Education Bureau - Experience Sharing on School Pentest Project · 2020. 1. 17.

Page 1
Experience Sharing on School Pentest Project
Eric Fan
Chairman, eLearning Consortium
Page 2
Agenda
School Pentest Project
Our Findings
Recommendation
Best Practice for School
Look Forward in Year 2020
Page 3
Objective
As an independent consultant, provide a series of vulnerability scans, penetration tests and reviews of the website security of more than thirty K12 schools, identifying potential areas for further improvement to protect the schools' sensitive data and goodwill.
30+ Schools
Page 4
What we do?
Step 1: Automated Scan. Configure and execute the automated scan, followed by test plan development. Risk assessment takes place during test plan development.
Step 2: Manual Review. Verify the scan results, eliminate false positives and then execute manual business logic tests. An application walkthrough and threat analysis are also conducted during this stage.
Step 3: Debriefing Meeting. Report and analysis of the automated scan and manual review results, with recommendations.
Page 5
School Project Findings
30 SCHOOLS: including public, private, primary and secondary schools
78 APPLICATIONS: including public, intranet and internal applications of the 30 schools
20,000+ PERSONAL DATA RECORDS: including email, name, HKID etc.
240+ CRITICAL VULNERABILITIES
Page 6
6,000+ Vulnerabilities
By severity: Critical 4%, High 15%, Medium 30%, Low 51%
Page 7
Overall Findings (chart: Critical, High, Medium and Low findings per school, schools 1 to 30; y-axis 0 to 700)
Page 8
Critical Vulnerabilities: XSS 185, SQL Injection 325, SSLv2 & v3 33, Password in Plaintext 39
Page 9
Top Security Impact Vulnerabilities
Back Up File: We found plaintext database login credentials in a backup file, which may lead to unauthorized login.
SQL Injection: Allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Unsupported Software / OS Version: Outdated software or operating systems can no longer be updated to the latest patch and remain vulnerable to exploits.
Password In Plaintext: Allows anyone who can read the file access to the password-protected resource.
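The two application-level findings above, SQL injection and passwords kept in plaintext, usually show up together in the same login handler. The following is an added example, not code from the presentation or from any of the school applications: a login written the way the scans found it, next to its hardened form (parameterised query plus salted PBKDF2 hashing with a constant-time compare). The SQLite schema, the sample user, the secret values and the iteration count are this example's own assumptions.

```python
"""Added example: a school-portal login written the vulnerable way beside its
hardened form. The schema, the sample user and the secret values are
constructed for this demo; they are not code from the applications tested."""
import hashlib
import hmac
import os
import sqlite3

# Assumption: 600,000 iterations of PBKDF2-HMAC-SHA256 (OWASP's current
# recommendation for PBKDF2); raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing 'pbkdf2_sha256$iter$salt$hash' string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt/iterations; constant-time compare."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hash of a throwaway value, used so a lookup for an unknown user costs the
# same as a real verification (no user-enumeration timing signal).
DUMMY_HASH = hash_password("not-a-real-password")


def build_db():
    """In-memory SQLite with a plaintext table (the finding) and a hashed one (the fix)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users_plain  (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE users_hashed (username TEXT PRIMARY KEY, password_hash TEXT);
    """)
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", ("admin", "S3cret!"))
    conn.execute("INSERT INTO users_hashed VALUES (?, ?)",
                 ("admin", hash_password("S3cret!")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Both findings at once: input concatenated into SQL, password compared in plaintext."""
    query = ("SELECT username FROM users_plain WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised query (input never becomes SQL) plus salted PBKDF2 verification."""
    row = conn.execute("SELECT password_hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # burn the same time, then refuse
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    payload = "admin' --"   # comments out the password check in the concatenated query
    print("vulnerable, injected :", login_vulnerable(db, payload, "anything"))  # True
    print("hardened,   injected :", login_hardened(db, payload, "anything"))    # False
    print("hardened,   real pwd :", login_hardened(db, "admin", "S3cret!"))     # True
```

With the vulnerable handler the username `admin' --` logs in with any password because `--` turns the rest of the WHERE clause into a comment; the hardened handler treats the same string as a literal username that does not exist. Hashing also fixes the "password in plaintext" finding at the storage layer: a leaked backup of `users_hashed` gives an attacker salted PBKDF2 digests rather than reusable credentials.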
Page 10
SQL Injection (chart: values 22, 16, 11; categories Vendor Solutions, School's own applications, Unsupported Operating Systems)
Page 11
SSL Cert (chart)
Page 12
Recommendations
Reliable Vendor Solutions: Software and application vendors should offer OS or patch updates to fix vulnerabilities in their software and applications.
Regular Scanning: Yearly or half-yearly vulnerability scanning and penetration testing is recommended.
Regular Patch Operating Systems: Regularly review and update the operating systems of hardware and application servers to the latest patch, to avoid malware and exploits that target known vulnerabilities.
More info: Information Security in Schools - Recommended Practice (Jan 2019)
https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
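The "Back Up File" finding on the previous page (plaintext database credentials in a file left under the web root) is something a school's own IT staff can check for between the recommended yearly scans. The following is an added example, not the presenter's tooling: it walks a document root, flags files a web server would serve as static content but that should never be there (editor backups, archives, SQL dumps), and looks inside them for credential assignments. The sample web root, its file names and the secrets in it are constructed for the demo; the suffix list and the regular expressions are this example's own assumptions and should be extended for the frameworks actually in use.

```python
"""Added example: a local check for the 'backup file with plaintext database
credentials' finding. The sample web root, its file names and the secrets in
them are constructed for this demo; the suffix list and regexes are this
example's assumptions, not the presenter's scanner."""
import re
import tempfile
from pathlib import Path

# Typical leftovers from editing or deploying: served verbatim, so PHP source
# (with its database credentials) becomes readable to anyone who guesses the name.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp",
                   ".zip", ".tar", ".tar.gz", ".tgz", ".sql", "~")
BACKUP_NAME_HINTS = ("backup", "bak", "dump", "copy")

# Credential-looking assignments in .env / ini style and in PHP define() style.
CREDENTIAL_PATTERNS = (
    re.compile(r"""(?i)\b(db_?pass(?:word)?|password|passwd|pwd)\b\s*[=:]\s*['"]?[^'"\s;]+"""),
    re.compile(r"""(?i)\bdefine\s*\(\s*['"]DB_PASSWORD['"]\s*,\s*['"][^'"]*['"]\s*\)"""),
)


def is_backup_name(name):
    """True for names that look like a backup, copy, dump or editor leftover."""
    lower = name.lower()
    return lower.endswith(BACKUP_SUFFIXES) or any(h in lower for h in BACKUP_NAME_HINTS)


def find_credentials(text):
    """Return every credential-looking assignment in text (may be empty)."""
    return [m.group(0) for pat in CREDENTIAL_PATTERNS for m in pat.finditer(text)]


def scan_webroot(root):
    """Return findings sorted by path; 'critical' when the file also carries credentials."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or not is_backup_name(path.name):
            continue
        text = path.read_text(errors="ignore")  # archives decode to junk; still flagged
        creds = find_credentials(text)
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "credentials": creds,
            "severity": "critical" if creds else "medium",
        })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_webroot():
    """Constructed document root: one clean PHP app plus the leftovers we are hunting."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": "<?php require 'config.php'; echo 'School portal'; ?>",
        "config.php": "<?php define('DB_PASSWORD', 'school123'); ?>",      # executed, not served
        "config.php.bak": "<?php define('DB_PASSWORD', 'school123'); ?>",  # served as text
        "db/backup_2019.sql": "-- dump\nINSERT INTO users VALUES ('admin', 'P@ssw0rd');",
        "old/site.zip": "PK\x03\x04 not a real archive",
        ".env.old": "DB_HOST=localhost\nDB_PASSWORD=school123\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    for f in scan_webroot(make_sample_webroot()):
        print("%-8s %-22s %s" % (f["severity"], f["path"], f["credentials"]))
```

Run it against the real document root of each site (the path the web server serves, not the whole disk). Anything it reports should be moved out of the web root or deleted, and any credential it finds should be rotated, since a file that was readable by URL must be assumed to have been read. The `.sql` dump is reported even without a credential match because a dump of the user table is itself the "20,000+ personal data records" exposure.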
Page 13
Best Practice for Information Security in School
Diagram labels:
End Point Computer and Tablets
Firewall and IPS
Data Protection and Back Up
Regular vulnerability scanning and penetration test
CloudFlare Web Application Firewall
File, DB, Email Servers
Anti-Virus and Anti-Ransomware
Back Up Storage
Cloud Service Provider
Regular patch update and backup
Prevent SQL Injection and web security attack
Deny malicious traffic and file download
More info: Information Security in Schools - Recommended Practice (Jan 2019)
https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
Page 14
Look Forward in Year 2020
Meet with the Stakeholders: to seek resources for the education sector on cybersecurity.
Training to Practitioners: provide training to education practitioners on cybersecurity.
Best Practice: regular updates on education-specific security incidents and best practice.
Page 15
Thank you!