Cybersecurity vulnerabilities and solutions in Ethiopian university websites

This study investigates the causes and countermeasures of cybercrime vulnerabilities, specifically focusing on selected 16 Ethiopian university websites. This study uses a cybersecurity awareness survey, and automated vulnerability assessment and penetration testing (VAPT) technique tools, namely, Nmap, Nessus, and Vega, to identify potential security threats and vulnerabilities. The assessment was performed according to the ISO/IEC 27001 series of standards, ensuring a comprehensive and globally recognized approach to information security. The results of this study provide valuable insights into the current state of cybersecurity in Ethiopian universities and reveals a range of issues, from outdated software and poor password management to a lack of encryption and inadequate access control. Vega vulnerability assessment reports 11,286 total findings, and Nessus identified a total of 1749 vulnerabilities across all the websites of the institutions examined. Based on these findings, the study proposes counteractive measures tailored to the specific needs of each identified defect. These recommendations aim to strengthen the security posture of the university websites, thereby protecting sensitive data and maintaining the trust of students, staff, and other stakeholders. The study emphasizes the need for proactive cybersecurity measures in the realm of higher education and presents a strategic plan for universities to improve their digital security.

• The study investigates the causes of cybersecurity vulnerabilities in university websites, with a focus on Ethiopian Universities.

• The evaluation was based on ISO/IEC 27001 series standards and utilized three different automatic VAPT evaluation tools: Nmap, NESSUS, and VEGA.

• The research identified a range of issues contributing to cybersecurity vulnerabilities, including outdated software, poor password management, a lack of encryption, and inadequate access control.

• The study underscores the importance of proactive cybersecurity practices in the higher education sector and provides a roadmap for universities to enhance their digital security.

Ensuring a robust security of university websites has become integral in this digital age, given the expanding reliance on online platforms for educational services, information dissemination, data storage, and administrative functions. When we refer to a “university website,” we mean the entire internet presence of the university. This comprises the public information front-facing system, the faculty and student online learning and administration system, and the internal administration system used for university operations.

The 2023 Verizon Data Breach Investigations Report (DBIR) analyzed 16,312 security incidents and 5199 breaches. 83% of breaches involved external actors with the majority being financially motivated, 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse, and 50% of all social engineering attacks are pretexting incidents [1]. The permeation of cyber threats and vulnerabilities poses a formidable challenge to the integrity and confidentiality of university data systems. Understanding the factors that contribute to cyber security fault vulnerability within the realm of university websites is critical for proactively addressing potential risks and fortifying these digital infrastructures [2].

Having this in mind, because of the nature of the hostile environment, websites are vulnerable to security faults. Specifically, most of the organizations in Ethiopia that develop and use websites for their activities emphasize the availability and timely accessibility of their websites. This leads their websites to have unguaranteed confidentiality and integrity. Even they did not know to what extent they were risky and exposed to security fault vulnerability. Due to this reason, their customers do not feel free to use their websites. Therefore, it is necessary to study the causes and impacts of these vulnerabilities by assessing the risk and conducting audits using world-standard methodologies. This will enable us to take appropriate countermeasures before the activities and resources of these institutions are devastated. Specifically, higher education institutions (university) websites need to be kept in secure and safeguarded environments since their insecurity of simple data leakage by any means has a great impact on every aspect of the nation including economic, political, and social disorder [3].

Websites can be affected by several vulnerabilities which can be logical or technical [4]. Some examples of technical vulnerabilities are SQL injection, local inclusion, cross-site scripting, and remote file inclusion [5, 6]. These technical vulnerabilities can affect website security. There are different reasons for the occurrence of vulnerability on websites. Some vulnerabilities happen because of poor programming or outdated systems. Web security is a mechanism to protect both websites and users (visitors) from cyber threats and unauthorized access to their information [7]. Malware can slow down the speed of a website, expose confidential information like credit card numbers, and even remove websites from search engines permanently. The practice of protecting websites and general network infrastructures from any unauthorized actions is known as cybersecurity.

The International Telecommunication Union states that cyber security is the collective application of strategies, security measures, plans, threats administration tactics, engagements, training, paramount practices, assurance, and expertise that can be used to guard the cyber system, organization, and related assets [8]. Furthermore, it is important because the government, military, corporate, financial, and health organizations collect, process, and store unprecedented amounts of data on computers and other devices. A significant portion of that data can be sensitive information, whether that is intellectual property, financial data, personal information, or other types of data for which unauthorized access or exposure could have negative consequences [9]. For effective cyber security, an organization needs to coordinate its efforts throughout its entire cyber system. Security countermeasures ensure the confidentiality, availability, and integrity of cyber systems by preventing asset losses from cyber security attacks [10]. Effects of cyber security failure lead to the loss of intellectual property, direct financial loss from cybercrime, loss of sensitive business information, sabotage of operations, extra costs for systems’ recovery, and stakeholders’ loss of on-system confidence.

The cybersecurity process in higher education institutions is part of a holistic organizational and economic system and is ideally suited for functional modeling and graphical descriptions of processes [11]. In cybersecurity, identifying potential threats and vulnerabilities is paramount. This study addresses this important challenge by leveraging automated vulnerability assessment and penetration testing (VAPT) tools, specifically Nmap, Nessus, and Vega, to detect and analyze potential cyber risks [12,13,14]. In the complex world of information security, adhering to established standards is crucial. This study conducts an assessment in strict accordance with the ISO/IEC 27001 series of standards, ensuring a comprehensive and globally recognized approach to safeguarding information.

