1. Emphasize Backups: Make sure you have multiple, secured backups that are validated (regularly tested), and that at least one is stored offline, off your school system network (not connected to anything, not even the cloud). Can’t afford an expensive air-gapped, cloud-hosted backup solution? No problem: you can back up to encrypted hard drives and store them in a safe.
b. Restrict printers’ access to other systems by removing their internet access and placing printers on an isolated VLAN dedicated to print services.
c. Turn on logging for print spoolers, and set up a flag and alert to notify you of any attempt to initiate printing from outside the school system network.
3. Update Firewall Rules: Review your firewall rules and make sure you take the following actions:
a. Block Cobalt Strike beacons to block Cobalt Strike attacks. Remove any allow-list (green-list) entries for Cobalt Strike beacons on your firewalls. While Cobalt Strike can legitimately be used for penetration testing, it does not need to be enabled on your network.
b. Deny all access to print spoolers from any external devices. The Windows Print Spooler service uses a high-numbered TCP port range, including ports 49152 through 65535.
c. Block international communications at the firewall level. Implement a deny-all, and then add exceptions for approved devices on an as-needed basis.
d. Monitor outgoing traffic for suspicious patterns, as well as incoming traffic.
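As an added example (not part of the CoSN advisory), the following Windows PowerShell script implements item c above: it turns on the print spooler's operational log and flags "document printed" events (Event ID 307) whose requesting client is outside the district's own address space. The internal ranges, the bare-hostname heuristic and the alert hook are assumptions to adapt to your environment.

```powershell
# Added example, not from the advisory. Run as an administrator on the print server.
# The spooler's operational log is off by default; enable it so Event ID 307 is recorded.
wevtutil set-log Microsoft-Windows-PrintService/Operational /enabled:true

# Assumption: replace these placeholder ranges with the school system's real address space.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function Test-InternalIPv4 {
    # Returns $true when $Ip is an IPv4 address inside one of the CIDR ranges.
    param([string]$Ip, [string[]]$Ranges)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or
        $addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $addr.GetAddressBytes()
    $a = [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
    foreach ($r in $Ranges) {
        $net, $bits = $r.Split('/')
        $nb = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
        $n = [int64]$nb[0] * 16777216 + [int64]$nb[1] * 65536 + [int64]$nb[2] * 256 + [int64]$nb[3]
        $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($a -band $mask) -eq ($n -band $mask)) { return $true }
    }
    return $false
}

# Event 307 records the requesting client in Param4 as "\\HOSTNAME" or "\\1.2.3.4".
# Heuristic (assumption): a bare hostname only resolves through the district's own name
# service, so it is treated as internal; an IP outside $InternalRanges or a fully
# qualified external name is flagged.
$Suspicious = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 307 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.DocumentPrinted
        $client = $d.Param4.TrimStart('\')
        $isIp = $client -match '^\d{1,3}(\.\d{1,3}){3}$'
        $internal = if ($isIp) { Test-InternalIPv4 -Ip $client -Ranges $InternalRanges } else { $client -notmatch '\.' }
        if (-not $internal) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.Param3; Client = $client; Printer = $d.Param5; Document = $d.Param2 }
        }
    }

# Alert hook: hand the flagged jobs to whatever your monitoring already consumes
# (email, SIEM forwarder, ticket). Here they are written as a warning to the console.
if ($Suspicious) {
    Write-Warning "Print jobs initiated from outside the school network:"
    $Suspicious | Format-Table -AutoSize | Out-String | Write-Warning
}
```

Schedule the script to run on the print server (for example, as a task that repeats every few minutes) so the warning becomes a standing alert rather than a one-off check.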
There is no set of tools or security solutions that replace the hard work of doing the security basics, and tools alone will not reduce your risk. However, these basic steps can add layers of protection and reduce your risk with a relatively short time commitment.
Authors: Amy McLaughlin, Rod Russeau, Tony Harvey, and Ryan Cloutier.
CoSN Cybersecurity Advisory Committee Members
Published on: Sept. 27, 2022
CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.