Welcome to the Lockstep Traceroute, a bi-weekly look at the path of K-12 technology. Our goal isn’t to sell you a “magic box” that solves every problem. Instead, we’re here to share the foundational truths we’ve learned from years in the field – the kind of insights that only come from managing district networks, surviving procurement cycles, and building relationships that keep schools running. In this entry, we’ll look at recent regional signals, and why the most powerful security tool in your district might actually be a well-attended meeting.
Immediate Ping
- The Connected School Paradox: Modern schools are more connected than ever, from smart lighting to digital enrollment. Last week’s national telecom outage highlighted how much every department, from Transportation to the Front Office, relies on a stable “digital backbone” to keep students safe and learning.
- Regional Spotlight – Texas: The TEA is currently updating its K-12 Cybersecurity Initiative to provide more coordinated support for districts. This is an excellent opportunity for Texas districts to align their local safety plans with state-provided resources for endpoint protection and incident response.
The Next Hop
What Lurks in the Shadows: The Case of Moltbot (formerly Clawdbot)
It usually starts with a Saturday morning productivity hack. A staff member finds a tool like Moltbot (formerly Clawdbot) – an AI-powered assistant that promises to “unify your digital life”. By connecting your professional tools (like Gmail or Slack) to your personal chat apps (like WhatsApp or Signal), Moltbot acts as a proactive agent that can summarize emails, manage calendars, and even run system commands on your behalf.
For an adventurous employee looking to streamline their workflow, it feels like magic. But for those of us tasked with the “boring” details of enterprise security, these “silent super-users” represent a significant shift in our threat model.
The Risk of the “Helpful” Agent
In a properly hardened environment, we aren’t just worried about malicious actors; we’re worried about unintentional exposure through lax processes. Tools like Moltbot often require broad permissions to be effective, creating two specific challenges for the district:
- Credential Concentration: To function, these agents often require API keys and credentials for sensitive services, which are sometimes stored in plain text or poorly secured local files. If an employee runs this on a personal device that later connects to the district network – or worse, a district device that is lost or compromised – those keys are essentially “sitting on the porch” for anyone to find.
- Identity Hijacking in Real-Time: When the project was forced to rename from “Clawdbot” to “Moltbot” due to trademark issues, it triggered a “cascade of chaos”. Social media handles and GitHub accounts were “sniped” by scammers within seconds of being announced. For a district, this illustrates how quickly a trusted tool can become a malicious one if its identity or repository is compromised or if illegitimate sources are perceived as authentic.
- The Indirect Prompt Injection: This is the “new” battleground. Unlike traditional software that treats “user input” and “system commands” separately, AI agents often view them as the same. If an agent is tasked with summarizing an inbox, a malicious actor can send an email containing a hidden “indirect prompt.” The agent, simply trying to be helpful, might follow the hidden instruction to “forward the last five attachments to an external address” without the employee ever clicking a link or knowing a “hack” occurred.
Building a Unified Defense Through Collaboration
In many districts, cybersecurity is viewed as a “Technology Department” task. However, as our environments become more integrated, a resilient posture requires a shared responsibility model. This is where a Cross-Functional Working Group becomes an essential tool for district leadership. Instead of playing “Whack-a-Mole” with every new AI tool, we should focus on Accountability and Governance.
Why Diverse Perspectives Matter
A working group is most effective when it brings together representatives from Finance, HR, Facilities, Operations, and others.
- Operations & Facilities: Can provide insight into how building automation and safety systems (like cameras or door access) interact with the network.
- Human Resources & Finance: Help align security goals with the “human lifecycle,” ensuring that onboarding and payroll systems are both efficient and secure.
The question for our leaders in HR, Finance, and Facilities isn’t whether we should “ban” AI, but rather: “How do we empower our staff to innovate without creating unmanaged ‘Shadow AI’ entry points?”.
At Lockstep, we believe the answer lies in the Principle of Least Privilege. If a tool is truly “better” and not just “different,” let’s find a way to sandbox it – using separate, low-privilege service accounts rather than full personal identities. By moving these discussions into a collaborative committee, we can turn “adventurous employees” into our best allies in the digital battleground.
The “Shared Risk” Conversation
Rather than framing security measures as obstacles, we should view them through the lens of accountability and risk management. When leaders from different departments collaborate, they can better assess which risks the district is willing to assume and which require immediate mitigation.
Moving toward high-impact, baseline goals – such as implementing Multi-Factor Authentication (MFA) and refining User Access Rights – is a team effort that protects the continuity of every department’s mission.
The Egress Point
Effective cybersecurity isn’t about the products you buy; it’s about the culture of collaboration you build. Whether your district is a large “hub” with deep resources or a smaller rural system, the goal is to break down silos and ensure that technology supports every user’s success.