This investigation seeks to explore the underlying causes that render university websites susceptible to cyber security faults, identifying critical weaknesses and potential entry points for cyber-attacks. By delving into the multifaceted landscape of cyber security, this inquiry aims to illuminate the specific areas of vulnerability within university websites, discerning the intricacies that make them prone to exploitation by malicious actors.

Furthermore, this study endeavors to delineate comprehensive counteractive measures, aiming to devise robust strategies that fortify the cyber security posture of university websites. By identifying best practices, procedural enhancements, and technological approaches, this investigation strives to bolster the resilience of these vital digital platforms, mitigating the potential impact of cyber security faults and enhancing overall data protection.

Related work

In recent years, the field of cyber security has become increasingly important due to the rise in cyber threats and attacks. Universities, being repositories of valuable data and research, have become prime targets for cybercriminals. University websites, in particular, are vulnerable to cyber security faults that can compromise the integrity, confidentiality, and availability of sensitive information [15, 16]. This literature review aims to investigate the causes behind cyber security fault vulnerability in university websites and identify counteractive actions to mitigate these vulnerabilities.

Dioubate et al. [17] explored the role of cybersecurity in the performance of Malaysian higher education institutions. It uses semi-structured qualitative interviews with 10 cybersecurity risk management officers from 10 public universities. The data were analyzed using thematic analysis to identify the strengths and deficiencies of the current cybersecurity frameworks. It has contributed to protecting the data of students and staff, which in turn allowed the universities to improve their reputation. The efficient use of resources, identification, and detection of risk exposures, and improved cybersecurity communication between the technical team and top management are essential for a good decision-making process. This study significantly contributes to the understanding of the performance and applicability of cybersecurity in universities.

In their study, Harrell et al. [18] conducted a large-scale vulnerability assessment of 272 higher education institutions. It identifies vulnerabilities that fail to provide comprehensive remediation strategies. Selected flaws are recreated and remediated in a virtual environment to develop enhanced, automated reporting mechanisms. The remediation reports generated from the tools often cause significant information overload while failing to provide actionable solutions. The study develops enhanced reports that address 27.80% of vulnerabilities found in scanned higher education institutions, enabling efficient vulnerability remediation. This study addresses the lack of appropriate knowledge in higher education institutions to improve their cybersecurity posture. It provides succinct reports to enable efficient vulnerability remediation.

Dioubate and Daud [19] applied cybersecurity risk management in Malaysian public universities. The qualitative research method is applied to collect data by interviewing experts in cybersecurity risk management. The results show the factors that lead to risks and benefits obtained when the stakes are managed. This research shows a greater understanding and knowledge of risk management. The future direction of this study is to propose a cybersecurity risk management framework based on the reviews of the existing frameworks used in Malaysian public universities.

The cybersecurity landscape has evolved over the last few decades and its latest trends and projections for the next decade [20]. It also takes an extensive literature review and desk research of methods that could respond to the cybersecurity vulnerabilities of the next decade. The paper illuminates the importance of strengthening Higher Education Institution (HEI) cybersecurity capacities and explores why HEIs face severe challenges in tackling the ever-escalating cyberattacks. The paper proposes a system-wide approach to safeguard HEI cybersecurity and highlights the necessity to reassess prioritized areas.

Similar to our study, Alhumud et al. focus on evaluating the cybersecurity performance of Saudi universities [21]. The study employs a mixed-method design, utilizing questionnaires and interviews to collect data. The participants include representatives from 10 Saudi universities. There is room for improvement in the cybersecurity practices of Saudi universities. Concerns were expressed about the lack of well-defined policies and procedures, insufficient training and awareness programs, and non-compliance with cybersecurity regulations and standards. The majority of participants affirmed the importance of cybersecurity in strategic objectives and Total Quality Management.

Ulven and Wangen [22] investigated cybersecurity risk by reviewing existing literature on known assets, threat events, threat actors, and vulnerabilities in higher education. The study applies the Comprehensive Literature Review (CLR) Model and includes published studies from the last twelve years. The primary finding was that empirical research on cybersecurity risks in higher education is scarce, and there are large gaps in the literature. The paper concludes nine strategic cyber risks with descriptions of frequencies from the compiled dataset and consequence descriptions. The results will serve as input for security practitioners in higher education, and the research contains multiple paths for future work.

The role of cybersecurity in higher education institutions is presented by Singar and Akhilesh [23]. It highlights the importance of the internet and online services in the modern learning and teaching environment and the risks that come with increased utilization of the Internet and connected devices. The paper identifies cyber threats as risks that impact the information and data security of higher educational institutions. It emphasizes the need for implementing security measures in the higher education sector to prevent hackers from stealing and misusing the information assets collected by the institutes.

