In our last blog, “How secure is your school from Cyber attacks?” we outlined that schools need to move from defensive to offensive measures against cyber attacks, and the first step listed was to identify all your vulnerabilities. The only way to do this is to perform a point-in-time assessment of your systems and services through a penetration test.
These actions are supported by the latest consultation from the Department for Education in the UK, which touches upon the approach to cyber risk identification and where schools are obligated to put in place mitigating actions. This guidance is something we expect to cascade to British curriculum International Schools in due course. The advice is also mirrored in a recently re-released 2017 blog from the UK's National Cyber Security Centre (NCSC), which provides general guidance to both the public and private sector: “Sometimes a pen test is the best test”.
A penetration test will provide you with a point-in-time analysis of your school’s susceptibility to a cyber attack. The tests will identify and assess the vulnerabilities that pose a threat to your school’s environment. Once identified, the assessment will determine the probability and magnitude of the possible threats, vulnerabilities or risks associated with your school’s systems or services.
Through 9ine’s Cyber Defence Essentials service, our penetration tests will provide your school with:
For more information on our cyber services, arrange a call with one of our experts.
9ine provides free, virtual leadership training in the areas of data protection & security and systems in education.
The tests below all form part of 9ine's Cyber Defence Essentials services and will form part of a school’s holistic approach to security and compliance.
1. Internal Penetration Test - these tests simulate attacks on the school’s internal systems and services as if performed by a malicious insider or an external attacker who has already successfully penetrated the school’s perimeter defences (firewall, public-facing services etc.). These tests are generally looking for:
2. External Penetration Test - these tests mimic the behaviour of a hacker whose aim is to identify and exploit vulnerabilities found in the school’s external-facing systems and services, such as email servers, MIS servers, remote access terminals, homegrown and third-party VLEs etc. These tests are generally looking for:
3. Web Application Penetration Test - these tests are aimed at individual web applications and assess the security level and posture of the web application itself (not any underlying hardware). The tests gauge the strength of the web application for both manual and automated security testing. Some of the procedures used within the simulated attacks include:
Cyber security testing should be part of the school’s annual and ongoing assessment of its risk and susceptibility to attack. Keeping on top of emerging trends and ever-evolving exploits of existing and emerging vulnerabilities is key to maintaining a strong security posture. New vulnerabilities and new exploits are crafted every day. Keeping on top of your systems and services with best practices, such as regular, planned software and security maintenance and supporting regular testing, will ensure your school is in the best position it can be to offensively defend against cyber attack.
Yes! 9ine have been involved in investigating numerous cyber attacks over the last 6 months. These range from common unsophisticated mass mail phishing campaigns, through to highly sophisticated socially engineered spear-phishing (targeted department e.g. finance) and whale-phishing (direct attack - the bursar).