How Safe Is Your School's Data?
(Internet Related/Filtering/Firewall thread in the Technical forum; page 1 of 2)

  #1 CPLTD

    Hi Guys,

    A quick question for you all, as we are looking at partnering with an ethical hacking service who will test on a daily basis your data security.
    We would like to offer this service as an addition to any security hardware we provide.

    How do you feel about your school's data security? Have you got security provisions in place to prevent data loss?
    Is your school's website locally hosted and tested on a daily, weekly or even monthly basis for integrity?

    As more and more delicate student information is now being held online with the likes of Moodle and other online student access sites, we believe this service to be a great addition to the security hardware we are looking at providing to the Public Sector.

    Your feedback is much appreciated.

  #2 pete

    1) Since school sites are often hosted on RBC / LEA (or reverse proxied by them), how will you get the RBC/LEA to agree to the testing?
    2) At least one RBC/LEA already carries out scanning for known exploits, for free. How will you compete?
    3) The "tested daily by $foo" is a pre-canned scan for known exploits / misconfigurations - how quickly will 0-days be included as part of the scan?
    4) Who's the firm, what's their reputation? Please say it's not the clowns at McAfee.


  #3 CPLTD

    Quote Originally Posted by pete
    1) Since school sites are often hosted on RBC / LEA (or reverse proxied by them), how will you get the RBC/LEA to agree to the testing?
    2) At least one RBC/LEA already carries out scanning for known exploits, for free. How will you compete?
    3) The "tested daily by $foo" is a pre-canned scan for known exploits / misconfigurations - how quickly will 0-days be included as part of the scan?
    4) Who's the firm, what's their reputation? Please say it's not the clowns at McAfee.
    Some great feedback there, many thanks.

    The firm in question is not McAfee and they have some great accreditations which we will be exploring.
    We have noticed a lot of schools and colleges are actually hosting their websites locally, so the onus for security is left up to the school.

    Any further advice or feedback is much appreciated.

  #4 russdev

    @Si

    Yes, but the issue is the websites often go through the RBC connection. Let's put it like this: if I ran it on the internal web servers we run, to do that they had to go through the school's RBC internet connection to access my servers. If I had not got the OK from the director of the RBC I would be asked to leave my job.

    Russ
    Last edited by russdev; 11th August 2009 at 03:02 PM.


  #5 GrumbleDook

    You took the words out of my mouth actually Russ.

    If you are part of an RBC and you will be having any intrusion detection done, ethical hacking, remote connection for security testing ... there are a few things to consider.

    1) Should any of your school servers be compromised in any way does it pose a risk to your ISP / RBC and any others sites that connect to that WAN.

    2) Any attempt to attack a school site may be logged by the ISP/RBC and if they are not aware of what is going on they could automatically refer it to the relevant authorities without involving the school immediately.

    3) Are those who are testing going to be covered under DPA to access significantly sensitive information (eg SEN / information about children in care)?

    4) Is there a follow-up service which will then help the school understand their information handling and security considerations based on guidance from Becta and ICO? Is this aimed towards educational institutes? Does it cover the range from Senior Management to IT Managers to Teachers to parents to students / pupils?

    5) Is there a pre-assessment window when IT Managers can take significant steps (under advice) to harden their systems or document why certain systems are likely to be at risk (eg under investment in training, cheap solutions purchased when they are not fully secure, lack of downtime to allow for adequate patch management due to being told to *always* have the system running!, etc)?

    Not trying to say it is not a good idea ... just one to be careful with.

  #6 CPLTD

    Quote Originally Posted by GrumbleDook
    You took the words out of my mouth actually Russ.

    If you are part of an RBC and you will be having any intrusion detection done, ethical hacking, remote connection for security testing ... there are a few things to consider.

    1) Should any of your school servers be compromised in any way does it pose a risk to your ISP / RBC and any others sites that connect to that WAN.

    2) Any attempt to attack a school site may be logged by the ISP/RBC and if they are not aware of what is going on they could automatically refer it to the relevant authorities without involving the school immediately.

    3) Are those who are testing going to be covered under DPA to access significantly sensitive information (eg SEN / information about children in care)?

    4) Is there a follow-up service which will then help the school understand their information handling and security considerations based on guidance from Becta and ICO? Is this aimed towards educational institutes? Does it cover the range from Senior Management to IT Managers to Teachers to parents to students / pupils?

    5) Is there a pre-assessment window when IT Managers can take significant steps (under advice) to harden their systems or document why certain systems are likely to be at risk (eg under investment in training, cheap solutions purchased when they are not fully secure, lack of downtime to allow for adequate patch management due to being told to *always* have the system running!, etc)?

    Not trying to say it is not a good idea ... just one to be careful with.

    Some great points there fella.

