Is it Important to Use a Penetration Testing Firm that Specializes in Higher Education?

In an era where cybersecurity has become a critical concern for institutions across all sectors, higher education institutions face unique challenges in safeguarding sensitive data, protecting research networks, and maintaining the trust of students, faculty, and stakeholders. The importance of using a penetration testing company focused specifically on higher education is key for achieving the highest quality and most actionable results as they relate to the education sector. In this blog, we will explore some of the reasons why using a penetration testing firm that specializes in higher education can be such an advantage.

Understanding the Higher Education Landscape

The IT landscape for colleges/universities can be somewhat unique and much more complex when compared to other sectors. Networks are usually substantially larger as compared to other organizations across other sectors of business, with entire Internet-facing Class B ranges (~65,635 IP addresses) and multiple Class B’s used internally. Additionally, these organizations are often using externally addressable IP ranges internally still, remnants of purchasing large ranges during the early days of the Internet and historical precedence in network administration. Maybe more importantly, these institutions leverage a very diverse ecosystem of systems and higher-education specific software, spread over network segments that are setup unlike your standard internal network, organized into student VLANs, administrator/faculty VLANs, research network VLANs, etc.

These environmental factors are combined with the unique challenges that higher education institutions often face when it comes to systems administration internally. Many facilities have operated under a “permit by default, deny by exception” principle for a long time that is antithetical to current information security wisdom and best practices. Culturally, sharing and openness are the guiding light of many colleges and universities. These kinds of entrenched policies can be very hard to change and often require understanding and alternative mitigating controls to achieve improved security outcomes, where other penetration testing firms may not have encountered issues or pushback in the past. Higher education institutions are more susceptible to funding issues and staffing shortages as well, creating an increased use of open source software, automation, and custom-developed fixes that are at an increased risk of having security issues.

Addressing Relevant Compliance Requirements

Having a penetration testing firm familiar with the regulatory environment higher education institutions operate in can also be extremely beneficial. Properly scoping assessments and ensuring the minimum testing requirements for meeting the FTC Safeguards Rule, as one example, is a great way to make sure you are getting exactly what you need without overpaying. Using a firm that is also intimately familiar with other important compliance standards that affect almost all colleges and universities, such as the Payment Card Industry (PCI) Data Security Standards (DSS) and the Health Insurance Portability and Accountability Act (HIPAA), can help ensure your information security program and penetration testing meets these standards at the same time.

Experience in Similar Environments and with Specialized Software

Part of addressing the relevant compliance requirements and operating within higher education’s unique landscape is addressing the specialized software and systems that they use. This includes student information systems (e.g., Ellucian Banner, DegreeWorks, and PeopleSoft), ERP systems, CRM systems, etc. Understanding where sensitive information is stored within the university environment helps a penetration tester better emulate a threat actor and ensures that the “crown jewels” for the organization are adequately protected. Additionally, having experience interacting with and testing these platforms allows testers to be more efficient and effective in vulnerability identification.

Overall, these are just a few of the advantages of engaging a penetration testing team that specializes in working with higher education institutions. The experience those teams have both within universities and with customers in different verticals combine to provide the best of the both worlds and get the most return for your security assessments.