Strengthening Security Measures: A Case Study on Risk Assessment & Penetration Testing for a Local School
Casserly Consulting recently had the opportunity to collaborate with a local Boston area school that was seeking to assess the security of its IT systems. With the objective of understanding the vulnerabilities within its cybersecurity and technology infrastructure, the school requested a detailed analysis, a prioritization of risks, and suggestions for remediation. In response to these requirements, Casserly proposed a Baseline Risk Assessment & Penetration Testing engagement.
Let’s dive into this successful case study.
The school’s initial Request for Proposal (RFP) expressed the need for an order-of-magnitude prioritization of vulnerabilities, threats, and remediation steps. The school sought specific ideas and suggestions for mitigating risks and vulnerabilities, and emphasized that the assessment process had to remain objective: an objective analysis, a prioritization of risks, and recommendations for effective remediation strategies.
Casserly Consulting designed and executed a comprehensive solution for the school’s requirements, consisting of a Baseline Risk Assessment and an internal/external Penetration Test.
The project kicked off with meetings involving the IT director and key personnel, followed by the penetration testing phase, which comprised a period of reconnaissance, social engineering and phishing campaigns. For the penetration testing phase, Casserly Consulting established clear rules of engagement (ROE). These gave the security specialist a framework to adhere to, so that they knew exactly what they could and could not do, without disrupting any systems or data.
The Baseline Risk Assessment used a consultative approach, including interviews with key leaders and a thorough review of IT documentation and policies, to identify critical areas of concern and vulnerabilities. Despite scheduling conflicts with the school, Casserly Consulting worked diligently for 3-4 months to complete the project successfully.
Upon completion, Casserly Consulting presented its findings to the school’s IT staff. The report included a SWOT analysis, specific areas of risk, and detailed steps for remediation. During the assessment, our team uncovered several noteworthy findings that underscored the vulnerabilities within the school’s security framework. These findings revealed compromised accounts and exposed weak password policies. The assessment also identified several critical areas where essential security measures were absent, including:
- A strong password policy that includes a password length of eight characters or more.
- An inventory of information technology assets.
- The use of a Multi-Factor Authentication (MFA) across multiple authentication realms including the Virtual Private Network (VPN).
- A Mobile Device Management (MDM) solution for Non-Apple products and third-party service provider or vendor management programs.
- A formal vulnerability management program.
- Periodic penetration testing to verify the effectiveness of information security controls.
- Password protection for a historical record of Excel workbooks containing sensitive information such as Social Security Numbers.
Casserly Consulting also provided actionable steps to improve the school’s security posture and mitigate identified risks. To further support the school’s ongoing security initiatives, Casserly Consulting prepared a comprehensive 3-year information security program, including discounted security services. This program enabled the school to schedule regular vulnerability scans, testing, and other security measures to stay ahead of evolving threats.
Through Casserly Consulting’s collaborative efforts, the Baseline Risk Assessment and Penetration Testing were effectively conducted for the local school, giving it valuable insights into its security posture. In conclusion, Casserly Consulting provided invaluable insight into the school’s security vulnerabilities and shortcomings, enabling it to take proactive steps to enhance its IT systems and technology environment.