Meharu [24] investigated the increase in cyber-attacks in Ethiopia and the lack of a standardized legal cybersecurity framework, strategy, and governance at the national level. The paper also highlights the lack of awareness and expertise in cybersecurity as contributing factors to the increasing level of cyber-attacks in the country. The findings reveal that only 11.6% of government institutions in Ethiopia have legal frameworks to prevent cyber-attacks, while 87.4% have no recognized legal frameworks. The paper also mentions that some local researchers are developing cybersecurity frameworks and strategies for specific sectors, but these frameworks have not been rigorously tested. The paper suggests that future researchers should focus on developing a virtual training system or intelligent security tutoring system to address the shortage of cybersecurity professionals and the lack of cybersecurity know-how in the country.

The investigation of cybersecurity in higher education institutions is a mandatory task. The purpose of our research is to provide a comprehensive overview of the cybersecurity landscape in Ethiopian universities. While it's true that similar studies have been conducted in other countries, this is the first of its kind in Ethiopia. Therefore, the findings are indeed novel in this context. The other contribution of our study, it serves as a benchmark for future research in this area. By presenting a descriptive analysis, we have laid the groundwork for more delicate studies to be conducted in the future. We believe that our work contributes significantly to the knowledge base by filling a gap in the literature.

Methodology

The findings of the VAPT assessment are not self-explanatory for all communities within the cyberspace. Instead, they require detailed descriptions to effectively disseminate the research output to all readers and implementers. Due to this reason, an exploratory type of research approach is used. So, in addition to showing all findings of the data collection techniques, we have narrated the impacts, tendencies, and possible ways of countermeasures for cyber vulnerability.

In our study, we gathered data from primary sources using a survey and a Vulnerability Assessment and Penetration Test (VAPT). We also reviewed related literature, policy manuals, and standards as secondary sources to corroborate our findings with established norms.

In our study, we used purposive sampling to select research areas from Ethiopia’s 44 public and 2 Science and Technology Universities [25]. We analyzed the websites of 16 universities, including 3 comprehensive, 3 applied science, all 8 research universities, and the 2 Science and Technology Universities, and to assess their cyber security. The selection process of universities for research could be biased due to factors such as accessibility of data, geographical location, reputation, and the researcher's familiarity with the institution. This could limit the diversity and representativeness of the sample. Details of these universities are in Table 1.

The respondents are selected based on their roles and positions that have a direct relation to information technology, cyber security, safety and security, risk assessment, and management. The participants for the study consisted of the network, safety, security, and risk assessment professionals from respective Universities.

In this research, our primary objective is to examine the conditions that render targeted websites susceptible to cybercrime. To accomplish this, we surveyed to gauge the level of awareness among experts regarding website security and performance. We also identified potential vulnerabilities in the target website that could be exploited by intruders using automated Vulnerability Assessment and Penetration Testing (VAPT). Based on our findings, we suggested appropriate countermeasures to address these vulnerabilities and defects, aligning the targeted websites with the standards prevalent in the cyberspace world. The methodologies we employed to carry out these tasks are outlined and detailed in Figure 1.

Research methodology design flow

Full size image

Web security standards

Websites are attractive targets for cyberattacks due to their global availability, simplicity, anonymity, and potential for financial gain [26]. To protect it from these threats, everyone involved in website development and operation must adhere to global cybersecurity standards. These standards provide checklists, procedures, and guidelines aimed at ensuring the security, consistency, availability, and reliability of cyberinfrastructure [26]. There are numerous cybersecurity standards, including the NIST 800 series, ISO_IEC_2700 series, ISF SOGP, and SOX. All standards except ISO_IEC_27001 are developed by specific companies or nations based on their requirements.

For example, the Information Technology Laboratory (ITL) developed the NIST standards to strengthen the economy and public interest [27]. However, ISO_IEC_27001 is a globally standardized security measure for information systems developed by a committee of international stakeholders [28]. It provides guidelines for monitoring, operating, verifying, maintaining, and improving the information security management system "ISMS". This standard is designed to understand the training, awareness, and ability of ISMS personnel to conduct investigations to investigate cyber issues on websites, identify vulnerabilities, develop corrective actions, and ultimately report findings.

Vulnerability assessment and penetration testing (VAPT) tools

Vulnerability to the cyber security risks of the data transmission cyberspace via websites is the defects of the overall website security processes, design, implementation, and operational monitoring and control of the services including the vandalism of the standards of website security policies. Using vulnerability assessment and penetration testing (VAPT), the given organization's website can be easily detected. VAPT is used for inspecting the softness of the cyberinfrastructure through which the probability of existences for intruders/hackers to gain unauthorized access. In this study, two stages of vulnerability examination were performed using the VAPT methodology.

• Network Infrastructure Based (NIB-VAPT): This stage includes identifying open ports, exposed operating systems, running application software, outdated software versions, missing patches, or misconfigurations that can be exploited by unauthorized users. Tools such as Network Mapper and Nessus were used for vulnerability assessment and penetration testing.

• Database-based (DB-VAPT): This stage focuses on assessing vulnerabilities in the website's database system, such as SQL and shell injection, cross-site scripting, and session cookies. During this phase, Vega tools were used for assessment and penetration testing.

