The following is the second in a series of blogs where 9ine explore how schools can implement technical and organisational changes in order to further protect the confidentiality, integrity and availability of your information and information systems. We will be building upon each stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security (image below), and in turn, provide our independent recommendations, examples and guidance.
In our previous blog, “Risk Management - How to Effectively Manage Cyber Security Risks in Your School”, we outlined how effective risk management will help your school prioritise the actions required to protect your data and network from identified vulnerabilities. The identification of these vulnerabilities was captured in “How To Assess Your School's Vulnerability To Cyber Attacks”.
In this second blog following the NCSC guidance, we look at Network Security. This topic focuses on the security controls in place around the perimeter of your school's network, or on the boundaries between any location where your school data is held and that of a potential attacker. The physical and logical boundaries between your data, software and services and the outside world will be explained in the next section.
By following these recommended steps, you will be able to evidence that you are applying and maintaining the appropriate security controls in order to protect your data, whether held on-premise or in the cloud.
What or where is our network boundary now?
Prior to the use of full productivity software and data storage ecosystems like G Suite and Microsoft Office 365, your school’s physical and logical boundary would likely have been the school's firewall. However, the network boundary is now harder to define, as your school’s data may be hosted offsite in 3rd party services/cloud/data centres and accessed via a web browser or dedicated software application on a variety of devices, such as domain-joined devices, unmanaged bring your own devices (BYOD) and users’ personal devices.
What areas should we be looking at?
As we have outlined, the network boundaries have moved or evolved to include the devices that are both within your school's network and those outside of it. With the technical and organisational shift of moving more data to the cloud, we have the increased awareness that some of these boundaries now sit outside of the school’s control, leaving access to our data to be managed by others.
Based on the above we have listed some of the key areas to reassess and update in order to protect your data from internal or external attack. These include:
The above is not an exhaustive list. In principle, you need to be looking at all entry points into your school's network and the accessibility of areas where school-owned data is stored, starting with the privileges that are bestowed upon your users when accessing systems and services, through to the devices that are used to access or funnel the traffic into, out of and around your networks.
It’s question time: what should we be asking?
If we look specifically at your users (students, teachers, admin staff, guests and 3rd party contractors), ask yourself this:
What software, service or device does this user require access to in order to perform their day-to-day tasks?
What is the lowest privilege level we can provide the user in order for them to perform these tasks?
What additional security could be put in place to ensure the software, service or device remains secure in the event of user credential theft, malware introduction, device theft etc. (this should be proportionate to any identified risk associated with the software, service or device being accessed)?
If we look at user devices (domain-joined devices, bring your own device (BYOD), personal devices and guest user devices), ask yourself:
Who needs access to this device?
What level of network access does this device need (network segregation)?
How does this device receive security, patch and firmware updates?
How does the device receive virus definition updates?
Can this device be managed, and if so, how?
Does this device need internet access?
Will this device be taken home?
Will this device be used in a public place?
Does this device respond to a remote wipe command?
...and so on...
The above is a small example of the questions you should be asking yourself in order to determine the appropriate level of access, security and monitoring required to protect your school’s data, whether on-premise or in the cloud.
How can we assess our current security?
In order to determine if there are any areas of weakness within the boundaries between users or devices and the school's data, you need to conduct a technical and operational assessment. The assessment should look at the effectiveness of the school's systems, services and users in response to an internal/external technical or organisational attack.
9ine's Technical and Vulnerability Service will assess your systems’ susceptibility to attack. Identifying areas where systems have not been updated, patched or configured is key to understanding where and what could allow attackers to exploit known vulnerabilities. This involves assessing key systems, making use of available security controls, and identifying where the application of industry best practices could further enhance your school's security posture.
9ine will systematically document all core systems, evaluating the configuration and identifying any issues and risks. The output of this exercise will be an assessment, per system, of its operational effectiveness and an associated list of issues and actions that need to be completed to improve the integrity and resilience. Included within this will be observational assessments, and where possible, examples of what your school needs to change operationally to improve service levels and reduce the threat of cyber attack. For more information on our Technical and Vulnerability Assessment please contact firstname.lastname@example.org.
The Technical and Vulnerability Assessment baselines the current security and vulnerability status of your school’s systems, providing the school with a risk-weighted action plan to prioritise the required mitigating projects. This service is supplemented by Penetration Tests and Cloud Security Assessments to further validate and ratify the security of the school’s networks and data. For more information on our Penetration Test Service (Cyber Defence Essentials) or our Cloud Security Assessment please contact email@example.com.
To get an initial high-level understanding of your organisational and technical cyber security posture, why not participate in our global state of the market research into cyber security in education?
Schools taking part in our research can:
Use the questions within our survey to assess your school's current cyber security controls
Determine a cyber security score for your school
Benchmark your progress towards achieving the NCSC Cyber Essentials accreditation
Compare your level of cyber security against a global network of schools
Take & Share 9ine's Survey
This survey should be completed by a senior member of your IT team or an individual who has a good technical understanding of your organisation's IT practices and strategy. Click on the link below to take part in our research, or share the following link around your school:
Securing the physical and logical boundaries between your data, software and services, and the outside world is crucial. This is one of the many facets within a multi-layered approach to data security, often referred to as defence-in-depth. By following these recommended steps, you will be able to evidence that you are applying and maintaining the appropriate security controls in order to protect your data, whether held on-premise or in the cloud.
For more information about our Technical and Vulnerability Service, or other security initiatives such as Data Loss Prevention, Advanced Threat Protection, End-User Email Digest Solutions, and our recommendations on configuring Office 365, please contact firstname.lastname@example.org.