Cybersecurity Controls [Best Practices]

In this in-depth guide, you’ll learn:

  • Why security controls are needed
  • Actionable steps to protect your organization
  • Additional resources to further protect your organization

Are you ready to protect your School? Let’s jump in.

Protecting your School

Maybe you are new to your school or just new to a role where you are now in charge of cybersecurity. You may be feeling lost with what needs to be done to protect your school or organization.

Cybersecurity controls are needed to protect a school’s sensitive and critical information. They are mechanisms used to prevent, detect and mitigate cyber threats and attacks. Schools are increasingly becoming targets of cyber attacks due to lax security policies and lack of cybersecurity awareness in tandem with increasing dollar value attached to student records. So now, more than ever, it is important to implement controls and limit who has access to what information.

The problem is there are many different systems to protect and many things to monitor. It can be a daunting task to dive into security-related policies, procedures, and controls. One of the first resources you should use is the K12 SIX Essential Protections.

K12 SIX’s resources are a great first step toward assessing your organization’s cybersecurity without being overwhelmed. They include:

  • K12 Essential Protections
    • A quick recommendation of protective measures broken down into 4 areas.
  • K12 Cybersecurity Standards
    • A short list of actionable cybersecurity controls.
  • District Self-Assessment Tool
    • A brief 12-question self-assessment.

These resources are invaluable for getting your organization on the right track. In the next section we’ll run through some actionable steps you can take to get going on improving your security posture today.

Security Controls – Actionable Steps

In this section we will detail examples of security controls that you can implement in your school today. Some of these are security controls for Microsoft’s Active Directory and others are general controls that can be implemented on any network.

Those listed as GPO are Group Policy Objects within Active Directory. GPOs can be edited with the Group Policy Management Editor, which is part of RSAT (Remote Server Administration Tools).

  • 30-minute screen lockout – GPO
    • After 30 minutes of inactivity the Windows workstation will lock itself and return to the login screen.

  • Auto Shutdown Windows Workstations at Night – GPO
    • Not only does this save the school money through lower power consumption, it also limits access to workstations in the event of a malware infection on the network.

  • Block the creation of unauthorized scheduled tasks – GPO
    • Prevents another avenue for malware to operate.

  • Block executables from executing from USB drives – GPO
    • Prevents someone from accidentally infecting your network with malware if they bring a USB key from home.

  • Disable Autoplay from removable media – GPO
    • Prevents malicious software from auto executing.

  • Disable Windows 10 peer to peer updates – GPO
    • Malware can spread through this feature.

  • Enable Windows Firewall for all workstations – GPO
    • A bit time-consuming, as you will need to determine which ports are required to be open for your workstations to communicate properly on your network.
    • In the navigation pane of the Group Policy Object Editor, navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall.
    • For more information, see Microsoft’s Best Practices for configuring Windows Defender Firewall.
  • Deploy an Endpoint Detection and Response (EDR) system to your workstations.
    • If you have Microsoft campus licensing, then you likely already have Microsoft Defender for Endpoint available. You can manage it with Microsoft’s Configuration Manager.
  • Enable LAPS (Local Administrator Password Solution) for Windows workstations.
  • Create password requirements.
    • Set requirements in any systems that the school uses.
    • Password recommendations from the National Institute of Standards and Technology (NIST), Special Publication 800-63B.
      • Password length is more important than password complexity.
        • Utilize long pass-phrases.
      • Limit the number of failed password attempts before account lockout.
      • Implement 2-factor authentication (more on that below).
  • Set passwords on all network equipment.
    • Routers, switches, etc.
  • Create levels of account access (Active Directory).
    • Limit Domain Admin privileges.
    • Create local admin accounts for technicians so they can install software and perform elevated tasks on workstations.
    • Create help desk accounts for user management.
    • By creating different account levels and limiting access, you reduce the risk that elevated accounts can be compromised.
  • Remove Local Administrator rights from staff accounts.
    • This is the MOST important thing you can do to protect your network!
    • It is difficult for malware to spread in a network when the users do not have local administrator rights to their workstations.
  • Restrict who has remote access to your network.
    • Do not allow staff access to remote tools like TeamViewer.
    • Create a VPN on your firewall to allow remote access.
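Once the GPOs above are linked, you still need to confirm they actually landed on each workstation. The following PowerShell audit script is an added example written for this guide, not part of the original post or of any Microsoft tool: it reads the registry values that several of the listed policies write (screen lock inactivity limit, AutoPlay, Delivery Optimization peer-to-peer updates, removable-disk execute denial, legacy LAPS), checks that all three Windows Firewall profiles are enabled, and lists who sits in the local Administrators group. The registry paths and expected values are this example’s assumptions about where those policies land; the allowed-admins list is also an assumption, so compare the output against your own gpresult report.

```powershell
# Added example (not from the original guide): read-only audit of a Windows
# workstation for several of the GPO controls listed above.
# Run from an elevated PowerShell on a domain-joined workstation, ideally after
# 'gpupdate /force'. Registry locations and expected values below are this
# example's assumptions about where each policy is written.

$checks = @(
    @{ Name  = 'Machine inactivity limit (screen lock) is 30 minutes or less'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'InactivityTimeoutSecs'
       Test  = { param($v) ($null -ne $v) -and ($v -gt 0) -and ($v -le 1800) } },
    @{ Name  = 'AutoPlay disabled on all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'
       Test  = { param($v) $v -eq 255 } },
    @{ Name  = 'Delivery Optimization peer-to-peer updates off (HTTP only or bypass)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
       Value = 'DODownloadMode'
       Test  = { param($v) $v -in @(0, 100) } },
    @{ Name  = 'Removable disks: deny execute access'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Value = 'Deny_Execute'
       Test  = { param($v) $v -eq 1 } },
    @{ Name  = 'Legacy LAPS (AdmPwd) enabled'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
       Value = 'AdmPwdEnabled'
       Test  = { param($v) $v -eq 1 } }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing, i.e. the policy never applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = @()

foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
    $results += [pscustomobject]@{
        Control = $c.Name
        Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status  = if (& $c.Test $actual) { 'PASS' } else { 'FAIL' }
    }
}

# Windows Firewall: every profile (Domain, Private, Public) should be enabled.
# ($fwProfile rather than $profile, which is an automatic variable in PowerShell.)
foreach ($fwProfile in Get-NetFirewallProfile) {
    $results += [pscustomobject]@{
        Control = "Windows Firewall enabled ($($fwProfile.Name) profile)"
        Actual  = "$($fwProfile.Enabled)"
        Status  = if ("$($fwProfile.Enabled)" -eq 'True') { 'PASS' } else { 'FAIL' }
    }
}

# Local Administrators group: anything beyond the built-in account and Domain
# Admins is flagged for review. The allowed list is an assumption; add your own
# technician/LAPS-managed accounts here if your design permits them.
$allowed = @("$env:COMPUTERNAME\Administrator", "$env:USERDOMAIN\Domain Admins")
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$extra   = @($members | Where-Object { $_ -notin $allowed })
$results += [pscustomobject]@{
    Control = 'No unexpected members in local Administrators group'
    Actual  = if ($extra.Count -eq 0) { 'none' } else { $extra -join ', ' }
    Status  = if ($extra.Count -eq 0) { 'PASS' } else { 'FAIL' }
}

$results | Format-Table -AutoSize
```

Run it on a handful of workstations from different OUs; a FAIL with "<not set>" usually means the GPO is not linked to that OU or is being blocked by inheritance, whereas a FAIL with a wrong value points to a conflicting policy applied later. Both are worth chasing before assuming the control is in place.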

Multi-Factor Authentication (MFA) and 2-Step Verification

Apart from the security controls listed above, Multi-Factor Authentication and 2-Step Verification are methods that are crucial to help secure one’s identity from unauthorized access. They require two or more factors in addition to your user credentials to verify access. Factors used to authenticate include a password, a PIN, a smartphone, a secure USB key, a fingerprint or facial recognition.

Many insurance companies that offer cybersecurity insurance are beginning to require their clients to have MFA for their users to access email or systems with sensitive information.

2-Step Verification is easy to implement if you are a Google Workspace for Education school. Factors that Google offers are security keys, Google prompt on smartphones, Google Authenticator, backup codes and text message codes. To find out more about how to deploy 2-Step Verification, check out Google’s guide Deploy 2-Step Verification.

A locally hosted Active Directory does not have multi-factor authentication built in, and it will require a third-party system to implement. Two third-party solutions that can achieve this are Duo and AuthLite. AuthLite is the more affordable of the two options.

A YubiKey is another hardware-based factor that can be used with many MFA systems. It looks similar to a USB storage device, but it sends one-time passwords to create a second layer of authentication.

Malicious Domain Blocking and Reporting Data Flow (MDBR)

MDBR is a free service for members of the Multi-State Information Sharing and Analysis Center (MS-ISAC) in the United States. MS-ISAC membership is free for state, local, tribal and territorial governments.

MDBR technology prevents IT systems from connecting to harmful web domains, which can limit malware infections, ransomware, phishing and other cyber threats. This service can prevent ransomware’s delivery domain from being contacted.

The MDBR service is similar to DNS filtering services, but uses threat intelligence to block malicious domains. If you are outside the U.S. and are interested in a similar service, look into commercial options through Akamai, Cisco, and Cloudflare.

The Next Steps

Great, you have implemented some baseline security controls and other measures, now what? The next step is to begin building security policies and procedures, such as developing a Data Governance Plan and an Incident Response Plan.

Download the Center for Internet Security’s (CIS) 18 Critical Security Controls. Begin digging through these controls and see what things you need to improve in your school.

The state of Michigan has great resources on Incident Response Planning, including a sample Incident Response Plan to help get you started.

Great resources to assist with data governance planning are the Privacy Technical Assistance Center’s Data Governance Checklist and Data Governance and Stewardship.

Lastly, humans are the weakest link in any organization. Get your staff trained and look into running phishing campaigns to test your staff. A company like KnowBe4 offers phishing and training services.

Sleep Easier

Ransomware and hackers are the things that keep I.T. Directors and Sysadmins up at night. By adding these security controls your organization will be much more secure and a far harder target. Don’t be the low-hanging fruit!