Network Mapper (Nmap) is an open-source tool for auditing cybersecurity, managing service upgrades, and monitoring host availability [29]. IP packets are used to identify the hosts available on the network, the services they offer, their operating systems, and the type of packet filters/firewalls in use. Nmap stands out as a robust tool utilized for arranging investigations and security appraisals. Being open source and broadly grasped inside the cybersecurity space it serves as a choice for conducting organized filters. One of the restrictions of Nmap is , that it may not always accurately identify the working framework or administrations running on a gadget. This could lead to untrue positives or negatives. So, to expel this issue we ought to have to check over and over.

Nessus is an industry-standard world’s most widely deployed vulnerability assessment tool provided by Tenable [30]. It helps cyberspace security experts reduce their organization’s website attacks and it is also a widely used tool for researchers in the area of cyberspace security to assess and examine the susceptibility of the target website to unauthorized attacks of non-legitimate intruders/hackers.

Nessus displays the generated vulnerability assessment results as per the descending order of their severity from critical to informal. In general, the results are categorized into critical, high, medium, low, and informative levels of severity with their respective CVSS V3 base scores.

A Common Vulnerability Scoring System (CVSS) is an open framework communicating the characteristics and severity of application service vulnerabilities. It consists of three metric groups Base, Temporal, and Environmental. The Base group matrices, used here in the Nessus assessment, represent the inherent qualities of vulnerability by producing a score ranging from 0.0 to 10.0. Those numerical scores translated into a qualitative representation of low, medium, high, and critically severe vulnerability. The severity magnitude can be calculated according to the CVSS V3 calculator [31]. Nessus holds a status, among vulnerability-checking tools bragging a cluster of plugins. It exceeds expectations in identifying vulnerabilities that may be misused by actors to invade an arrange. Also, it is easy to utilize and gives comprehensive reports, which encourage comprehension and activity on the outcomes. Its effectiveness generally depends on the quality of its powerlessness database. It might miss new vulnerabilities that are not however in its database. Moreover, it may report false positives.

Vega is an open-source Vulnerability Assessment and Penetration Testing (VAPT) service developed by Subgraph. It identifies website vulnerabilities such as SQL injection, cross-site scripting (XSS), remote file includes, shell injection, and disclosed sensitive information [32]. Vega is an open-source, free web application security scanner and testing tool. Vega can assist you with identifying and validating vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and unintentionally revealing sensitive information. Because of their strength, dependability, and widespread use in the cybersecurity field, those tools were selected over others. They are the best at identifying cybersecurity flaws in Ethiopian university websites because they provide a thorough approach to penetration testing and vulnerability assessment. It might also miss vulnerabilities that require a specific sequence of actions to exploit. It needs a repetitive scanning mechanism.

Automated vulnerability scanning and penetration testing are also provided by programs such as Intruder, Acunetix Web Vulnerability Scanner, and Invicti Security Scanner. These tools are frequently commercial, though, and they might not be as affordable for a research setting as Nmap, Nessus, and Vega.

Research findings and analysis

In this section, findings from the survey and each of the VAPT methods were presented in both statistical presentation and detailed analysis. The collected quantitative data were displayed in tabular form, with an analysis conducted for each method. Finally, a summary of the findings’ consolidated analysis was presented for each web vulnerability method.

In this study, a qualitative approach was used to identify potential threats and vulnerabilities in targeted areas and to gauge the awareness of front-line professionals about these risks [33]. A questionnaire, developed using Google Forms, was distributed to ICT professionals to gather data on the frequency of these incidents and the countermeasures taken. The findings were then compiled, compared, and cross-referenced with literature reviews and automated VAPT results.

The survey, comprising 30 questions, was divided into four sections: ICT expertise profile and responsibilities (5 questions), vulnerability and cyber threat experiences (13 questions), the impact of cyber threats (2 questions), and countermeasures taken against cyber threats (10 questions). The majority of the questions (90%) were closed-ended to facilitate responses.

As outlined in the third section of the research methodology, the questionnaire approach is employed to gather data on potential existing or future cybersecurity vulnerabilities, as well as the countermeasures that university professionals have implemented or may implement. Consequently, Figures 2-12 depict the responses to these questions.

Respondent's job position

Full size image

Figure 2, reveals that the majority of survey respondents, approximately 68.1%, are IT administrators and engineers. Their primary duties include system, network, and data administration, as well as the design and implementation of their institutions’ cyber infrastructures. The remaining 31.3% of respondents are management personnel, risk governance, C-level executives, and system analysts. This indicates that the survey was conducted among those directly responsible for and highly involved in the institutions’ cybercrime responsiveness.

As depicted in Figure 3, when asked if users alter their cyber infrastructure security systems, 90.6% of respondents answered “yes,” while 9.4% were unsure, responding with “maybe.” This suggests that all the institutions’ cyber infrastructure security systems are potentially altered or disabled by users.

Security systems are altered by users or not

Full size image

The survey also assessed the potential vulnerabilities and likelihood of cyber breaches. Respondents were asked to rate the possible causes of vulnerability to cyber breaches, as shown in Figure 4. The three most serious causes identified were the use of outdated patches, unsecured network perimeters, and the absence of antivirus software or the presence of unused installed software, with high to very high ratings of 78.125%, 59.375.%, and 56.25% respectively.

