School Security: What One School Learned from Penetration Testing

Lessons in Security

On the surface, they were doing everything right. Our private high school customer had a good IT budget, a skilled IT team, modern, quality infrastructure and a focus on security. They had firewalls that were suited to the job. Still, conscious of their responsibility to the families and staff that make up their community, the school’s directors wanted to make sure. So they commissioned TechPath’s security team to conduct penetration testing.

IT Penetration Testing

As is typical, we started as any hacker would, with no passwords and no knowledge of the systems the school used. Penetration testing is about approaching from the outside-in. This is often followed by an inside test, which checks configuration of equipment to ensure best practice. Holes are, of course, easier to find from inside.

In the case of this well-resourced school, with its skilled staff and solid systems, one of our security team was able to find a vulnerability and penetrate defences. Within six hours our specialist had gained full access to their servers and data.

We made recommendations on how to patch the vulnerability, as well as some prevention measures that would make their environment more robust. The school has signed up for the next step, an internal review, to complete the picture.

How Security Vulnerabilities Happen

Some of the most common weaknesses we encounter are not hard to fix, they just take time. Given that IT teams are busy, staff change and – as was the case here – there is little time at the end of projects to go back and review impacts on security. The intent is there, but other projects become new priorities.

For schools without a large IT team, resources can be limited, and systems may be less frequently updated. Whether it is time to apply patches, or more comprehensive issues like upgrading from Windows 7 as it nears end-of-life, hackers aren’t slow to exploit weaknesses.

Schools and the New Data Protection Laws

In the final quarter of 2018, schools were among the top four most breached industry sectors, according to the Office of the Australian Information Commissioner (OAIC). School’s are required to report breaches, but many are still unaware of their obligations under the laws introduced in 2018. It is something that is important to get to grips with, not only because there are fines for non-compliance, but because the associated reputation loss could be a tough blow when convincing parents to trust their children in your hands.

School Security Considerations

It isn’t surprising that schools make a tempting target, but there are some simple things that will immediately reduce risk. We look at user awareness, as well as physical security, such as where servers are located, network configuration, software updates, and authentication methods. Two factor authentication is especially important – and with Office 365, it can now be installed as an app on smartphones.

The way passwords are stored is often an issue. The configuration around passwords, the required complexity and how often changes are forced always come into play. A strong password policy alone can make immense difference.

Our security experts are exposed to the world of new vulnerabilities and hackers daily, and given how fast threats emerge, it takes this full-time focus to keep up. Enlisting our help meant that student data didn’t get into the wrong hands. Keeping youngsters safe as they grow and learn is, after all, something they take very seriously.

Time to check vulnerabilities at your school, or need to chat about easy ways to increase security and meet new data protection obligations? Contact our friendly security experts today.

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-october-31-december-2018