Implementing robust cyber security measures after school endured a severe data breach

A serious cyber security breach

In 2021, Lady Eleanor Holles School faced a severe cyber security breach, compromising the Veeam Backup Server & subsequently gaining access to the VMware Server administration.

This breach showcased the importance of a robust cyber security strategy.

How serious was the data breach & how did it happen?

This breach led to the irreversible deletion of critical virtual machines (VMs). The attackers escalated their actions by wiping first-level backups on the Veeam server and targeting QNAP second-level backups in the Junior School. They also encrypted a VM and left a ransom message in the VM server administration. The chaos extended to rendering school workstations inoperable, displaying ransom demands across all printers.

Attackers exploited a four-year-old RM network administrator password, previously known to former IT staff. Acquisition methods might have included hacking web services, using the same password, or deploying a key logger via a malware attachment. WDigest credential harvesting, identified on the Veeam backup server, involves storing clear-text credentials in memory, making them susceptible to theft.

Our secure solution

We implemented immediate security measures after the event such as changing all administrator passwords to prevent a single point of compromise. The Veeam backup server underwent reconstruction, restoring most VMs from the CT Secure Cloud Backup which was thankfully installed a week prior to the attack. All VMs were thoroughly scanned for viruses, and essential Windows updates were applied before reconnecting to the network.

Protective measures included Microsoft 365 Advanced Threat Protection and antivirus software on all new network servers and workstations. In additions, the following actions we implemented for the future cyber security of the school:

  1. Unique Passwords: Implementing distinct passwords for different systems.
  2. Administrator Account Usage: Instructing IT staff to avoid using the administrator account unless necessary.
  3. Password Renewals: Enforcing 90-day administrator password renewals for all accounts.
  4. Air-Gapped Backups: Using air-gapped disk caddy backups disconnected from the network.
  5. Cloud Backup Maintenance: Maintaining cloud backup services with sufficient capacity for all VMs.
  6. Security Best Practices: Adhering to cyber security best practices for remote desktop usage.
  7. Prompt Security Updates: Ensuring timely application of all security updates.

Client
review

“While first and second-level backups were historically deemed sufficient, evolving attack strategies such as the complete destruction of online accessible backups, exposed vulnerabilities. The recovered VMs from the old RM network revealed critical issues like the absence of anti-virus software, disabled firewalls, and unrestricted administration access via remote desktop.”

Martin Taylor, Director IT Services at LEH School