Penetration Test Case Study: Hong Kong School System
Brace yourself with penetration test and saving yourself from potential hacking and data leak
Is there any safe place on Earth?
There are news about cyber-attacks almost every day. Recently, a travel agency and a Telecom company were also hacked, leaking out hundreds of thousands of client information. Our information is exposed to risk all the time. Want to provide better protection to your data? A penetration test conducted by professional security experts can prevent cyber-attacks by finding out the weak spot in your computer system before hackers strike.
Background
A primary school in Hong Kong has been using the same three computer systems for years. These systems are used for managing the school website and handling different administrative and communication work. They contain large quantity of confidential personal information of students, parents and staffs from different school years, including their address, scores, occupations of parents, salary and attendance of school staff, etc. These information are extremely sensitive and should be under the best protection. The school finds urgency to examine the system to see if there are any vulnerabilities but they do not have adequate technical know-how. What’s more, all tests and system enhancement must be done within certain time frame.
Challenges
Cyber-attacks are evolving rapidly. Yet, many people mistakenly think that passwords alone offer sufficient protection and do not realize the many unknown flaws in the computer system. Large-scale ransomware attacks like WannaCry and Petya successively bashed the world. Cyber ransom groups have struck many institutions and corporations by exploiting vulnerabilities in their computer systems. Information in those systems were hijacked and held for thousands of dollars’ worth of ransoms.
“Malware attacks are on the rise. Another school was attacked previously. We don’t want the same thing happening to ourselves,” said Steve, Information Technology Officer of the school. In fact, it is not uncommon that hacker groups hack in and ask for ransoms worth tens of thousands of dollars. “Even if the files can be recovered, the stolen information are very likely sold,” Steve continued.
A penetration test is the most efficient way to protect yourself. It is remedy before tragedy. By authorizing a simulated attack on a computer system, we can evaluate the security of the system and determine whether it is vulnerable to attack. Possible security enhancements can be recommended to prevent cyber threats before any incidents occur. Penetration tests are getting more and more common. Some government agencies conduct a test every half a year to make sure their systems are watertight. “It’s actually just like a regular body check. It is always better to find out what is wrong in your body before something bad happens.” Steve said. “Our outdated computer systems are have high risk of being hacked. The test is not neglectable. Another challenge for us is time. All test and enhancement must be completed in the summer holiday, adding more difficulties.”
What UDomain did
To look for the misconfigurations and flaws in their system, our security experts first had preparation meetings with the school to understand their needs and the scope of the job. Timing of the test was mutually agreed to avoid heavy traffic. Our experts first scanned the system with professional software to look for vulnerabilities. Then they performed simulated attacks by imitating hacker’s mindset. The result is alarming to everyone!
Both the administrative system and the website servers are very vulnerable. Although it is protected by passwords, our security experts can effortlessly hack into the admin account, gain access to and retrieve sensitive information. Content of the website and the database can be easily manipulated. Moreover, our experts can even access the server of the system and make some further changes. If these vulnerabilities were not found in advance, sensitive information may be leaked out or erased by a hacker looking for ransom, which will bring serious damage to the interest of all parties, as well as to the reputation of the school.
After the test, UDomain provided a comprehensive report with in-depth analysis and enhancement recommendations. A re-test was performed after remediation to ensure every flaw and loophole is fixed. “Honestly, I am surprised by the report. Even we are the ‘IT guys’, we may not have the time or ability to locate flaws in the system during our daily routine. It is a responsible act to handover the task to a professional security company,” said Steve.
Why UDomain
- Looking for system vulnerabilities to protect your data
Other than educational institutions, banks, hospitals and social service NGOs all possess sensitive personal information in their computer systems. This makes them a favorable target of hackers; thus they must maintain a high security standard. As ransomware is getting more common, it has become futile to go to the police for help. The number of attacks and the location of the hackers make it almost impossible to investigate and sanction the offenders. Penetration test can prevent hacking from happening in the first place.
- Lowering your cost significantly
We understand that it is hard for many institutions to spare time and resources to routinely check on the system security and that their IT staffs may not have the expertise in cybersecurity. However, it is much more costly to recover data or to pay ransom after being blackmailed. There is even a chance of getting fined for not providing adequate protection for personal information (for example, the GDPR of the EU. Not to mention the cost of rebuilding reputation. UDomain offers reasonable and flexible pricing according to specific needs and complexity which helps our clients to ensure system security at minimal expense.
- Certified professionals at your service
High level of expertise in interpreting scanning and suggesting countermeasures are required during Penetration Test. This means not all IT companies are qualified to perform such tests. UDomain’s security experts are all qualified professionals with OSCP certification to carry out ethical penetration test. With years of training and practice, we understand the needs and difficulties of SME and different organizations. You can absolutely count on us.
- Diversified one-stop service
Unlike some tech companies which only specialize in a certain aspect, UDomain provides diversified and comprehensive services. Follow-up measures such as web-hosting, firewall solutions and fixing misconfigurations can all be arranged at the fingertip, saving you the hassle of soliciting different service providers while providing them with the best protection. Our technical support is also available 24x7.
“We all lock our door when going out. But something intangible like cybersecurity is often overlooked. UDomain’s cyber-security team was professional and efficient throughout the process. The test was completed without causing any effect on daily operation. The report and follow-up services are useful and tailor-made. It is certainly a correct move to entrust UDomain with this task,” Steve concluded.
Key Takeaways
Information protection and cybersecurity is now a global problem. Anyone can become a target in the next minute. If you do not want to become a victim of another attack, a penetration test is what you need. As a Managed Security Service Partner stationed in Hong Kong, we offer comprehensive test and follow-up services to combat future threat. Now is the time to be better prepared!
