Cybersecurity at Val Verde ISD

When it comes to cybersecurity, criminals know no boundaries. And that includes schools.

For example, St. Landry Parish needs $160,000 for cybersecurity after hackers implanted a computer virus in the district’s computer system. In Naperville, Ill., the personal information of nearly 53,000 students and 3,100 educators in Naperville District 203 and Indian Prairie District 204 was exposed following a data breach at a company that handles the districts’ K-8 academic assessments. And in Bethlehem, Pa., hackers accessed the names, birth dates and email addresses of 2,168 students in the Bethlehem Central School District.

A new cybersecurity incident strikes a school district approximately every three days, according to The State of K-12 Cybersecurity: 2018 in Review. Released by the K-12 Cybersecurity Resource Center, the report cited 122 incidents in 2018 that resulted in the theft of millions of taxpayer dollars, stolen identities, tax fraud and altered school records. “Public schools are increasingly relying on technology for teaching, learning and school operations,” said Douglas A. Levin, president of EdTech Strategies and report author. “It should hardly be surprising, therefore, that they are experiencing the same types of data breaches and cybersecurity incidents that have plagued even the most advanced and well-resourced corporations and government agencies.”

Part of the reason, says the report, is that while the basic structure of elementary and secondary schools remains recognizable, one of the most significant ways schools have changed from the past has been via the massive infusion of technology. In fact, U.S. K-12 schools are increasingly reliant on technology and sophisticated IT systems for teaching, learning and school operations.

The number of U.S. K-12 students with access to the broadband they need for ‘digital learning’ in schools and classrooms grew from 4 million in 2013 to 44.7 million in 2018, according to the report. Millions of mobile PCs – notebooks/Macs, netbooks, tablets and Chromebooks – are being purchased by U.S. K-12 schools every year, with the penetration of mobile PC devices used by U.S. teachers and students now above 50 percent. School telephone systems are migrating to VoIP services; point-of-sale systems are deployed in school cafeterias; HVAC and lighting controls are centrally managed via IP networks; student information systems offer real-time insights to administrators, teachers and parents; Internet-connected surveillance cameras are being deployed in the name of school safety; and school district human resource offices manage hiring, payroll and benefits via online portals. While uneven, the scope and speed of technology adoption by U.S. K-12 schools has been remarkable, the report notes.

“The country’s K-12 information-technology leaders are likely underestimating the dangers they face. Most don’t see cybersecurity threats such as ransomware attacks, phishing schemes and data breaches as a significant problem. Even more troubling, many school technology leaders are failing to take basic steps to secure their networks and data,” the report says. Some states and schools are leading the way in this area. For example, under Texas Senate Bill 820, school districts are required to craft a cybersecurity policy to “secure cyberinfrastructure.” Districts must also perform risk assessments and “implement mitigation planning.” Superintendents will designate a cybersecurity coordinator as a liaison between the district and the state and parents.

Even more, Texas House Bill 3834 requires certain state and local government employees and state contractors to complete a cybersecurity training program certified by the Texas Department of Information Resources. Texas school staff and even school board members fall under that category because of their access to sensitive data.

Val Verde USD

No school district wants to become a victim of a cyberattack, so Val Verde USD proactively sought to increase its data protection.

Val Verde Unified School District (USD) provides students with a world-class education to ensure they are ready to assume their roles in the 21st century workforce. Located in Perris, Calif., the district serves 20,000 students in 23 schools and employs 1,800 teachers and staff. The district had four requirements for data backup: integration with primary storage, which is Nimble Storage from Hewlett Packard Enterprise (HPE), faster recovery, tape support and backup to the cloud.

“It’s our job to support the district’s mission through the use of technology,” says Matt Penner, director of information and instructional technology, Val Verde USD. “We don’t simply train students on how to operate technology – we also teach them how to use it as a resource to further their educations and careers. To accomplish this, our data must be backed up and protected at all times, especially if we experience a catastrophic event such as an equipment failure or a cybersecurity incident.”

No school district wants to become a victim of a cyberattack, so Val Verde USD proactively sought to increase its data protection. The most critical data is in a student management system called Aeries. It contains students’ grades, test scores, attendance records and more. The district’s business data is critical as well. It includes financial, HR and payroll – everything that enables the district to operate smoothly.

“Recovery with legacy backup was horrendously slow, taking an average of three hours for a single file,” Penner says. “When recovery takes that long, it makes you question whether getting data back is worth it, and that’s not a position you want to be in. You certainly don’t want to ask the superintendent how badly he needs a file recovered.”

Penner says legacy backup was also difficult to use. “We spent an hour each day on management and maintenance, so combined with slow recovery, legacy backup was consuming eight hours each week. Like most school districts, we have a small IT team, so every minute counts.”

He understood that he would need to engage a partner with expertise updating a legacy backup system. Val Verde USD contacted several resellers for advice. One stood out among the rest: Logicalis, a global provider of digital enablement solutions.

The Solution

Val Verde USD is using the Logicalis Veeam® Availability Suite and has seen significant results in terms of time savings, ease of use and more. “We replaced a legacy backup with Veeam and it significantly improved our ability to protect data,” Penner says. “Recovery speed increased by 98 percent, so if we find ourselves in a catastrophic situation, we know we’ll be able to recover quickly, avoid data loss and operate as normally as possible.”

“It’s amazing how quickly the solution restores data,” adds Brian Falk, Network Services Manager, Val Verde USD. “Rather than asking someone how badly they need us to restore something, we ask, ‘How fast do you need it? No problem!’ We have full confidence in our ability to do our jobs, and we’re able to do our jobs faster. We save eight hours each week because the solution is fast, simple and easy to use.”

The solution is storage-neutral and integrates deeply with many storage providers, It backs up 30 TB across 100 VMware vSphere virtual machines (VMs) from Nimble Storage Snapshots on-premises for fast recovery. Nimble replicates VMs off-premises for disaster recovery (DR).

The solution also allows the IT team to create isolated environments for testing software updates before deploying them in production. “Sandboxing is a big benefit for us,” Falk says. “When our engineers want to test something in Active Directory, we build them isolated environments, giving them full range to completely destroy Active Directory if they need to because we know we can restore it fast.”

Even more the solution provides fast and secure backup, replication and direct restore to the cloud. Val Verde hasn’t chosen a cloud yet, but the solution can leverage any public cloud provider, including AWS, Microsoft Azure and IBM Cloud, or a managed service provider.

“One of the things we like best about the solution is that it can protect all workloads – virtual, physical and cloud – from a single management console,” Falk says. “But we also appreciate that it supports tape backup, which was another requirement. A lot of resellers pushed us away from tape, but they understood our reasoning: It’s additional security for cyberattacks, particularly in the case of ransomware. Tape is our second media in the 3-2-1 backup rule.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Many of the security screening standards in use today were put in place decades ago. They addressed the threats at the time and employed the security screening equipment that was available.