How Kirchenfeld secondary school is improving IT security with a penetration test

Every day, the media reports on massive data theft, encryption of company data, blackmail, DDoS attacks and much more in the field of cyber security. In addition to the financial damage, which can even threaten a company’s existence, there is usually also a loss of reputation.

Kirchenfeld High School is aware of this threat situation. To ensure IT security in the new network environment, the educational institution commissioned the cyber security specialist United Security Providers (USP) to carry out a penetration test.

“As IT security is very important to us, we wanted to have our IT infrastructure audited externally. The team’s expert and trustworthy presentation convinced me to carry out the penetration test with United Security Providers. The cooperation with the experienced team was very pleasant and instructive, the final report was extremely detailed and helpful, and the result was completely satisfactory.”

Tom Jampen, Head of IT Services

In order to meet the growing need of teachers and students for more autonomy, flexibility and use of digital content and technologies, the Canton of Bern has decided to introduce the Bring Your Own Device (BYOD) concept. Kirchenfeld High School also decided to completely rebuild its IT network infrastructure in order to meet the increased IT requirements. IT security was a top priority in the migration project. A new IT security architecture was designed and implemented. The project was completed with an internal and external penetration test to ensure that the IT network was set up correctly and securely. The Greybox test type was chosen. With this type of test, some limited information is exchanged in advance to increase the efficiency of the penetration test. After the complex migration project, it was important to check whether the transitions and access points of the various VLANs were sufficiently secure. The experienced penetration testers from USP attempted to penetrate the systems using realistic attack simulations and various techniques, tactics and tools.

“Many companies have now written the secure construction of infrastructures into their specifications. Nevertheless, errors can always creep in during configuration or implementation. For this reason, we always recommend subjecting the systems to a penetration test afterwards. This is the only way to ensure that the project has been implemented successfully.”

Stefan Merz, Head of Consulting Services

The security review provided a very good overview of how potential vulnerabilities can be exploited by hackers. In addition, the current threat potential was assessed and detailed suggestions were made for increasing the level of security. The Kirchenfeld secondary school was given a good report card. The security mechanisms worked, and the effort involved in this complex migration project was worthwhile in every respect. Thanks to the close cooperation between the school and USP, a thorough and successful penetration test was carried out, which enabled targeted measures to be taken to improve IT security.

Initial situation

  • Complete rebuild of the IT network infrastructure
  • Complex network structure with many WLANs and subnets
  • Different user groups such as students, teachers, administrative staff and administrators
  • Dedicated VPN access to cantonal resources
  • On-premise server and cloud services
  • Implementation of a Bring Your Own Device (BYOD) concept in the new network environment

Scope of the penetration test

The focus was placed on the following target systems:

  • External/internal infrastructure
  • Network security
  • Active Directory
  • Interfaces and access between the various networks
  • Users with dual functions or multiple accounts
  • Integration of BYOD devices

Findings and benefits

  • Possible attack vectors and damage potentials were identified
  • Some configuration changes have been introduced to improve the overall security level