Starting off, and being 100% transparent. It wasn’t just seven random schools. As a general rule (subject to the availability of our team), when a potential new client school comes to 9ine to inquire about our products or services, we generally then do a non-invasive cyber assessment of the school. Likewise, when we’re at an exhibition or conference, we market our free ‘HackAttack’, which is a free cyber assessment of your school while you wait. The tactics we use are the same as any potential hacker.
We externally assess the school systems and services that face the internet—this includes things like any web servers, firewalls, network ports, websites, email servers, and the like. We’re looking to find any system or service that hasn’t had the latest security updates applied. Much like your computer at home or smartphone, all those systems and services facing the internet need continuous monitoring for updates. If an update hasn’t been applied, we will immediately know. Then, using available code from the "dark web" (other sources are available, such as the normal internet), we can then seek to compromise that vulnerability and then escalate our privileges within the school systems.
Our assessment is non-invasive, which means that we ‘look’ but we don’t touch. We observe the vulnerability and identify how we could inject malicious code or other nefarious actions, but we don’t actually do it—unless, that is, a school specifically wants to know how quickly we can get from the internet to, say, their student information system. And that is called a cyber penetration test. A little lesson here. In most cases, you don’t need a cyber penetration test—all you need to know is what is vulnerable and how to fix it.
- School office@ or info@ email accounts
In six out of seven schools, the generic email accounts for the schools' credentials are posted online. This means the username and either the current or previous password for the inbox were available. If the password was still the existing password, then the email account would be accessible unless there was multi-factor authentication or other security controls. Interestingly, out of the six accounts in two schools, the ‘admissions@’ inbox and the ‘bursar@’ inbox also had the credentials available online. All slightly concerning!
- Microsoft hosts
Three out of the seven schools had ‘critical’ and when I say 'critical', I mean scary critical—like Halloween scary vulnerabilities. One school had a vulnerability that allowed a hacker to inject code to take control of the Microsoft Exchange server, then escalate privileges to drop malware and encrypt the entire network. All these vulnerabilities are facing the internet, which means they are publicly available for anyone to find, anyone to compromise, and consequently, attack the schools. The other two schools had vulnerabilities that would allow us to compromise the server architecture and then escalate our privileges across the server estate—essentially leading to the delivery of a malware payload.
Four out of the seven had vulnerabilities within the school websites. The vulnerabilities expose the schools to a number of different scenarios. First, someone could take control of the website, changing the text, images, and pages. Second, if the website has any forms, private areas, or other sensitive information, that data could be exfiltrated—exposing the individuals whose data has been lost to fraud or other types of damage or distress. Third, if the website is connected to any other school systems, there is the possibility a hacker could navigate from the website to the school systems. And lastly, any user accounts and passwords used to administer the website could be decrypted and used to gain access to school systems (if they are the same).
These results are generally comparable with the outcome of vulnerabilities we find when we’re engaged by a school to complete a top-to-bottom vulnerability or systems and security audit. For those of you reading this, it is likely that one or more of the vulnerabilities above will affect your school. It’s worth noting that even if you had a cyber vulnerability assessment a few months back, more vulnerabilities would have been published and therefore need to be identified within your school systems and mitigated.
It’s important to consider the total attack surface for your school. In most schools, the website isn’t the responsibility of the IT department. It’s the responsibility of marketing, admissions, or advancement. Likewise, the security provided to shared mailboxes is often determined by the department or users who share the mailbox. The split in responsibility between these components of a school's cyber attack surface dilutes a school’s ability to adequately defend itself. And lastly, vulnerable servers facing the internet—an attacker is likely to get into your school from two entry points. The first through Phishing, and then escalating through your network as a consequence of poor network security (ACLs, PLA, and so on). The other is an open gate on your internet-facing services and servers. By having a healthy approach to managing vulnerabilities in these areas, you can more easily protect yourself from a cyber attack.
9ine has a range of products and services to support your school in managing cyber threats. Take a look and get in touch if you need more information:
- 9ine’s Network Security suite provides tech teams with a comprehensive programme of work and supporting resources to audit, configure, and upgrade network security, giving confidence in their cyber protection and performance of network systems.
- Cyber Vulnerability Assessment, internal and external scanning and reporting on cyber vulnerabilities that need attention.
- Security & Systems Audit, a comprehensive audit of the configuration, capacity, technical, and security operations of your IT systems and services.
In contacting 9ine to learn more about our services, you may be lucky and chosen to have our cyber security team assess your external IT vulnerabilities.