CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato

Cybersecurity Part 2 will be featured in the Tie Magazine. After it is released, I will post the article on the blog.

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go:

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline. 

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school's laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable. 

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources. 

Test: Definition

Subscription and Services Discovery: Can your subscriptions and services be easily discovered?

Files Exposed to the Public: Are there files publicly available that are supposed to be private?

Calendars Exposed to the Public: Is calendar data that should be private actually private?

Staff and/or Student Email Harvesting: Can your staff and/or student PII be used to create a database for phishing and spamming?

Portals and SIS: Are your portals and SIS properly secured and difficult to brute-force?

Websites and Social Media: Are websites and social media properly secured; is the media being used legally and correctly?

Cloud Services: Have cloud services been properly secured?

Third-Party Sharing: Is anyone sharing your content, and do they have permission?

FTP, SSH, and Telnet: Are any of these protocols a threat to your school via publicly accessible information?

Email Blacklist: Is your email domain blacklisted?

Email Header Check: Is there any data in your header that could be anonymous or lead to blacklisting?

Email Catch-All for Non-Existent Emails: Is your email set up to catch any email sent to an address that does not exist and alert someone?

SMTP Relay: Is your email system running services that would allow an attacker to use your email for a criminal act, such as sending an email on someone's behalf?

4xx and 5xx Error Check: Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?

HTML Forms: Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents. 

In other words, avoid jargon and lingo.
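One way to make the "4xx and 5xx Error Check" row of the checklist repeatable, as an added example that is not code from the original post: inspect saved error responses for version disclosure, leaked traces or internal paths, and a missing title or navigation link, then map the findings onto the 1-5 scale used above. The header names, body patterns, scoring rule, and the two sample responses are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Headers that commonly carry a software version (assumed list for this example).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Body fragments that suggest a stack trace or an internal path leaked to the visitor.
TRACE_PATTERNS = (r"Traceback \(most recent call last\)", r"\bat [\w.$]+\([\w.]+:\d+\)",
                  r"Exception", r"/var/www/", r"C:\\")


@dataclass
class ErrorResponse:
    status: int
    headers: dict
    body: str


def check_error_page(resp):
    """Return findings for one 4xx/5xx response; an empty list means it passes."""
    findings = []
    if not 400 <= resp.status < 600:
        return findings  # only error pages are in scope for this checklist row
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    for name in DISCLOSING_HEADERS:
        if name in lowered and re.search(r"\d", lowered[name]):
            findings.append(f"{resp.status}: header {name} discloses version '{lowered[name]}'")
    for pat in TRACE_PATTERNS:
        if re.search(pat, resp.body):
            findings.append(f"{resp.status}: body exposes a trace or internal path ({pat})")
    low_body = resp.body.lower()
    if "<title>" not in low_body or "href=" not in low_body:
        findings.append(f"{resp.status}: no title or navigation link for a trusted user")
    return findings


def score_error_page(resp):
    """Map findings onto the post's 1-5 scale: 5 is clean, one point off per finding."""
    return max(1, 5 - len(check_error_page(resp)))


# Constructed sample responses, not captured from any real school site.
BAD_500 = ErrorResponse(500, {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"},
                        "<html><body><pre>Traceback (most recent call last):\n"
                        '  File "/var/www/app/views.py", line 12</pre></body></html>')
GOOD_404 = ErrorResponse(404, {"Server": "nginx"},
                         "<html><head><title>Page not found</title></head><body>"
                         '<p>That page has moved.</p><a href="/">Return home</a></body></html>')

if __name__ == "__main__":
    for resp in (BAD_500, GOOD_404):
        print(resp.status, score_error_page(resp), check_error_page(resp))
```

Run it against copies of your own site's error pages (saved from a browser or your web server's test environment) and record the score and findings in the checklist.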

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous. 

About Tony DePrato

Tony DePrato has a Master's Degree in Educational Technology from Pepperdine University and has been working as a Director of Educational Technology since 2009. Currently, he works for Episcopal High School in Houston, Texas, USA. He has worked in the United Arab Emirates, China, South Korea, and Japan. In 2013, Tony DePrato released The BYOD Playbook, a free guide for schools looking to discuss or plan a Bring Your Own Device program. Tony is originally from the US, and worked in multimedia, website development, and freelance video production. Tony is married to Kendra Perkins, who is a librarian.