Your School is Being (Ethically) Hacked!

Schools are places to learn, connect, and grow—a space for good things to happen. Unfortunately, to cybercriminals, they’re also prime targets for attacks. One way schools can stay cyber safe? Voluntarily get hacked.

It’s called ethical hacking: when a cybersecurity expert, the good guy, tries to infiltrate a school’s network. Known as a penetration test, or “pen test,” it’s essentially someone spending time trying to crack passwords, access sensitive data, or uncover software vulnerabilities that could let a real hacker in.

At WNYRIC, that expert is Rich Drzaz, an 11-year cybersecurity veteran. Drzaz’s journey began when he learned about elderly people being scammed online. “It frustrated me,” he recalled. “They were already vulnerable, and I wanted to do something about it.” His love of video games made hacking feel like a fun challenge, and he started teaching himself ethical hacking techniques. From open-source intelligence to advanced certifications, Drzaz immersed himself in learning how operating systems, networks, and applications work and where they break.

One milestone was a grueling 48-hour hacker’s exam: 24 hours of hacking followed by a detailed report. “It was as much a time management challenge as it was a hacking one,” Drzaz said, but he passed and earned an Offensive Security Experienced Penetration Tester (OSEP) certification. This advanced credential validates his skills in “penetration testing, focusing on evasion techniques and real-world adversarial tactics,” according to OffSec.com.

So why are schools such attractive targets? Drzaz points to two main reasons. First, schools rely heavily on technology. If ransomware freezes their systems, districts often pay up to resume operations. Cyber insurance, meant to ease financial burdens, ironically makes schools more appealing because it ensures funds are available to pay ransoms. Second, schools have people, and people fall for scams. Hackers exploit this by crafting phishing emails that mimic superintendents or business officials, tricking staff into sharing financial or personal data.

A typical pen test starts with a vulnerability scan to identify weak spots. Then Drzaz gets to work. “I’m trying to capture email addresses, crack a password, or access data that should be locked down,” he explained. And what’s a good day for him? “When I fail. If I can’t get in, that means the district is doing all the right things.” If he does succeed, Drzaz provides detailed reports and helps districts strengthen defenses, even offering guidance and resources for staff conversations about cybersecurity.

When he’s off the clock, Drzaz still hacks ethically. He enjoys “bug bounties,” online challenges where companies and organizations invite hackers to find vulnerabilities within their own systems. “It’s practice,” he said, “and it keeps me sharp on the latest tricks attackers use and the latest defenses to stop them.”

Rich Drzaz’s Tech Tips

  • Don’t store your passwords in your browser. “The easiest way into a system is through saved passwords,” Drzaz warned. Avoid storing passwords online or on work computers, especially in shared spaces. It’s like leaving your house key under the welcome mat!
  • Use Multi-Factor Authentication (MFA). Yes, it takes a few extra seconds, but MFA adds that extra layer of security that makes all the difference.
  • Utilize a password manager. The best passwords are complex and hard to remember. A password manager lets you keep one strong primary password while generating unique, complicated passwords for every account.