11th August 2009, 12:34 PM #1
How Safe Is Your School's Data?
Hi Guys
A quick question for you all, as we are looking at partnering with an ethical hacking service who will test your data security on a daily basis.
We would like to offer this service as an addition to any security hardware we provide.
How do you feel about your school's data security? Have you got security provisions in place to prevent data loss?
Is your school's website locally hosted and tested on a daily, weekly or even monthly basis for integrity?
As more and more delicate student information is now being held online with the likes of Moodle and other online student access sites, we believe this service to be a great addition to the security hardware we are looking at providing to the Public Sector.
Your feedback is much appreciated.
11th August 2009, 12:53 PM #2
1) Since school sites are often hosted on RBC / LEA (or reverse proxied by them), how will you get the RBC/LEA to agree to the testing?
2) At least one RBC/LEA already carries out scanning for known exploits, for free. How will you compete?
3) The "tested daily by $foo" is a pre-canned scan for known exploits / misconfigurations - how quickly will 0-days be included as part of the scan?
4) Who's the firm, what's their reputation? Please say it's not the clowns at McAfee.
11th August 2009, 01:11 PM #3
Some great feedback there, many thanks.
Originally Posted by pete
The firm in question is not McAfee and they have some great accreditations which we will be exploring.
We have noticed a lot of schools and colleges actually hosting their websites locally, so the onus for security is left up to the school.
Any further advice or feedback is much appreciated.
11th August 2009, 01:28 PM #4
Yes, but the issue is the websites often go through the RBC connection. Let's put it like this: if I ran it on the internal web servers we run, and to do that they had to go through the school's RBC internet connection to access my servers, then if I had not got the OK from the director of the RBC I would be asked to leave my job.
Last edited by russdev; 11th August 2009 at 04:02 PM.
11th August 2009, 02:35 PM #5
You took the words out of my mouth actually Russ.
If you are part of an RBC and you will be having any intrusion detection done, ethical hacking, remote connection for security testing ... there are a few things to consider.
1) Should any of your school servers be compromised in any way, does it pose a risk to your ISP / RBC and any other sites that connect to that WAN?
2) Any attempt to attack a school site may be logged by the ISP/RBC and if they are not aware of what is going on they could automatically refer it to the relevant authorities without involving the school immediately.
3) Are those who are testing going to be covered under DPA to access significantly sensitive information (eg SEN / information about children in care)?
4) Is there a follow-up service which will then help the school understand their information handling and security considerations based on guidance from Becta and ICO? Is this aimed towards educational institutes? Does it cover the range from senior management to IT Managers to teachers to parents to students / pupils?
5) Is there a pre-assessment window when IT Managers can take significant steps (under advice) to harden their systems or document why certain systems are likely to be at risk (e.g. under-investment in training, cheap solutions purchased when they are not fully secure, lack of downtime to allow for adequate patch management due to being told to *always* have the system running!, etc.)?
Not trying to say it is not a good idea ... just one to be careful with.
11th August 2009, 02:38 PM #6
Originally Posted by GrumbleDook
Some great points there, fella.
I will pass this info on to the team we are dealing with and await their response.
11th August 2009, 02:50 PM #7
With the concerns raised above, perhaps it would involve less red tape and be more appealing if the security devices (as per OP) came with an initial checked setup. If the purchaser knew what kind of traffic needed to be allowed and denied, then the device could be preconfigured in a secure fashion and tested before installation. This would not expose the data but would allow for a value-added service, as sec hardware can be tricky to get just right.
Sure, this would not take into account the end-to-end systems involved, but at least the device itself would be secured and checked.
With regard to the PEN testing that is performed by the RBC etc., I guess that how good this is heavily depends on how good the staff are that are performing the checks. Nothing is going to be completely secure with today's hardware and software no matter how rigorously it is tested; it is a matter of minimizing risk and impact.
I would suggest that an external company (properly accredited) having a crack at the RBC (generic term) would be a good thing but would need to be organised with them at the request (demand) of the school(s). Schools not inside such a network would probably benefit more from this service, but again accreditation would be required to handle the data.
Of course there is the debate as to how effective external PEN testing can really be when you can still walk into most schools and find a logged in unlocked teacher workstation to play with.
Last edited by SYNACK; 11th August 2009 at 03:06 PM.
11th August 2009, 03:19 PM #8
Sometimes with this sort of security testing the cost is often the factor that puts people off ... why pay several thousand pounds to an external company to tell you that something is wrong when the people you pay in house should be doing it instead! Better to train them up surely?
In reality it is a bit of a mixture about what is needed. IDS is good for spotting things out of the ordinary but that should not be a safety net for people not hardening things in the first place. Yep, lock everything down to start with and open up as required.
I have to admit that the NSA guides (Security Configuration Guides - NSA/CSS) are what I used to follow a heck of a lot. And mainly common sense too.
Now ... are we talking about an application that sits inside the school and probes or probes from outside of the school? Are we also talking about an automated probe or directed attacks?
11th August 2009, 06:28 PM #9
The one I'm aware of is purely automated testing - a canned list of exploits and known vulns using $software_package. Bearing in mind the sales pitch ("daily, weekly or even monthly basis") in the OP, school budgets and the cost of decent human pentests, I really doubt there's a meatsack running the tests.
Originally Posted by SYNACK
Of course there is the debate as to how effective external PEN testing can really be when you can still walk into most schools, and find a logged in unlocked teacher workstation to play with.
You can do the same with at least 7 Fortune 100s - schools aren't a lone bastion of insecurity. If you've ever done contract IT for banks, you'd invest in gold bullion and keep it under your bed. That said, there are probably other things the security funds could be spent on before considering a pen-test.
11th August 2009, 07:34 PM #10
Our school online reporting system is pretty rock solid I reckon, hosted internally but available via https + domain user/pass + database user/pass.
Our website and VLE are hosted externally, and it's a homebrew job by a local company, non-https login etc. - I'd be interested to see how strong that was.
11th August 2009, 07:49 PM #11
Tell you what, fella, what's better than a FREE test case?
Originally Posted by RabbieBurns
Let me know if you're interested, then we can use your views as unbiased feedback.
11th August 2009, 08:03 PM #12
I don't actually work there directly any more since I came over here, but I'm still in contact with my old boss and helping out etc. every now and then. I'll ask them if they are interested. Can you email me some sort of documentation / flyer etc. about what it would entail that I can pass on?
Originally Posted by CPLTD
11th August 2009, 08:06 PM #13
Will give you a buzz tomorrow, fella.
Originally Posted by RabbieBurns
11th August 2009, 08:10 PM #14
It'll be an expensive call...
Originally Posted by CPLTD
11th August 2009, 08:13 PM #15
Nah fella, we have a wicked deal on calls in all countries because of the telecoms engineers working all over the world, bud lol
Originally Posted by kmount