Possible causes of being vulnerable to cyber breaches

Full size image

These vulnerabilities are confirmed by the survey results, with 81.3% of respondents experiencing cyber security breaches in their institutions’ cyber infrastructures. 6.3% were unsure if they had experienced breaches, while 12.5% reported no encounters with cybercrime. This is illustrated in Figure 5.

Cybersecurity breach incidents

Full size image

When asked to select the top three threats to their cyber infrastructures, 65.6% of respondents identified malware (including worms, viruses, Trojans, and spyware) as the primary threat. Individual hackers and illegal information brokers were the next two threats, selected by 56.3% and 50% of respondents respectively. This is shown in Figure 6. Malware, which collects critical information and allows intruders unauthorized access to cyber infrastructures, was ranked as the third top cause of vulnerability, which could explain its prominence as a cyber threat.

Treats mostly found in cyberinfrastructure

Full size image

Figure 7 shows that the four most impactful cyber threats are malware, social engineering, threats, and organized criminals, with impact ratings of 75%, 71.875%, 62.5%, and 46.875% respectively.

Impact rate of Cyber-threats

Full size image

The survey also examined the services most affected by these ungoverned cyber threats and the extent of their impact. Respondents indicated that the most affected cyber security service is unauthorized control of infrastructures and loss of availability, with 53.125% and 40.625% of respondents confirming this, as shown in Figure 8.

Cyber threat impacts on cyber security services

Full size image

The survey results reveal that approximately 34.4% of respondents actively monitor and control their cyber infrastructure to protect against cybercrime. However, the remaining 65.6% either do not manage their cyber infrastructure or are uncertain about their governance methods. This data is represented in Figure 9.

Respondents on security and governance of their cyberspace

Full size image

Figure 10 illustrates that all proposed mitigation measures, which respondents could select as being implemented in their cyber infrastructures, received a response rate ranging from 59.375% to 75%. Specifically, 75%. of respondents indicated that measures such as infrastructure monitoring and securing remote access authentication (no shared password for vendors) are either not implemented or they are unsure if they are implemented in their institutions’ cyberinfrastructure.

Respondents Mitigation Measures up on Cyber-threats

Full size image

This data supports the previous findings regarding the governance of the institutions’ cyberinfrastructure. The responses to the question “What is the maturity level of your cyber security governance?” further illustrate this point. As shown in Figure 11, 37.5% of respondents rated their cyber security governance as basic, indicating a minimal level of maturity. Meanwhile, 15.6% reported inconsistently applied governance, and only 25% rated their governance as establishing and leading or at an established maturity level.

Maturity of cyber security governance for their cyber-infrastructure

Full size image

These results suggest that the institutions are in the early stages of implementing necessary cybercrime mitigation measures and that significant effort is required in this area.

Figure 12, shows that out of 15 proposed cyber threat countermeasures, 13 have either a low impact, have not been implemented, or it is uncertain whether they have been implemented in the respondents’ cyberspaces. This indicates that 86.67% of these mitigation methods, including network segregation, system hardening, vulnerability audits, data encryption, physical access control, environmental standards, system change control, 3rd party remote access, and patch management, have not had a significant impact on the institutions surveyed. These methods received effectiveness ratings ranging from 59.375% to 75%. from respondents. This shows the need for proactive measures to secure cyber infrastructures in institutions.

Effects of Mitigation Methods of Cyber Threat

Full size image

In addition to the survey, a Vulnerability Assessment and Penetration Testing (VAPT) was conducted on 16 public university websites, including the three categories (applied, research, and Science-Technology Universities) [34].

Automated tools were used to assess each site, with findings extracted, reorganized, and analyzed according to cybersecurity standards (ISO-IEC-27000 series). In the end, comparisons of institutions based on the results of the assessment are performed as a summary of the result analysis and interpretations of the respective sections.

The Nmap tool examines the network infrastructure of the respective websites. It delivers how many application service ports are closed, open, and filtered from the total tested well-kwon TCP ports of 1000.

As per reference [35], the accuracy percentage of Nmap’s OS detection scanning indicates the degree of alignment between the target cyber infrastructure’s response and the fingerprints in the Nmap database. A higher accuracy percentage implies greater confidence in Nmap’s operating system guesses for the targeted cyber infrastructures. An accuracy below 80% usually means Nmap is less certain of the guessed OS, which could be due to firewall filtering, real-time patching, or customization of the target operating system. Once intruders/hackers have investigated the types of services, topologies, operating systems, and open ports, they can devise strategies to attack the target through those ports, topology gateways, properties, services, and operating systems.

As demonstrated by the Nmap scanning result, for this study, all 16 tested institutions’ URLs provided the aforementioned information with 87-100% accuracy, except for HAU. Coupled with outdated patching implementation (as mentioned in the survey above), these institutions are susceptible to cybercrime from aggressive intruders/hackers. Linux 4. x and Linux 3. x were identified or predicted by Nmap as the most likely operating systems of the targeted cyber networks.

As indicated in  Table 2, almost all websites, except JU, have more than 96.1% filtered TCP ports. This is beneficial as all packet communications through those ports are regulated by firewall policies. This means that when cyber criminals’ remote scanners send SYN packets or an ICMP ping packet, they are met with an algorithm like iptables that prevents the attacked cyber infrastructure from responding. Instead, it blocks further attempts.