Lockstep Technology Group is committed to being that collaborative partner. We help districts of all sizes navigate these departmental intersections to build a safer, more resilient learning environment. If you want to see how we can help you, please contact your account executive or send an email to:[email protected]
]]>
URL filtering used to be a static gatekeeper, blocking “malicious” websites based on outdated lists. But in 2025, threats have evolved and most filtering solutions have not kept up.
Today’s phishing attacks are AI-powered, highly targeted, and built to bypass legacy URL filtering systems. At Lockstep Technology Group, we help organizations move beyond reactive filtering by implementing Palo Alto Networks’ Advanced URL Filtering within your broader security strategy.
The Threat Landscape Has Changed
Phishing continues to dominate the threat landscape, both in volume and in impact. According to recent industry data:
- 84% of organizations experienced successful phishing attacks in 2022.
- 91% of security incidents were phishing-related.
- AI tools like FraudGPT and PoisonGPT are being used to scale and personalize attacks.
Traditional URL filtering struggles to keep up because:
- Phishing sites are often used only once.
- Attackers rapidly create and abandon new domains.
- Static crawlers fail to access gated content or mimic real user behavior.
Tactics Used in Modern Phishing Pages
- Lookalike domains mimicking trusted brands
- Credential forms disguised as login screens
- CAPTCHA-protected pages to block scanners
- Dynamic behavior that activates only for real users
Understanding Real-Time URL Filtering
The webinar included a live demo where Palo Alto Networks showed how their solution analyzes inline traffic in real time as users interact with web content.
This goes far beyond category-based blocking. Their engine evaluates:
- Page behavior (e.g., login forms, CAPTCHA bypass)
- URL history and domain age
- Dynamic content behavior
- User interaction flow
This means phishing sites that evade traditional detection are blocked instantly even if they are brand new.
Inline Detection vs. Traditional URL Filtering
| Traditional Filtering | Inline Detection |
| Static URL categories | Real-time content analysis |
| Misses CAPTCHA or mobile-only content | Detects threats post interaction |
| Can’t stop credential input | Blocks credential submissions live |
| Ignores domain age patterns | Flags newly created or suspicious domains |
| Crawlers can be evaded | Simulates user behavior to expose threats |
Why Implementation Matters
While Palo Alto provides the engine, implementation is where the impact happens. That is where Lockstep comes in.
We help you translate Palo Alto’s advanced capabilities into a secure, usable, and policy-aligned deployment. By tailoring filtering policies and user experiences, we enable you to:
- Customize filters by user group or role
- Implement credential protection without disrupting access
- Analyze real-time logs to support threat hunting and policy refinement
- Avoid unnecessary friction for your users
The Shift from Filtering to Prevention
The webinar highlighted a critical point: Phishing is no longer just an email problem. Today, malicious links are delivered through SMS, chat apps, and even shared documents.
With Advanced URL Filtering, organizations can detect and stop these threats before users interact with them, but only if the system is deployed and governed effectively.
Lockstep’s role is to bridge the gap between cutting-edge capability and operational reality. We help organizations in K-12, higher ed, and enterprise environments move from passive filtering to active prevention without overwhelming your IT team or breaking trust with your users.
Ready to Rethink Web Protection?
If you are still relying on outdated URL filtering systems, it’s time to reassess.
Talk to Lockstep about implementing Palo Alto Networks’ AI-powered solution to protect your users, data and reputation.
]]>“Technology is rapidly reshaping how organizations work and serve their constituents. By joining forces with Lockstep, we can accelerate our mission of delivering positive outcomes through technology innovation,” said Louis Tsotakos, CEO of Ocean.
Both organizations share in providing technology solutions that enable a robust, scalable, innovative, and secure environment. The combined companies will strengthen their market positions and broaden their solution portfolio, which includes managed services, data & infrastructure, security & compliance, and endpoint technology solutions.
“The passion and purpose embodied by the Ocean team strongly align with our focus here at Lockstep. We’re excited to be able to immediately offer a wide range of technology solutions that enable success for our customers.” Anders Nessen, CEO, Lockstep Technology Group.
About Lockstep
Lockstep Technology Group is the leading provider of comprehensive IT solutions and services focused on optimizing IT strategies in the government, education, and medical markets. Founded by mission-focused industry veterans who understand the unique needs of constituencies in highly regulated industries, the company’s unmatched expertise across 100+ technologies offers support spanning managed services, data & infrastructure, security & compliance, and endpoint technology solutions. Lockstep Technology Group serves over 1,500 organizations, providing technologies and highly skilled engineering resources to support key areas of need while allowing clients to focus on core strategic objectives.
About Ocean
For more than 41 years, Ocean Computer Group has helped organizations achieve meaningful business outcomes through innovative technology solutions. As a trusted Managed Services Provider serving both public and commercial sectors, we understand the growing complexity and exposure to today’s security threats. Through deep partnerships with leading security providers and proven expertise across best-in-class solutions, we help our clients implement proactive strategies to detect, prevent, and quickly respond to security incidents—keeping their environments protected and resilient.
