AZ: Maricopa Community Colleges cancel classes amid cybersecurity issue
The Maricopa County Community College District announced Friday it has canceled classes until March 29 after a cybersecurity issue forced its network system offline.
In a statement on its website, the district said the network outage was due to suspicious activity that appears to be related to a potential cyber attack.
They noted abnormal activity on March 16 and have canceled classes until March 29? That sounds serious.
Regular readers may recall that this site has reported on a number of data security incidents involving MCCCD — including the largest U.S. education sector hack ever disclosed to date. That 2013 breach, disclosed by MCCCD seven months after it was first discovered, appeared to have occurred after the district failed to properly remediate a 2011 breach. That incident cost the district more than $26 million. A third incident noted by this site in 2016 involved MCCCD employee-related files that were exposed on an unsecured FTP server owned by the county.
And now this... whatever “this” is. It will be interesting to see how any attackers gained access. The following is a summary from the state’s audit of Maricopa County Community College District, the Report on Internal Control and on Compliance for Year Ended June 30, 2017:
We found that the District needed improvements in certain controls over payroll, IT, and full-time student enrollment counts and reported 5 findings. Most importantly, we found the District lacked adequate policies and procedures over IT systems and data to appropriately respond to risks and to prevent, detect, test and review system changes, and respond to unauthorized or inappropriate access, damage, or loss, including protecting sensitive student data.
Two years later, another state audit of MCCCD reported:
Information technology (IT) controls—access and security
Condition and context —The District’s control procedures were not sufficiently designed, documented, and implemented to respond to risks associated with its IT systems and data. The District lacked adequate procedures over the following:
- Restricting access to its IT systems and data—Procedures did not consistently help prevent or detect unauthorized or inappropriate access.
- Securing systems and data—IT security policies and procedures lacked controls to prevent unauthorized or inappropriate access or use, manipulation, damage, or loss.
Criteria —The District should have effective internal controls to protect its IT systems and help ensure the integrity and accuracy of the data it maintains.
- Logical access controls—Help to ensure systems and data are accessed by users who have a need, systems and data access granted is appropriate, and key systems and data access is monitored and reviewed.
- IT security internal control policies and procedures—Help prevent, detect, and respond to instances of unauthorized or inappropriate access or use, manipulation, damage, or loss to its IT systems and data.
Effect—There is an increased risk that the District may not adequately protect its IT systems and data, which could result in unauthorized or inappropriate access and/or the loss of confidentiality or integrity of systems and data.
Cause—The District was unable to update and implement its IT access and security policies and procedures during the fiscal year because of time constraints and a lack of resources.
Recommendations—To help ensure the District has effective policies and procedures over its IT systems and data, the District should follow guidance from a credible industry source, such as the National Institute of Standards and Technology. To help achieve these control objectives, the District should develop, document, and implement control procedures in each IT control area described below:
- Assign and periodically review employee user access ensuring appropriateness and compatibility with job responsibilities.
- Remove terminated employees’ access to IT systems and data.
- Review all other account access to ensure it remains appropriate and necessary.
- Evaluate the use and appropriateness of accounts shared by 2 or more users and manage the credentials for such accounts.
- Enhance authentication requirements for IT systems.
- Perform proactive key user and system activity logging and log monitoring, particularly for users with administrative access privileges.
The District’s responsible officials’ views and planned corrective action are in its corrective action plan included at the end of this report.
This finding is similar to prior-year finding 2018-04.
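The auditors’ recommendations above (periodic review of employee access, removal of terminated employees’ accounts, scrutiny of shared accounts, and logging for administrative users) are the kind of checks that can be run mechanically against an HR roster and a directory export. The script below is an added example written for this page; it is not the District’s code and does not come from the audit. The roster, role baseline, group names and account records are constructed sample data, and the 90-day review window for administrative accounts is an assumed policy value, not one the audit specifies.

```python
from datetime import date, timedelta

# --- Constructed sample inputs (illustration only, not MCCCD data) -------------

# HR roster: employee id -> (job role, termination date or None if still employed)
HR_ROSTER = {
    "e1001": ("instructor", None),
    "e1002": ("sysadmin", None),
    "e1003": ("registrar", date(2020, 11, 30)),  # separated from the District
}

# Assumed least-privilege baseline: the groups each role is entitled to hold
ROLE_BASELINE = {
    "instructor": {"lms_user"},
    "registrar": {"lms_user", "sis_read", "sis_write"},
    "sysadmin": {"lms_user", "domain_admin"},
}

# Groups treated as administrative, whose accounts get the tighter review cadence
ADMIN_GROUPS = {"domain_admin"}

# Assumed policy: how long an admin account may go without a documented review
ADMIN_REVIEW_WINDOW = timedelta(days=90)

# Review date used below: the day the article says abnormal activity was noticed
REVIEW_DATE = date(2021, 3, 16)

# Directory export: one record per account (simplified, constructed format)
ACCOUNTS = [
    {"name": "jdoe", "owners": ["e1001"], "enabled": True,
     "groups": {"lms_user", "sis_write"}, "last_reviewed": date(2021, 1, 15)},
    {"name": "asmith", "owners": ["e1002"], "enabled": True,
     "groups": {"lms_user", "domain_admin"}, "last_reviewed": date(2020, 6, 1)},
    {"name": "rlee", "owners": ["e1003"], "enabled": True,
     "groups": {"lms_user", "sis_write"}, "last_reviewed": date(2020, 9, 1)},
    {"name": "helpdesk", "owners": ["e1001", "e1002"], "enabled": True,
     "groups": {"lms_user", "domain_admin"}, "last_reviewed": date(2021, 1, 15)},
    {"name": "svc_backup", "owners": [], "enabled": True,
     "groups": {"domain_admin"}, "last_reviewed": None},
]


def review_access(accounts, roster, baseline, admin_groups, as_of,
                  review_window=ADMIN_REVIEW_WINDOW):
    """Return a list of {account, issue, detail} findings for one review cycle."""
    findings = []

    def flag(acct, issue, detail):
        findings.append({"account": acct["name"], "issue": issue, "detail": detail})

    for acct in accounts:
        owners = acct["owners"]

        # 1. Every account needs exactly one accountable owner.
        if not owners:
            flag(acct, "orphaned_account", "no owner on record")
        elif len(owners) > 1:
            flag(acct, "shared_account", f"{len(owners)} owners: {sorted(owners)}")

        # 2. Enabled accounts owned by separated employees must be removed.
        departed = sorted(o for o in owners
                          if roster[o][1] is not None and roster[o][1] <= as_of)
        if acct["enabled"] and departed:
            flag(acct, "terminated_owner_enabled", f"owner(s) separated: {departed}")

        # 3. Group membership must not exceed what the owners' roles entitle them to.
        if owners:
            allowed = set().union(*(baseline[roster[o][0]] for o in owners))
            excess = acct["groups"] - allowed
            if excess:
                flag(acct, "excess_privilege", f"not in role baseline: {sorted(excess)}")

        # 4. Administrative accounts must have a recent documented review.
        if acct["groups"] & admin_groups:
            last = acct["last_reviewed"]
            if last is None or as_of - last > review_window:
                flag(acct, "admin_review_overdue",
                     "never reviewed" if last is None else f"last reviewed {last}")

    return findings


def issues_by_account(findings):
    """Collapse findings to {account: sorted issue names} for a review report."""
    out = {}
    for f in findings:
        out.setdefault(f["account"], []).append(f["issue"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, ADMIN_GROUPS, REVIEW_DATE):
        print(f"{f['account']:<12} {f['issue']:<26} {f['detail']}")
```

Each of the four checks maps to one bullet in the audit’s recommendations; a real deployment would feed the same logic from an HR system export and an LDAP or Azure AD dump rather than inline dictionaries, and would be run on a schedule so that a separated employee’s still-enabled account (the `rlee` case here) is caught within days rather than at the next annual audit.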
So what was the District’s response to these findings and recommendations? They wrote:
Information technology (IT) controls—access and security
Name of contact person: Jacob Vipond
Anticipated completion date: The District anticipates having all of these initiatives relating to this finding completed by the 2nd quarter of calendar year 2021.
The District agrees with the finding. The District recognizes the benefits of adopting guidance from a credible industry source, specifically the National Institute of Standards and Technology, and plans to conduct periodic reviews of employee access and apply principles of least privilege across all systems, specifically users with elevated permissions.
So exactly which initiatives were completed prior to this latest cyberattack?
Updated March 23: ABC15 provided an update late yesterday:
In a statement, a spokesperson wrote, “MCCCD already had a plan in place to quickly address potential network threats, which includes engaging forensic specialists to help us investigate the situation to understand what happened and if any information may be at risk. The investigation is still ongoing, however, there is no evidence of any breach of sensitive student information, such as social security numbers, educational information or financial data at this time. It’s also important to note that our student information system and our human resources management system are cloud-hosted applications and there is no impact to those systems.”