The threats schools face are becoming ever more sophisticated and targeted. Current trends, such as the use of zero-day vulnerabilities within edge devices and services such as firewalls, VPNs, and file-sharing solutions, are leading to greater risks to our schools.

Schools should be armed with all available information to prevent a cybersecurity incident. Penetration testing is an effective method of exposing the gaps in your school or trust’s systems.

To learn more about penetration testing for schools, I sat down with our Senior Penetration Tester, Daniel Binns.

Daniel is an OSCP and CRT-certified penetration tester with extensive experience designing and leading cybersecurity engagements to test network infrastructure and web applications within the financial and healthcare sectors.

We sat down to learn more about the threats schools face, and the eye-opening discoveries he has made in his first few months working with schools:

Q: What were your first impressions when you started conducting penetration testing for schools?

Daniel: The first thing that stood out to me was the significant disparity in resources compared to private sector companies. Enterprises with multi-million-pound revenues typically have advanced monitoring tools, sophisticated Endpoint Detection and Response solutions, and well-compensated IT staff. In contrast, schools often have limited funding and personnel, focusing primarily on maintaining operations and supporting the educational process.

Q: Can you share any specific instances where you found vulnerabilities in school systems that were particularly surprising or concerning?

One major issue I encountered was password security. In many schools, young children need logins, leading to password policies that are easy for them to remember and compromise. For example, expecting a six or seven-year-old to remember a 16-character password is unrealistic. Consequently, student accounts often have very simplistic passwords, making them easy targets for attackers. Additionally, I've seen cases where file share access is over-provisioned, leaving sensitive information like ID badges and financial records accessible due to insufficient hardening practices.

“The first thing that stood out to me was the significant disparity in resources compared to private sector companies.”
- Daniel Binns on the difference in resources between schools and private sector companies 

Q: Are there any specific policies or procedures you believe schools fail to enforce adequately to protect their students and staff?

Password policies are a significant area of concern. Current guidelines recommend complex passwords, but these are impractical for young children. There's a need for more child-friendly security measures. Things like MyLogin’s use of emojis for logins which can improve security without making it too difficult for students. Regular vulnerability scanning is also lacking, mainly due to the cost and expertise required. Most schools don't have the resources for a comprehensive vulnerability management program, which exposes them to potential threats.

Q: How prepared do you find the average school is for a cyber-attack?

Generally speaking, schools are not well-prepared for cyber-attacks. They lack insight into potential exposures without regular vulnerability scanning and adequate monitoring tools. 

Q: What awareness and training programs do you think schools should have in place to better prepare students and staff for potential cyber threats?

Phishing awareness training is crucial, as phishing is a common attack vector. Educating staff and students on recognizing phishing attempts and signs of breaches, like multiple account lockouts, can help mitigate risks. Additionally, training teachers to understand the importance of strong passwords and basic cybersecurity principles would greatly benefit overall security.

Q: Are there any cyber threats that schools should be aware of and start preparing for?

Ransomware and data extortion are both growing and evolving threats. Attackers increasingly extracting sensitive data and are threatening to leak it publicly to force payment. This is particularly concerning for schools due to the sensitive nature of student data. Preparing for such threats involves having robust security measures in place to prevent breaches and mitigate the impact if one occurs.

Q: What are the most rewarding aspects of your role as a penetration tester working with schools?

It's incredibly rewarding to help schools identify and address vulnerabilities they've never been aware of before. Unlike large enterprises, many schools have never undergone a penetration test or vulnerability scan. Knowing that my work helps protect these educational institutions, making it harder for attackers to exploit them, is very fulfilling. Closing these security gaps means attackers are more likely to move on to easier targets, which significantly improves the security posture of the schools I work with.

Q: What advice would you give someone looking to pursue a career in penetration testing, particularly in the education sector?

Foundational knowledge is crucial. Understanding networking, Windows and Unix operating systems, and various security tools is essential. Practical experience through labs and platforms like Hack The Box is invaluable. Basic certifications like Cisco's CCNA and more advanced ones like OSCP are beneficial. When applying your skills to the education sector, be aware that the same technologies used in business are present, but the extent of hardening differs. Tailoring your recommendations to account for the unique challenges in educational environments is key.

To learn more about how Secure Schools can help your school or trust become more resilient against cyber threats, check out our website. 

You can also sign up for a 30-day free trial on the Secure Schools platform here.