]]>
In this tech talk, Patrick Cavell walked through the fundamentals of Open Shortest Path First, or OSPF, one of the most widely used dynamic routing protocols in modern networks. The goal of the session was to demystify how OSPF works, explain why it is so effective at scale, and highlight best practices for real world implementation.
What Is OSPF and Why It Matters
OSPF is a link state routing protocol designed to calculate the most efficient path for traffic across an IP network. Rather than exchanging entire routing tables, OSPF shares detailed information about network links using Link State Advertisements, or LSAs. Each router uses this information to build a complete view of the network and independently calculate the best paths.
This approach allows OSPF to converge quickly and remain highly consistent, even in complex environments.
How OSPF Shares and Maintains Network State
A key concept emphasized during the session is that OSPF shares interface and link information, not individual routes. LSAs are flooded throughout an area, so every router maintains an identical link state database. This shared understanding is critical, as routing stability depends on all routers seeing the same network topology.
Because each router calculates routes locally from the same data set, OSPF can adapt efficiently to changes while minimizing disruptions.
Areas, Scalability, and Design Choices
To support large networks, OSPF allows administrators to divide the network into multiple areas. Areas help control routing table size and limit LSA flooding, improving performance and scalability. All areas connect through the backbone, known as Area 0, which ensures proper route of exchange.
Stub areas were also discussed as a way to simplify routing in parts of the network by limiting which routes are advertised, reducing overhead for routers that do not need full visibility into external networks.
Designated Routers and Adjacencies
On broadcast networks, OSPF uses a designated router and backup designated router to reduce unnecessary traffic. Instead of every router forming adjacencies with every other router, full adjacencies are centralized.
In the example shared during the webinar, router two was elected as the designated router (DR); router three served as the backup designated router (BDR), and all other routers operated as DROTHER routers, having full adjacencies only to the DR and the BDR. This model keeps routing efficient while maintaining full network awareness.
Understanding OSPF LSAs and External Routes
Patrick also reviewed the most common OSPF LSA types and how they are used to share routing information within and between areas. The most encountered types include:
- Type 1 and Type 2 LSAs, which describe routers and networks within an area
- Type 3 and Type 4 LSAs, which allow routes to be shared between different OSPF areas
- Type 5 LSAs, which advertise external networks from Autonomous System Boundary Routers into the OSPF domain
Type five LSAs are particularly important because they allow OSPF to learn routes from non-OSPF domains. These LSAs are flooded throughout the network, except into stub areas, where external routes are intentionally limited.
Reading the Routing Table and Avoiding Pitfalls
An OSPF routing table can reveal whether a network is operating in a multi-area design and whether external routes are being introduced. The session also reinforced the importance of administrative distance, noting that connected routes always take precedence over OSPF learned routes.
One key caution highlighted was route filtering. Because all routers in an area must receive identical LSAs, improper filtering can lead to inconsistencies, routing loops, or traffic black holes.
What’s Next
This session provided a strong foundation for understanding OSPF and how it supports scalable, resilient network design. If you are responsible for building or managing networks, mastering these fundamentals is essential.
Be sure to join us for our next tech talk on January 15, co-presented by Lockstep and Glean, to learn how AI is reshaping enterprises across all industries, including Public Sector, Education, and Healthcare.
]]>
Following the path of K-12 technology, one hop at a time.
A Week of Challenges, Progress, and Opportunities
The central tension of district technology leadership has always been balancing risks against progress. How do we keep our networks secure without stifling the innovation happening in the classroom? This week provided a perfect case study in that balancing act. While cybersecurity pressures continued to demand our attention, a handful of positive developments offered a clear path forward. Below is a curated look at the stories shifting the landscape for K-12 tech leaders this week.
The Vendor Power Dynamic Is Shifting
The FTC’s recent action involving Illuminate Education continues to ripple through the market, creating a distinct shift in tone. For years, districts often had to fight for basic transparency regarding data retention and security protocols. That dynamic is flipping.
Vendors are actively reexamining their retention policies and preparing for tougher questions from districts because they recognize that security expectations are no longer negotiable.
The Strategy: This is the moment to refresh your vendor requirements. The environment is currently supportive of strong expectations. If you have received pushback on strict data privacy addendums in the past, now is the time to re-address them.
Resilience Is Becoming Routine
Threat activity remains a constant in our daily lives—phishing, credential misuse, and ransomware are still poking around district firewalls. However, the story this week isn’t the threats; it’s the response.
Districts are responding with more maturity than ever before. Backups are improving, network segmentation is becoming standard, and response teams are operating with greater confidence. The landscape is dangerous, but the district IT shield is slowly, surely getting stronger.
