We all want our schools and educational institutions to be secure. We all want to ensure that our children can learn and thrive in a safe environment, and that we keep their data protected from those who might misuse it. Schools are under attack, though – almost constantly – from increasingly organised and sophisticated criminal gangs.
In cyber security circles, we often talk about an arms race between attackers and defenders (with the unspoken conclusion reached by many of us that the attackers almost always have the upper hand). We trot this out, blithely, in relation to big businesses – huge corporations with dedicated cyber security departments, making seven-figure investments in controls and with the best training money can buy. The truth is that the criminal gangs that those big businesses are protecting themselves against often have the exact same resources and capabilities as the criminal gangs which are targeting our schools – a much softer target.
When we look at cyber security for schools, it's a wholly uneven battlefield where schools are simply outgunned. Schools face some particularly thorny challenges when it comes to securing their estates, and these are incredibly difficult to overcome.
School budgets are inevitably (and most would say, quite rightly) focussed on learning outcomes primarily. Support roles, though invaluable for attaining those learning outcomes, are often less visible as priorities for budget expenditure. Having internal IT and systems personnel is expensive, and many schools outsource these functions and responsibilities to third-party service providers. When it comes to cyber security, having in-house expertise in security domains is vanishingly rare.
Though academies are accountable for maintaining the security of their systems and data, what this means in practice is often poorly understood – especially when the answer to most questions about cyber risk boils down to a "risk vs. reward" calculation. How are academy trustees to ensure the security of their systems and data when they don’t have the knowledge or guidance to understand the technical risks they face, or what types of controls might be appropriate? Corporate entities spend a fortune to buy in the expertise that they need to make these decisions; schools don't have access to pockets that deep.
Schools have user-bases which rotate constantly. Each and every year, there is a mass-enrolment / account creation process which has to take place, and a mass-offboarding / account suspension process which has to take place. Anybody who manages starter and leaver processes within a business knows how complicated these processes can be, and given the constraints on technical resourcing which schools are exposed to, these processes must be as simple as possible in order to be practical. Logical, practical responses to the challenges? Things like predictable student usernames based on student enrolment numbers, or names, and pre-selected passwords.
The pandemic forced schools to rapidly move from an in-person learning paradigm to an online learning paradigm. This meant rapid adoption of cloud-based file sharing solutions and video-conferencing platforms. Schools needed to innovate quickly to facilitate learning, and the speed with which this happened left little room for introspection and assessment of the possible security consequences. A big change which has affected many institutions has been the resultant exposure of student user accounts to remote access via cloud sign-in. Whilst this has had positive impacts in terms of access to learning during various lockdowns, it has had the side effect of exposing those user accounts to attacks from external adversaries.
That is quite a list of significant factors adversely impacting cyber security in schools, but here's the big one: in many cases, schools simply cannot practically implement the best-of-breed security controls which would be recommended to keep them safe.
Let's look at something simple, like user account protection. We’ve known for a long, long time that passwords are a pretty poor way to secure access to anything. People, left to their own devices, tend to choose predictable passwords, share these between different accounts and change them in predictable ways. For an attacker, access to a user account is often quite easily possible – either through password guessing, through password dumps from other compromises or through social engineering / phishing. Implementing multi-factor authentication is a control which greatly reduces the exposure of user accounts to password guessing, and therefore is recommended in almost all situations where a password is used.
Think about the situation schools find themselves in, though: Do all students have smartphones? Can a school manage and maintain a pool of physical authentication tokens? Does the school have the resources and capability to manage second authentication factors (especially when students may be blocked from learning resources if they forget or lose their tokens)? Suddenly, the practicalities of implementing a vital security control mean that it's unlikely to be an investment that a school can make, even though it would vastly reduce risk.
When assessing cyber security risk, schools also need to consider the separation of staff accounts and student accounts, and the controls that are in place to protect staff areas from student access. If student accounts are inherently weaker than staff accounts (which will often be the case), then an attacker will much more easily be able to achieve access to a school within a student account context. If separation controls between student access and staff access are weak, or poorly implemented, this could lead to an attacker with a student account context gaining access to systems and data that should be restricted to staff only.
As we know from our experience in offensive security (conducting penetration tests and red teaming assessments), the presence of controls alone is never enough to guarantee protection. It’s important that controls are regularly tested to ensure that they are doing what they are assumed to be doing, and that they have been configured as they are expected to be configured. Schools, on the whole, don’t have the expertise to do this, nor the knowledge or budget to buy in the expertise that would help them achieve this goal.
So far, so negative – but it's not all bad news. Cyber Essentials for Schools (and Cyber Essentials Plus) is a step in the right direction. It is part of a trend towards certification schemes which verify whether several key cyber security controls are in place. These audit-based approaches, though, don't provide schools with adequate cyber security assurance on their own.
For schools to gain a better understanding of their real susceptibility to the criminal gangs, we're firm believers that technical assurance activities (such as scenario-based penetration testing) provide real benefits in terms of steering the right investments in the right controls to get the right outcomes.
We’ve piloted this approach with a local multi-academy trust and found that we were able to identify problems with assumptions that had been made about security controls, controls which weren't functioning as expected and clear exposures that hadn't been considered. We were able to provide the school with clear, actionable guidance based on the ways a criminal gang is likely to target them; implementing this guidance, they were able to demonstrate clear improvements in their resilience and make business cases for additional investment.
Used correctly, scenario-based penetration testing can provide schools with a good balance – understanding how well they stand up to attack, and also understanding what they can practically do to manage the risk.