
03 School Network Security and Defence


Mr. Eric Fan, Chairman, eLearning Consortium (eLC)

Published in: Education

  1. Experience Sharing on School Pentest Project. Eric Fan, Chairman, eLearning Consortium
  2. Agenda: School Pentest Project; Our Findings; Recommendation; Best Practice for School; Look Forward in Year 2020
  3. Objective: As an independent consultant, providing a series of vulnerability scans, penetration tests and reviews of the website security of more than thirty K12 schools (30+ schools), and identifying potential areas for further improvement to protect schools' sensitive data and goodwill.
  4. What we do? Step 1, Automated Scan: configure and execute the automated scan, followed by test plan development; risk assessment takes place during test plan development. Step 2, Manual Review: verify the scan results, eliminate false positives and then execute manual business-logic tests; an application walkthrough and threat analysis are also conducted during this stage. Step 3, Debriefing Meeting: report and analysis of the automated scan and manual scanning results, with recommendations.
  5. School Project Findings: 30 schools (including public, private, primary and secondary schools); 78 applications (including public, intranet and internal applications of the 30 schools); 20,000+ personal data records (including email, name, HKID etc.); 240+ critical vulnerabilities.
  6. 6,000+ Vulnerabilities by severity: Critical 4%, High 15%, Medium 30%, Low 51%.
  7. Overall Findings (chart: counts of Critical, High, Medium and Low vulnerabilities per school, schools 1 to 30, vertical axis 0 to 700).
  8. Critical Vulnerabilities (chart) with categories XSS, SQL Injection, SSLv2 & v3 and Password in Plaintext; counts shown: 185, 325, 33, 39.
  9. Top Security Impact Vulnerabilities. Back Up File: we found plaintext database login credentials in a backup file, which may lead to unauthorized login. SQL Injection: allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Unsupported Software / OS Version: outdated software or operating systems can no longer be updated to the latest patch and remain vulnerable to exploit. Password in Plaintext: allows anyone who can read the file access to the password-protected resource.
  10. SQL Injection (chart) with categories Vendor Solutions, School's own applications and Unsupported Operating Systems; counts shown: 22, 16, 11.
  11. SSL Cert (pie chart; category names and percentages were not preserved in the export).
  12. Recommendations. Reliable Vendor Solutions: software and application vendors should offer OS or patch updates so that users can fix their software and application vulnerabilities. Regular Scanning: yearly or half-yearly vulnerability scanning and penetration testing is recommended. Regular Patch Operating Systems: regularly review and update the hardware and application operating systems to the latest patch, in order to avoid malware and exploits. More info: Information Security in Schools - Recommended Practice (Jan 2019) https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
  13. Best Practice for Information Security in School. End Point Computers and Tablets: anti-virus and anti-ransomware. Firewall and IPS: deny malicious traffic and file downloads. Data Protection and Back Up: backup storage and cloud service provider. Regular vulnerability scanning and penetration testing. CloudFlare Web Application Firewall: prevent SQL injection and web security attacks. File, DB and Email Servers: regular patch updates and backup. More info: Information Security in Schools - Recommended Practice (Jan 2019) https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
  14. Look Forward in Year 2020. Meet with the Stakeholders: seek resources for the education sector on cybersecurity. Training to Practitioners: provide training to education practitioners on cybersecurity. Best Practice: regular updates on education-specific security incidents and best practice.
  15. Thank you!