The Human Element: Burnout as a Security Risk
One theme that surfaced repeatedly this week is staff burnout. While often viewed as an HR issue, for a CTO, this is a security issue. Your team carries one of the most diverse workloads in public education. When they are fatigued, cognitive load drops and risk increases. It is that simple.
The Move: Prioritize margin. Making space for your team to rest isn’t just “nice to have” – it pays security dividends. (Note: If your internal team is red-lining, this is a specific area where Lockstep can step in to augment capacity).
Reframing Shadow IT as “Unsanctioned R&D”
Teachers continued doing what they always do: solving instructional problems quickly, often with tools that aren’t on the approved list. It is tempting to view this strictly as a compliance breach, but I encourage you to treat it as a signal.
When teachers go “rogue,” they are identifying gaps in your current stack. They are experimenting and pushing instruction forward.
Leadership Guidance:
- Investigate the “Why”: Ask what the unapproved tool is helping them accomplish.
- Map to Strategy: Identify if an approved tool already solves this problem (and perhaps just needs better training).
- Collaborate: If the tool has merit, help shape a small pilot. Innovation is not the enemy; unstructured adoption is.
Bright Spots: Removing Friction from Security
Security is often synonymous with friction, but this week saw K-12 friendly MFA options that actually improve the user experience.
- Clever (Classroom MFA): Now offering authentication methods like PINs and badges, strengthening security without frustrating younger students or para-staff.
- RapidIdentity (Device-less MFA): Solving the long-standing “cell phone problem,” this allows for robust authentication without relying on personal student devices.
The Opportunity: These are shifts toward practical security. If your district uses these platforms, investigate these controls immediately.
Regional Intelligence: The Funding Landscape
For districts in the Lockstep service region, policy and funding movements are creating new opportunities for 2026.
- Georgia: State activity continues to favor modernization and cybersecurity refresh efforts.
- North Carolina: Expanded criteria are making more districts eligible for broadband infrastructure grants.
- Louisiana: The state is exploring a cybersecurity cooperative model to help smaller parishes standardize protections and reduce costs.
- South Carolina: Upcoming DOE data privacy guidance looks poised to simplify reporting obligations.
- Texas: Continues to lead nationally in cyber funding, with another round of grants expected in 2026.
- AL / MS / TN: Pre-legislative signals suggest new digital learning and cybersecurity initiatives may appear in the next session.
Strategic Note: Districts with updated documentation and clear technology plans always capture funding first. If you don’t have a relationship with your local state delegate, take the opportunity to brief them on your challenges now, before the sessions begin.
How Lockstep Supports You
Lockstep’s role is simple: We help districts make sense of a fast-changing environment and give their teams the support they need to thrive. Whether you need a cybersecurity roadmap, AI governance support, or just extra hands on-deck when your team is overloaded, we are here.
No pressure. No script. Just practical help.
If something in this week’s update sparked a question for your district, we are always ready to talk.
]]>In today’s healthcare environment, speed and coordination save lives. For LCMC Health, a not-for-profit system serving New Orleans, its patient Transfer Center was both a lifeline and a bottleneck. Thousands of high-stakes transfers depended on outdated phone systems, manual workarounds, and disconnected tools. The result? Missed calls, lost transfers, and patients waiting longer for the right level of care.
That changed when LCMC Health partnered with Lockstep Technology Group to modernize the heart of its transfer operations, turning inefficiency into innovation.
Why Transfer Centers Matter More Than Ever
Across the United States, hospitals face unprecedented pressure to improve outcomes, reduce costs, and enhance patient experience. The once “back-office” transfer center has evolved into a frontline performance driver, directly influencing:
- Access to care
- Clinical outcomes
- Hospital financial stability
An inefficient transfer center doesn’t just create inconvenience—it can delay treatment, increase readmissions, and impact revenue. For LCMC, the challenge was clear: transform the process before inefficiencies threatened patient safety.
The Breaking Point
Operating 24/7, LCMC’s Transfer Center coordinated transfers across eight hospitals and a freestanding emergency department. But legacy systems made this nearly impossible to manage efficiently. Calls rolled haphazardly across desks. Metrics were hard to track. Even basic call recordings required IT intervention.
“We were missing calls,” recalled Jessica Crum, Senior Director of the Transfer Center.
“Quality assurance was almost impossible. We wanted a world-class call center that could route calls properly, track metrics, and drive real improvement.”
Manual tools and fragmented workflows created a critical bottleneck, one that leadership knew could only be solved through a complete reimagining of the infrastructure.
The Risks of Standing Still
Without modernization, the operational consequences were severe:
The costs of delay weren’t just financial; they were human.
Partnering for Change
Lockstep Technology Group brought deep expertise in Cisco Webex Contact Center, Epic EHR integration, and healthcare communication strategy. From day one, the approach was collaborative, not prescriptive.
“Fixing call processing was step one,” explained Chris Favalora, Lockstep’s Solutions Architect. “But the real opportunity was visibility—giving staff control and data insights they never had before.”
