Our Key Findings from the Cyber Vulnerability Assessments of Schools
By Adam Willmott - December 23, 2020
The ongoing pandemic has forced schools to conduct classes from home, which has given cybercriminals an increasing number of threats and loopholes to exploit.
Our teams conducted more than 10 vulnerability assessments in the month of November 2020, and shared the findings through a webinar in which representatives of over 60 schools participated.
The assessments were done on the assumption that a perpetrator has already compromised a device or an account and is within the firewall of the school. This means they have successfully gained access, know the internal weaknesses, and can further elevate their attack to gain privileges within the network.
Cyber attacks in the education sector have surged drastically in this pandemic year as schools shifted their classes online. According to a Microsoft report on global threat monitoring activity, the education sector accounted for 63% of the attacks recorded.
In-house developed systems posed a greater risk than software applications supplied by commercial providers.
Hackers have targeted teachers’ devices and planted malware in curriculum material, which teachers then shared, unknowingly spreading the malware onto students’ devices.
They have also started using social engineering: joining teachers’ forums on social media websites and building trust by sharing material. A further motive is to collect information on schools in different regions and identify which are soft targets to attack.
Here are some of the key findings from our assessments:
1. Weak access permissions on network shares
We found that data on organisations’ network shares is often protected by weak access permissions, or worse, by no access permissions at all. Shares are frequently created for convenience within the organisation rather than designed around the function they serve, which can leave the data held on them exposed. We also found weaknesses in Network Attached Storage (NAS) devices that were not joined to the central authentication platform and are used to host data deemed too large for local file servers or cloud environments.
It is important that all network shares are secured with appropriate authentication mechanisms, linked to a central identity management platform such as Active Directory.
To combat this, organisations should audit shares and their applied permissions regularly in order to understand where their data is, and most importantly, how it is secured.
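An added example (not from the article or 9ine) of the share audit recommended above: it reads a constructed CSV export in the shape of PowerShell's Get-SmbShareAccess output and flags shares where Everyone-style principals can write, or where a principal does not belong to the assumed SCHOOL Active Directory domain (a local NAS account, for instance).

```python
import csv
import io

# Principals that include anyone who can reach the share; granting them write
# rights is a weak permission. Names are as Windows reports them (no domain).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "anonymous logon", "guest"}
WRITE_RIGHTS = {"change", "full"}

# Constructed sample in the shape of a CSV export of Get-SmbShareAccess
# (Name, AccountName, AccessControlType, AccessRight); not data from a real school.
SAMPLE_EXPORT = """\
Name,AccountName,AccessControlType,AccessRight
Staff,SCHOOL\\Staff,Allow,Change
Staff,SCHOOL\\IT-Admins,Allow,Full
Curriculum,Everyone,Allow,Full
Curriculum,SCHOOL\\Teachers,Allow,Change
Finance,SCHOOL\\Finance,Allow,Change
Finance,Everyone,Deny,Full
Backups,NAS\\admin,Allow,Full
"""

def is_broad(account):
    """True for Everyone-style principals, ignoring any DOMAIN\\ prefix and case."""
    return account.rsplit("\\", 1)[-1].strip().lower() in BROAD_PRINCIPALS

def is_domain_account(account, domain):
    """True when the principal belongs to the central directory domain."""
    return account.upper().startswith(domain.upper() + "\\")

def audit_share_acl(csv_text, domain="SCHOOL"):
    """Return {share: [finding, ...]} for every share whose ACL looks weak.
    Rules: broad principals must not hold write rights, and every principal
    should come from the central domain (`domain`), not a local NAS account."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"].strip().lower() != "allow":
            continue  # Deny entries only ever tighten access
        account = row["AccountName"].strip()
        right = row["AccessRight"].strip()
        problems = findings.setdefault(row["Name"], [])
        if is_broad(account):
            if right.lower() in WRITE_RIGHTS:
                problems.append(f"{account} has {right} access")
        elif not is_domain_account(account, domain):
            problems.append(f"{account} is not a {domain} domain account")
    return {share: p for share, p in findings.items() if p}
```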
2. Misconfigured systems causing security risks
The vulnerability scans regularly picked up misconfigurations across a number of core systems such as:
Default ports open, including Telnet & FTP
Expired SSL certificates
TLS 1.0 & 1.1 still enabled
If we identify these weaknesses in one system, we typically find them across several on the same network, meaning that the appropriate controls are not in place when systems are implemented and managed.
Manual checks to identify these misconfigurations are time-consuming and hard to report on consistently, so it is recommended that automated tools are employed to identify these weaknesses.
3. Weak authentication mechanisms in place
We are finding more and more organisations with systems that are still protected only by default credentials: they have been set up and the default administrator username and password have been left in place.
These details are easy to find as they are widely published on the internet. For our cybersecurity team, this is an easy way to expose organisational data, access core infrastructure services, and traverse throughout the network to cause significant disruption.
Some examples of such systems were:
Default passwords on core infrastructure systems/services
An open-source monitoring system with default credentials, which exposed the root password of an ESXi host
Default SNMP community name on infrastructure devices
4. End of Life (EoL) operating systems and services
Our scans still highlight operating systems that are no longer supported by the vendor. An unsupported operating system no longer receives critical security updates and is therefore vulnerable to exploitation.
If you are running any of the following, it is recommended that they are isolated and replaced as soon as practically possible.
Server 2003 EoL July 2015
Server 2008 EoL Jan 2020
Windows XP EoL April 2014
Windows 7 EoL Jan 2020
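The checks from finding 2 (open Telnet/FTP, expired certificates, TLS 1.0/1.1) and finding 4 (end-of-life operating systems) can be applied automatically to scan output. This is an added example, not the article's or 9ine's tooling; the inventory, host names and assessment date are constructed, and the EoL dates are the vendor's published end-of-support dates for the systems the article lists.

```python
from datetime import date
# Vendor end-of-support dates for the operating systems listed under finding 4.
EOL_DATES = {
    "windows server 2003": date(2015, 7, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
}
# Finding 2: default cleartext services left listening, and legacy TLS versions.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet"}
LEGACY_TLS = {"TLSv1.0", "TLSv1.1"}
ASSESSMENT_DATE = date(2020, 11, 15)  # assumed date within the November 2020 assessments

# Constructed sample inventory (hypothetical hosts), not data from a real school.
SAMPLE_SCAN = [
    {"host": "fs01", "os": "Windows Server 2008 R2", "services": [{"port": 23}, {"port": 445}]},
    {"host": "web01", "os": "Windows Server 2016",
     "services": [{"port": 443, "tls": ["TLSv1.0", "TLSv1.2"], "cert_not_after": date(2020, 9, 1)}]},
    {"host": "mis01", "os": "Ubuntu 20.04",
     "services": [{"port": 443, "tls": ["TLSv1.2", "TLSv1.3"], "cert_not_after": date(2021, 6, 1)}]},
]

def eol_for(os_banner):
    """Return the vendor EoL date if the banner names a listed OS, else None."""
    banner = os_banner.lower()
    return next((eol for product, eol in EOL_DATES.items() if product in banner), None)

def assess_host(record, today):
    """Apply the EoL, cleartext-service, legacy-TLS and expired-cert checks."""
    findings = []
    eol = eol_for(record.get("os", ""))
    if eol is not None and eol <= today:
        findings.append(f"OS unsupported since {eol.isoformat()}")
    for svc in record.get("services", []):
        port = svc["port"]
        if port in CLEARTEXT_SERVICES:
            findings.append(f"{CLEARTEXT_SERVICES[port]} open on port {port}")
        legacy = LEGACY_TLS & set(svc.get("tls", []))
        if legacy:
            findings.append(f"port {port} accepts {', '.join(sorted(legacy))}")
        expiry = svc.get("cert_not_after")
        if expiry is not None and expiry < today:
            findings.append(f"port {port} certificate expired {expiry.isoformat()}")
    return findings

def assess_inventory(records, today=ASSESSMENT_DATE):
    # Map each host that has at least one finding to its list of findings.
    report = {r["host"]: assess_host(r, today) for r in records}
    return {host: f for host, f in report.items() if f}
```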
5. Vulnerabilities exposed by weak patch management
Critical system updates are essential to the upkeep and security of your network. Regular maintenance plans are important, and your IT teams should have processes and structures in place to maintain updates across core services and systems.
Below are some examples of missing critical updates that we find when running vulnerability assessments.
Microsoft RDP RCE (CVE-2019-0708) (BlueKeep) (published May 2019)
MS17-010 - EternalBlue (published March 2017)
MS12-020 (Published March 2012)
All of the above can be mitigated by auditing your core network, being proactive and running regular vulnerability scans.
In summary, our findings showed fewer vulnerabilities on the external side of the network, as firewalls usually do a good job. The vulnerabilities were found in the internal IT infrastructure and in web application testing.
About 9ine's GRC App -
9ine is a leading cyber and compliance consultancy with expertise in IT, strategic management, data protection, and cyber security. The intellectual property and experience gained over the years have been converted into an app that helps schools manage their GDPR governance and compliance.
The 9ine app has been built on 3 modules:
Data Protection and Privacy
Safeguarding and child protection
Security and system (IT management)
At the governance level, the app enables you to manage your IT systems and services and, importantly, to report issues back to the highest levels of management within the school.
The App also has training videos, events, and news related to cybersecurity. With an additional upgrade, the app also has the feature for you to manage IT projects seamlessly.
ABOUT THE AUTHOR:
Adam is a Senior Technical Consultant with over 20 years’ experience in the IT sector, with a wide breadth of hands-on experience and a strong understanding of technologies, specialising in Cyber Security and Cloud Consultancy.