Result of vulnerability assessment & penetration testing tool

As shown in Table 2, 11 out of the 16 websites tested by this tool during the testing period had at least one closed port. Notably, JU had 99.7% of TCP ports in a closed state. This implies that when an intruder sends either a SYN or ICMP ping packet remotely, the targeted host responds with an RST packet, forcing the intruder to reset their request. Unless under certain circumstances where these closed ports are opened and the intruder repeatedly attempts to gain access, the system remains secure. Here, no firewall acts to filter incoming remote intruder scanning packets; instead, it protects itself from the intruder-sent packet since it is closed. A determined intruder could seize an opportunity by waiting for the brief interval when the closed port becomes open. Therefore, responsible professionals must ensure these ports are governed by their firewall policies, effectively making them filtered TCP ports.

Intruders persistently scan ports remotely to determine if the target has services that are susceptible to buffer overflow. These vulnerable services are ports in an open state. Open ports are those where server programs are running, assigned to be a port for the server. If an intruder receives a SYN+ACK packet when attempting to scan the target by sending an SYN or ICMP ping packet remotely, they can confirm the presence of open ports in the target cyberspace, making it vulnerable to system attacks.

Nessus uses the Common Vulnerability Scoring System (CVSS) from the National Vulnerability Database (NVD) which has Common Vulnerabilities and Exposure (CVE) standards. CVSS consists of severity factors of attack vector, complexity, intruder interaction, and the impact of the existing vulnerability over system confidentiality, integrity, and availability and also it considers the required privileges for the existing vulnerabilities [36]. By taking this in mind Nessus calculates the CVSS base score factor of each vulnerability using the formula of calculator syntax described in "Discussion" section. .

We have compiled the comprehensive findings of Nessus in Table 3 in a tabular format, complete with detailed descriptions of impacts and mitigating solutions for the respective vulnerabilities of all 16 examined institutions.

As shown in Table 2, it illustrates that Nessus identified a total of 1,749 vulnerabilities across all the websites of the institutions examined. A significant majority of these vulnerabilities 1,413 (or 80.8%) are classified as Info-type vulnerabilities.

The remaining 336 vulnerabilities (or 19.2%) are direct vulnerabilities that expose the respective institutions’ cyber infrastructures’ immediate flaws. Many of these vulnerabilities stem from the use of unsupported system versions, indicating that institutions are using software with expired licenses. This results in all hosts lacking the latest security patches from their respective vendors. The use of outdated patches is one of the top vulnerabilities identified by survey respondents in the awareness assessment survey.

In terms of severity, most of the identified vulnerabilities fall under the medium severity category, which could lead to significant cybersecurity breaches over time. The top five institutions with the most vulnerability are Woldia, Wollo, DebreTaboor, and Mekele University. The most critical vulnerabilities are found on Hawassa, with one each in Addis Ababa, Woldia, and Mekdela Amba. In terms of high-severity vulnerabilities, Hawassa leads as shown in Fig. 13.

Nessus vulnerability by severity

Full size image

According to the tendencies of the most redundantly occurred vulnerabilities type, the top six categories are illustrated as shown in Fig. 14. SSL certificate category consists of vulnerabilities like self-signed, untrusted, expired certificates, and certificates with the wrong hostnames. Those vulnerabilities lead the cyber systems to carry out man-in-the-middle attacks. Those vulnerabilities happened in almost all institutions examined here except ASTU. TLS category is also the second redundantly vulnerable in almost all institutions except AASTU. Vulnerabilities under this category are Version usage of Version 1.0 and 1.1 which are currently expired versions or do not have new updated patches supported by vendors. Those vulnerabilities cause the institutions to have flawed cryptographic designs for their cyber infrastructures.

Top Six Vulnerability Categories

Full size image

The PHP category vulnerability has existed in all institutions except AASTU. Most of those vulnerabilities are due to unsupported web application scripting language (PHP) and improper handling of CR-LF sequences. This causes the institutions to be affected by multiple vulnerabilities including integer underflow, denial of service (DoS), heap-based buffer overflow, heap-based buffer over-read, information disclosure, and email header injection

The Apache-related vulnerabilities happened on Hawassa which is due to the Version being unsupported and having no updated patch security supported by the vendor. This causes the institution to be affected by multiple vulnerabilities including denial of service, read-after-free error, cross-site scripting, out-of-bounds write, arbitrary file upload, out-of-bounds access, write-after-free, out-of-bounds read, and weak digest

The remote web server is not enforcing HSTS, as defined by RFC 6797 [37] is the sixth top vulnerability that happened on almost all institutions except AASTU. This HSTS is a response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. As a result, the remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

Vega provides vulnerabilities by categorizing them under high, Medium, Low, and Informal as per their impact and complexity over the target host’s cyberspace confidentiality, integrity, and availability.

As presented in Table 2, Vega vulnerability assessment held up on the selected 16 public University websites reports 11,286 total findings. From those results, 6, 431 (57% of the total) findings are informational those illustrate the overall secrets of the respective web applications. The informational findings detected by Vega assessment include Blank body, unspecified character set, Error HTTP, Meta Tags, unfixed X-frame header, unfixed cookie HTTP only and secure flag, uploaded form files, possible AJAX code, etc. This information gives important directions for cybercrime intruders/hackers. This implies with this type of information delivery of the web applications; all institutions are fully vulnerable to being attacked by cyber criminals (unethical hackers). The rest 4,855 (43% of the total) findings are the current vulnerabilities of the cyber infrastructures for those institutions following their risk severity level of which 20.68% are High, 4.9% are Medium, and 74.4% are Low.