Together, Lockstep and LCMC co-designed a system that fit their unique workflows while integrating seamlessly into existing platforms
Designing the New Transfer Center
The transformation began with a Cisco–Epic integrated solution powered by SpinSci. Key capabilities included:
- Smart Call Routing & IVR: Prioritized by urgency and specialty
- Click-to-Dial & Caller ID: Speeding outbound communications
- Pop-Up Note Templates: Automatically launched with incoming calls
- Call Recording Integration: Linked directly to Epic notes
- Unified Agent Desktop: Streamlined all workflows into one interface
As Crum put it: “Once we had visibility into abandoned calls and turnaround times, we could fix workflows, improve efficiency, and scale with growth.”
The Measurable Impact
Within months, LCMC’s new Transfer Center delivered quantifiable results—in both patient outcomes and operational efficiency:
- 15.2% increase in completed transfers, representing $1.6M–$2.9M in additional annual revenue
- 27% reduction in transfer turnaround time, improving access to higher-level care
- 47% faster provider engagement, enabling quicker clinical decisions
- Abandoned calls down from 7% to 2%, meaning more patients connected to the right care
- 717,000 minutes saved in just six months, equivalent to over a year of working time recovered
As Crum emphasized: “Every minute we shave off transfers means patients get to the right care sooner. Capturing more patients doesn’t just improve outcomes—it fuels growth.”
Beyond Numbers: A Cultural Transformation
Technology was only part of the story. The new workflows transformed staff experience:
- Paper tools were replaced with automated digital templates
- Agents gained real-time visibility into call metrics
- Shift-change gaps were eliminated
- Frustration dropped as efficiency soared
“We reversed the workflow so calls start with the conversation, not paperwork,” Crum noted. “Staff frustration is way down, and efficiency is way up.”
Partner hospitals now refer to LCMC’s Transfer Center as “the easy button for transfers.”
Why It Matters in Healthcare Today
This transformation aligns with the national shift toward value-based care (VBC)—rewarding coordination, penalizing inefficiency. Reducing turnaround times by 27% and accelerating provider engagement by nearly 50% directly impacts clinical outcomes and hospital sustainability
Industry data shows that 90% of healthcare organizations still lack a robust strategy for managing the patient and provider experience. LCMC’s success demonstrates what’s possible when hospitals treat the transfer center not as an expense—but as a strategic asset.
A Blueprint for the Future
By integrating Cisco Webex with Epic and building a data-driven foundation, LCMC didn’t just upgrade its technology—it redefined how the coordination of care works. Now positioned for future innovation, the organization is exploring:
- AI-driven call routing and predictive staffing
- Integration of Epic scheduling with Amion
- Secure chat enhancements for provider communication
- Advanced analytics linked to patient outcomes
As Crum concluded: “We didn’t just upgrade technology. We changed how we work. And because of that, we’re ready for what’s coming next.”
Final Thoughts
The LCMC and Lockstep partnership is a powerful example of how purpose-built technology can save time, improve care, and enhance the lives of both patients and providers. It’s not just about modern infrastructure; it’s about modern care.
In today’s technology-driven world, the intersection of cyber threats, fraud, and inefficiency presents a unique challenge for government agencies and educational institutions. During a recent tech talk, Dr. Tina Carkhuff, a data analytics innovator and industry expert, shared insights into how organizations can leverage Splunk to mitigate fraud, enhance cybersecurity, and drive operational efficiency.
Watch the full tech talk with Dr. Tina Carkhuff on YouTube here.
Who is Dr. Tina Carkhuff?
Dr. Carkhuff is a recent doctoral graduate from Liberty University, authoring a groundbreaking dissertation on the role of data analytics in detecting unemployment insurance fraud. With 30 years of industry experience, including serving as CIO for the City of Houston and working at Gartner, she now advises state, local government, and education institutions on using data analytics to improve decision-making and operational outcomes. Her work has helped governments save billions for taxpayers by ensuring funds reach those who need them most.
Splunk Beyond Cybersecurity
While Splunk is often associated with cybersecurity, Dr. Carkhuff emphasized that it’s much more than that. Splunk is a versatile data analytics platform capable of:
- Monitoring and detecting fraud
- Ensuring program integrity
- Driving operational efficiency without reducing services
The platform consolidates data from disparate systems, allowing agencies to “speak the same language” across departments, bridging gaps between applications, servers, and networks.
Real-Time Fraud Detection
A key principle Dr. Carkhuff highlighted is the value of data in its early stages. Immediately after data is generated, ranging from seconds to minutes, it can be used for real-time detection and prevention of fraud. In her work with the State of New Jersey, early detection helped prevent nearly $8 billion in fraudulent unemployment payments during the pandemic.
