How to Assess Your School’s Vulnerability to Cyber Attacks
By Dan Cleworth - January 15, 2019
How is a vulnerability assessment achieved?
In our last blog, “How secure is your school from Cyber attacks?”, we outlined that schools need to move from defensive to offensive measures against cyber attacks, and that the first step is to identify all your vulnerabilities. The only way to do this is to perform a point-in-time assessment of your systems and services through a penetration test.
These actions are supported by the latest consultation from the Department for Education in the UK, which touches on the approach to cyber risk identification and the areas where schools are obliged to put mitigating actions in place. We expect this guidance to cascade to British curriculum international schools in due course. The advice is also mirrored in the UK National Cyber Security Centre (NCSC) blog “Sometimes a pen test is the best test”, first published in 2017 and recently re-released, which provides general guidance to both the public and private sectors.
So, what will a “pen test” give our school?
A penetration test will provide you with a point-in-time analysis of your school’s susceptibility to a cyber attack. The tests identify and assess the vulnerabilities that pose a threat to your school’s environment. Once these are identified, the assessment determines the probability and magnitude of the possible threats, vulnerabilities or risks associated with your school’s systems or services.
Through 9ine’s Cyber Defence Essentials service, our penetration tests will provide your school with:
A list of identified vulnerabilities (point-in-time analysis)
The likelihood of your current vulnerabilities being exploited
The tangible and intangible risk impact of an exploitation
A series of actions or mitigating steps to resolve or reduce the vulnerability
Support if and when a vulnerability is realised
Penetration tests are usually broken down into three main areas:
1. Internal Penetration Test - these tests simulate attacks on the school’s internal systems and services as if performed by a malicious insider, or by an external attacker who has already penetrated the school’s perimeter defences (firewall, public-facing services etc.). These tests generally look for:
Vulnerabilities that allow a remote attacker to take control of systems or access sensitive data
Misconfigured systems (missing patches and security updates)
Default passwords (system accounts, common passwords, default admin accounts etc.)
Outdated software that can lead to exploitation and data extraction
Presence of open or unsecured ports
2. External Penetration Test - these tests mimic the behaviour of an attacker whose aim is to identify and exploit vulnerabilities in the school’s external-facing systems and services, such as email servers, MIS servers, remote access terminals, and homegrown and third-party VLEs. These tests generally look for:
Forms and parameters accepting malicious commands
Vulnerabilities that allow extraction of data or unauthorised access
Out of date plugins and components
Improperly configured and unsecured services
Configurations that allow escalation of privileges
3. Web Application Penetration Test - these tests target individual web applications and assess the security posture of the application itself (not the underlying hardware). The tests gauge the application’s resilience through both manual and automated security testing. Some of the procedures used within the simulated attacks include:
Brute force attack testing
Script injection and broken access control
Session cookie exploitation
User authorisation process manipulation
SQL injection and OS command injection
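As an added illustration of two of the web application procedures listed above, SQL injection and brute force testing, here is a constructed login handler (example code written for this page, not code from 9ine or the original post): a concatenated query beside its parameterised form, plus a per-account lockout, the control a brute-force test expects to find. The user table, account names and passwords are all constructed for the example.

```python
import sqlite3
from collections import defaultdict

def make_db():
    # Constructed in-memory user table standing in for a school portal's login
    # store (plaintext passwords only to keep the example short).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('bursar', 'S3cret!', 'finance')")
    return db

def login_vulnerable(db, username, password):
    # Query built by string concatenation: a quote or comment sequence in the
    # input is parsed as SQL, which is exactly what an injection test probes.
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    # Parameterised query: the driver binds the input as data, never as SQL.
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

class LoginGuard:
    """Counts failed logins per account and locks it after a threshold,
    the control a brute-force test expects to find in place."""
    def __init__(self, db, max_failures=5):
        self.db, self.max_failures = db, max_failures
        self.failures = defaultdict(int)

    def attempt(self, username, password):
        if self.failures[username] >= self.max_failures:
            return "locked"  # refused even with the right password once locked
        role = login_hardened(self.db, username, password)
        if role is None:
            self.failures[username] += 1
            return "denied"
        self.failures[username] = 0
        return role

def brute_force_outcomes(max_failures=3):
    # Drive the guard with wrong passwords, then the correct one.
    guard = LoginGuard(make_db(), max_failures)
    results = [guard.attempt("bursar", f"guess{i}") for i in range(max_failures)]
    results.append(guard.attempt("bursar", "S3cret!"))
    return results
```

With the username `bursar' --` the concatenated query returns the bursar's role without a valid password, while the parameterised query rejects it; the guard reports "locked" on the fourth attempt even though that attempt carries the correct password.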
How often should we do this?
Cyber security testing should be part of the school’s annual and ongoing assessment of its risk and susceptibility to attack. Keeping on top of emerging trends and the ever-evolving exploits of existing and newly discovered vulnerabilities is key to maintaining a strong security posture. New vulnerabilities and new exploits are crafted every day. Keeping on top of your systems and services with best practices, such as regular, planned software and security maintenance and regular testing, will put your school in the best position it can be in to defend proactively against cyber attack.
Are we in danger, have schools been attacked?
Yes! 9ine have been involved in investigating numerous cyber attacks over the last 6 months. These range from common, unsophisticated mass-mail phishing campaigns through to highly sophisticated, socially engineered spear-phishing (targeting a department, e.g. finance) and whale-phishing (a direct attack on a senior individual, e.g. the bursar).