Independent security testing finds both primary and secondary
school networks critically vulnerable to attack

Many primary and secondary schools in the UK are thought to be
highly vulnerable to cyber attacks as a result of poor software
patching and a lack of wider information security provision -
putting pupil, employee and administrative information at risk -
according to security testing specialist NCC Group Security
Testing, Audit & Compliance.
NCC Group Security Testing, Audit & Compliance recently
audited one randomly selected UK secondary school and primary
school - neither of which can be named due to confidentiality
agreements - to ascertain how secure each was as part of a project
to boost security within a local education authority.
At the high school, NCC Group Security Testing, Audit &
Compliance scanned 338 computers in total, unearthing over 9,000
instances of missing critical software patches and multiple
instances of outdated or missing anti-virus software. These flaws
would allow an attacker or virus to trivially exploit the systems
without any prior knowledge of the target. In some instances,
systems holding databases were found to be vulnerable to attack,
which would allow a hacker complete access to information contained
within those databases.
NCC Group Security Testing, Audit & Compliance found that
devices on the secondary school's network were protected by easily
guessable passwords, such as 'private' or 'password', which could
allow anyone to enter the systems and change their configurations.
Multiple users were also found to have access to the
'administrator' group on the network, one of which was a backup
account with a default and widely known password. This could allow
a hacker administrator access, rendering the school's entire
network vulnerable to attack.
At the primary school, 20 of 44 computers tested had critical
security flaws, including missing updates for differing versions of
software in use, missing or outdated anti-virus software and
multiple users located within the 'administrator' group. Various
non-standard software packages were also found to be in use at the
primary school, including Microsoft Windows Messenger, Real Player,
Adobe Reader and Apple iTunes, suggesting that individuals were
importing files from home computers, thus presenting the risk of
Paul Vlissidis, technical director at NCC Group Security
Testing, Audit & Compliance, said: "While it is widely
understood that UK schools are behind other public sector
organisations when it comes to information security, we didn't
realise quite how far until we completed this project.
"The schools in question displayed missing patching - some of
which was 15 years out of date - as well as firewalls and
anti-virus security provision that was totally ineffective. Even
the basics of logical security, such as complex password protection
and limiting administrator access, were not being followed.
"Our research indicates that UK comprehensive and primary school
networks are open to trivial attacks by even the most amateur
hackers, which is highly concerning considering the amount of
personal information on staff members and pupils they contain.
While an attack on a school network may seem like a trivial matter
as no financial data is likely to be obtained, a miscreant could
potentially access thousands of children's personal information -
where they live, next of kin and telephone numbers. In the wrong
hands, this information could be highly dangerous.
"The most likely hackers, however, are the pupils themselves.
Many understand simple techniques to gain access to networks, be it
via brute force attacks or social engineering, and are likely to be
driven by in-school grievances."
Vlissidis pointed to the lack of awareness of IT security risks
amongst staff as one of the reasons for poor assurance provision,
and outlined that many schools viewed limited financial resources
to be better spent elsewhere. He commented: "Teachers are generally
unaware of the logical security vulnerabilities in their schools.
As a result, no one takes responsibility for it. Information
technology teachers may pick up this responsibility, but few have
the time or the specialist skills to ensure a school network is
completely secure. Schools are also unlikely to bring in an
external tester on a regular basis to ensure security, simply
because the cost is too great and the availability of equipment is
viewed to outweigh the need for security.
"Schools need to be aware that public sector organisations are
not exempt from ICO fines and that a serious breach could be costly
to local education authorities."