Many primary and secondary schools in the UK are thought to be highly vulnerable to cyber attacks as a result of poor software patching and a lack of wider information security provision – putting pupil, employee and administrative information at risk.
My company recently audited one selected UK secondary school and primary school – neither of which can be named due to confidentiality agreements – to ascertain how secure each was as part of a project to boost security within a local education authority.
At the high school, we scanned 338 computers in total, unearthing over 9,000 instances of missing critical software patches and multiple instances of outdated or missing anti-virus software. These flaws would allow an attacker or virus to trivially exploit the systems without any prior knowledge of the target. In some instances, systems holding databases were found to be vulnerable to attack, which would allow a hacker complete access to information contained within those databases.
We found that devices on the secondary school’s network were protected by easily guessable passwords, such as ‘private’ or ‘password’, which could allow anyone to enter the systems and change their configurations. Multiple users were also found to have access to the ‘administrator’ group on the network, one of which is a backup account with a default and widely known password. This could allow a hacker administrator access, rendering the school’s entire network vulnerable to attack.
At the primary school, 20 of 44 computers tested had critical security flaws, including missing updates for differing versions of software in use, missing or outdated anti-virus software and multiple users located within the ‘administrator’ group. Various non-standard software packages were also found to be in use at the primary school, including Microsoft Windows Messenger, Real Player, Adobe Reader and Apple iTunes, suggesting that individuals were importing files from home computers, thus presenting the risk of virus infection.
It is widely thought that UK schools are, for the most part, behind other public sector organisations when it comes to information security. The two tests we carried out do nothing to dispel this perception. The schools in question displayed missing patching – some of which was 15 years out of date – as well as firewalls and anti-virus security provision that was totally ineffective. Even the basics of logical security, such as complex password protection and limiting administrator access, were not being followed.
I believe the research to be indicative of similar issues in many UK comprehensive and primary schools, where networks are open to trivial attacks by even the most amateur hackers. This is highly concerning considering the amount of personal information on staff members and pupils these networks contain.
While an attack on a school network may seem like a trivial matter as no financial data is likely to be obtained, a miscreant could potentially access thousands of children’s personal information – where they live, next of kin and telephone numbers. In the wrong hands, this information could be highly dangerous.
The most likely hackers, however, are the pupils themselves. Many understand simple techniques to gain access to networks, be it via brute force attacks or social engineering, and are likely to be driven by in-school grievances.
The lack of awareness of IT security risks amongst staff is one of the reasons for poor assurance provision, and outlined that many schools viewed limited financial resources to be better spent elsewhere. Teachers are generally unaware of the logical security vulnerabilities in their schools. As a result, no one takes responsibility for it. Information technology teachers may pick up this responsibility, but few have the time or the specialist skills to ensure a school network is completely secure.
Schools are also unlikely to bring in an external tester on a regular basis to ensure security, simply because the cost is too great and the availability of equipment is viewed to outweigh the need for security. Schools need to be aware that public sector organisations are not exempt from ICO fines and that a serious breach could be costly to local education authorities.