NGS Secure recently audited one selected UK secondary school and primary school to ascertain how secure each was.
At the high school, 338 computers were scanned, unearthing over 9,000 instances of missing critical software patches and multiple instances of outdated or missing anti-virus software. According to the auditors these flaws would allow an attacker or virus to exploit the systems without any prior knowledge of the target.
In some instances, systems holding databases were found to be vulnerable to attack, which would allow a hacker complete access to information contained within those databases.
NGS Secure found that devices on the secondary school's network were protected by easily guessable passwords, such as ‘private' or ‘password'.
Multiple users were also found to have access to the ‘administrator' group on the network, one of which is a backup account with a default and widely known password.
At the primary school, 20 of 44 computers tested had critical security flaws, including missing updates for differing versions of software in use, missing or outdated anti-virus software and multiple users located within the ‘administrator' group. Various non-standard software packages were also found to be in use at the primary school, including Microsoft Windows Messenger, Real Player, Adobe Reader and Apple iTunes, suggesting that individuals were importing files from home computers with a risk of virus infection.
Paul Vlissidis, technical director at NGS Secure, said: “It is widely thought that UK schools are, for the most part, behind other public sector organisations when it comes to information security. The two tests we carried out do nothing to dispel this perception.
“The schools in question displayed missing patching – some of which was 15 years out of date – as well as firewalls and anti-virus security provision that was totally ineffective. Even the basics of logical security, such as complex password protection and limiting administrator access, were not being followed.
“We believe our research to be indicative of similar issues in many UK comprehensive and primary schools. While an attack on a school network may seem like a trivial matter as no financial data is likely to be obtained, a miscreant could potentially access thousands of children's personal information – where they live, next of kin and telephone numbers. In the wrong hands, this information could be highly dangerous.
“The most likely hackers, however, are the pupils themselves. Many understand simple techniques to gain access to networks, be it via brute force attacks or social engineering, and are likely to be driven by in-school grievances.”
Vlissidis pointed to the lack of awareness of IT security risks amongst staff as one of the reasons for poor assurance provision, and outlined that many schools viewed limited financial resources to be better spent elsewhere.
“Teachers are generally unaware of the logical security vulnerabilities in their schools. As a result, no one takes responsibility for it. Information technology teachers may pick up this responsibility, but few have the time or the specialist skills to ensure a school network is completely secure. Schools are also unlikely to bring in an external tester on a regular basis to ensure security, simply because the cost is too great and the availability of equipment outweighs security concerns”
“Schools need to be aware that public sector organisations are not exempt from ICO fines and that a serious breach could be costly to local education authorities.” he said