In this blog, the second in the series, we look at Network Security, following the guidance from the UK National Cyber Security Centre (NCSC). We explore how schools can implement technical and organisational changes in order to further protect the confidentiality, integrity and availability of your information assets. We are building upon each stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security, and in turn, providing our independent recommendations, examples and guidance.
In this blog following the NCSC guidance, we look at Network Security. This topic focuses on the securities in place around the perimeter of your school's network or on the boundaries between any location where your school data is held and that of a potential attacker. The physical and logical boundaries between your data, software and services and the outside world will be explained in the next section.
By following these recommended steps, you will be able to evidence that you are applying and maintaining the appropriate security procedures in order to protect your data whether held on-premise or in the cloud.
What or where is our network boundary now?
Prior to the use of full productivity software and data storage ecosystems like G Suite and Microsoft Office 365, your school’s physical and logical boundary would likely have been the school's firewall. However, the network boundary is now harder to define as your school’s data may be hosted offsite in 3rd party provider’s data centres (the cloud), and accessed via wider variety of devices, such as unmanaged bring your own devices (BYOD), users’ personal devices as well as your domain joined devices.
What areas should we be looking at?
As we have outlined, the network boundaries have moved or evolved. The edge now includes devices that access data whilst within your school's network and those outside of it, and devices that are managed and unmanaged. With the technical and organisational shift as we move more data and services to the cloud, we are becoming increasingly aware that some of these boundaries now sit outside of the school’s direct control. We are relying more and more on the 3rd parties we engage with to apply and maintain the appropriate security measures required to protect our data.
Based on the above we have listed some of the key areas to reassess and update in order to protect your data from internal or external attack. These include:
- Review internal/external traffic on your firewall and perimeter devices
- Assess all allow lists, ports and protocols
- Ensure appropriate network traffic segregation
- Implement wireless networks security standards
- Review all remote administrative access to Servers, Firewalls, IoT
- Update all systems with the latest security and firmware updates
- Define your data loss prevention policies
- Ensure threat protection mechanism are up to date
- Configure auditing, alerting and reporting
- Run regular vulnerability scans
- Perform penetration tests to check for:
- Forms and parameters accepting malicious commands
- Vulnerabilities that allow extraction of data or unauthorised access
- Out of date plugins and components
- Improperly configured and unsecured services
- Configurations that allow escalation of privileges
- Script injecting and broken access control
- Session cookie exploitation
- User authorisation process manipulation
- SQL injection and OS command injection
- Implement appropriate password complexity
- Use two step authentication
- Assess 3rd party operational and technical security measures
The above is not an exhaustive list, in principle, you need to be looking for any weakness in your school's network that could allow access to school systems and data. Your users’ credentials and accounts are the most common entry point to an attack. Starting with assessing and defining the privileges that are bestowed upon your users when accessing systems and services and implementing two step authentication is one of your primary lines of defence.
What questions should we be asking?
If we specifically look at your users: Students, Teachers, Admin Staff, Guests and 3rd Party Contractors. Ask yourself this:
- What software, service or device does this user require access to in order to perform their day-to-day tasks?
- What is the lowest privilege level we can provide the user in order for them to perform these tasks?
- What additional security could be put in place to ensure the software, service or device remains secure in the event of user credential theft, malware introduction, loss etc?
- Which of the available security measures is proportionate to the identified risk associated with the software, service or device being accessed?
If we look at user devices: domain joined devices, bring your own device (BYOD), personal devices, guest user devices. Ask yourself:
- Who needs access to this device?
- What level of network access does this device need (network segregation)?
- How does this device receive security, patch and firmware updates?
- How does the device receive virus definition updates?
- Does this device need to be managed?
- How and can this device be managed?
- Does this device need internet access?
- Will this device be taken home?
- Will this device be used in a public place?
- Can, has and should this device be encrypted?
- Does this device respond to a remote wipe command?
- ...and so on...
The above is a small example of the questions you should be asking yourself in order to determine the appropriate level of access, security and monitoring required to protect your school’s data, whether on-premise or in the cloud.
How can we assess our current security?
In order to determine if there are any areas of weakness within the boundaries between both users or devices, and the school's data, you need to conduct a technical and operational security assessment. The assessment should look at the effectiveness of the school's systems, services and users in response to an internal/external technical or organisational attack.
9ine's Cyber Vulnerability Assessments will identify weaknesses in your systems’ and services that make you susceptible to attack. Identifying areas where systems have not been updated, patched or miss-configured is key to understanding where and what could allow attackers to exploit known vulnerabilities. Assessing key systems, making use of available security features, and identifying where the application of industry best practices could further enhance your school's security posture.
The output of this exercise will be an assessment, per system, of its operational effectiveness, and an associated list of issues and actions that need to be completed to improve your organisation’s security posture. Included within this assessment will be observational assessments, and where possible, examples of what your school needs to change operationally to improve service levels and reduce the probability and impact of a cyber attack.
The Security & Systems Essentials Assessment provides you with a point in time evaluation of your school’s vulnerability and response capability to attack. The output of the assessment provides the school with a risk-weighted prioritised action plan. Enabling the school to implement the recommended security controls and mitigation actions in a structured way. This service can be further supplemented by Penetration Tests and Cloud Security Assessments to further validate and ratify the security of the school’s networks and data.
Securing the physical and logical boundaries between your data, software and services, and the outside world is crucial. This is one of the many areas within a multi-layered approach to data security, often referred to as defence-in-depth. By following these recommended steps, you will be able to evidence that you are applying and maintaining the appropriate securities in order to protect your data whether held on-premise or in the cloud.
For more information about our Security & Systems Essentials, or other security initiatives that we provide:
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a certified information security professional and data protection practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.