Study found that schools have most vulnerable web servers

A study by WhiteHat Security found that the websites of educational institutions were the most likely to be vulnerable, while those of banks and healthcare institutions were the least vulnerable.

According to NetworkWorld, the study is based on data from 400 organizations that use the company for web vulnerability management. It found that 71% of the education websites tested were exposed to at least one serious vulnerability every day of the year, compared with only 16% of banking sites. WhiteHat said:

"While no industry approached anywhere near zero for an annual average, banking, health care and manufacturing performed the best out of all the industries with 30, 33 and 35 serious vulnerabilities respectively per Web site during 2010, for a rough average of 2.5 or so vulnerabilities per month. On the opposite end of the spectrum, Retail, Financial Services and Telecommunications, whose Web sites had the most reported issues, measured 404, 266 and 215 serious vulnerabilities per site -- or between 18 and 34 per month."

Being vulnerable can lead to many different attacks, but the two most common classes found were information leakage and content spoofing. Information leakage is the site revealing data it should not: internal paths, software versions, debug output, or records that were never meant to be public. Content spoofing is the site rendering attacker-supplied text as though it were its own, typically because a URL parameter is reflected into the page unchecked. A victim who follows a crafted link sees the attacker's message under the school's genuine domain, trusts it, and hands over credentials or personal details they would otherwise refuse to give.
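To make the two vulnerability classes concrete, here is an added example (not code from the article, from WhiteHat, or from any school named in it) using a hypothetical student-portal login page. The first pair of functions shows content spoofing: a handler that reflects a `msg` query parameter into the page next to a hardened handler that treats the parameter only as a key into server-defined messages. The second pair shows information leakage: an error handler that dumps the exception text to the browser next to one that logs the detail server-side and shows the user only a reference ID. The file path, hostname and messages are all constructed for the example.

```python
import html
import re
import traceback
import uuid
from urllib.parse import parse_qs, urlencode

# --- Content spoofing -------------------------------------------------------

# Server-defined status messages; the hardened handler only ever renders these.
MESSAGES = {
    "login_failed": "Incorrect username or password.",
    "session_expired": "Your session has expired; please sign in again.",
}

# Constructed page template for a hypothetical student portal.
PAGE = ('<html><body><h1>Student Portal</h1><p class="notice">{notice}</p>'
        '<form method="post" action="/login"><input name="user">'
        '<input name="pass" type="password"></form></body></html>')


def render_vulnerable(query_string: str) -> str:
    """Reflects ?msg=... into the page verbatim: whatever text the link carries
    is shown under the school's own heading, on the school's own domain."""
    msg = parse_qs(query_string).get("msg", [""])[0]
    return PAGE.format(notice=msg)


def render_hardened(query_string: str) -> str:
    """Treats ?msg= as a key into MESSAGES, never as display text, and escapes
    the chosen text anyway so a later edit to MESSAGES cannot reintroduce HTML."""
    code = parse_qs(query_string).get("msg", [""])[0]
    return PAGE.format(notice=html.escape(MESSAGES.get(code, "")))


def spoof_link(base_url: str, text: str) -> str:
    """The link an attacker would mail out: genuine host, attacker-chosen notice."""
    return base_url + "?" + urlencode({"msg": text})


def notice_in_page(page: str, text: str) -> bool:
    """True if the attacker's text ended up rendered in the page."""
    return text in page


# --- Information leakage ----------------------------------------------------

def query_students(term: str):
    """Stand-in for a database call; the path in the message is constructed."""
    raise RuntimeError("cannot open /srv/portal/students.sqlite: permission denied")


def trigger_error() -> BaseException:
    try:
        query_students("smith")
    except RuntimeError as exc:
        return exc


def error_page_vulnerable(exc: BaseException) -> str:
    """Escapes the traceback (so it is not an injection bug) but still shows the
    user internal file paths, module names and the database location."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return "<pre>" + html.escape(detail) + "</pre>"


def error_page_hardened(exc: BaseException, server_log: list) -> str:
    """Keeps the detail in the server log, keyed by a reference the user can quote."""
    ref = uuid.uuid4().hex[:8]
    server_log.append(f"ref={ref} {type(exc).__name__}: {exc}")
    return f"<p>Something went wrong. Reference {ref}.</p>"


def leaks_internal_detail(page: str) -> bool:
    """Crude check for the kind of detail a scanner flags as information leakage."""
    return re.search(r"/srv/|\.sqlite|\.py\b", page) is not None


if __name__ == "__main__":
    SPOOF = ("Your account is locked. Call 555-0100 and read your password "
             "to the help desk to unlock it.")
    link = spoof_link("https://portal.example.edu/login", SPOOF)
    qs = link.split("?", 1)[1]
    print("vulnerable renders spoof:", notice_in_page(render_vulnerable(qs), SPOOF))
    print("hardened renders spoof:  ", notice_in_page(render_hardened(qs), SPOOF))
    exc = trigger_error()
    log = []
    print("vulnerable error leaks:  ", leaks_internal_detail(error_page_vulnerable(exc)))
    print("hardened error leaks:    ", leaks_internal_detail(error_page_hardened(exc, log)))
```

The hardened message handler is deliberately an allowlist rather than an escaping step: `html.escape` alone would stop script injection but would still let the attacker's plain-text lie appear under the school's banner, which is exactly what content spoofing exploits.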

The good news from this study is that banks have the fastest fix time of any industry: on average a serious vulnerability is remediated within 13 days of being found. Telecommunications sits at the other end, taking an average of 205 days to fix a vulnerability, and the average across all industries is 116 days.


I worked in the K-12 school system for 8 years, and the powers that be refused to recognize the investments that needed to be made to keep the system up to date in terms of equipment, manpower, etc. Case in point: I was assigned to one county for only 3 days a week, and I was responsible for servers, desktop support, labs, LAN, WAN, everything. It was beyond impossible. I knew students were getting into places they shouldn't, but I had bigger "emergencies" going all the time, so I never had time to set up proper security. I still had 98 and NT workstations and servers, I had malware problems, it was ridiculous. I could have worked 7 days a week, 12 hours a day and not caught up, but I wasn't going to kill myself, especially for what they were paying me.

Well, the fact that I know of people with full root access to 2 educational institutes would coincide with this.

Back in college I sent a message around the entire domain using the 'messaging' service which was enabled on all the PCs across the domain. Ha, that was funny! Had to go to the principal's office and tell them how I did it.

I work in a school currently, and believe me when I say the standard of school networks rests completely on how forward-thinking the school is and how it progresses in IT. At our place we run Windows 7 on a good portion of machines, but mainly XP, with a network infrastructure built with expansion in mind, and all the computers are newer than 4 years old. It is my personal preference to keep things CURRENT and AHEAD so that we are teaching the kids on the systems they intend to go out and use, not 10-year-old OSes and software packages.

Now another local school has computers that can barely switch on, take 10-15 minutes to log on and have room for 0 expansion, and this isn't a rare thing either, at least in our city, as some schools just don't care for it.

And on the security issue, a lot of what happens isn't the technical staff's fault but orders from management, as in "WPA keys are annoying to the users" etc.

OK, my sperg is done, gotta go do some work.

At my school we have four secure networks and an open one. We have about 20 iMacs and 100 XP computers, and a few years back I found the place on the network where they keep all the program EXEs. I think that our security has improved.

Hehe, I remember this one time at college I managed to bypass the router and get remote access to our class network from home. I documented everything I did and handed it to the system admin at the end of the year. He said, "Why didn't you tell me about this sooner? I would have hired you to fix these problems, now I've got more work to do." I said I didn't tell you because I didn't want to risk being expelled for extracurricular activities. They had all NT4 workstations and ghosted monthly.

Udedenkz said,
I could ResHack programs to change their names so it didn't look like I was doing anything bad...

We had our systems locked down so you couldn't open programs on the computer other than what was allowed, but I was in Comp Sci, so I just wrote a launcher app that made Windows launch the app itself, haha.

AJerman said,
We had our systems locked down so you couldn't open programs on the computer other than what was allowed, but I was in Comp Sci, so I just wrote a launcher app that made Windows launch the app itself, haha.
Cool, care to give more information, what language, etc...?

audacioustrash said,
Duh, schools keep hiring unqualified people to run their servers!

I was going to say, I'm not surprised by the report, since a couple of us students ran our high school's website. Granted, we knew what we were doing, but they trusted the website to students, and how do they know how much the students know about security?

The wireless network at my school is totally wide open. There are computers in a common student area still running the original XP, i.e. no service packs at all. I see people all the time using those same boxes to look at sensitive information, like their bank accounts and whatnot, and I just sit and laugh.

My college had about 2,000 of their students' records published right on the publicly accessible site (social and everything). Back in middle school the IT administrator sent out a paper to all the teachers with the local admin login for all the computers, and it said specifically not to give the paper to students. What did all my teachers do so I could set up the computers for them? Gave me the paper. The password and user were A7.

I got in-house suspension once for "bypassing the school's blocks" and installing MSN on one of the computers. It was a Windows 98 machine running a piece of software called "Fools Security". The administrator had left that computer unlocked, so I didn't actually bypass anything. Lastly, the school's principal called me out of class once to help him register for some online benefits. He repeatedly gave me his social security number.

School system at its finest.

Lol, I found my way into our Windows server and had access to the complete domain, email server and data server. Told my team manager this was a joke! BTW the password was P@ssw0rd.

lflashl said,
Lol, I found my way into our Windows server and had access to the complete domain, email server and data server. Told my team manager this was a joke! BTW the password was P@ssw0rd.
The password for the computers at my elementary school was the name of the town..

Sometimes it's not the actual school that's at fault. I worked for a school about 5 years ago; they were a satellite school for an Open Access college in Adelaide. The school had its own servers, network, etc., but the college just didn't care about keeping things up to date. However much we told them that things were not up to scratch, they didn't care and left it as it was.

At the end of the day, it's down to the IT managers getting their act together and stopping being complacent or lazy.

When I was in school 6 years ago, in my second-to-last year, I managed to find a database file that contained all staff and student personal details, including payment. This was all by mistake: they left the admin password in a .js file for the login page. Not their best decision.

Schools don't have the best security or admins in the world, as they are paid fairly low compared to others.

Nicholas-c said,
When I was in school 6 years ago, in my second-to-last year, I managed to find a database file that contained all staff and student personal details, including payment. This was all by mistake: they left the admin password in a .js file for the login page. Not their best decision.
Schools don't have the best security or admins in the world, as they are paid fairly low compared to others.

My high school was the same way. You could just open up Windows Explorer and navigate to all the networked drives. Basically, if you could open My Network Places, you had access to everything. All of the teachers had a folder to save all their grades, tests, etc. that their profiles mapped to, and you could just open them all up. If you wanted to change a grade, they even had the .exe for the grading program on one of them in case you needed to install it.

All of this was in one of the largest school districts in the state of Ohio.

AnotherITguy said,
You should see some of the networks I've come across still running Windows 2000.
I still know companies running 3.11 + NT4.. Windows 2k is still quite common for places like retail, checkouts, etc.

Ryoken said,
I still know companies running 3.11 + NT4.. Windows 2k is still quite common for places like retail, checkouts, etc.

I doubt these schools are running Windows anything though.

bj55555 said,

I doubt these schools are running Windows anything though.


My school does, although my ELEMENTARY school ran OS X. (Well, the better ones ran 10.0, the worse ones ran Mac OS Classic...)

Actually, my school doesn't just run Windows anything, it runs XP. However, I was not in that school for a year, and guess what they did over the year? Upgraded the blocking instead of the software...

bj55555 said,

I doubt these schools are running Windows anything though.

Both school boards I've worked with use Windows, and it would not surprise me if, outside of computer labs, Windows 2000 still dominated.

I know lots of systems in the offices were still NT4 when I was running XP SP2 on my laptop. Basic text editing for handouts was really all they used it for; teachers who wanted more used the library or had the school board provide them with a laptop.

School across the street from my house has an unsecured network. I have no idea who did their network setup but they have failed.

Can't say I'm surprised by any of this. Banks have the most on the line, schools the least. And telecommunications have you on a contract, so you're stuck, lol.