News

UK school networks vulnerable to attack

Warwick Ashford

UK schools are vulnerable to cyber attack, putting pupil, employee and administrative data at risk, according to security testing firm NGS Secure.

The conclusion is based on an audit of a primary and a secondary school by NGS Secure.

The audit was part of a project to boost security in a local education authority, but neither school can be named under confidentiality agreements.

At the high school, NGS scanned 338 computers, unearthing over 9,000 instances of missing critical software patches and multiple instances of outdated or missing anti-virus software.

These flaws would allow an attacker or virus to exploit the systems without any prior knowledge of the target, the company said.

In some instances, systems holding databases were found to be vulnerable to attack, which would allow a hacker complete access to information contained in those databases.

Devices on the secondary school's network used easily guessable passwords, such as "private" or "password", which could allow anyone to enter the systems and change their configurations.

Multiple users were also found to have access to the "administrator" group on the network, one of which is a backup account with a default and widely known password. This could allow a hacker administrator-level access, making the school's entire network vulnerable to attack.

At the primary school, 20 of the 44 computers tested had critical security flaws, including missing updates for differing versions of software in use, missing or outdated anti-virus software and multiple users located within the "administrator" group.

Various non-standard software packages were found to be in use at the school, including Microsoft Windows Messenger, Real Player, Adobe Reader and Apple iTunes, indicating users were importing files from home computers, increasing the risk of virus infection.

Paul Vlissidis, technical director at NGS Secure, said the audits supported the widely held belief that UK schools trail behind other public-sector organisations when it comes to information security.

According to Paul Vlissidis, some of the software security updates were 5 years out of date, some firewall and anti-virus protection was ineffective, and the basics of logical security - such as complex password protection and limiting administrator access - were not being followed.

"We believe our research to be indicative of similar issues in many UK comprehensive and primary schools, where networks are open to trivial attacks by even the most amateur hackers," he said.

This is highly concerning, said Vlissidis, considering the amount of personal information on staff members and pupils these networks contain.

"The most likely hackers, however, are the pupils themselves. Many understand simple techniques to gain access to networks, be it via brute force attacks or social engineering, and are likely to be driven by in-school grievances," he said.

Vlissidis said a lack of awareness of IT security risks among staff is one of the reasons for poor assurance provision.

Many schools view limited financial resources to be better spent elsewhere, Vlissidis said. Also, because teachers are generally unaware of the logical security vulnerabilities in their schools, no-one takes responsibility for it, he added.

Few schools have the time or the specialist skills to ensure a school network is completely secure, he said. Schools are unlikely to bring in an external tester on a regular basis to ensure security, because of cost and availability concerns.

"Schools need to be aware that public sector organisations are not exempt from ICO fines and that a serious breach could be costly to local education authorities," said Vlissidis.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy