Infosec In Schools – Is This Too Much To Ask For…?

According to the Information Commissioner’s Office (ICO), reported data breaches in the UK have increased tenfold in the past five years. In local government the increase was 1,609% and within the NHS 935%.

The ICO can currently fine an organisation up to £500,000 for a data breach or for failing to protect data adequately, and schools are not immune to such fines. Given the rate at which cybercriminals compromise systems regardless of industry or organisation, and the lack of robust security in some schools, it will not be long before the ICO issues fines to schools for data breaches.

In the education sector, firm figures are not yet available. However, schools, FE and HE institutions are arguably among the organisations that have been left behind as others have picked up the mantle of information security. Unless they are a ‘flashy’ academy, a high-profile university with plenty of money, or one of the schools covered by Building Schools for the Future, essential security programmes and best practices are hardly on the radar of their internal infrastructure teams. The situation gets worse further downstream: few schools actively deliver up-to-date, relevant cybersecurity or cyberbullying workshops or awareness seminars to fulfil their e-safety responsibilities.
</gra_replace>
<gr_replace lines="9" cat="clarify" orig="The pace">
Technology is moving so fast that the programmes currently delivered in schools are dated and, for the most part, need a total overhaul. For this to happen, a shift in every aspect of school culture and the education system needs to take place: strategy, curriculum, teachers, infrastructure, pupils, staff, parents, guardians and carers.

The pace of technology is moving so fast to the extent that the programs currently delivered in schools are dated and require a total overhaul for most part. For this to happen, a shift in every aspect of the schools’ culture and the education system needs to take place from strategy, curriculum, to teachers, infrastructure, to pupils’, staff, parents, guardians and careers.

The Facts

Education institutions are increasingly targeted simply because cybercriminals see them as easy targets. Over the past few years there has been a spike in the frequency and number of security breaches in the education sector, many of which can be put down to plain carelessness. One example is the ‘big bang’ of the Conficker worm, which hit a great many educational institutions, compromised confidential systems, data and email, and infected critical infrastructure assets. The impact was harsh enough that Internet Service Providers and other organisations blacklisted some institutions and their domains.

Some of the most recent reports of data security breaches in schools are as follows:

As in many businesses, the security culture that ought to be the default is slow to take hold, and most organisations are playing catch-up with everything in the technology arena unless they are at the cutting edge and setting the pace themselves.

The Current Situation In the Education Sector

The way in which the powers that be fund, support and drive curriculum programmes leaves much to be desired. The shortage of ICT teachers and experienced ICT staff in some schools leaves them more vulnerable to cyber-attacks. Even where schools subscribe to their Local Authority for infrastructure services, there remain significant deficiencies in holistic security and compliance and in keeping pace with mainstream technology.

Why Do Pupils’ and Institutions’ Data Need Protecting?

  • Children under protection and vulnerable children need their privacy protected
  • The school has a responsibility for safeguarding children while they are in its care on campus
  • Test results, exam records and pupil records can have serious implications if this sensitive information falls into the wrong hands, such as a paedophile, a cybercriminal or anyone with malicious intent

There’s Still Hope…

The Ofsted e-safety framework is a great start to standardise and set the foundation for best practices and governance in schools in a holistic manner.

The framework covers key areas such as:

  • All teaching and non-teaching staff should be aware of and able to recognise e-safety issues, with high-quality leadership and management making e-safety a priority
  • High priority given to initial and ongoing training for all staff, including the contribution of the wider school community, with at least one member of staff receiving accredited training (for example, to become an e-safety officer)
  • Clear reporting processes
  • Rigorous, plain English policies and procedures integrated with other relevant policies
  • Progressive e-safety curriculum
  • Provision of a recognised Internet Service Provider (ISP) with age-related filtering
  • Good risk assessment

The Challenges

Some of the key challenges that hinder the growth of this area, and its recognition as a serious profession, are:

  • Its lack of appeal to the younger audience who will make up the future workforce
  • The industry does not have a standardised career path comparable to well-established professions such as finance, medicine or nursing
  • There is not enough awareness, in schools or among the general public, of the opportunities and rewards of an information security/cybersecurity career
  • The lack of teachers and careers advisers with the right skills, knowledge and depth of experience; many advisers have limited technology experience and focus predominantly on traditional mainstream career paths


If the education sector is to thrive and become more vigilant and as high-tech as some of the wealthy academies, there needs to be a radical shift in culture and the way in which the traditional curriculum is structured and run.

What Needs To Be Addressed At School Level?

Some of the things that need to be addressed so that schools, the labour force and the country as a whole can sustain a defence against the growing cyber threat to key national infrastructure systems are:

  • Greater support from government, education bodies and independent agencies to ensure that the right resources are allocated to the areas that need them most, and to those that will promote a cultural change and a fresh approach to the future of cybersecurity and risk mitigation
  • Recruit and/or train the educators of the future and encourage existing industry professionals to work in the education sector
  • Train a new generation of careers advisers and make sure that information security is seen as an attractive profession, with remuneration comparable to or better than similar professions and other career paths
  • Regular campaigns and awareness workshops as part of the ethos and strategy, to build a stronger platform and framework for the new generation of security professionals
  • More cyberbullying workshops, competitions and activities around security, privacy and best practices, to continuously reinforce the message and the long-term objective of establishing information security as a profession to aspire to
  • Careers open days across the country to raise nationwide awareness of the importance of information security and cybersecurity to the country and to schools


At the moment there is no prescribed pathway for a young person, or an adult looking to switch career, to follow into the field. Many, if not most, of the seasoned security professionals in large organisations today simply fell into information security because they were the most technical person in the organisation at the time, or because they independently saw the need and a gap, and their career evolved from there.

Unlike career pathways that have a definitive route into their sector, IT as a whole is one of the most disjointed, and there are many unorthodox routes into the various roles in information technology.

As an example, a typical route into the field of Information Security to become a Chief Information Security Officer (CISO) could possibly look like the below:

  1. Aspiration or career change
  2. Gain applicable experience (through a series of various roles including but not limited to: Security Analyst, Security Auditor, Malware Analyst, Systems Security Administrator, Network Specialist, IT Manager/team lead…)
  3. Gain a degree (or a non-degree qualification), or private training that is not tied to a curriculum
  4. Qualification is one or many of the following: CISM, CISSP, CISA


Some of the most common job titles/roles in the field of Information Security are:

  • Chief Information Security Officer (CISO)
  • Security Analyst
  • Security Consultant
  • Privacy Analyst/Consultant
  • Security Architect
  • Technical Security Architect
  • Security and Compliance Officer
  • Security Manager
  • Vulnerability Manager
  • Ethical Hacker


Some of the qualifications and credentials commonly held by those working in the field are as follows:

  • CISSP – Certified Information Systems Security Professional
  • MSc. Masters in Information Security
  • BSc/BS – Bachelors of Science in Information Security
  • ISO27001 Lead Auditor
  • CISA – Certified Information Systems Auditor
  • CISM – Certified Information Security Manager
  • CSO – Chief Security Officer
  • Many years of hands-on experience directly in the field*

The government recently launched a Cyber Security Apprenticeship Scheme [ http://www.bbc.co.uk/news/uk-19987761 ] aimed at attracting apprentices into security, to create a pool of future professionals who can help protect the interests of the country and support its cybersecurity strategy. Suffice it to say, not enough has been done to ‘chip’ the iceberg, and it will take a combination of effort, partnership and shared aspiration from the eligible workforce to really move things forward in this area.

As a country with such a strong reputation for its education system, we are uniquely placed to lead by example and embed a strong security culture in schools and education institutions, to help combat the ever-growing threat of cybercrime against our nation. The sooner cybersecurity becomes a mandatory course in schools, the sooner we will be nurturing an educated, committed and skilled workforce to fill the gaps in this area. Never before has there been such a push for more skilled security professionals to close the skills gap and protect the national infrastructure and intellectual property of the state, of business and of individuals.

Practical Steps And Suggestions

So, how can the government and the business community help make this happen?

  1. Empower senior educators and institutions with the free-will and support they need to make the right decisions and to be accountable for the outcome of such initiatives
  2. Embed the need for excellence, result-driven measurement in performance objectives and KPI of education institutions
  3. Embed security culture in the core of the education system – i.e – from kindergarten, primary schools, secondary schools through to FE and HE institutions
  4. Develop extra curricular programmes and activities inside and outside the educational environment to keep the momentum and enthusiasm flowing
  5. Make the profession attractive to all genders and to those in other established professions
  6. Incentivise the profession and make sure it is seen as a viable career worth pursuing, like any other
  7. Develop a framework or code of conduct, and a professional association, that harmonises the disjointed pockets of the profession; by doing so, misconduct, malpractice and carelessness are dealt with in the same way as in the legal, financial and medical arenas
  8. Develop and implement legislations and supplementary framework to support and add credibility to the profession to ensure it is taken seriously
  9. Embrace change and adapt to the changing cyber-world around us

This list and recommendations could go on and on but nothing happens without the commitment of all stakeholders involved and senior management buy-in and support. The approach that is needed is a collaborative approach that also requires direct input in the form of a top-down approach where necessary.

Pen Testing (ethical hacking) FAQs

What is Pen Testing?

ANS: Penetration Testing, otherwise known as Ethical Hacking, is a proactive test carried out on systems, applications, networks, web applications and people (social engineering) to determine how secure the target actually is, and to test the security and compliance controls in place to prevent a data breach.

Is it really done in the same way a real hacker/attacker would do it?

ANS: Yes and No!

Yes – depending on the requirements of the company and the level of downtime it is realistically willing to accept. Some companies want to see and experience the same impact in order to prove that they really are vulnerable (not many will go for this option). Some are happy to provide a replica of the system to be tested exactly as a real attacker would, to see how far the tester can get and how much damage and data exposure they can cause. Most companies will be satisfied with the list of vulnerabilities identified and will develop an action plan from it.

No – because, depending on the system and how critical it is to the operation of the business, some businesses will not allow the Penetration Tester to actually compromise the target. They would rather the tester demonstrate and present evidence showing that the system could be compromised if certain conditions and actions were met.

Do you need permission to perform the testing?

ANS: Yes. However, most hackers don’t! Normally a due diligence process is undertaken before testing is approved. This can involve compliance officers, lawyers, third parties and other stakeholders, to ensure that all parties know what their liabilities are (if any), what the scope is and what the expected output of the testing will be.

What are the pre-requisites to engage your services?

ANS:

  • List of IP addresses, IP ranges that require testing and authentication credentials.
  • Access to all in-scope internal VLANs and network segments from a single location, where testing can be carried out.
  • Signed security test authorisation form.
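The scope and the signed authorisation form are what separate a penetration test from a crime, so a tester should enforce the scope mechanically rather than trust a target list typed by hand. The following is an added example, not code from the original page or from Security Aware: it loads a constructed authorisation form (the field names and the IP ranges are assumptions), treats explicit exclusions as overriding the in-scope ranges, refuses hostnames that have not been resolved to an agreed address, and fails closed if testing is attempted outside the agreed window.

```python
"""
Scope gate for a penetration test: refuse to touch any target that is not
covered by the signed authorisation form.

Added example, not code from the original page. The authorisation data
below is constructed for illustration and the field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed authorisation form (assumed fields; a real one is signed by the client).
AUTHORISATION = {
    "client": "Example School Trust",
    "in_scope": ["192.0.2.0/24", "198.51.100.10", "2001:db8:1::/64"],
    # e.g. the pupil database host, explicitly carved out of the in-scope range
    "excluded": ["192.0.2.250"],
    "window": ("2024-03-04T09:00:00+00:00", "2024-03-08T17:00:00+00:00"),
}


@dataclass
class Scope:
    allowed: list = field(default_factory=list)
    excluded: list = field(default_factory=list)
    start: datetime = None
    end: datetime = None

    @classmethod
    def from_form(cls, form):
        allowed = [ip_network(x, strict=False) for x in form["in_scope"]]
        excluded = [ip_network(x, strict=False) for x in form.get("excluded", [])]
        start, end = (datetime.fromisoformat(t) for t in form["window"])
        return cls(allowed, excluded, start, end)

    def contains(self, target: str) -> bool:
        """True only if target is inside an authorised range AND not excluded.

        Exclusions win over inclusions, so a host carved out of an in-scope
        range stays untouchable. Anything that is not a literal IP address
        (a hostname, a typo) is rejected: resolving it silently could land on
        an address nobody authorised.
        """
        try:
            addr = ip_address(target)
        except ValueError:
            return False
        if any(addr in net for net in self.excluded):
            return False
        # ip_address/ip_network of different versions compare as "not in".
        return any(addr in net for net in self.allowed)

    def in_window(self, now: datetime) -> bool:
        return self.start <= now <= self.end


# Module-level scope built from the form, so callers share one parsed copy.
SCOPE = Scope.from_form(AUTHORISATION)

# Constructed timestamp inside the window, used by the demo below.
EXAMPLE_NOW = datetime.fromisoformat("2024-03-05T10:00:00+00:00")


def check_targets(scope: Scope, targets, now: datetime = None):
    """Partition targets into in-scope and out-of-scope.

    Raises if outside the authorised window. The caller must not start
    testing unless the out-of-scope list is empty: a single stray address
    means the target list, not the scope, is wrong.
    """
    now = now or datetime.now(timezone.utc)
    if not scope.in_window(now):
        raise RuntimeError("outside the authorised testing window")
    in_scope = [t for t in targets if scope.contains(t)]
    out_of_scope = [t for t in targets if not scope.contains(t)]
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, bad = check_targets(SCOPE, ["192.0.2.7", "203.0.113.9", "192.0.2.250"], EXAMPLE_NOW)
    print("in scope:", ok)
    print("REFUSED :", bad)
```

The gate deliberately refuses hostnames: the agreed scope is a set of addresses, and DNS can change between signing the form and running the test. If hostnames are in scope, resolve them once with the client, record the addresses on the form, and feed those to the gate.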

What are different types of penetration testing that can be done?

ANS: Penetration Testing can be done on: Firewalls, Web application, Network infrastructure/devices, software applications, source code and the ‘human’ – Hacking the human.

Why would a business want to hack into its own systems, and what are the benefits of doing so?

ANS:

  • Provides assurance that security controls are in place at the network levels that are adequate with regards to addressing real world threats.
  • The rapid identification and resolution of unknown threats and attack vectors.
  • Our network security assessment services are designed to emulate real world attacks rather than a checklist based approach to risk.

What are the deliverables from the penetration testing?

ANS: Whether it is a network infrastructure test or a web application test, below are some of the typical deliverables you as a client will receive:

  • Network infrastructure penetration test, including report writing and research.
  • Comprehensive clear report detailing all discovered vulnerabilities, exploits and remediation steps.
  • Provides assurance that security controls are in place at the application code level that are adequate with regards to addressing real world threats.
  • The rapid identification and resolution of unknown threats and attack vectors.
  • Application security assessment services are designed to emulate real world attacks rather than a checklist based approach to risk.
  • Security Aware only use highly experienced security testers that have been performing security assessments for over ten years.

Is it legal?

ANS: Yes, it is legal if it is done ethically – i.e. with the explicit permission of the owner of the target system and/or asset.

What if I found a lot of vulnerabilities in my systems and I cannot fix them, would I be at risk of an attack?

ANS: Yes. You will need to work with your IT department or IT Support Company to remediate the risks associated with the vulnerabilities found. In some cases they are more than willing to help. It is important that you work with all stakeholders involved to help you mitigate your risk exposure.

How do I deal with vulnerabilities?

ANS: Depending on the type of vulnerability in question, there are various approaches and techniques you can employ. Most vulnerabilities stem from software configuration and unpatched systems. Where applicable, you should update systems to the newest version of the firmware/software and install the patches; most vendors and manufacturers release patches to fix bugs and security holes in their products.
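A test usually returns more findings than can be fixed at once, so the practical question from the two answers above is which to fix first and what to do with the ones that cannot be patched. The following is an added example, not code from the original page or from Security Aware: it ranks constructed findings by CVSS score weighted for exposure, the presence of a public exploit and the sensitivity of the data behind the host, and sorts each into a patch, reconfigure or mitigate bucket. The findings, the hostnames and the weights are assumptions; the weights in particular are illustrative and would be tuned to the organisation's own risk appetite.

```python
"""
Risk-based triage of penetration test findings: what to fix first, and what
to do with findings the vendor has no fix for.

Added example, not from the original page. The findings below are
constructed and the scoring weights are assumptions to be tuned locally.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float            # base score 0.0-10.0 as reported by the tester or scanner
    exposure: str          # "internet" or "internal"
    exploit_public: bool   # a working exploit is publicly available
    fix: str               # "patch", "config" or "none" (no vendor fix exists)
    data: str              # "pupil" (children's personal data), "admin" or "none"


# Assumed weights: exposure and data sensitivity multiply the base score,
# a public exploit adds a further 50%.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}
DATA_WEIGHT = {"pupil": 1.5, "admin": 1.2, "none": 1.0}
EXPLOIT_MULTIPLIER = 1.5

# Constructed findings for a fictional school (hostnames are placeholders).
FINDINGS = [
    Finding("portal.example.sch.uk", "Remote code execution in unpatched student portal CMS",
            9.8, "internet", True, "patch", "pupil"),
    Finding("mis-db01", "Default administrator password on MIS database",
            8.8, "internal", True, "config", "pupil"),
    Finding("fs01", "SMBv1 enabled on staff file server",
            7.5, "internal", True, "config", "admin"),
    Finding("www.example.sch.uk", "Directory listing enabled on public website",
            5.3, "internet", False, "config", "none"),
    Finding("iwb-ctl-lib", "Whiteboard controller: vendor no longer issues firmware updates",
            7.2, "internal", False, "none", "none"),
]


def risk_score(f: Finding) -> float:
    """CVSS weighted by where the host sits, what it holds and how easy it is to hit."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * DATA_WEIGHT[f.data]
    if f.exploit_public:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 1)


def action(f: Finding):
    """Return (bucket, advice). 'none' fixes still get an action: a compensating control."""
    if f.fix == "patch":
        return "patch", "install the vendor update, then re-test the host"
    if f.fix == "config":
        return "reconfigure", "change the setting (disable the service, set a strong credential, remove the feature), then re-test"
    return "mitigate", ("no vendor fix: restrict network access to the host, disable the vulnerable "
                        "service if possible, monitor it, and plan replacement")


def triage(findings):
    """Highest risk first. Each entry is (score, bucket, advice, finding)."""
    ranked = [(risk_score(f), *action(f), f) for f in findings]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


def plan(findings):
    """Group the ranked findings by bucket, preserving priority order inside each."""
    grouped = {"patch": [], "reconfigure": [], "mitigate": []}
    for score, bucket, advice, f in triage(findings):
        grouped[bucket].append((score, f.host, f.title, advice))
    return grouped


if __name__ == "__main__":
    for score, bucket, advice, f in triage(FINDINGS):
        print(f"{score:5.1f}  {bucket:<11} {f.host:<22} {f.title}\n        -> {advice}")
```

The "mitigate" bucket is the answer to the previous question: a finding with no fix is still a risk, so it gets a compensating control (network restriction, service disabled, monitoring) and a replacement plan rather than being left on the list.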

How much does it cost?

ANS: It depends on your scope and what you want tested. It could be your most critical systems, your firewall, your web application, your source code or your employees. You need to decide what is important to your business and carry out a risk assessment to determine whether you could continue to operate if that system or asset were compromised and controlled by attackers. If your business would be significantly impacted and would cease its core functions, resulting in downtime and disruption to clients, then that system needs to be reflected in your risk assessment and prioritised for testing so that it can be hardened against attack.