Pen Testing Leads to Better Protection for Higher Ed Networks
Penetration testing — also known as pen testing or ethical hacking — is the process of testing systems, networks and applications to discover vulnerabilities and identify ways hackers could exploit them. It can be done in-house or through the use of a service.
It starts with a vulnerability scan, using tools such as Qualys or Tenable that check for the presence of known vulnerabilities. Next, security professionals use manual or automated methods to mimic a hacker’s behavior, attempting to exploit vulnerabilities uncovered during the scan. Pen testing confirms that the vulnerabilities exist and simulates attacks to show what would happen if they were exploited. This can indicate the true level of risk and show the harm that could result.
Pen testing should examine application servers, operating systems, websites and web applications, mobile apps, Internet of Things devices, and people and operations. For higher education, pen testing should probe student data stores and sensitive research data to make sure they are adequately protected, both from initial access and deeper access through privilege escalation.
Is Pen Testing Worthwhile for Higher Education Institutions?
Preventing unwanted access is always more effective than trying to recover from a breach. While institutions have built significant cybersecurity protections including encryption, access controls, firewalls and more, one small chink in the armor can render student data widely accessible. It is easy to overlook common weaknesses, such as poor passwords or unpatched vulnerabilities. One of the reasons pen testing is so valuable is that it identifies the level of risk presented to student data, highlighting areas of weakness that should be shored up and helping budget-constrained security teams focus their efforts on the vulnerabilities that really matter.
In addition to helping with funding efforts, pen testing can also bolster compliance with government regulations such as the Family Educational Rights and Privacy Act. This law was designed to address the abuse of student records and requires the institution to implement adequate data security programs to prevent unauthorized access and breaches. Pen testing should be repeated at least once a year to ensure that new vulnerabilities are found and addressed.
Steps to Take After Testing Is Complete
When evaluating the results of pen testing, the security team will have a good idea of which vulnerabilities are categorized as critical or high severity and are most likely to have a significant impact if exploited. This enables the team to prioritize the applications and software that should be patched, the configurations that should be adjusted, and the workarounds to apply where no patch exists. Having a prioritized list of the most critical vulnerabilities that are highly likely to be exploited helps the team focus its efforts on those activities that can have the biggest impact on protecting student data.
The team records all of the details of its mitigation efforts and investigates root causes. Above all, each action taken must be tested to ensure that it does not inadvertently increase the risk. As always, efforts to secure any data, especially sensitive student data, should be accompanied by further education of staff and students, improving the security posture of the college or university.
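As an added example (not part of the original article or any particular scanner's output), the prioritization described above can be turned into a simple, repeatable triage rule: scanner severity is combined with whether the pen test actually confirmed exploitation and whether the host can reach student data, and each finding is mapped to a patch, a configuration change, or a workaround when no patch exists. Host names, finding titles and scoring weights are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    title: str
    severity: str          # scanner rating: critical / high / medium / low
    exploited: bool        # pen tester confirmed the issue is exploitable
    student_data: bool     # host stores or can reach student records
    patch_available: bool  # vendor fix exists
    config_fix: bool       # issue can be closed by a configuration change

# Constructed weights: confirmed exploitation and exposure of student
# data outrank the raw scanner rating, matching the triage in the text.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def risk_score(f: Finding) -> int:
    """Higher score = fix first. Unknown severity strings count as 0."""
    score = SEVERITY_WEIGHT.get(f.severity.lower(), 0)
    if f.exploited:
        score += 3
    if f.student_data:
        score += 2
    return score

def remediation(f: Finding) -> str:
    """Patch if possible, otherwise reconfigure, otherwise a workaround."""
    if f.patch_available:
        return "patch"
    if f.config_fix:
        return "adjust configuration"
    return "workaround"

def prioritize(findings: list[Finding]) -> list[dict]:
    """Return findings ordered by risk score (ties broken by host name)."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.host))
    return [{"host": f.host, "title": f.title, "score": risk_score(f),
             "action": remediation(f)} for f in ranked]

# Constructed sample findings, as a pen test report might summarise them.
SAMPLE = [
    Finding("www-alumni", "Outdated CMS plugin", "high", False, False, True, False),
    Finding("sis-db01", "Unpatched database listener", "critical", True, True, True, False),
    Finding("lab-iot-07", "Default admin password on device", "medium", True, False, False, False),
    Finding("hr-app", "Weak TLS configuration", "medium", False, True, False, True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(f"{row['score']:>2}  {row['host']:<12} {row['action']:<22} {row['title']}")
```

Re-running the same script against the next year's findings gives a like-for-like view of whether the highest-scoring items from the previous round were actually closed.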
Editor's note: This article was originally published July 2, 2024 and updated Sept. 27, 2024.