Starting off, and being 100% transparent. It wasn’t just seven random schools. As a general rule (subject to the availability of our team), when a potential new client school comes to 9ine to inquire about our products or services, we generally then do a non-invasive cyber assessment of the school. Likewise, when we’re at an exhibition or conference, we market our free ‘HackAttack’, which is a free cyber assessment of your school while you wait. The tactics we use are the same as any potential hacker.
We externally assess the school systems and services that face the internet—this includes things like any web servers, firewalls, network ports, websites, email servers, and the like. We’re looking to find any system or service that hasn’t had the latest security updates applied. Much like your computer at home or smartphone, all those systems and services facing the internet need continuous monitoring for updates. If an update hasn’t been applied, we will immediately know. Then, using available code from the "dark web" (other sources are available, such as the normal internet), we can then seek to compromise that vulnerability and then escalate our privileges within the school systems.
Our assessment is non-invasive, which means that we ‘look’ but we don’t touch. We observe the vulnerability and identify how we could inject malicious code or other nefarious actions, but we don’t actually do it—unless, that is, a school specifically wants to know how quickly we can get from the internet to, say, their student information system. And that is called a cyber penetration test. A little lesson here. In most cases, you don’t need a cyber penetration test—all you need to know is what is vulnerable and how to fix it.
Results
These results are generally comparable with the outcome of vulnerabilities we find when we’re engaged by a school to complete a top-to-bottom vulnerability or systems and security audit. For those of you reading this, it is likely that one or more of the vulnerabilities above will affect your school. It’s worth noting that even if you had a cyber vulnerability assessment a few months back, more vulnerabilities would have been published and therefore need to be identified within your school systems and mitigated.
Takeaway
It’s important to consider the total attack surface for your school. In most schools, the website isn’t the responsibility of the IT department. It’s the responsibility of marketing, admissions, or advancement. Likewise, the security provided to shared mailboxes is often determined by the department or users who share the mailbox. The split in responsibility between these components of a school's cyber attack surface dilutes a school’s ability to adequately defend itself. And lastly, vulnerable servers facing the internet—an attacker is likely to get into your school from two entry points. The first through Phishing, and then escalating through your network as a consequence of poor network security (ACLs, PLA, and so on). The other is an open gate on your internet-facing services and servers. By having a healthy approach to managing vulnerabilities in these areas, you can more easily protect yourself from a cyber attack.In contacting 9ine to learn more about our services, you may be lucky and chosen to have our cyber security team assess your external IT vulnerabilities.