Forum Guide to Cybersecurity: Safeguarding Your Data
Chapter 3: During a Cybersecurity Incident—Mitigation
This chapter reviews measures that agencies can take when a cybersecurity incident has occurred to mitigate the impact of the incident. Many of the recommendations included in this chapter assume that the agency has adhered to the recommendations in Chapter 2 regarding adequate planning before a cybersecurity incident. The recommendations below are not listed in linear order or order of importance; rather, they are best practices that may occur concurrently or in sequential order. The information is general in nature and not exhaustive. Agencies should adapt the information provided to meet their specific needs and requirements.
Confirm the Incident
A cybersecurity incident might be detected through automated monitoring software or through the observation of suspicious activity. As part of the cybersecurity incident response plan, agencies should have a process in place for staff to report a potential cybersecurity incident or event to the specific department or staff responsible for confirming whether an incident has occurred. After a suspected incident has been reported, the department or staff identified in the response plan examine the available evidence and information to confirm that an incident occurred and to determine whether it is ongoing. Following incident confirmation, determine
- the scope and severity of the incident;
- the number of systems, devices, and users that have been affected by the incident;
- whether any data may have been compromised, and if so, the sensitivity of the data;
- the potential effect of the incident on routine agency operations; and
- whether the incident appears to be malicious or unintentional.
This information will enable the agency to respond appropriately. For example, an agency may need to initiate an advanced, agency-wide response if a malicious hacker attacked the agency’s human resources system and accessed banking information. Conversely, if a staff member unintentionally accessed the agency’s student information system under another staff member’s log-in, the incident would not require an agency-wide response. Rather, the incident could be resolved through one-on-one corrective action and staff training.
Initiate a Response
Once a cybersecurity incident has been confirmed, the cybersecurity response team should consult the response plan to determine how to proceed. Depending on the scope and severity of the incident, some or all of the activities in the cybersecurity response plan may be activated. As noted previously, a malicious attack on an agency’s mission-critical systems and data would require a more advanced response than a minor, unintentional error that did not compromise agency operations. Response activities are intended to contain the incident and prevent further damage. This may include isolating systems from the network, shutting down systems, unplugging devices, and resetting log-ins (passwords and other credentials). Where law enforcement involvement is possible, coordinate containment with evidence preservation: disconnecting a system from the network preserves volatile evidence such as memory contents and active sessions that powering it off would discard. Data management and systems operations may be disrupted, including, in extreme situations, the loss of hardware that houses a critical data system, although good planning should ensure that adequate backups are available. Prioritizing essential business functions can help focus response efforts on the critical systems and data that support those functions.
The case study on responding to a vendor data breach included in Chapter 5 details the experience of an LEA maintaining communication during the incident.
Maintain Communication
Compromised systems can make communication difficult in the wake of an incident. E-mail, internet, and Voice over Internet Protocol (VoIP) systems may be inaccessible as a result of the incident, or they may be offline to help mitigate further issues. If regular telecommunication, internet, e-mail, and other communication channels are impacted by the incident, alternate or temporary communication methods may need to be used.
Depending on the severity of the incident, an agency’s cybersecurity insurance provider might need to be contacted shortly after an incident occurs to ensure the agency responds per policy requirements. The team should also consult legal personnel to determine the agency’s responsibilities and requirements regarding applicable legislation, regulations, and policies.
Communication with federal, state, and local law enforcement during and immediately following a cybersecurity incident may be appropriate if criminal activity is suspected. The U.S. Department of Justice, Computer Crime and Intellectual Property Section maintains a webpage with information and resources on reporting computer, internet-related, or intellectual property crime to federal investigative law enforcement agencies: https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime. If a financial crime is suspected, the U.S. Secret Service may be able to provide investigative assistance: https://www.secretservice.gov/investigation/#cyber.
The case study on responding to an SQL injection attack included in Chapter 5 details the experience of an SEA confirming the incident, initiating a response, and assessing affected systems.
External Communication
Staff who are responsible for agency communications are often best-suited to coordinate external communications with parents, the media, and other parties. Stakeholders, particularly parents, often seek reassurance from agency leaders and want to know that the agency is aware of an incident and working to mitigate it. Communicating factual information about the incident in a timely, concise, clear, and frequent manner can help alleviate stakeholder concerns.
Teleconferencing Services
Teleconferencing services enable education agency staff to connect with their colleagues and students, but these services also introduce new risks. Many education agencies transitioned to remote working and learning during the coronavirus disease (COVID-19) pandemic. In response, malicious actors targeted teleconferencing service users, disrupted virtual meetings, spoofed legitimate meetings, and used fake websites and phishing e-mails to capture sensitive personal and financial information. The following teleconferencing best practices can help protect agencies, hosts, and users.
Agencies
- Look into different teleconferencing services and determine which ones meet agency security requirements.
- If a preferred service does not meet agency security requirements, consider working with the service to enhance security for potential future use.
- Ensure the services are configured securely and that host account and meeting passwords are kept confidential.
- Enable multi-factor authentication for any accounts hosting meetings.
- Create policies for the secure use of teleconferencing service.
- Inform staff as to which services are approved and not approved.
- Train staff on how to use teleconferencing services safely and appropriately.
- Investigate any suspicious activity reported by meeting hosts and participants.
Meeting Hosts and Organizers
- Only use official, approved services.
- Make sure the administrator settings are correct.
- Require a password for entry. If sensitive information will be shared, consider sending attendees individual meeting passwords to verify their identity during the meeting.
- Use a lobby (waiting room) so that only known attendees are admitted.
- Remove any participants who will not confirm their identity.
- Close or lock the conference after the meeting has started.
- Understand how to remove participants if needed.
- Limit what is shared on screen. Sharing files is safer than sharing applications and desktops.
- Be aware of what might be shown on a webcam. Blur, replace, or remove any sensitive information that might appear in the background.
- Inform participants whether or not screenshots are allowed.
- Keep a record of meeting attendees (such as phone numbers or Internet Protocol [IP] addresses). If a cybersecurity incident occurs, share this information with law enforcement.
Meeting Participants
- Double-check the web address of the meeting to ensure it is associated with the correct organization.
- Make sure teleconferencing software is up to date or join meetings via a web browser.
- Observe who is hosting and attending to confirm it is the correct meeting.
- Assume that everything shared during a meeting will be recorded and potentially made public.
Assess Affected Systems
Maintaining system integrity and security is of utmost importance. The first systems-related task for an agency that experiences a cybersecurity incident is to determine which systems have been affected and assess whether any data or information that are stored on, processed by, or transmitted by the affected systems have been compromised. This task is often completed as part of the incident confirmation process. Having an inventory of all agency assets (such as systems, devices, and data) will expedite this task. Log reports generated by automated monitoring software can help staff determine whether systems are working as they should be. If the threat remains active and has not been mitigated, any affected systems, hardware, devices, or software may need to be taken offline or shut down completely to prevent further impact. It can be helpful to prepare an alternate process, such as paper forms, for data collections that need to continue while systems are offline or otherwise inaccessible (for example, attendance, food services, mandatory testing). If an incident occurs during required federal or state data collections, an agency may need to request a waiver or extension.
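The scoping questions listed under “Confirm the Incident” (which systems, how many users, what data sensitivity, malicious or unintentional) and the asset-inventory step described above can be answered mechanically once the agency has an inventory and alert logs to join. The following Python script is an added example, not code from the Forum Guide or from any monitoring product: the asset inventory, the key=value alert format, the event-type names, and the rule that maps findings to a response level are all constructed for illustration. It also flags alerts on hosts the inventory does not know, which is the inventory gap a practitioner most often discovers mid-incident.

```python
"""Scope a confirmed incident by joining monitoring alerts against an asset inventory.

Added example. INVENTORY, the alert lines, the event names and the response rule
are constructed for illustration; they are not from the Forum Guide or any product.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed asset inventory (the kind of record Chapter 2 recommends keeping).
# sensitivity: "pii" (FERPA-protected or financial data), "internal", or "public".
INVENTORY = {
    "sis-db01":   {"system": "Student information system", "sensitivity": "pii",      "essential": True},
    "hr-app01":   {"system": "Human resources / payroll",   "sensitivity": "pii",      "essential": True},
    "web-pub01":  {"system": "Public website",              "sensitivity": "public",   "essential": False},
    "lab-ws-114": {"system": "Computer lab workstation",    "sensitivity": "internal", "essential": False},
}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "pii": 2}

# Assumed event vocabulary. HOSTILE events indicate a malicious actor; EXPOSURE
# events mean data on that host must be treated as touched. A lone login_failure
# is neither, so it never makes a host "affected" on its own.
HOSTILE = {"malware_detected", "outbound_transfer"}
EXPOSURE = {"outbound_transfer", "shared_credential_use"}
INCIDENT_EVENTS = HOSTILE | EXPOSURE

# Assumed agency-internal ranges (RFC 1918). Anything else is an external source.
AGENCY_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed alert lines: timestamp followed by key=value pairs.
ALERTS_HR_BREACH = """\
2024-03-04T08:12:03Z host=hr-app01 user=svc_payroll event=malware_detected src=203.0.113.5
2024-03-04T08:13:40Z host=hr-app01 user=svc_payroll event=outbound_transfer src=203.0.113.5 bytes=48213000
2024-03-04T08:20:11Z host=lab-ws-114 user=student42 event=login_failure src=10.20.9.3
2024-03-04T08:22:45Z host=print-srv07 user=- event=malware_detected src=10.20.1.99
"""
ALERTS_SHARED_LOGIN = """\
2024-03-04T09:02:10Z host=sis-db01 user=mlee event=shared_credential_use src=10.20.4.17 actual_user=jdoe
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_alerts(text):
    """Yield one dict per non-empty alert line; the first token is the timestamp."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = ts
        yield rec


def is_external(ip):
    """True when the source address lies outside the assumed agency ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in AGENCY_NETWORKS)


@dataclass
class Scope:
    systems: list = field(default_factory=list)          # affected hosts, first-seen order
    unknown_assets: list = field(default_factory=list)   # affected hosts missing from the inventory
    users: set = field(default_factory=set)
    external_sources: set = field(default_factory=set)   # candidates to share with law enforcement
    malicious: bool = False
    data_exposed: bool = False
    highest_sensitivity: str = "public"
    essential_affected: bool = False

    @property
    def response_level(self):
        """Assumed rule reflecting the guide's two examples: a malicious hit on PII or an
        essential system is agency-wide; a single-system unintentional error is limited."""
        if self.malicious and (self.essential_affected or self.highest_sensitivity == "pii"):
            return "agency-wide"
        if self.malicious or len(self.systems) > 1 or self.unknown_assets:
            return "targeted"
        return "limited"


def scope_incident(alert_text, inventory=INVENTORY):
    """Reduce alert lines to the scope/severity facts the response plan asks for."""
    scope = Scope()
    for rec in parse_alerts(alert_text):
        event, host = rec.get("event"), rec.get("host")
        if event not in INCIDENT_EVENTS:
            continue
        if host not in scope.systems:
            scope.systems.append(host)
            asset = inventory.get(host)
            if asset is None:
                scope.unknown_assets.append(host)
            else:
                if SENSITIVITY_RANK[asset["sensitivity"]] > SENSITIVITY_RANK[scope.highest_sensitivity]:
                    scope.highest_sensitivity = asset["sensitivity"]
                scope.essential_affected |= asset["essential"]
        if rec.get("user", "-") != "-":
            scope.users.add(rec["user"])
        scope.malicious |= event in HOSTILE
        scope.data_exposed |= event in EXPOSURE
        if rec.get("src") and is_external(rec["src"]):
            scope.external_sources.add(rec["src"])
    return scope


if __name__ == "__main__":
    for label, alerts in (("HR breach", ALERTS_HR_BREACH), ("Shared login", ALERTS_SHARED_LOGIN)):
        s = scope_incident(alerts)
        print(f"{label}: {len(s.systems)} system(s) {s.systems}, users={sorted(s.users)}, "
              f"unknown={s.unknown_assets}, malicious={s.malicious}, pii={s.highest_sensitivity == 'pii'}, "
              f"response={s.response_level}")
```

Run against the two constructed alert sets, the HR scenario comes out as a malicious, agency-wide incident touching PII on an essential system with an external source address to preserve for law enforcement, and `print-srv07` is reported as an asset the inventory has no record of. The shared-login scenario comes out as limited in scope, matching the guide's one-on-one corrective action, yet `data_exposed` on a PII host is still true, which is the signal to involve legal counsel under the PII guidance below regardless of response level.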
If private or personally identifiable information (PII) has been exposed as a result of the incident, seek legal counsel’s advice on notifying the affected individuals as soon as possible. PII includes, but is not necessarily limited to, direct identifiers (for example, names or identification numbers), indirect identifiers (such as birthdates), and other information that can be used to distinguish or trace a person’s identity either directly or indirectly through linkage with other information. For the complete definition of PII specific to education records, and for examples of other data elements defined to constitute PII, see the Family Educational Rights and Privacy Act (FERPA) and its implementing regulations (34 CFR § 99.3).
Checklist of Actions to Perform During a Cybersecurity Incident
✓ Report the suspected cybersecurity incident to the specific department/staff responsible for confirming whether an incident has occurred.
✓ Confirm that an incident has occurred by examining the available evidence and information.
✓ Determine the scope and severity of the incident to identify the impact.
✓ Consult the response plan to determine how to proceed.
✓ Prioritize essential business functions to help focus response efforts.
✓ Consider using alternate or temporary communication methods if regular communication channels are impacted.
✓ Contact the agency’s cybersecurity insurance provider to ensure that response activities are per policy requirements.
✓ Consult legal personnel to determine the agency’s responsibilities and requirements, including situations where PII has been exposed.
✓ Communicate the response plan to staff at all levels of the agency.
✓ Communicate the incident to law enforcement if criminal activity is suspected.
✓ Communicate facts about the incident to external stakeholders, including parents.
✓ Inventory all systems, determine which systems have been affected, and assess whether any data or information have been compromised.
✓ Prepare an alternate data collection process for any collections that must continue while systems are offline/inaccessible.
✓ Retrieve any lost data from an alternative source.