As shown in Figure 15 and Table 2, the top four vulnerable institutions with highly severe labeled vulnerability cyber issues are WLDU, WU, AAU, and AASTU which cover 35.06%, 5.88%, 8.07%, and 49.2% respectively.

Number of Vulnerabilities as per Institutions

Full size image

The highly severe cyber defects detected by Vega assessment in this study include cross-site scripting, shell injection, SQL injection, Bash “Shell Shock” injection, session Cookie without HTTP Only Flag and secure flag, clear text Password over HTTP, insecure cross-origin Resource Access control, page Finger print differential, Possible Social Security number, etc.

The top three frequently detected vulnerabilities in a high number of web applications are cross-site scripting, Injection (SQL, Shell, and shellshock), Session Cookie without HTTP Only and Security flag (/), and Clear Text Password over HTTP which is depicted in Figure 16.

Top three vulnerabilities detected

Full size image

As in the pie graph of Figure 16 of highly severe detected vulnerabilities, Clear Text password over HTTP covers 49% of vulnerabilities which are ranked first. Of those vulnerabilities, all 100% are detected from www.aastu.ed.et and the second-ranked Injection vulnerability has 30% coverage of all high-risk vulnerabilities from which 76.08% are shell Shock injections detected from Woldia. 38.21% of the third-ranked vulnerability which is cross-site scripting are detected from Addis Ababa.

Vega’s vulnerability assessment reveals that the web applications S. No. 11, 12, and 10 are the most susceptible, accounting for 73.22%, 6.69%, and 4.2% of all identified medium-risk vulnerabilities. These vulnerabilities include the local file system and its path, potential HTTP PUT files, possible source code exposure, HTTP Trace server type (Apache/2.4.26 (Win32), and PHP errors. The local file system path vulnerability is the most common across all investigated web applications. This vulnerability is sensitive as it can disclose server environment details to an attacker, thereby increasing the success rate of blind attacks. The second most common vulnerability is the PHP error page signature, which can leak sensitive information such as software patch levels, configuration settings, and database or file system structure.

In terms of low-level severe risk vulnerabilities, Vega’s assessment identifies UOG, HU, WU, HAU, and DBU as the top five vulnerable web applications, covering 24.06%, 18.06%, 15.2%, 13.76%, and 13.04% respectively. The most common vulnerabilities in this category include email addresses, internal addresses, Autocomplete password fields, and Directory listing. The most frequent vulnerability is the discovery of internal addresses. These are references to internal hosts or networks found in publicly accessible content. Such addresses can disclose information about the internal network structure to an attacker, thereby increasing the likelihood of successful blind attacks involving other vulnerabilities. It can also expose the internal network structure, including Internal IP addresses, to external attackers.

In general, university websites are the most important gateways of cybercrimes due to their ubiquitous behavior and accessibility by all members and outsiders throughout the world. Highly ranked cyber-secured and highly accessible infrastructure has a great impact on the University's reputability in Worldwide computation ranks. As described in the findings of the above assessments using survey and VAPT techniques University websites are vulnerable to cybercrimes in numerous ways including missed patch management, missed firewall support port and other service management, cross-site scripting, SQL injections, and the like. In this study, we have conducted vulnerability assessment and penetration testing simply to reconnaissance the vulnerabilities and report the findings as a research output.

The results found in the above investigations assured that all of the investigated Universities are vulnerable at least with one type of vulnerability. This result also indicates the need for further vulnerability assessments should be performed and mitigation policies should be designed by the responsible administrators of the respective institutions to safeguard their cyberspaces from unethical hackers. Cyber security vulnerability investigation is a proactive defensive mechanism as it plays a significant role by simulating intruders to reconnaissance vulnerable defects from cyberspace. The output of vulnerability assessment is used for protecting cyber infrastructures before unethical hackers act on them.

Proposed counter measure mitigation solutions

For the respective key findings identified by the study as listed above, the countermeasures designed and proposed for those who want to tackle the issues are illustrated as follows. Those countermeasure mitigation solutions are developed based on: ISO-IEC-27001 standard guidelines.

Awareness development of cyber professionals

According to the National Institute of Standards and Technologies (NIST) [38], training of cyberspace professionals is the vehicle for disseminating cyber security information for establishing and maintaining a robust and relevant countermeasure upon the vulnerabilities confronted. NIST also considers cyber security awareness training as an escapable program rather it being one part of the overall cyber security program. This training is conducted for all levels of personnel to provide awareness about the information itself, services needed to protect, and overall responsibilities of protecting the organization's cyberspaces they are belonging from cyber criminals.

