CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or networksecurity defenses by looking for vulnerabilities. These are usuallyweaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events.  If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some these do not always connect well to third party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test Definition
Subscription and Services Discovery Can your subscriptions and services be easily discovered?
Files Exposed to the Public Are there files publicly available that supposed to be private?
Calendars Exposed to the Public Is calendar data that should be private, private?
Staff and/or Student Email Harvesting Can your staff and/or student PII be used to create a database for phishing and spamming?
Portals and SIS Are your portals and SIS properly secured and difficult to brute force attack?
Websites and Social Media Are websites and social media properly secured; is the media being used legally and correctly?
Cloud Services Have cloud services been properly secured?
Third-Party Sharing Is anyone sharing your content and do they have permission?
FTP, SSH, and Telnet Are any of these protocols a threat to your school via publically accessible information?
Email Blacklist Is your email domain blacklisted?
Email Header Check Is there any data in your header that could be anonymous or lead to blacklisting?
Email Catch-All for Non Existent Emails Is your email set up to catch any email that does not exist and alert someone?
SMTP Relay Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf?
4xx and 5xx Error Check Do the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
HTML Forms Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at:  .  I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.





Start At the Wall


Holidays are a very interesting time if you work in technology leadership or support. Ideally, people want to have some time-off. Therefore, making a list of essential projects to finish starts months before the holiday plans. Then a list of “what to do if” scenarios needs to be created and shared with whomever is going to be covering the campus/organization/service/website etc.

If you are like me, you are always prepared to remotely assist, even during times of rest and relaxation. The fact is critical processes can fail, and when they fail, a team effort is required to bring the world back online and settle the chaos.

My expectations for having to spend time-off supporting my campus connect directly to events that are unplanned, or mistakes in planning I have made. I do not expect to be contacted with an urgent request, have to leave my plans and find a laptop, and then fix something that is a problem inside of the local infrastructure. In other words, I do not want to get a phone call because someones chair is broken or printer is out of ink.

The Basic Problem 

Many years ago I realized that for some reason people who do IT Support seem to follow patterns (almost blindly). They repeat the same steps all the time, without actually diagnosing cause. They treat the symptoms and not the disease.

In addition, IT Support people make assumptions about users as well. The assumptions often lead to inaction or the repeating of useless actions, without any consideration of the actual situations.

In 2009, I instituted a simple rule on my campus. When anyone, myself included, walks into a classroom or office, go straight to the connection point in the room and Start At The Wall.

If a classroom or office uses Ethernet (pictured above), always check the cable first and walk socket. If the user is on Wifi, inspect the work area and power, and also if possible, visually inspect with Wifi Access Point.

The rule states that even if the problem is simply a question, take 30 seconds to inspect the source of communication and power in any and every space and look at the workspace.

Why This is Not a Huge Waste of Time

IT support people very infrequently connect to an individual user in the user’s space. In a given semester, support might enter a given teacher’s classroom or other user’s space just a few times. Therefore, every time IT support enters a room they should be observant and looking for any issues, which include simple maintenance problems, that a user may not notice.

Starting at the wall also has the benefit of focusing the mind. When a person goes into a space, their assumptions take a backseat to the job and process they are following.

What Happens When this Process is Ignored

Panic. Irrational judgement. Defeat. Only bad things can happen. In fact, in a recent case during my time-off,  IT Support made an assumption that the problem was not only unsolvable by local means, it was completely external. Meaning, there was nothing they could do to solve it. They tested the issue in 3 laptops, with the same exact results, and never once considered the issue could be something on the local network.

This assumption should have been avoided, as they had an email from 24 hours before explaining that the system in question had been successfully tested by a third party (off-campus), and the performance was normal.

They were so convinced, that even after the problem was tested off-campus and visual confirmation was provided that the services in question were working fine, e-mails flew reconfirming the problem still existed. I inferred from the emails that they believed I was using the system by some mystical means, which would prevent me from seeing the same results they were seeing.

The fact is, once people believe in a cause, justified or not, getting them to let go of that belief is extremely difficult. Not following some initial simple steps, can lead to conclusions that make bad problems worse.

All school administrators should be aware of their campus IT support processes and procedures. People tend to disconnect from IT support and see it as a black-hole of mystery, and they just hope that it will work.

Tony DePrato


The Cost of Doing Business

I had a heated argument last week with a teacher about printing. One of the issues on the table, and the one that stuck in my mind, was that the teacher wanted to have all their students print projects.  Normally this is not something that is even discussed. Students have areas they can print from. If they have laptops the students can even print in certain areas directly from their laptops.

The thing was, and is, these students are in Grade 4-5. They have normal IT courses and none of them have laptops. According to their curriculum, and historical practice, all the printing was done during IT class.  These classes, however, are not coordinated with the homeroom teachers’ activities.  So one homeroom teacher came to me looking for a solution.

Now, that is the background. However, the issue with giving these students more printing options has nothing to do with technology and everything to do with budgets. In fact, I find most teachers have no idea how our budget works. It got me thinking that maybe I should explain it.

Every year the various line-items in the budget get listed based-on need. Hopefully that need will be researched. Then the budget is submitted, and we fight over cuts and compromises. In the end we have line-items, and we want to spend each one down to zero.

So we are half way through the year and the grade 4-5 printing budget is about half way gone. If we enable 200 plus students to start printing off their curriculum plan, then that budget will be exhausted before the year ends. Overages in printing in 2012 are difficult to explain when everyone is pushing for printing reduction. …Use less, reuse when you can, recycle often…I think many people have gotten this message and in order to really support it you cannot and should not easily compromise.

It is important for budgeting practices to have discipline, but I also believe they should be communicated to people who are doing planning and research in individual departments. These people should understand and see the budgets that connect to their budgets. People seem to assume that paper, ink, electricity, etc are all automatically included in their curriculum plans.

The true cost of doing business is something that is regularly calculated outside of education, even if it is ignored on risk and carelessness. However, in education cost is often seen as departmental instead of communal or institutional. This can cause waste and shortfalls because all sides of the equation are not understood. In economics this is called an asymmetry of information.  I think some simple policies and improved communication can bring about an equilibrium, and I am really going to make an effort to get some balance back in the budgeting.

As always we are curious if you have any budgeting related comments or stories. It is not the most exciting topic, but it is something that affects everyone.

Tony DePrato