As data ages, its primary value shifts toward audits, forensic investigations, and compliance. Understanding this data continuum is crucial for organizations seeking to prevent losses before they occur.
Types of Fraud and Threats
Fraud actors vary widely:
- Individual actors are usually driven by financial hardship and are easier to detect.
- Organized crime and nation-state actors are highly sophisticated, often operating outside the U.S., making them difficult to prosecute.
Splunk’s analytics capabilities, combined with machine learning, allow organizations to detect both obvious and subtle schemes. Dr. Carkhuff demonstrated how small details, such as extra spaces in address fields, can reveal major fraud schemes, including $12.5 million in fraudulent unemployment claims.
Multi-Layered Fraud Detection
Splunk enables a structured approach to fraud detection, analyzing a broad spectrum of data points, such as network logs, user behavior, and endpoint activity. Risk scoring helps investigators focus on high-priority cases, reducing investigative time from weeks to minutes. This efficiency accelerates legitimate payments and ensures resources are allocated effectively.
Data for Multiple Uses
One of the most compelling aspects of Splunk is the ability to use the same data sets for multiple purposes:
- Cybersecurity monitoring
- Fraud detection
- Operational insights (budgeting, forecasting, and efficiency improvements)
By breaking down data silos, organizations can maximize ROI while creating a more transparent and efficient operational environment.
Executive Dashboards and Outcomes
Dr. Carkhuff stressed the importance of executive dashboards, which communicate complex findings in a clear, actionable way. These dashboards are invaluable for:
- Securing funding from senior leadership
- Presenting actionable insights to governors, CEOs, or COOs
- Supporting law enforcement and legal proceedings
Dashboards can be customized for any audience, from analysts to executives, allowing for clear visualization of outcomes and impact.
Driving Efficiency in Government and Education
Beyond fraud and cybersecurity, Splunk helps organizations streamline operations and increase efficiency. Key areas include:
- Reducing mean time to detection for issues
- Recovering network bandwidth
- Detecting and preventing waste, fraud, and abuse
- Managing remote work security and productivity
- Ensuring operational resilience during system outages
Monitoring software licenses, employee activity, and financial transactions uncovers hidden savings and prevents unnecessary spending.
Conclusion
Data analytics, when harnessed effectively, is a powerful tool for preventing fraud, strengthening cybersecurity, and enhancing operational efficiency. Splunk equips government agencies and educational institutions with the tools to detect subtle threats, make informed decisions, and ensure resources are allocated where they matter most.
Dr. Tina Carkhuff’s work demonstrates that combining data analytics with structured processes, machine learning, and executive-level reporting is not just about technology. It safeguards public funds, enables efficient operations, and protects organizations from fraud and misuse.
]]>
Week Ending October 31, 2025
Executive Summary
This week was a reminder that even the systems built to protect us can become the source of risk. A newly discovered flaw in Windows Server Update Services (WSUS) (CVE-2025-59287) is being actively exploited, allowing attackers to distribute malicious “updates” across entire districts. If you still rely on WSUS, patch now and verify it’s properly segmented and using valid certificates before resuming normal sync operations.
Two recent incidents highlight why vigilance still matters. In New York, Voorheesville Central School District lost nearly $1 million in a fraudulent bank transfer tied to a likely business-email compromise. And in Texas, Uvalde CISD was forced to close schools after ransomware crippled phones, HVAC controls, and payroll – proof that classroom IT and building systems are now inseparable.
At the same time, there’s ongoing fallout from the PowerSchool / Salesforce integration issue, where stolen tokens and connected-app abuse exposed vendor environments. Even if you weren’t directly impacted, now is the time to ask vendors about their token management and connected-app reviews.
Add a Chrome / Chromium zero-day to the mix, and the pattern becomes clear: attackers are focusing on trusted tools – update servers, browsers, and cloud integrations. The best defense this week is a quick audit of the systems you assume are safe. A few minutes of validation today can prevent a very public problem tomorrow.
Itemized Findings
Microsoft WSUS Remote Code Execution (CVE-2025-59287) – Critical
It’s every patch admin’s nightmare: the tool you use to keep systems secure becomes the threat itself. That’s what’s happening with this new WSUS vulnerability, now being actively exploited in the wild. An attacker who gets in can use WSUS’s trusted update channel to push out malicious “updates” across your entire fleet – servers, desktops, everything.
For most districts, WSUS isn’t something people think about often; it just quietly does its job. That’s what makes this dangerous. If you’re still using it, patch immediately, make sure the server is isolated from the open internet, and confirm it’s only reachable by authenticated systems. Also verify that WSUS is enforcing TLS and valid code-signing certificates before distributing updates.
If you had any custom update rules or paused approvals in past years, now’s a good time to revisit those. A quick audit of your WSUS logs and update history since mid-October could tell you if anything unexpected slipped through.
If you have engaged Lockstep to manage your organization’s patching services, rest assured that we have already addressed this vulnerability.
