Strengthening Cybersecurity in Remote Learning: A Technical Analysis of a Charter School System’s Cloud Infrastructure

A large education institution (referred to here as CSS) enlisted AlphaRidge's expertise to perform an in-depth cybersecurity risk assessment and penetration test on their public-facing assets, specifically targeting cloud workloads in Google Cloud Platform (GCP) and Amazon Web Services (AWS). The analysis aimed to uncover and address vulnerabilities resulting from the rapid shift to remote learning, which had necessitated relaxing security measures to facilitate collaboration and communication.

The Challenge: The Needle in the Haystack

In a race against time to adapt to remote learning for over 42,000 students and educators, CSS eased constraints on internal document sharing, collaboration, and digital learning security policies. However, this expedited adjustment, coupled with a limited budget, led to the accelerated development and deployment of applications without adequate security testing. As a result, a substantial number of GCP and AWS resources were programmatically generated via APIs, unbeknownst to the development and security teams, creating a large sprawl of shadow IT.

During penetration testing, CSS was confronted with the discovery that the application teams had inadvertently introduced serverless functions that could be invoked from unauthenticated sources, an abundance of cloud resources with external access and elevated privileges, and stale accounts with global admin rights.

CHALLENGES

+ Degraded security due to pandemic requirements.

+ Limited internal technical resources.

+ Discovery of critical and high priority vulnerabilities.

+ Ensuring adherence to regulatory requirements from the Department of Education.

Key Findings & Our Approach

AlphaRidge's meticulous analysis revealed previously unknown interdependent web applications by interviewing leadership from each application team and cross-referencing the findings. The most significant finding confirmed a large set of unauthenticated, publicly exposed cloud functions dating back three years.

This allowed anyone on the open internet to delete databases, create new student records, and send notifications from CSS email accounts to students and staff without authentication.

Acknowledging the severity of risks and the sensitivity surrounding student data, AlphaRidge devised and enacted immediate, 3-month, and 6-month remediation plans in tandem with penetration testing to minimize adverse effects. A thorough review of applications and service accounts was conducted, and secure initiation best practices were deployed to bolster security.

Implementation

AlphaRidge performed a comprehensive examination of applications within the organization, pinpointing functions that could be invoked from unauthenticated sources. These functions were updated using secure invocation best practices, such as scheduled triggering, API calls over secure transport, source validation, and authentication. Additionally, follow-up interviews with application development teams were conducted to ensure that the functionality they built, and its resulting security exposure, were aligned with the organization's risk appetite.
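The kind of check behind the findings above, as an added example that is not part of the original case study or AlphaRidge's tooling: it scans a constructed inventory of GCP function IAM policies (the shape returned by `gcloud functions get-iam-policy --format=json`; function names and service accounts are made-up assumptions) for public invoker bindings, and shows the hardened policy that keeps only a named caller such as a Cloud Scheduler service account.

```python
# Invoker roles that let a principal trigger a function over HTTP.
# roles/cloudfunctions.invoker covers 1st-gen functions; 2nd-gen functions
# run on Cloud Run, where the equivalent role is roles/run.invoker.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}
# Principals that make a binding reachable by anyone outside the organization.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample inventory (assumed names, not from the engagement):
# function name -> IAM policy as returned by the gcloud command above.
SCHEDULER_SA = "serviceAccount:scheduler@example-project.iam.gserviceaccount.com"
SAMPLE_INVENTORY = {
    "notify-parents": {"bindings": [
        {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]},
    "nightly-grade-sync": {"bindings": [
        {"role": "roles/cloudfunctions.invoker", "members": [SCHEDULER_SA]}]},
    "student-records-api": {"bindings": [
        {"role": "roles/run.invoker",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:lms@example-project.iam.gserviceaccount.com"]}]},
}


def public_invokers(policy):
    """Return the public principals that hold an invoker role in this policy."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in INVOKER_ROLES:
            found |= PUBLIC_PRINCIPALS & set(binding.get("members", []))
    return found


def find_exposed_functions(inventory):
    """Map each publicly invokable function to the public principals exposing it."""
    return {name: sorted(public_invokers(policy))
            for name, policy in inventory.items() if public_invokers(policy)}


def harden_policy(policy, allowed_invoker):
    """Return a copy of the policy with public principals removed from invoker
    roles and a single named caller (e.g. a scheduler service account) kept."""
    bindings, seen_invoker = [], False
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if binding.get("role") in INVOKER_ROLES:
            seen_invoker = True
            if allowed_invoker not in members:
                members.append(allowed_invoker)
        if members:  # drop bindings that only granted access to public principals
            bindings.append({"role": binding["role"], "members": members})
    if not seen_invoker:  # no invoker binding at all: grant only the named caller
        bindings.append({"role": "roles/cloudfunctions.invoker", "members": [allowed_invoker]})
    return {"bindings": bindings}
```

Running `find_exposed_functions(SAMPLE_INVENTORY)` flags `notify-parents` and `student-records-api`; feeding a real inventory exported with gcloud into the same functions turns the manual review described above into a repeatable control.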

Outcomes

The assessment and penetration testing revealed and remediated over 800 unsecured, externally facing serverless functions, preventing potential unauthorized data manipulation and student data exposure. Additionally, AlphaRidge identified over 10,800 redundant projects, enabling annual cost savings of more than six figures by decommissioning these resources.

Through this engagement, CSS internalized the vital importance of subjecting all internal applications developed for production to thorough review by an infosec team or third-party specialists to ensure robust security measures.

Conclusion

CSS's proactive approach to addressing cybersecurity vulnerabilities resulted in substantial policy and process changes, fortifying their security posture while preserving the accessibility and functionality required for effective remote learning.
