Concerns raised about the safety of student and staff data

CERT Polska has released a report advising the education sector on how to protect against cyber-attacks

Education institutions in Poland have been advised to tighten their security controls after a new report highlighted various gaps in their web infrastructure.

The Poland Computer Emergency Response Team (CERT Polska) released a report last week studying thousands of webpages belonging to schools and other places of education across the country.

Misconfigured security mechanisms, a lack of preventative measures against cyber-attacks, and unpatched vulnerabilities were highlighted as the main issues impacting the eastern European country’s education sector.

In addition, just 42% of tested pages had their SSL/TLS certificates properly configured.

Large-scale study

During the course of their research, the CERT Polska team studied 20,464 webpages belonging to educational authorities across the country.

While some were simply brochureware-style websites containing information about the school itself, many others were involved in the collection of sensitive student information.

This included web applications that were built to accommodate distance learning during the Covid-19 pandemic.

“Some of the vulnerabilities we have found allowed for website defacement or to access and dump the website’s database,” a spokesperson from CERT Polska told The Daily Swig.

“While most of the schools’ websites are just purely informative without having access to students’ data, their significance increased in the Covid-19 pandemic, especially when students from all grades are remote-learning as of late November.”

CERT Polska explained that since education institutions handle the data of a “significant share” of the country’s citizens, the decision was made to ensure this information was secure.

“Massive testing of their public-facing services on the internet is our biggest yet, but not the first undertaking,” the spokesperson said.

They added: “We plan to perform regular testing like this in different sectors.”

The CERT Polska team studied more than 20,000 webpages belonging to the country’s education sector

Deeper dive

The study found that 43% of the websites used either WordPress or Joomla CMS frameworks.

By using the Joomscan tool, CERT Polska said it identified at least one high or critical-severity vulnerability – such as SQL injection or remote code execution – on 25% of all Polish education sites that were built with Joomla.

Using the open source wpscan software, the team detected the same vulnerabilities on just 4% of WordPress sites.

“The good point is that we have found nearly half of WordPress and Joomla systems to be up-to-date versions,” CERT Polska told The Daily Swig.

The study also found that the majority of institutions lacked mechanisms to prevent email spoofing.

“Out of 13,522 domains having the MX record, we found 9,929 of them having a proper SPF policy, and only 1,297 with a valid DMARC record,” the spokesperson said.
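For administrators who want to check their own domain against the two mechanisms mentioned above, the following added example (not code from CERT Polska or its report) grades SPF and DMARC TXT records offline. The grading labels, the function names and the sample records are assumptions constructed for illustration; the report's own criteria for a "proper" or "valid" record are not given in this article.

```python
# Added example: offline grading of SPF and DMARC TXT records.
# Criteria follow RFC 7208 / RFC 7489 basics; labels are this example's own.

def check_spf(txt_records):
    """Grade the SPF policy among the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"  # receivers treat this as permerror
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term in ("all", "+all"):
            return "permissive: any sender passes"
        if term in ("-all", "~all"):
            return "ok"
        if term == "?all":
            return "neutral"
    if any(t.startswith("redirect=") for t in terms):
        return "delegated"  # policy is published under another name
    return "neutral: no terminal 'all'"

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into ordered (tag, value) pairs."""
    pairs = [t.split("=", 1) for t in record.split(";") if "=" in t]
    return [(k.strip().lower(), v.strip()) for k, v in pairs]

def check_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    parsed = [parse_tags(r) for r in txt_records]
    # v=DMARC1 must be the first tag, otherwise the record is ignored.
    recs = [tags for tags in parsed if tags and tags[0] == ("v", "DMARC1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid: multiple DMARC records"
    policy = dict(recs[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: missing or bad p= tag"
    return "monitor only" if policy == "none" else "enforcing"

# Constructed sample data: domain -> (apex TXT records, _dmarc TXT records).
SAMPLE = {
    "school-a.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject"]),
    "school-b.example": (["v=spf1 +all"], ["v=DMARC1; rua=mailto:r@school-b.example"]),
    "school-c.example": (["site-verification=abc"], []),
}

def audit(zones):
    return {d: (check_spf(apex), check_dmarc(dm)) for d, (apex, dm) in zones.items()}
```

In practice the two record lists would come from TXT lookups on the domain itself and on `_dmarc.<domain>`.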

Sage advice

CERT Polska said it has advised each school and their hosting providers on best practices moving forward, producing a personalized plan on “how to fix vulnerabilities, properly configure missing or misconfigured security mechanisms, and some best practices including, but not limited to, web and email services”.

The full report (in Polish) can be found on CERT Polska’s website.