    I will pass this info on to the team we are dealing with and await their response.

  #7 SYNACK

    With the concerns raised above, perhaps it would involve less red tape and be more appealing if the security devices (as per OP) came with an initial checked setup. If the purchaser knew what kind of traffic needed to be allowed and denied, then the device could be preconfigured in a secure fashion and tested before installation. This would not expose the data but would allow for a value-added service, as sec hardware can be tricky to get just right.

    Sure, this would not take into account the end-to-end systems involved, but at least the device itself would be secured and checked.

    With regard to the PEN testing that is performed by the RBC etc., I guess how good this is heavily depends on how good the staff are that are performing the checks. Nothing is going to be completely secure with today's hardware and software no matter how rigorously it is tested; it is a matter of minimizing risk and impact.

    I would suggest that an external company (properly accredited) having a crack at the RBC (generic term) would be a good thing, but it would need to be organised with them at the request (demand) of the school(s). Schools not inside such a network would probably benefit more from this service, but again accreditation would be required to handle the data.


    Of course there is the debate as to how effective external PEN testing can really be when you can still walk into most schools and find a logged-in, unlocked teacher workstation to play with.
    Last edited by SYNACK; 11th August 2009 at 02:06 PM.

  #8 GrumbleDook

    Sometimes with this sort of security testing the cost is often the factor that puts people off ... why pay several thousand pounds to an external company to tell you that something is wrong when the people you pay in house should be doing it instead! Better to train them up surely?

    In reality it is a bit of a mixture about what is needed. IDS is good for spotting things out of the ordinary but that should not be a safety net for people not hardening things in the first place. Yep, lock everything down to start with and open up as required.

    I have to admit that the NSA guides (Security Configuration Guides - NSA/CSS) are what I used to follow a heck of a lot. And mainly common sense too.

    Now ... are we talking about an application that sits inside the school and probes or probes from outside of the school? Are we also talking about an automated probe or directed attacks?


  #9 pete

    Quote Originally Posted by SYNACK
    With regard to the PEN testing that is performed by the RBC etc., I guess how good this is heavily depends on how good the staff are that are performing the checks. Nothing is going to be completely secure with today's hardware and software no matter how rigorously it is tested; it is a matter of minimizing risk and impact.
    The one I'm aware of is purely automated testing - a canned list of exploits and known vulns using $software_package. Bearing in mind the sales pitch ("daily, weekly or even monthly basis") in the OP, school budgets and the cost of decent human pentests, I really doubt there's a meatsack running the tests.

    Quote Originally Posted by SYNACK
    Of course there is the debate as to how effective external PEN testing can really be when you can still walk into most schools and find a logged-in, unlocked teacher workstation to play with.
    You can do the same with at least 7 Fortune 100s - schools aren't a lone bastion of insecurity. If you've ever done contract IT for banks, you'd invest in gold bullion and keep it under your bed. That said, there are probably other things the security funds could be spent on before considering a pen-test.

  #10 RabbieBurns

    Our school online reporting system is pretty rock solid I reckon: hosted internally but available via HTTPS + domain user/pass + database user/pass.

    Our website and VLE are hosted externally, and it's a homebrew job by a local company, non-HTTPS login etc. I'd be interested to see how strong that was.

  #11 CPLTD

    Quote Originally Posted by RabbieBurns
    Our school online reporting system is pretty rock solid I reckon: hosted internally but available via HTTPS + domain user/pass + database user/pass.

    Our website and VLE are hosted externally, and it's a homebrew job by a local company, non-HTTPS login etc. I'd be interested to see how strong that was.
    Tell you what fella, what's better than a FREE test case?

    Let me know if you're interested, then we can use your views as unbiased feedback.

  #12 RabbieBurns

    Quote Originally Posted by CPLTD
    Tell you what fella, what's better than a FREE test case?

    Let me know if you're interested, then we can use your views as unbiased feedback.
    I don't actually work there directly any more since I came over here, but I'm still in contact with my old boss and helping out etc. every now and then. I'll ask them if they are interested. Can you email me some sort of documentation / flyer etc. about what it would entail that I can pass on?

  #13 CPLTD

    Quote Originally Posted by RabbieBurns
    I don't actually work there directly any more since I came over here, but I'm still in contact with my old boss and helping out etc. every now and then. I'll ask them if they are interested. Can you email me some sort of documentation / flyer etc. about what it would entail that I can pass on?
    Will give you a buzz tomorrow fella.

  #14 kmount

    Quote Originally Posted by CPLTD
    Will give you a buzz tomorrow fella.
    It'll be an expensive call...

  #15 CPLTD

    Quote Originally Posted by kmount
    It'll be an expensive call...
    Nah fella, we have a wicked deal on calls in all countries because of the telecoms engineers working all over the world bud lol
