Jul 02 2024

How Penetration Testing in Higher Education Protects Student Data

Cybercriminals are always looking for ways to exploit college networks. Ethical hacking and pen testing can help universities find vulnerabilities first.

For years, higher education has held the dubious distinction of being among the top targets for cybercriminals. According to Sophos’s The State of Ransomware in Education 2023 report, 40 percent of ransomware attacks in higher education were due to exploited vulnerabilities.

It’s not just ransomware attacks, either. Check Point research shows that education saw a 114 percent increase in cyberattacks between 2020 and 2022 and was the most heavily attacked of all sectors in the first quarter of 2024, with 2,454 attacks per organization weekly. Unpatched vulnerabilities contribute to the growing risk of cyberattacks that, if successful, can be devastating to a college or university’s finances and reputation.

A successful hack can be devastating to an institution and its students. Penetration testing can minimize the risk, reducing the likelihood of a data breach and protecting an institution’s reputation and bottom line. By identifying gaps in security strategies, penetration testing can be a force multiplier as organizations focus their efforts to protect against attacks.



High-Value Data Is the Target for Higher Education’s Cyberattackers

Higher education networks house extremely valuable student data, including:

  • Personally identifiable information, such as Social Security numbers, birth dates and passport data. PII that is exposed can lead to identity theft and fraudulent activities in students’ names.
  • Financial information, such as bank account and credit card numbers. For many younger students, this is pristine data that is sought after by hackers. Theft can lead to unauthorized financial transactions and financial fraud.
  • Medical information, including student health records, insurance details, medical conditions, family histories and more. Exposure of these records can lead to privacy violations.
  • Academic records, such as grades and transcripts. Tampering could affect the students’ academic futures while causing emotional stress.

In addition to student data, universities often house cutting-edge research data that could prove extremely valuable for cyber espionage. This occurred in 2022 when a group of Iranian hackers targeted researchers in a phishing scam and obtained access to nuclear research data.


Sprawling Networks and Open Environments Equal Vulnerability

College and university network environments are vast and complex. Educational information is shared with students, parents and third parties via email, productivity suites (Microsoft 365, Google Workspace for Education), collaboration tools (Zoom) and more, often with little regard for protection. Consider outdated systems, a multitude of websites hastily created without adequate attention to security, easy internet access across campuses and the expansion of remote learning. Any of these could have critical vulnerabilities that allow bad actors to exfiltrate data, hold it for ransom, and use it for identity fraud or sell it on the dark web.

University teams are overwhelmed trying to monitor all activity and account for every vulnerability in their complex environment. They look to penetration testing as an effective way to find the most important vulnerabilities, decide how to prioritize them and schedule patching efforts so that student data is protected first.


[Figure: 40 percent, the share of ransomware attacks in higher education due to exploited vulnerabilities. Source: Sophos, The State of Ransomware in Education 2023, May 2023]

Pen Testing Leads to Better Protection for Higher Ed Networks

Penetration testing — also known as pen testing or ethical hacking — is the process of testing systems, networks and applications to discover vulnerabilities and identify ways hackers could exploit them. It can be done in-house or through the use of a service.

It starts with a vulnerability scan, using tools such as Qualys or Tenable that check for the presence of known vulnerabilities. Next, security professionals use manual or automated methods to mimic a hacker’s behavior, attempting to exploit vulnerabilities uncovered during the scan. Pen testing confirms that the vulnerabilities exist and simulates attacks to show what would happen if they were exploited. This can indicate the true level of risk and show the harm that could result.


Pen testing should examine application servers, operating systems, websites and web applications, mobile apps, Internet of Things devices, and people and operations. For higher education, pen testing should probe student data stores and sensitive research data to make sure they are adequately protected, both from initial access and deeper access through privilege escalation.

Is Pen Testing Worthwhile for Higher Education Institutions?

Preventing unwanted access is always more effective than trying to recover from a breach. While institutions have built significant cybersecurity protections including encryption, access controls, firewalls and more, one small chink in the armor can render student data widely accessible. It is easy to overlook common weaknesses, such as poor passwords or unpatched vulnerabilities. One of the reasons pen testing is so valuable is because it identifies the level of risk presented to student data, highlighting areas of weakness that should be shored up and helping budget-constrained security teams focus their efforts on the vulnerabilities that really matter.

In addition to helping with funding efforts, pen testing can also bolster compliance with government regulations such as the Family Educational Rights and Privacy Act. This law was designed to address the abuse of student records and requires the institution to implement adequate data security programs to prevent unauthorized access and breaches. Pen testing should be repeated at least once a year to ensure that new vulnerabilities are found and addressed.

Steps to Take After Testing Is Complete

When evaluating the results of pen testing, the security team will have a good idea of which vulnerabilities are rated critical or high severity and are most likely to have a significant impact if exploited. This enables the team to prioritize the applications and software that should be patched, the configurations that should be adjusted, and workarounds where no patch exists. A prioritized list of the most critical vulnerabilities that are highly likely to be exploited helps the team focus its efforts on the activities that have the biggest impact on protecting student data.

The team records all of the details of their mitigation efforts and investigates root causes. Above all, each action taken must be tested to ensure that it does not inadvertently increase the risk. As always, efforts to secure any data, especially sensitive student data, should be accompanied by further education of staff and students, improving the security posture of the college or university.
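As an added illustration of the prioritization this section describes (example code written for this article, not from the original page or any scanner vendor), the script below ranks constructed pen-test findings by scanner severity, whether the tester confirmed the exploit, and which category of student data the affected asset can reach, then labels each finding as a patch or a configuration workaround. The point weights, finding ids and asset names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Student-data categories from the article, weighted by the harm the article
# associates with each; the point values are an assumption for this example.
DATA_POINTS = {"pii": 5, "financial": 5, "medical": 4, "academic": 3, "none": 1}
# Scanner severity rating, as reported by a tool such as Qualys or Tenable.
SEVERITY_POINTS = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    ident: str            # tester's finding id (constructed)
    asset: str            # affected system (constructed name)
    severity: str         # scanner rating: critical / high / medium / low
    exploited: bool       # tester confirmed a working exploit path
    data: str             # student-data category reachable from the asset
    patch_available: bool


def risk_score(f: Finding) -> int:
    """Severity x data sensitivity, doubled when the exploit was confirmed.

    A confirmed exploit path is what distinguishes pen-test output from a
    raw scan, so it outranks an unconfirmed finding of the same severity.
    """
    base = SEVERITY_POINTS[f.severity] * DATA_POINTS[f.data]
    return base * 2 if f.exploited else base


def remediation(f: Finding) -> str:
    return "patch" if f.patch_available else "reconfigure/workaround"


def prioritize(findings):
    """Return (id, score, action) tuples, highest risk first, ties by id."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.ident))
    return [(f.ident, risk_score(f), remediation(f)) for f in ranked]


# Constructed sample findings, not output from a real engagement.
SAMPLE = [
    Finding("F-1", "sis-web", "high", True, "academic", True),
    Finding("F-2", "vpn-gw", "critical", False, "pii", True),
    Finding("F-3", "cafeteria-kiosk", "medium", True, "financial", False),
    Finding("F-4", "print-server", "critical", True, "none", True),
    Finding("F-5", "clinic-portal", "high", True, "medical", False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Note how a critical finding on a server that reaches no student data ranks last, while a medium finding with a confirmed exploit against financial data ties with an unconfirmed critical on the VPN gateway.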

