Security Risk by Accepting Policy Exceptions

John P. Gormally, SR
3 min readAug 7, 2022


MITRE ATT&CK Framework

When an exception to the rule becomes a security breach.

I was profoundly shocked after reading the K-12 Cybersecurity Act of 2021. The act directs CISA to complete a 120-day study of the attack vectors impacting K-12 school districts and to produce recommendations, including guidance for dealing with malware and ransomware. What this act and similar educational security mandates lack is any requirement that the recommendations actually be implemented, and any accountability when they are not.

An exception to any rule creates more issues by undermining the core principle. K-12 schools have been under cyberattack for years, including ransomware, malware, and brute-force attacks against passwords, and many districts have been short-sighted about cybersecurity for just as long. Finally, a cybersecurity act is in play for schools; however, implementing its recommendations is strictly voluntary.

What is the impact of a school district getting hacked?

In some shocking cases, attackers compromised targeted students’ records, deleted their work, and locked them out of online classes, then demanded ransoms from the parents. A breach at Fairfax County Public Schools in Virginia ended with student and staff Social Security numbers posted publicly; the district agreed to pay for credit monitoring for those affected by the breach.

Protection Against Costly Attacks Improves Resiliency

In the face of an impending recession, school budgets may get tighter. Few districts can afford the financial losses of a ransomware attack or the expensive downtime that comes with a disrupted district network. These devastatingly expensive cyber attacks hit area taxpayers as well as the districts themselves.

Many K-12 institutions are turning to cyber-insurance carriers for guidance in this area and for help recovering what can be “catastrophic costs.” Most carriers require the insured organization to deploy and maintain a list of security capabilities and adaptive controls, including 24/7 security monitoring, a patch management process and, very importantly, email security.

Yet, complying with the act is still voluntary.

Enterprise considerations for policy exceptions

In companies of every size, some executive always wants to be an “exception” to all that security “stuff.” What is the impact of that exception? Can one account create an attack surface capable of disrupting the entire business?

Absolutely!

East-West Attack Vectors: One host at a time

Thanks to ransomware, east-west propagation of an attack that starts on the exempted endpoint happens all too often today. Should organizations do away with the policy exception altogether? Wishful thinking, I know.

What can be done?

While there will always be exemptions to the rule, containment strategies can be the equalizer. Network isolation and containment keyed to the east-west propagation patterns of ransomware, combined with live patching of all critical systems, will limit how far an attack spreads and how many attack surfaces it reaches. These technologies are becoming affordable and less complex to implement and operate, and they feed data into XDR architectures.

Staying ahead of the attack is near impossible; automating the response is a solid counter-balance to the problem.

All the best,

John


Written by John P. Gormally, SR

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.