Red Team Penetration Testing for a US K-12 School
The Customer is a prestigious US private school with over 1000 students from kindergarten to 12th grade.
A reputable educational institution with a century-long history, the Customer strives to create a secure environment for its students. To protect against data theft, ransomware, and other common cyber threats, the school has invested in security tools for its IT infrastructure, security awareness training for its staff, and several vulnerability assessments and penetration tests. In the face of the growing number of cyberattacks on the US educational sector and K-12 schools in particular, the Customer wanted to check how well its security system could respond to real-life targeted cyberattacks. The school was looking for a competent vendor proficient in open-source intelligence, penetration testing, and social engineering techniques to conduct all-around red team testing.
With 19 years in cybersecurity and a solid portfolio of successful security testing projects, ScienceSoft was able to offer the most convincing service proposal among all the candidates considered by the Customer. Thus, the school entrusted the project to ScienceSoft’s team of Certified Ethical Hackers. Like real-world hackers, the testers didn’t have any previous knowledge about the Customer or its IT infrastructure and needed to find a way to get unauthorized access to the school’s IT assets.
To understand how they could infiltrate the Customer's IT infrastructure, ScienceSoft's Certified Ethical Hackers started with open-source intelligence: gathering information about the school from online publications, social media, and other publicly available sources. Using OSINT tools and analyzing their findings, the testers revealed 22 public-facing IPs, including 4 web applications, as well as 76 emails and 4 phone numbers of the Customer's employees. Also, they got insight into the school’s internal activities that could help them create plausible content for phishing emails and vishing calls.
Black box penetration testing
After scanning the Customer's infrastructure components that were found during OSINT and attempting to exploit the detected vulnerabilities, ScienceSoft's testers revealed 14 security issues of medium and low severity. They included:
- Missing HTTP security headers (e.g., X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security) that offer additional protection against cross-site scripting, clickjacking, or MIME-type sniffing attacks.
- Weak IPsec VPN settings: IKE aggressive mode was enabled, which allows the unencrypted authentication hash (derived from the pre-shared key) to be retrieved.
- A web application lacking an anti-automation mechanism needed to prevent brute-force attacks.
- A test account with weak credentials (username = “test”, password = “test”) that a potential attacker could easily brute force, and more.
ScienceSoft’s team provided the Customer with detailed guidelines on the remediation measures. They included:
- Upgrading the outdated components to the latest available versions.
- Implementing the missing security headers.
- Avoiding the use of IKE Aggressive Mode or, if it is not possible, choosing a complex pre-shared key.
- Adding CAPTCHA to login forms and implementing/configuring a web application firewall to prevent automated attacks.
- Enforcing a strict password policy, and more.
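To make the missing-header finding and its remediation item concrete, here is a small checker written for this write-up (it is example code, not ScienceSoft's tooling or the Customer's configuration). It parses a raw HTTP response head, reports which of the listed headers are absent, and flags present-but-weak values; the sample responses and the value thresholds are constructed assumptions.

```python
import re

# Headers named in the finding, each with a minimum a defender should expect.
# The value checks are this example's own assumptions, not the report's text.
def _max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

EXPECTED = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,  # one year
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    # Listed in the finding; most current browsers ignore this header, so a
    # Content-Security-Policy is the effective XSS mitigation today.
    "x-xss-protection": lambda v: True,
}

def parse_response_headers(raw):
    """Split the head of a raw HTTP/1.1 response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name and value:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return (missing, weak): headers absent, and headers present but misconfigured."""
    headers = parse_response_headers(raw)
    missing = [h for h in EXPECTED if h not in headers]
    weak = [h for h, ok in EXPECTED.items() if h in headers and not ok(headers[h])]
    return missing, weak

# Constructed sample responses, not captured from the Customer's systems.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
          "X-Frame-Options: ALLOWALL\r\n\r\n<html>...")
AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
         "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
         "X-XSS-Protection: 0\r\nContent-Security-Policy: default-src 'self'\r\n"
         "\r\n<html>...")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        missing, weak = audit(raw)
        print(f"{label}: missing={missing} weak={weak}")
```

Running it against a real site means feeding it the response head captured with a browser's developer tools or a scanner, which is how the headers listed above would be re-verified after remediation.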
While performing a bulk phishing attack on the 76 school employees identified during OSINT, ScienceSoft’s testers used several scenarios. They sent emails with the following content:
- A notification about signing in to your Google account from an unknown device.
- A notification about changes in the curriculum and a link to review the changes.
- An invitation to a school concert with a registration form link.
- A warning about an increase in cases of legitimate mail being incorrectly marked as spam, with a link to report whether this had happened to the recipient.
The phishing campaign proved that the school’s existing email anti-phishing tool was effective: it flagged the phishing emails as suspicious, so 80% of the targeted employees didn’t open the emails at all. The remaining 20% opened them but didn’t click the links they contained. As a result, ScienceSoft’s team was pleased to report a high level of security awareness among the school staff.
ScienceSoft’s security tester called four of the school employees pretending to be a tech support worker. He told them that after the recent IT network modifications, he needed to make sure that everything was working as it was supposed to. After that, he tried to talk the targeted staff members into exposing the data that he could use to attempt an attack. For example, he asked them to run the systeminfo command that provides information on Windows edition, processor and memory configuration, computer name, Windows activation status, and more. All four employees turned out to be vigilant: they didn’t follow the instructions and quickly ended the call.
As a result of the red team testing performed by ScienceSoft, the Customer received proof that its security management strategy was effective enough to ensure high cybersecurity awareness among the staff and to keep critical vulnerabilities out of the school’s IT infrastructure. The Customer also learned about several security issues that had been missed during previous security checkups. Thanks to the detailed remediation guidelines provided by ScienceSoft, the Customer’s IT team was able to quickly fix the vulnerabilities and ensure reliable protection of the school’s IT assets.
Technologies and Tools
Metasploit, Nessus, Qualys, Burp Suite, OWASP ZAP, Nmap, Dirb, SSLScan.