
Holy Family beefs up computer network security


By Greg Nikkel
The computer network for the Holy Family Roman Catholic Separate School Division has been beefed up with up-to-date cyber-security, following an attack by hackers last fall on school board trustees and others employed by the school division.
The trustees heard a report on a network vulnerability assessment carried out on the computers used by Holy Family employees and board members, and what measures have been taken to strengthen the system and make it safe.
“Education is currently under fire in this area, which came as a surprise to me,” said Chad Fingler, superintendent of school operations for Holy Family.
He pointed out that hackers were apparently looking for any personal information they could possibly get, such as social insurance numbers or health care numbers, which could then be sold on the black market.
Hackers use such methods as Trojans or ransomware to extract information, he said, explaining that Trojans are programs within programs that give a hacker the ability to lock down an organization. Ransomware has been used to lock up an organization’s data until a ransom is paid, usually in bitcoins.
Holy Family asked IBM to come in and do a network vulnerability assessment, and IBM compiled a list of the issues in Holy Family systems that were fixed, said Fingler. The division also arranged to have IBM come and educate its staff on what they should and should not do with their emails and Internet use, as well as to keep on top of the trends of what hackers are going after.
Kyle Hambly, a computer-network support technologist for Holy Family, explained that a “phishing” attack on Holy Family in the fall of 2017 targeted the email accounts of a number of staff and board members.
As Hambly explained, there are numerous types of phishing, and the type used in this case was emails disguised as coming from Holy Family or from the Saskatchewan School Boards Association (SSBA), with the goal of gaining access to a computer, a program or its network. He was able to catch a “phisher” and found that the hacker was sending emails using a Holy Family address.
“We decided to go with IBM, since they built our infrastructure initially. They are an international company with a high level of expertise, and they are up-to-date on cyber-attacks,” said Fingler, who noted they were able to provide security that is appropriate to a school or school division.
In a report card on Holy Family’s cyber network, 17 per cent of issues were deemed “critical”, 12 per cent were high, 54 per cent were medium and 17 per cent were considered low-risk, with 76 items that IBM determined needed attention.
“In the big picture, we’re not that far from the national average, although we were a little higher in critical areas. They were internal things that were easy for us to manage,” said Fingler, explaining that both external and internal scans were made of the computer network.
One of the good points is that employee emails are not readily available on the Internet, and there were no critical external threats to Holy Family’s network, he added.
Holy Family were encouraged to ensure they use good, secure passwords that aren’t duplicated anywhere else, said Hambly, noting some people will use a “default” or “Golden Ticket” password, the same for all of their accounts or Internet activities. This is a practice he urges all computer users to avoid, as it could expose them to being hacked.
“You should change passwords regularly, and keep a combination with upper and lower case with numbers,” said Fingler, adding the most common password in the world is the number sequence “1-2-3-4-5-6”.
Internally, most administrators are limited in what they can access, mostly on a “need-to-know” basis, with only two or three staff who have the proverbial “master key” to the computer network at Holy Family, explained Fingler.
There will be a follow-up vulnerability assessment done of Holy Family’s system once a year from now on, he added, and in the meantime the experts at IBM can be called on anytime something comes up that they need to deal with in terms of cyber security.
Staff member Lynn Colquhoun pointed out that she will refuse to accept any emails of a personal nature sent to her from a business email account, because she doesn’t want to expose any business to possible attacks through her email.