A penetration (often shortened to ‘pen’) test is an assessment designed to find weaknesses and vulnerabilities in your organisation’s cyber defences by actively trying to exploit them, not just listing them. It targets authentication issues, cross-site scripting problems, source code flaws, logic flaws, and insecure network configurations. Within the agreed scope, it tests the software and technical infrastructure that keep the systems in your school or trust up and running.
It sounds great. Why wouldn't I get one straightaway?
The exact format of a penetration test can depend on the interests or expertise of the person running it. External penetration testers can charge between £755 and £3,774 per day. Typically, medium complexity penetration tests extending over several weeks can start around £10,000 but can rise to well above £20,000 as complexity or scope increase.
Duration and, therefore, the cost will depend on the scheme of work agreed upon before the test starts. Schools and trusts have distinct and specific IT structures and arrangements. Non-specialists may not understand them and concentrate on the wrong things, leading to scope creep and increased cost.
Other activities exist which will cost less and are more appropriate for the level of resources and budget ordinarily available to schools and trusts. They are simple to undertake and will result in actions that a typical school or trust IT department can implement themselves. There is no need to pay for a full penetration test that reveals security weaknesses that can be identified and addressed internally. By working this way, you can save money to engage external resources for more complex work that you cannot perform yourself later.
You do not need a pen test to discover that cyber criminals can breach your network and infrastructure. They can, and probably more quickly than you think. In 2018, the UK’s digital, data and technology agency for tertiary education and research tested almost 100 FE/HE and research establishments. All were fully compromised within hours, many in considerably less time.
The six things to do before you commission a pen test
Get the basics done
A list of basic cyber security practices for schools and trusts can be worked through methodically. It would include implementing multi-factor authentication (MFA), establishing suitable back up protocols, switching the passwords on internet-enabled devices such as network switches, CCTV systems etc. from the default and encouraging users to use strong passwords for their devices.
Although not education specific, the National Cyber Security Centre’s 10 Steps to Cyber Security provides suitable guidance for trusts and larger schools.
Do an External Vulnerability Assessment (VAS)
Vulnerability assessment generally involves scanning a network with an automated tool to expose its security weaknesses; an external assessment scans from outside, as an attacker on the internet would see you. It will mainly surface missing patches and misconfigurations on exposed systems. You should include your website in the vulnerability assessment, as it is a possible entry point to other elements of your network. The NCSC offers its Web Check service free to public sector organisations, including schools.
Because the scanning is automated, it is much quicker than a manual test, follows pre-agreed protocols and standards, and can be repeated consistently to measure progress.
Patch or mitigate the vulnerabilities
The outcome of your initial vulnerability assessment will typically read like a frightening and long to-do list. In particular, you will probably have multiple software patches to implement. It can be overwhelming to decide the order in which you act on the vulnerabilities you now know to exist. Two public sources help. The US Cybersecurity and Infrastructure Security Agency publishes the Known Exploited Vulnerabilities (KEV) Catalog, a list of vulnerabilities that attackers are known to be exploiting in the wild; anything on that list should be fixed first, whatever its score. For everything else, the CVSS base score attached to each vulnerability (published in the US National Vulnerability Database) ranks severity from 0 to 10. Typically, you should urgently address anything scoring seven or above, starting with systems that face the internet.
VAS exposes vulnerabilities in your infrastructure and should provide details of available patches. However, implementing a patch can have a detrimental impact. You should assess the risk of installing a patch against the risk inherent in not doing so. Patching is not necessarily the only option, since not everything shown on the VAS will be internet/outside world facing. Other ways of mitigating a risk could be more appropriate for your situation. For example, if patching would have an undesirable effect, restricting network access to the vulnerable system, disabling the affected feature or service, or isolating the host on its own network segment can reduce the risk until a patch can be applied. Encrypting the data that a vulnerable system holds is a worthwhile control in its own right, but it does not on its own stop an attacker exploiting the vulnerability.
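The ordering described above (known-exploited first, then high CVSS on internet-facing systems, then the rest) is easy to get wrong when the scanner output runs to hundreds of rows. The following is an added example, not code from the original page or from RM, that applies those rules to a scanner export. The findings and the KEV extract are constructed sample data with placeholder CVE identifiers; the only assumption about the real CISA feed is that it is a JSON document whose `vulnerabilities` entries carry a `cveID` field.

```python
"""Triage vulnerability-scan findings: KEV first, then exposed high-severity, then the rest."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS base score as reported by the scanner
    internet_facing: bool  # reachable from outside the school network
    patch_available: bool  # vendor fix exists


# Constructed stand-in for the CISA KEV JSON feed; CVE IDs here are placeholders, not real entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCam", "product": "CCTV NVR"},
    ]
}

# Constructed scanner export, deliberately not in priority order.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0002", 9.8, internet_facing=True, patch_available=True),
    Finding("print-01", "CVE-0000-0004", 4.3, internet_facing=False, patch_available=True),
    Finding("cctv-01", "CVE-0000-0001", 6.5, internet_facing=True, patch_available=False),
    Finding("sims-srv", "CVE-0000-0003", 8.1, internet_facing=False, patch_available=True),
]


def load_kev_ids(feed: dict) -> set:
    """Collect the CVE IDs from a KEV-shaped feed document."""
    return {entry["cveID"] for entry in feed.get("vulnerabilities", [])}


def urgency(f: Finding, kev_ids: set) -> str:
    """Apply the page's ordering rules to one finding."""
    if f.cve in kev_ids:
        return "urgent: known exploited"
    if f.cvss >= 7.0 and f.internet_facing:
        return "urgent: high severity and exposed"
    if f.cvss >= 7.0:
        return "high: patch this cycle"
    return "routine: schedule or mitigate"


def action(f: Finding) -> str:
    """Patch where a fix exists; otherwise fall back to a compensating control."""
    if f.patch_available:
        return "apply vendor patch"
    return "no patch: restrict network access or disable the service until one ships"


def triage(findings, kev_ids: set):
    """Sort so KEV entries come first, then internet-facing, then by CVSS descending."""
    return sorted(
        findings,
        key=lambda f: (f.cve in kev_ids, f.internet_facing, f.cvss),
        reverse=True,
    )


def plan(findings, kev_ids: set):
    """Produce the ordered to-do list as (host, cve, urgency, action) tuples."""
    return [(f.host, f.cve, urgency(f, kev_ids), action(f)) for f in triage(findings, kev_ids)]


if __name__ == "__main__":
    for row in plan(SAMPLE_FINDINGS, load_kev_ids(KEV_SAMPLE)):
        print(" | ".join(row))
```

Note that `cctv-01` comes out first even though its CVSS score (6.5) is below seven: being on the KEV list outweighs the score, and with no patch available the recommended action is the network-level mitigation described above.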
Redo the VAS
Software and hardware vendors disclose new vulnerabilities constantly, and addressing the results from your first VAS is likely to be time-consuming. You should therefore conduct a second VAS once you have dealt with the vulnerabilities identified by the first. It is also possible that by fixing one problem, you create another, and the second scan is how you find out.
Patch or mitigate any new vulnerabilities
Hopefully, your VAS to-do list is much shorter the second time around, and less scary. However, new vulnerabilities need to be addressed.
Do a Threat Assessment
Threat assessments examine your technology infrastructure from the point of view of the cyber criminal trying to infiltrate it. The people you are simulating are doing this for financial gain, so think about what would be useful to them. Once you know what cyber criminals are interested in, you can design testing to simulate and counter that.
A threat assessment focuses on the human element of your cyber security. It will help quantify the threat that reaches your organisation through its people. For example:
- Is everyone’s training up to date?
- Does everyone understand and apply your organisation’s IT policies?
- Do the details of anyone in your organisation appear in previous data or password breaches?
- Are there high-value targets among your staff, parents or other stakeholders?
The kind of information revealed in a threat assessment can help reduce the likelihood of your organisation falling victim to phishing attacks, social engineering and business email compromise.
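One of the questions above, whether staff passwords already appear in previous breaches, can be answered without sending anyone's password to a third party. The following is an added example, not code from the original page or from RM. It uses the k-anonymity range lookup offered by the Have I Been Pwned "Pwned Passwords" service (assumption: the endpoint `https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>` returns `SUFFIX:COUNT` lines, as publicly documented); only the first five characters of the hash ever leave the network. The fetch function is injectable so the check can be exercised offline against a constructed response.

```python
"""Check a password against breach corpora using the k-anonymity range lookup."""
import hashlib
import urllib.request
from typing import Callable

# Assumption: the public Pwned Passwords range endpoint (no API key required).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix) of the upper-case hex SHA-1: 5 chars sent, 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Fetch all hash suffixes sharing this 5-character prefix from the live service."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "school-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Number of times the password appears in known breaches (0 if not found)."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def make_fake_range(known_password: str, count: int) -> Callable[[str], str]:
    """Constructed offline stand-in for the service: one unrelated suffix plus the known one."""
    _, suffix = split_sha1(known_password)
    body = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n" + suffix + ":" + str(count) + "\r\n"
    return lambda prefix: body


def is_acceptable(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> bool:
    """Policy helper: reject anything seen in a breach, however rarely."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    # Offline demonstration using the constructed responder; swap for the live fetcher to query HIBP.
    fake = make_fake_range("Password1", 2345)
    print("Password1 seen", pwned_count("Password1", fake), "times; acceptable:", is_acceptable("Password1", fake))
```

Because the comparison against the returned suffixes happens locally, the service learns only that someone asked about one of the several hundred hashes sharing a prefix, which is what makes this safe to run across a staff directory as part of a threat assessment.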
And once you’ve been through these six steps, maybe now consider a penetration test.
Penetration testing sits at the top of the cyber security preparedness ladder. As schools and trusts manage the pressure of rising costs in many different areas, you can improve your cyber security first with the less costly and more productive methods above. Education is a specific context, and a penetration test shaped around what works in corporate environments can produce findings that do not fit it. This is especially true for trusts or groups of schools that need both individual and collective protection.
To find out more about how RM can help protect your school or trust infrastructure from attack, contact us today.