View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 4, 2019updated 05 Apr 2019 10:12am

UK Universities Have Failed 100% of Penetration Tests Within Two Hours

“Senior leaders are not taking the issue seriously enough.”

By CBR Staff Writer

Whitehat’s carrying out penetration tests on the online infrastructure of UK universities had a 100 percent success rate in every test within two hours.

The tests were carried out on behalf of the Higher Education Policy Institute (HEPI) and Jisc, the institution that provides internet services to UK universities. Penetration testing was done on over 50 universities, all of which failed.

Their report found that: “Alarmingly, when using spear phishing as part of its penetration testing service, Jisc has a 100 per cent track record of gaining access to a higher education institution’s high value data within two hours.”

Third level educational facilities and organisations hold extremely sensitive data belonging to their students, staff and organisations engaged in research projects on campus. This data can range from staff and students’ medical, financial and location data, to the intellectual property of companies.

UK Universities Hacked

The report states that: “In the spring of 2018, Jisc surveyed university information technology and security staff to better understand their security position. The results demonstrate that perceptions of cyber-security protection are fairly negative.”

That survey notes that only 15 percent of higher education IT and security staff believed that their organisation was well protected. A host of reasons were cited for the low scores such as a lack of dedicated staff, budget constraints, lack of policies and suggestions that “senior leaders are not taking the issue seriously enough.”

Adrian Taylor, CTO of ITC Secure told Computer Business Review in an emailed statement that: “Academic networks have long been a target for malicious actors for several reasons, the two most prominent being that they tend to have huge bandwidth to the internet, which is super handy if you happen to be running a DDoS farm and can gain control of a server or two to run one of your bots.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

“They often run cutting-edge technology or configurations far in advance of a typical enterprise risk appetite – for example most universities had IPv6 in production long before enterprises were even considering the benefits.”

“This has been the case for years, but as Universities are partnering with commercial institutions to carry out research with potentially very sensitive implications – think pharmaceuticals or environmental / geopolitical – then their attraction for bad actors becomes greater and greater.”

“Ironically, of course, some of the most valuable research into cyber security comes from these self-same institutions, so it’s not as if they don’t have the skills or capabilities to secure their own estate.”

See Also: Misconfigured Storage Tech Strikes Again, Facebook User Data Exposed

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.