How to Assess Your School’s Vulnerability to Cyber Attacks

How is A Vulnerability Assessment achieved?

In our last blog, “How secure is your school from Cyber attacks?” we outlined that schools need to move from defensive to offensive measures against cyber attacks, and the first step listed was to identify all your vulnerabilities. The only way to do this is to perform a point in time assessment of your systems and services through a penetration test.

These actions are supported by the latest consultation from the Department for Education in the UK, who touch upon the approach to cyber risk identification and where schools are obligated to put in place mitigating actions. This guidance is something we expect to cascade to British curriculum International Schools in due course. To further support the dissemination of advice, it is also mirrored in the UK's National Cyber Security Centre (NCSC) recently re-released 2017 blog, which provides general guidance to both the public and private sector - “Sometimes a pen test is the best test”.

So, what will a “pen test” give our school?

A penetration test will provide you with a point in time analysis of your school’s susceptibility to a cyber attack. The tests will identify and assess the vulnerabilities that pose a threat to your school’s environment. Once identified, the assessment will determine the probability and magnitude of the possible threats, vulnerabilities or risks associated with your school’s systems or services.

Through 9ine’s Cyber Defence Essentials service, our penetration tests will provide your school with:

• A list of identified vulnerabilities (point in time analysis)
• The likelihood and probability of the exploitation of your current vulnerabilities
• The tangible and intangible risk impact of an exploitation
• A series of actions or mitigating steps to resolve or reduce the vulnerability
• Support if and when a vulnerability is realised
  

For more information on our cyber services, arrange a call with one of our experts.

9ine provides free, virtual leadership training in the areas of data protection & security and systems in education. 

Penetration tests are usually broken down into three main areas:

The below tests all form part of 9ine's Cyber Defence Essentials services and will form part of a school’s holistic approach to security and compliance.

1. Internal Penetration Test - these tests simulate attacks to the school’s internal systems and services as if performed by a malicious insider or an external attacker who has already successfully penetrated the school’s perimeter defences (firewall, public-facing services etc). These tests are generally looking for:

• Vulnerabilities that allow a remote hacker to control or access sensitive data
• Misconfiguration of systems (missing patches, security updates)
• Default passwords (system accounts, common passwords, default admins etc)
• Outdated software that can lead to exploitation and data extraction
• Presence of open or unsecured ports
  

2. External Penetration Test - these tests mimic the behaviour of a hacker whose aim is to identify and exploit vulnerabilities found in the schools external facing systems and services, such as email servers, MIS servers, remote access terminals, homegrown and 3rd partly VLE’s etc. These tests are generally looking for:

• Forms and parameters accepting malicious commands
• Vulnerabilities that allow extraction of data or unauthorised access
• Out of date plugins and components
• Improperly configured and unsecured services
• Configurations that allow escalation of privileges
  

3. Web Application Penetration Test - these tests are aimed at individual web applications and assess the security level and posture of the web application itself (not any underlying hardware). The tests gauge the strength of the web application for both manual and automated security testing. Some of the procedures used within the simulated attacks include:

• Brute force attack testing
• Script injecting and broken access control
• Session cookie exploitation
• User authorisation process manipulation
• SQL injection and OS command injection
  

How often should we do this?

Cyber security testing should be part of the school’s annual and ongoing assessment of their risk and susceptibility to attack. Keeping on top of emerging trends and ever-evolving exploits of existing and emerging vulnerabilities are key to maintaining a strong security posture. New vulnerabilities and new exploits are crafted every day. Keeping on top of your systems and services with best practices, such as regular, planned software and security maintenance and supporting regular testing, will ensure your school is in the best position it can be to offensively defend against cyber attack.

Are we in danger, have schools been attacked?

Yes! 9ine have been involved in investigating numerous cyber attacks over that last 6 months. These range from common unsophisticated mass mail phishing campaigns, through to highly sophisticated socially engineered spear-phishing (targeted department e.g finance) and whale-phishing (direct attack - the bursar). 

For more information about our Security & Systems Essentials service: