they provide constituents and students.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) advises K-12 institutions to “invest in the most impactful security measures,” including “mitigating known exploited vulnerabilities, implementing and testing backups,” and “regularly exercising an incident response plan.” This includes taking steps to “minimize exposure to common attacks.”

“Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution,” CISA notes. “Leaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.”

Tools and resources for K-12 identity-focused cybersecurity

Prioritizing AD forest recovery as part of your cyber and operational resilience plans is a vital step that K-12—and all state, local, and education (SLED)—organizations can take today to protect themselves against evolving cyberthreats for the long haul. The good news is that funding and support are available to power this mission. The State and Local Cybersecurity Grant Program and CISA provide grants and other resources.

Even without additional funding, K-12 schools can take advantage of free AD vulnerability and attack-path discovery tools, such as Purple Knight and Forest Druid. These tools, which require no installation or special access permissions, are designed specifically to detect AD and Azure AD vulnerabilities. The tools provide easy-to-read reports and actionable guidance to closing AD security gaps. Purple Knight also identifies incidents of compromise (IOCs)—signs that attackers might already have breached the AD infrastructure.


When it comes to backups and incident response, the best approach is to maintain and regularly test AD-specific backups and to develop a detailed plan for recovering AD. Look for expert Identity Threat Detection and Response (ITDR) tools such as Semperis Directory Services Protector (DSP) and Active Directory Forest Recovery (ADFR), which provide next-level protection:

Malware-free AD backups
Automated remediation of suspicious changes
Fast AD forest recovery (90 percent faster than manual recovery methods)
24/7 incident response services

The smart move: Act now to protect AD

Cyberattackers show no signs of slowing their attacks against K-12 schools and other SLED organizations. Schools and districts that develop a cyber incident response plan, download and use free tools to detect and close AD vulnerabilities, and pursue funding for more advanced cybersecurity solutions will be well positioned to fend off such threats, protecting students and staff alike.

Learn more about K-12 schools and identity-first security

Missouri School District Improves AD Security Posture
Washington State School District Uncovers Legacy AD Misconfigurations
2022 Purple Knight Report

The post How Can K-12 Schools Defend Against Ransomware? appeared first on Semperis.