Chrome / Chromium Zero-Day Exploit – Moderate
Browser vulnerabilities rarely make front-page news, but this one deserves attention. A new Chrome/Chromium flaw (CVE-2025-2783) has been spotted in real spyware campaigns. With so many student and staff devices running Chrome, one unpatched browser could become a quick entry point for attackers.
The good news is that Google has already issued a fix. Districts should enforce automatic browser updates wherever possible and restrict unnecessary extensions – particularly ones with access to tabs, cookies, or clipboard data. If your MDM can force a version baseline, this is a good week to use it.
For student devices, encourage short, simple messaging: “Restart your Chromebook today – it applies security updates.” It sounds trivial, but it works.
PowerSchool / Salesforce Integration Incident – Moderate
The trouble with cloud integrations is that no one really knows how many there are until something breaks. The latest example comes from a Drift–Salesloft–Salesforce token-theft campaign, which exposed a number of connected environments – including PowerSchool’s Salesforce-based customer-support portal.
Even if your district wasn’t directly involved, you’re still connected to that ecosystem. It’s worth asking every vendor that uses Salesforce whether they’ve rotated tokens or reviewed OAuth permissions in the past month. If your own district runs Salesforce, pull an inventory of connected apps and revoke anything you don’t actively use.
Voorheesville (NY) $1 Million Treasury Fraud – Moderate
This story is a familiar one, but it still stings: a district finance office gets an email that looks legitimate; a transfer is approved, and money disappears. Voorheesville Central School District in New York lost about $1 million this month in what appears to be a classic business-email-compromise case.
The district was able to recover part of the funds, but it’s another warning that financial controls matter just as much as firewalls. Dual approvals for every wire or ACH transfer, daily reconciliation, and a rule that any bank-account change must be verified by phone – those simple steps still stop the majority of these attacks.
Ransomware Impact on Uvalde CISD – Informational
Uvalde CISD in Texas spent nearly a week offline after a ransomware attack took down phones, HVAC controls, security cameras, and payroll systems. It’s a stark example of how “technology” in schools now goes well beyond the computer lab. When HVAC and door-access systems are connected to the same network as instructional tools, attackers can easily disrupt daily operations.
This incident didn’t involve data theft so much as plain old disruption – and that can be just as damaging. It’s a good moment to review how your operational technology (OT) is segmented from your instructional and administrative networks. Even a few simple VLAN and firewall-rule changes can dramatically reduce cross-impact.
Recommended Actions
- WSUS – Patch First, Verify Second
Install Microsoft’s out-of-band patch for CVE-2025-59287, confirm the server isn’t internet-exposed, enforce TLS, and validate update signatures. Check logs for unusual activity since mid-October; small anomalies now may prevent a big cleanup later.
- Browsers – Close the Zero-Day Window
Push the newest Chrome/Edge update and prune unnecessary extensions. Managed Chromebooks can update silently; for unmanaged ones, a quick “restart today” message is often enough.
- Third-Party SaaS – Trust, but Verify
Ask vendors tied to Salesforce or PowerSchool if they’ve rotated tokens or audited app permissions. Short-lived tokens and least-privilege scopes are the goal. Review your own Salesforce connected-app list while you’re at it.
- Finance Offices – Rehearse the Basics
Dual approvals and call-backs still stop most treasury fraud. Host a 30-minute tabletop with your business office this month; it’s time well spent.
- OT Segmentation – Prevent Collateral Damage
Work with facilities to map HVAC, cameras, and access controls. Separate them from instructional networks with VLANs and firewall rules. It’s the simplest form of resilience you can build.
What Next?
If any of these issues raise questions about your own environment, don’t hesitate to reach out to your Lockstep Account Executive. Whether it’s a quick conversation about patching priorities, or a deeper look at your district’s readiness around WSUS, browser security, or third-party integrations, our team can help you assess where things stand and what steps would make the biggest difference. Sometimes a short, focused review is all it takes to turn concern into confidence.
Contact us
Every October, Cybersecurity Awareness Month, led by CISA and the National Cybersecurity Alliance, reminds us of a truth we sometimes overlook behind every cyberattack are real people. Students are unable to access online classes. Patients whose data and trust have been compromised. Communities facing disruptions to essential services.
At Lockstep Technology Group, we believe cybersecurity is not just about protecting systems. It is about protecting the people those systems serve. Security is not a technical checkbox; it is an act of stewardship.
The Evolving Threat Landscape
Cyber threats in 2025 are more complex, targeted, and patient than ever before. Breaches rarely start with dramatic exploits. More often, they begin quietly with a single overlooked patch, a reused password, or a carefully crafted phishing email.
Once inside, attackers move laterally, escalate privileges, and blend in with legitimate system activity. Increasingly, they exploit supply chains, where one vulnerable vendor can expose an entire ecosystem of trusted organizations.
