The Challenge of Securing Educational Platforms

ISC2 Associate Justine Guyau looks at some of the challenges facing cybersecurity professionals in France tasked with securing key education IT resources following an uptick in threats.

Vigipirate is the French national security alert system. Created in 1978, it is a five-level alert system ranging from Level 0 (White) when no dangers exist, up to Level 4 (Scarlet) when a definite threat is perceived or there is a proactive effort to prevent a major attack.

The French Government declared Vigipirate Level 4 after the March 2024 Moscow concert hall attack. At the time, schools all over France received bomb threats via the national academic internal email system. In response, French Minister of Education Nicole Belloubet opted to temporarily suspend the email system to prevent further misuse.

In an already tense education sector, how can we build a secure solution that takes as many situational parameters as possible into account?

A Series of Threats

On March 21, 2024, some 30 high schools in the Paris area received terrorist threats accompanied by a graphically violent video allegedly linked to ISIS. The message was sent via the ENT platform, an online space and messaging platform used nationally in education that allows homework to be sent to students and lets parents ask questions. The message explained that a bomb had supposedly been hidden in the school and included a call to arms for students to commit heinous acts.

It was quickly established that these messages were empty threats and that no explosive devices had been planted in the targeted schools. However, one week later, over 300 more suspicious messages of the same type were reported, this time all over the country. Given attacks in recent years that resulted in the death of teachers including Samuel Paty and Dominique Bernard, the series of threats was both extremely concerning and taken very seriously.

Suspension of the Messaging Service

On March 28th, 2024, a week after the first wave of threat emails was received, Belloubet announced that all communications via the ENT platform would be temporarily suspended, to allow the government time to develop a way to further secure it.

No official statement has been made regarding what measures are being considered. However, the implementation of two-factor authentication to connect to ENT will probably be one of the key measures the Ministry of Education will deploy.

The investigation of the March 21 incident led to the arrest of a 17-year-old who revealed he was able to send the threats by hijacking the identity of students and parents within the academy of Paris. To collect this data, the individual sent several phishing emails asking targets to retrieve their ENT account. On this basis, a multifactor authentication solution would be a sensible step, in theory.

A Challenging Implementation

The reality of the situation inside French schools would make two-factor authentication pretty impractical. Teachers would need to confirm their identity by receiving, for instance, a text message, which would be impossible in some facilities because they are located in areas with no mobile phone service. This includes schools in rural countryside locations, but also urban institutions, particularly those with basement levels where mobile signals are often limited.

Even more problematic is access for students. Two-factor authentication would require students to use their phone when such use is strictly forbidden in a large number of middle schools and in some high schools. On that basis, should policies be changed to allow the limited use of phones in specific cases, such as two-factor authentication for educational platforms like ENT? If they were changed, it would risk creating difficulties for teachers, who would face trying to engage and control a class of students even more distracted than before.

Even if the state implements technical solutions to improve the security of academic platforms like ENT, arguably the focus should be elsewhere. The March 21st incident was a phishing attack, but there are other ways these services can be compromised, such as packet sniffing and open Wi-Fi connections. Even if the motivation for increased security has shifted from the time students tried to give themselves better grades by tampering with the platform, this was not the first time such a breach occurred, and it will not be the last.

Ideally, the focus needs to shift to educating students, parents and teachers about cybersecurity, through measures such as password awareness workshops, phishing simulations, roundtables with professionals, etc. Social engineering attacks can be avoided, or at least significantly reduced, through better education, yet they remain commonplace.

As a final note, is there a better way to avoid cyberattacks than… by avoiding the use of digital tools? In an increasingly digital education and classroom environment, online platforms will always be useful for uploading lesson plans, coursework or grades. As for the email platform, can’t parents and teachers set up appointments with teachers through written communication, as they did just a few years back? The use of the ENT platform grew during the pandemic, as it became one of the only ways to maintain a link between teachers and some students. Now that lockdown is over, many teachers have reverted to their old ways and don’t use the tool anymore.

On that basis, why not go back to the good old school diary as a link between teachers and parents?

Justine Guyau is a cybersecurity student passionate about CNI security and cyber resilience. She became an ISC2 Associate by passing the CISSP exam in February 2024.
