What is a compromised user account?
An account is compromised when a valid user loses control of their login credentials because an attacker learns of their username and password. This would allow an attacker to log in to SchoolInsight and download student data as well as reroute direct deposit funds to fraudulent accounts.
There are a few common cyberattacks that cause compromises:
- A user receives a phishing email and is tricked into entering their login credentials to a counterfeit site, which then steals their username and password.
- A user unintentionally installs malicious software that monitors keystrokes and steals their username and password. This malware often attempts to spread by attacking other devices on the network.
- A user utilizes the same username and password across multiple websites. If one of those sites is compromised, attackers can steal this information and use it on other sites.
- For schools that use Login with Google, a compromised Google Account leads to access to SchoolInsight.
A compromised account should be addressed using the following processes:
Secure User Accounts
When an account is compromised, lock the impacted user out of SchoolInsight. This needs to occur immediately, as removing access has the potential to disrupt an attack.
To secure a compromised account, please complete the following processes:
Mark All User Roles Inactive
A user may have a number of roles in SchoolInsight, such as admin, instructor, employee portal, and/or financials user. These roles need to be inactivated to prevent compromised logins and attacker access to sensitive data.
To inactivate an admin account:
- Go to District Main > Admins
- Select the icon to Edit the necessary admin
- Select the icon in the admin role column
- Select Make Inactive
- Repeat this process until all roles are inactive
- Click Save
To inactivate an instructor account:
- Go to School Main > Instructors
- Select edit in the row of the necessary instructor
- Set Active to No
- Click Save
- Repeat this process for every school where the instructor has a role
To inactivate a financials user:
- Go to Financials Main > Employee - Single View
- Search for the necessary employee
- In the General tab select the icon to Edit
- Uncheck Active
- Click Save
To inactivate an employee portal user:
- Go to Financials Main > Setup > Users
- Select Edit on the necessary user
- Uncheck Active
- Click Save
Forget All Saved Devices
Log the compromised user out of SchoolInsight on any saved devices.
To log a user out of all devices in SchoolInsight:
- Go to Main > Employees - Single View
- Search for the necessary employee
- Select the Logins tab
- In the Login Settings section, select the icon to Force Logout of All Devices
- Confirm Force Logout
Change the User’s Password
Change the compromised user’s password to avoid future security issues. SchoolInsight advises a long password that can be reset once it is confirmed the user has regained control of their account.
To update a password in SchoolInsight:
- Go to Main > Employees - Single View
- Search for the necessary employee
- Select the Logins tab
- In the Login Settings section, select the icon
- Select Edit Password
- Enter new Password and Confirm Password
- Click Save
Verify Direct Deposit Account
If using SchoolInsight Financials, review the direct deposit information for the compromised user. If this information has been changed by the attacker, stop payroll for the user until the validity of this information can be verified. This ensures funds are not redirected to a different account.
To remove the compromised direct deposit account:
- Go to Financials Main > Employee Direct Deposit Accounts
- Select Edit for the needed employee
- In the Paycheck Accounts section, select the icon to Clear row for the impacted account
- Click Save
After these steps are completed, an attacker will no longer have access to SchoolInsight. However, it is possible that the user’s Google Account has also been compromised. You can secure their account in Google by disabling it and changing the password.
It is also possible that malicious software has been installed on the compromised user’s computer. To ensure that this malware cannot be spread on the school network, you should disconnect all impacted devices from the network, including unplugging any ethernet cables and turning off WiFi.
Please work with your cybersecurity experts to verify that any other needed steps outside of SchoolInsight have been taken.
Re-Establish Account Control
Once attackers can no longer access SchoolInsight through the compromised user account, the incident should be investigated. This is less time sensitive due to the attacker losing access to SchoolInsight. Please engage with your cybersecurity insurance and any district or insurance provided technical experts to clarify how the compromise occurred.
The investigation may include the following:
- Scanning the compromised user’s devices
- Reviewing the login history of the user’s accounts, such as SchoolInsight, email, etc.
- Scanning other devices on the school network that may have been affected by malware
SchoolInsight maintains a list of authenticated devices and login history, including IP addresses, for each employee. It is therefore possible to identify attacker logins based on the use of a new device from a new IP address.
To review employee login information:
- Go to Main > Employees - Single View
- Search for the necessary employee
- Select the Logins tab
- Review the Login History section
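The check described above, identifying attacker logins by a new device arriving from a new IP address, can be scripted once the Login History has been exported. The following is an added example and not SchoolInsight's own code: it runs over a constructed CSV of one employee's login history, and the column names, the device identifiers, the IP addresses and the `investigate` function are all assumptions. Everything that succeeded before a cutoff you choose (the earliest time the compromise could plausibly have started) forms the trusted baseline; successful logins after the cutoff from a device and an IP that never appear in that baseline are reported as suspect sessions, together with the device and IP sets to pass to support.

```python
import csv
import io
from datetime import datetime

# Constructed sample export of one employee's Login History (not real data).
# Assumed columns: timestamp, device_id, ip_address, result.
SAMPLE_LOGIN_HISTORY = """timestamp,device_id,ip_address,result
2024-03-01T08:02:11,dev-a1,203.0.113.10,success
2024-03-02T08:05:40,dev-a1,203.0.113.10,success
2024-03-04T17:45:03,dev-a1,203.0.113.10,success
2024-03-04T23:58:20,dev-z9,198.51.100.77,failure
2024-03-05T02:13:59,dev-z9,198.51.100.77,success
2024-03-05T02:20:12,dev-z9,198.51.100.77,success
2024-03-05T08:01:30,dev-a1,203.0.113.10,success
2024-03-06T08:03:05,dev-a1,203.0.113.10,success
"""


def parse_login_history(text):
    """Parse the CSV export into dicts with a datetime timestamp, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "device_id": row["device_id"],
            "ip_address": row["ip_address"],
            "result": row["result"],
        })
    return sorted(rows, key=lambda r: r["timestamp"])


def known_devices_and_ips(rows, trusted_before):
    """Baseline: devices and IPs used in SUCCESSFUL logins before the cutoff.

    Failed attempts are excluded so that an attacker's earlier guessing does
    not make their device or IP look familiar.
    """
    devices, ips = set(), set()
    for r in rows:
        if r["result"] == "success" and r["timestamp"] < trusted_before:
            devices.add(r["device_id"])
            ips.add(r["ip_address"])
    return devices, ips


def investigate(text, trusted_before_iso):
    """Return suspect sessions plus the device/IP sets to hand to support.

    A successful login at or after the cutoff from a device AND an IP that
    never appear in the baseline is treated as a likely attacker session.
    """
    rows = parse_login_history(text)
    cutoff = datetime.fromisoformat(trusted_before_iso)
    known_devices, known_ips = known_devices_and_ips(rows, cutoff)
    suspect = [
        r for r in rows
        if r["timestamp"] >= cutoff
        and r["result"] == "success"
        and r["device_id"] not in known_devices
        and r["ip_address"] not in known_ips
    ]
    return {
        "sessions": suspect,
        "devices": {r["device_id"] for r in suspect},
        "ip_addresses": {r["ip_address"] for r in suspect},
        "first_seen": suspect[0]["timestamp"].isoformat() if suspect else None,
        "last_seen": suspect[-1]["timestamp"].isoformat() if suspect else None,
    }


if __name__ == "__main__":
    report = investigate(SAMPLE_LOGIN_HISTORY, "2024-03-05T00:00:00")
    print(f"suspect sessions: {len(report['sessions'])}")
    print(f"attacker devices: {sorted(report['devices'])}")
    print(f"attacker IPs:     {sorted(report['ip_addresses'])}")
    print(f"window: {report['first_seen']} .. {report['last_seen']}")
```

Choose the cutoff conservatively: if it is set later than the real start of the compromise, the attacker's device and IP become part of the baseline and their sessions are not flagged. A known device logging in from a new IP is deliberately not flagged here, since that pattern is common for staff working from home; review those rows by hand if the timing looks unusual.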
Once an attacker’s devices, IP addresses, and login sessions have been identified, please contact our Technical Services Organization at support@common-goal.com. We can support the investigation by querying the web pages accessed. By cross referencing this with the activity pattern and application permissions, it should be possible to understand what data the attacker viewed.
The findings of the investigation will identify vulnerabilities and determine next steps. This could include implementing two-factor authentication (2FA), updating device management standards, engaging in security best practices training, etc.
At minimum, the compromised user must have a secure computer in order to re-establish access.
This may be done by:
- Providing a new device with an organization’s standard software image/installation
- Wiping the compromised device and performing a fresh install
- Using the original device after it passes a malware scan
- Note that this is riskier than the previous two options, which ensure that any malware has been eliminated
Before re-enabling access to SchoolInsight, the compromised user should re-establish control of their email account.
This should include the following:
- Log out of all devices
- Reset the user password
- Validate that the user can log in
- Enable two-factor authentication in the email account
- Validate that the user can log in with two-factor authentication
- Remove any unknown two-factor authentication methods
If applicable, please refer to the following article with additional Google recommendations: Google Workspace: Identify and secure compromised accounts
Reactivate the User
Once the compromised user’s devices and other accounts are secure, you can reactivate them in SchoolInsight. It is recommended to complete these processes with the user present to ensure their renewed access and to help the user with any challenges. Additionally, this allows you to confirm that you’re working with the employee and not the attacker.
There are several processes that will need to be completed to ensure the user’s access and improved security:
Reactivate User Roles
To activate an admin account:
- Go to District Main > Admins
- In the Active column select the icon
- Click Clear
- Select the icon to Edit the necessary admin
- Check Show Inactive Roles
- Select the icon in the admin role column
- Select Make Active
- Repeat this process until all roles are active
- Click Save
To activate an instructor account:
- Go to School Main > Instructors
- Uncheck Hide Inactive Instructors
- Select edit in the row of the necessary instructor
- Set Active to Yes
- Click Save
- Repeat this process for every school where the instructor has a role
To activate a financials user:
- Go to Financials Main > Employee - Single View
- Select the icon and check Show inactive Employees
- Search for the necessary employee
- In the General tab select the icon to Edit
- Check Active
- Click Save
To activate an employee portal user:
- Go to Financials Main > Setup > Users
- Select Edit on the necessary user
- Check Active
- Click Save
Send a Password Reset
A user’s password was manually updated when their account was being secured. They can now reset it to regain access to their account.
To send the user a reset password link:
- Go to Main > Employees - Single View
- Search for the necessary employee
- Select the Logins tab
- In the Login Settings section, select the icon
- Select Send Password Reset
- Confirm Reset
Once the employee has reset their password, confirm that they can once again access SchoolInsight.
Enable Two-Factor Authentication for the User
A user who has experienced compromise in the past should be required to use two-factor authentication to log in. Users with two-factor authentication are a much harder target for cyberattackers. Currently, two-factor authentication may need to be configured at your district before it can be enabled for an employee. Please reach out to us at support@common-goal.com if you need to configure two-factor authentication at your district.
To enable two-factor authentication for a user:
- Go to Main > Employees - Single View
- Search and select the necessary employee
- Select the Logins tab
- In the Login Settings section, select the icon
- Select Edit Login Info
- Set Force 2FA
- Click Save
Securing the username and password of a compromised account is the customer’s responsibility. However, our Technical Services Organization is happy to answer any questions regarding these essential processes. Please reach out to us at support@common-goal.com.