Vulnerability Detection Through Penetration Testing on the Internal Networks of Higher Education Institutes
摘要
Higher Education Institutions (HEIs) operate complex internal network environments characterized by open-access policies, Bring Your Own Device (BYOD) practices, heterogeneous infrastructures, and decentralized IT governance, which significantly increase cybersecurity exposure. This paper proposes a structured, standards-aligned penetration testing framework tailored to HEI internal networks. The framework integrates four sequential phases: information gathering, vulnerability assessment, controlled exploitation, and mitigation planning, emphasizing analytical interpretation over tool execution. The approach is aligned with ISO/IEC 27002 and the NIST Cybersecurity Framework and correlates technical vulnerabilities with institutional governance and operational practices. A real-world case study conducted on an anonymized HEI network provides quantitative evidence on asset exposure, vulnerability severity distribution, exploitation feasibility, and mitigation effectiveness. Results reveal recurrent weaknesses related to misconfigurations, delayed patch management, and insufficient network segmentation, largely driven by organizational constraints rather than technical complexity. The proposed framework supports risk-based decision-making and continuous improvement of cybersecurity posture in academic environments.