Security

What Happens When Schools Hire an Ethical Hacker?

Getting a professional penetration test can expose network vulnerabilities in K–12.

Mikela Lea is a principal field solution architect with CDW.

Most schools don’t think about hacking their networks until a bad actor does it for them. But K–12 schools cannot afford to be an easy target. They hold some of the most valuable information on the planet — student data — which is likely to have never been used, and that makes it highly profitable on the dark web.

While getting hacked by a bad guy can sometimes be inevitable, schools should take a proactive approach by hiring an ethical hacker to find the holes in their network before a bad actor can exploit them. Also known as penetration testing, these exercises can help make schools more secure and cyber resilient.

Click the banner to learn what it takes to build a cyber resilient K–12 environment.

x-cyberresillience4-static-2024-na-desktop

x-cyberresillience4-static-2024-na-mobile

What a Good Hacker Seeks

You can’t defend what you don’t know, and we don’t know what we don’t know. Penetration testing can provide a wealth of information that is sometimes overlooked by school teams that are bogged down in the minutiae of everyday work. While a strong school network may have layers of protection, as with any other system, one or more of those layers can go down at any time.

Additionally, pen tests should not be a one-time event. Cyber resilient schools benefit from annual pen tests because technology is always changing and solution providers are constantly updating or distributing security patches. My cellphone has had three upgrades in the past three months alone; imagine what could be happening to your network. The fact is, with thousands of patches distributed each year, school networks could have vulnerabilities that go unnoticed.

Discover how cyber resilience gives schools an edge in post-attack recovery.

Find out why dual ransomware attacks could cripple K–12 schools.

Learn four ways K–12 tech teams can share responsibility for cybersecurity.

Vulnerability Assessments Versus Penetration Testing

There are multiple ways that schools can work with a partner like CDW to assess their networks. With a vulnerability scanning, we can use our industry knowledge to discuss common vulnerabilities that schools face and suggest corrective action.

With penetration testing, we will send an engineer to test your network’s defenses. I always recommend schools do two types of penetration testing together: internal and external.

Unfortunately, people are the weakest link in school cybersecurity. Teachers could unknowingly click on a phishing link, or a disgruntled employee could download malware. In an internal pen test, an engineer will attempt to exploit those vulnerabilities from inside your network. During an external pen test, we will try to break in from outside.

DISCOVER: The top 5 vulnerabilities often uncovered during penetration testing.

How a Good Hacker Gets into School Networks

A good hacker will look for missing patches, misconfigurations, a weakness in a tool deployment or a break in your firewall.

They will also look for administrator credentials on the web and may even resort to social engineering, where they will attempt to get valuable information from someone at the school who has administrative access and probably shouldn’t. Once hackers get into your network, they essentially have the keys to your home and can move laterally inside your network and wreak havoc.

Instead of resorting to mischief after a pen test, our engineers will give schools a detailed recommendation for every escalation or pivot so schools can immediately address any vulnerabilities.

LEARN MORE: Schools get creative in improving cybersecurity on a budget.

A Lack of Budget and In-House IT Staff Make Pen Testing Critical

One of the main reasons schools don’t do pen tests is they have no room in the budget. However, this is one of those events that could end up saving you thousands or millions of dollars in the long run. Even if a school never pays the ransom, the process of cyber recovery can be expensive and often disrupts learning.

Even well-funded schools with the latest security tools could be at risk. I recently went to such a school that had an external-facing special education server. The password hadn’t been changed in a while. It took me less than 15 minutes to gain access. Of course, once we let the school know, it immediately put the server behind a DMZ network, changed the password and cleaned up old accounts.

Another challenge that schools face is a lack of IT security staff. According to the CoSN 2024 State of EdTech District Leadership survey, cybersecurity is the No. 1 concern among school IT leaders, and one of the main challenges with technology implementation is an inability to hire skilled staff.

While 53 percent of K–12 respondents now have a cybersecurity plan, only 25 percent have established a cybersecurity team, and 31 percent have had their cybersecurity practices audited by an outside group.

Schools typically don’t have enough IT staff, let alone a budget sufficient to recruit IT security specialists. The fewer security staff members a school has, the more critical it is to add pen testing as an annual line item in the budget. This routine testing could mean the difference between an easy mark for a bad actor and one that is just too much trouble to hack.

This article is part of the ConnectIT: Bridging the Gap Between Education and Technology series. Please join the discussion on Twitter by using the #ConnectIT hashtag.