Independent Science Research
Cybersecurity and Penetration Testing
In the current era, secure digital systems are extremely important to the functioning of any institution. This project will attempt to fix potential issues and improve security on the HPA campus network by utilizing various penetration testing techniques to verify the integrity of the school’s cybersecurity, find loopholes through which the school could be attacked, and provide input on how any problems can be fixed.
The various components of the HPA network, from the school Wi-Fi to the various servers that hpa.edu runs on, are essential to the school’s function. Students need access to their accounts, as do teachers, administrators, and all other members of the HPA community. We are dependent on the HPA account integration with PowerSchool to record every grade, dependent on the Honu database for the honor system, and dependent on the integration of Naviance to record test scores and college applications. Without these systems, the school’s ability to run smoothly would be greatly impacted. Therefore, it is essential to verify that no attacker - from an irritated student to a bored “black hat” hacker - can digitally break into the HPA systems using existing tools, by conducting penetration testing on the vulnerable parts of the network. Penetration testing, in the context of cybersecurity, is the practice of acting in the place of a potential attacker to try finding exploitable security flaws in a system, to be able to patch them before a real attacker can use them.
A malicious user could theoretically access school data, and execute many malicious programs to destroy or modify school data - delete student profiles, change grades, add or subtract demerits, or manipulate the system in any other way, given enough access. Several potential security issues are apparent at the moment, and could be exploited by a clever attacker. The goal of this project will be to practice breaking into these same systems first, and provide input on how to foil similar attacks in the future. Using Kali Linux and its suite of built-in tools for penetration testing, basic security flaws in the network can be found, proved exploitable, and then patched to prevent the same attack from a legitimately nefarious actor trying to access the network.
By the end of this project, obvious loopholes and security problems on the HPA network should have been spotted and solutions proposed. I want to have learned about typical attack vectors used against networks like that at HPA. Using the security testing techniques I will learn about and research, I will improve the state of the system for all users. No attacker with access to similar tools as I enter this project will be able to gain access in the same ways as I do, because any errors that I find will be fixed.
IMPLEMENTATION AND CHALLENGES
The challenge in this project will be the integrity of the existing HPA network systems. The HPA network consists of several major systems: the RAD network, its attached guest network, the Elab wifi systems (of which there are a few operating independently), and the individual access points that are not affiliated with any of the major systems (set up by individual teachers and the like). I will test all of these systems, until it is provable that they are secure. As the entire point is to crack the systems, acting as a stand-in for a malicious user, I should not need any special administrator privileges on the school network. All I will need is my own personal laptop (which contains tools for cracking various systems, thanks to my Kali Linux partition) to work on the project. Depending on the nature of the HPA network (how the various subnets are set up to interact with each other), I may need to go to specific locations to execute some tests. I will use various techniques covered by built-in Kali Linux tools, such as packet sniffing to view content served over http, stealing data from physically-connected school computers through techniques such as ARP cache poisoning, and testing command and query injection against insecure hpa.edu pages. As for fixing the security flaws uncovered, I plan to leave that to the relevant school officials.
IMPACT AND LEGACY
This project will leave behind a more secure HPA network. Continuing this project will be a useful asset for the school if any new systems (like the Honu server last year) are implemented, as they will need to be secured properly. My weblog will contain instructions for students following me to install Kali Linux and use its array of tools - that way, any future Independent Science Research students can get a head start on learning cybersecurity. The world needs more people trained in how to protect themselves, their business ventures, and everything else, from cyber attacks - with everything becoming more and more dependent on the Internet, these attacks are more dangerous than anything in the physical world, and a more secure network at HPA is a good start. Additionally, I will be leaving for college next year. I will take this security knowledge with me, and be able to conduct similar tests in the future as a security analyst.
APPENDIX A: KEY RESOURCES
APPENDIX B: TOOLS AND MATERIALS
My MacBook Pro, dual booting OSX and Kali Linux
External Wifi antenna
Online guides and tools