Penetration testing reveals cyber Achilles heel


Colorado Springs school districts are hiring hackers to find the holes in their cybersecurity defenses.

They’re among an increasing number of organizations turning to penetration testing — ethical hacking that locates and exploits a system’s security flaws — so they can see their own weaknesses before the bad guys do.

Terry Bradley, chief technology officer at PLEX Solutions LLC, said penetration testing, commonly known as pen testing, isn’t cheap, but it’s not as costly as a data breach — in dollars or in reputation.

“From mom-and-pop up to Fortune 50, the average data breach costs about $1 million … and if you’re on the mom-and-pop side, it might put you out of business,” he said.

“Sixty percent of small and medium businesses [go under after a breach]. It’s reputation — studies say 80 percent of a company’s intangible value is reputation.”

Most small and medium-sized organizations don’t have the resources and expertise to properly secure their networks, and simply aren’t aware of how ubiquitous cyber attacks have become.

“If you think ‘I’m too small to be attacked’ or ‘No one’s heard of us’ or ‘We don’t have any sensitive information’ — no,” Bradley said. “People are just attacking anything that’s on the internet. They’ve got automated systems that constantly scan for vulnerabilities, that scan for weak passwords. If you’re on the internet, you’re going to get attacked.”

Educating local business leaders about vulnerability assessments and penetration testing at the Cybersecurity Oversight Training event Aug. 10, Bradley pointed to Academy School District 20 as an example of an organization successfully using monthly penetration testing to improve their cyber defenses.

“When it first started they had some critical vulnerabilities,” he said. “They fixed those, then more popped up and they fixed those. Over time, they’re getting better.

“They’re measuring it, they’re working on it, they’re improving. That ultimately pays big dividends.”

Shelley Kooser, chief information officer for D-20, said PLEX was hired for penetration testing about three years ago to protect student data and the district’s reputation.

“It was about making sure we were protecting who we are as a district, our name, our brand — and I have students in the district. As a parent, I want to make sure their data is protected,” Kooser said. “These are school-age kids … to start off and someone’s stolen your identity, that’s really scary.”

While personal information “is one of the hottest commodities on the market,” Bradley said,  school districts present opportunities for cybercrime that go far beyond data theft.

School districts are being hit financially by hackers via fraudulent wire transfers and fraudulent invoices. They can also unwittingly become part of  hacker infrastructure.

“Schools and universities are oftentimes targeted by intelligence services, just to gain a closer proximity to the actual target,” Bradley said. “If I’m a hacker, I need a lot of infrastructure: servers that I can send emails from, servers that I can move through that appear to come from different places.

“Say I’m a Russian hacker — if my target is Peterson Air Force Base or Cheyenne Mountain, I’m much better sending out fake emails from [the] district where some of these officers’ children go to school, than from a server in Russia.”

Bradley said many school districts are “just starting to address” penetration testing and consistent vulnerability assessments, while others are being turned down by their school boards for funding reasons.

“Budgets are not unlimited for any department,” Kooser said, “[but] I think it’s better being proactive about spending the money upfront and knowing what your vulnerabilities are, versus having someone else tell you what they are after they’ve taken your data.”

Kooser said year-round pen testing and security assessments are part of a multifaceted approach to information security for D-20, which also emphasizes ongoing employee training.

Elizabeth Walhof, director of instructional technology integration and professional development for Lewis-Palmer School District 38, said the district uses both ongoing pen testing and vulnerability assessments, and audits successfully identified “some patching and configuration challenges” that the district had addressed.

Walhof said LPSD38’s other cybersecurity strategies include patches, updates and filter evolution, legal compliance, staff education, and information-sharing with business, school and community leaders.

“We continually make improvements to make ourselves a ‘hard target,’” Assistant Superintendent Cheryl Wangeman said in an email.

In 2016, a potential data breach of some student accounts was identified at D-38. The investigation was turned over to the Monument Police Department, which completed and closed its investigation without filing charges.

Applied Trust, a data security consulting firm hired by the district, found that a login credentials vulnerability did exist but no student data was compromised.

As a result, Walhof said, D-38 made changes to how user accounts are named and how passwords are provisioned and changed. She said the experience of dealing with a possible data breach had “created a more user-friendly narrative around the importance of cybersecurity. Cybersecurity is talked about in larger circles.”

While D-38 avoided a breach, Bradley said other school districts are not so fortunate.

“There are definitely school districts out there that have already been breached,” he said. “They’re either losing data and they just don’t know about it, or they’ve been breached by a hacker who has some other motive other than financial or personal data.”