Identity has become the most common point of compromise. CISA reports that most breaches begin with stolen credentials or phishing attempts. That makes identity and access management, including multifactor authentication, privileged access controls, and continuous monitoring, a cornerstone of modern defense.
Turning Awareness into Action
Awareness is only valuable when it leads to measurable action. True resilience comes from translating awareness into habits, controls, and cultural norms. Organizations can begin by strengthening identity management, maintaining disciplined patching and monitoring practices, and regularly testing incident response plans.
Equally important is securing the supply chain. Understanding which vendors have access to your systems, ensuring their controls meet your standards, and maintaining visibility across all integrations are key to minimizing risk.
Yet beyond technology and process lies something deeper: a mindset of shared responsibility.
Building a Culture of Cyber Resilience
Technology can only go so far without people who are equipped and empowered to use it well. Building a culture of cybersecurity means creating an environment where employees report suspicious activity without hesitation, where training is ongoing and relevant, and where security is embedded in everyday operations rather than treated as an afterthought.
At Lockstep, we work alongside schools, healthcare providers, and government agencies to cultivate that culture. Our role is not limited to deploying tools or running assessments. We partner with mission-driven organizations to ensure their people and technology move in lockstep. Through continuous monitoring, penetration testing, identity programs, and vendor risk management, we help organizations progress beyond compliance toward true resilience.
Committed to a Safer, Stronger Future
Cyber threats will continue to evolve, but so can we. By combining strong technical foundations with a culture of vigilance, organizations can withstand disruptions and recover with confidence.
This Cybersecurity Awareness Month, let us commit to more than awareness. Let us commit to partnership, preparedness, and people. Resilience begins when technology and humanity move forward together.
If your organization is ready to take the next step, Lockstep Technology Group is ready to walk beside you.
Contact us today to begin building a safer, stronger future together.
Technology has become part of how every classroom learns, connects, and operates. In digital classrooms, the most valuable asset is not just instructional content. It is student identity. Each login, cloud account, and connected app represents personal data that must be protected carefully.
As schools adopt AI tools, cloud platforms, and personalized learning systems, those identities become the primary gateway for both innovation and risk.
Focusing on identity protection helps schools strengthen trust within their communities while keeping students’ information and learning environments secure.
The Real Risk Behind a Compromised Account
When a student or staff account is compromised, it rarely stops at one login. Attackers can use those same credentials to move laterally across systems, from email and cloud storage to gradebooks, learning management platforms, and even payroll data. What begins as a single password breach can quickly turn into unauthorized access to personally identifiable information (PII), student records, and financial data.
It can expose sensitive information about students and families, disrupt classroom activities, and damage community trust. For educators, it can mean locked accounts, lost instructional time, and long recovery processes. For districts, it often brings reputational harm and costly remediation.
Core Pillars of an Identity-Centric Defense
To make your identity strategy meaningful and sustainable, focus on these foundational pillars:
- Multi-Factor & Adaptive Authentication
MFA should be enabled for everyone in the school environment, including students, staff, and contractors. Whenever possible, use risk-based authentication. Ensure break-glass accounts exist only under tight controls and review. - Least Privilege & Just-In-Time Access
Avoid giving broad permissions by default. Grant roles that match the minimal access needed. Use just-in-time elevation for higher privileges when tasks demand it and clearly expire or revoke those roles when the task is done. - Behavorial Monitoring & Anomaly Detection
Layer identity analytics on top of your environment. Monitor for odd behaviour’s (unusual login times, mass downloads, spikes in API calls). Flag and step up authentication when anomalies appear. Don’t wait for a full-blown incident. - Identity Lifecycle & Deprovisioning Discipline
Make offboarding and role changes automatic. When a student graduates, or a teacher role shifts, their associated accounts and tokens must be disabled immediately. Review dormant accounts periodically and remove what’s no longer needed. - Harden Identity Infrastructure & Adopt Zero Trust Mindset
Keep your login and account management systems secure and up to date. Use secure protocols (SAML, OIDC) and limit exposure of identity endpoints. Operate with a “never trust, always verify” mindset and treat each access request as potentially untrusted.
Strengthening Your Identity Strategy
Once the foundational controls are in place, these supporting practices will help your identity defenses adapt and stay ahead.
- Run Identity-Focused Simulations
- Vet & Harden EdTech Integrations
- Elevate Identity Awareness Culture
- Ensure Identity-Aware Incident Coverage
- Embed Identity into Leadership Thinking
These small but continuous improvements make identity protection not just a policy, but an operational habit.
Moving Forward with Confidence
Protecting student identities isn’t just about technology. It’s about preserving trust across your entire learning community.
If you’d like to understand how mature your current identity protections are or explore where your biggest vulnerabilities may lie, Lockstep Technology Group can help.
Contact us to schedule a tailored cybersecurity and identity assessment for your district.