The steps that you have used to develop awareness for cyber professionals begin by evaluating the present cybersecurity expertise of your IT personnel. Next, create a thorough training curriculum covering the fundamental ideas, dangers, and best practices of cybersecurity. Update this program often to handle new threats and technological advancements. Making sure the training curriculum is current and interesting enough to promote learning is the biggest obstacle. It might be difficult to locate resources or trainers with the necessary qualifications. Also, Make use of internet tools and platforms that provide cybersecurity education. Involve the students in interactive lessons, practical applications, and hands-on activities.

In multiple respects, our study is consistent with the ISO/IEC 27001 series of standards. Firstly, the guidelines provided in ISO/IEC 27001 serve as the foundation for our risk assessment methodology. The ISO/IEC 27001 risk assessment process's essential elements—assets, threats, vulnerabilities, impacts, likelihoods, and risk levels have all been identified.

Second, by following the guidelines in ISO/IEC 27001's Annex A, the vulnerabilities found in our analysis can be mitigated. For example, inadequate access control was one of the vulnerabilities we found. The controls from ISO/IEC 27001 for user access management (A.9.2) and access control policy (A.9) can be used to address this.

Furthermore, our results are consistent with other relevant cybersecurity standards. For example, by following the encryption specifications outlined in the NIST cybersecurity framework, the vulnerability associated with insecure communications can be reduced.

Patch management

Vendor-unsupported outdated versions of cyber security services are patches without use. This can be the reason for individual hackers to have ways for making unauthorized access, modify and disrupt the whole cyberspace, and use critical information for unethical activities like accessing registrar information to change students’ grades and finance information to theft money and the like. Since instances of this type of vulnerability are large in number, it is difficult to put it here.

Make a list of all the systems and software that are currently in use to start. Collect information on vulnerabilities and patches that are available regularly. Examine these patches in light of appropriateness and grant them deployment permission. Before patching, test the updates in a safe environment. It can be very difficult to keep track of all the systems, software, and patches that are related to them. Hence, to expedite the process, make use of automated patch management technologies.

Avoiding open ports from cyber spaces

According to the findings of Nmap scanning as in chapter four, all institutions are vulnerable to being attacked by cybercriminal intruders easily through the available open ports. Therefore, the mitigation solution for such types of vulnerabilities is performing a similar type of scanning by the administrators of the respective cyber spaces by sending SYN packets. After receiving the SYN+ACK packet for the request from the target resend the RST signal for the target. Immediately the open port makes itself a closed port. Another way of protecting the open ports is to make them be governed by firewall policies of the respective cyberspace which means making them to be filtered state. It can be difficult to strike a balance between minimizing open ports and preserving essential functionality. So, Establish stringent guidelines requiring a reason to be given for maintaining a port open. Make sure these defenses are still sound by reviewing them regularly.

HSTS enforcement

HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. Make sure your website can be accessed via HTTPS first. Next, set up your server so that every response includes the HSTS header. The lack of HSTS allows downgrade attacks, and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. The remote web server is not enforcing HSTS, as defined by RFC 6797. As a result, the remote HTTPS server does not send the HTTP "Strict-Transport-Security" header. The mitigation solution for such type of vulnerability is configuring the remote web server to use HSTS. Your site may stop working due to misconfiguration. Before deploying the configuration, give it a thorough test in a safe environment.

XSS, injections, and clear text password over HTTP and others

Descriptions and respective mitigation solutions for those vulnerabilities are described in Table 4.

The study aimed to explore the vulnerabilities of cyberspace on cybercrime in 16 selected public universities, focusing on their web pages. The awareness of cyberspace professionals regarding these vulnerabilities was evaluated through a questionnaire-based survey conducted in sixteen of the sampled universities. The study employed VAPT assessment tools to scrutinize the vulnerabilities of the websites.

The findings indicated that all the university websites were critically vulnerable to cybercrime breaches in one way or another. The VAPT assessment revealed that the key issue was the outdated patch implementations on their servers, a fact confirmed by the survey respondents. Other significant findings included the widespread presence of XSS, Injections, and Clear text Passwords over HTTP, along with numerous open ports. These threats pose a high risk of causing the respective University websites to crash due to an aggressive cybercrime intruder exploiting these identified vulnerabilities or any other means unless the responsible stakeholders take action.

Finally, the importance of stakeholder engagement in cybersecurity efforts cannot be overstated. By involving university administrators, IT staff, policymakers, and the academic community, a collaborative approach to establishing more robust cybersecurity infrastructures can be advocated.

Based on the findings identified by this study, those examined University websites are at risk ON cybercrime vulnerabilities unless the responsible respective officials strongly act upon them. If so, before starting their actions, we recommend there to plan and start by reconnaissance their cyberspace infrastructure defects with the methods we use here or by designing any appropriate method for their own. Even recommend our findings as a startup for optimizing the respective cyber security as per the standards of ISO-IEC-27001 series.

Furthermore, since things are dynamically changing in the cases of cyberspace security, those examined Universities even any related organization's cyber infrastructures shall be overcoming their skill and alert cyber professionals by delivering short-term and long-term training on the overall cyberspace issues.

Lastly, we recommend those Universities or any related institutions, before starting the deployment of websites for implementations, should have strongly examined the basic agendas of cyber security vulnerabilities based on the checkpoints of the respective standards. After deployment, the responsible administrators should follow everything in the cyberspaces specifically, the vendor-supported patch management with serious and committed taskforces.

The datasets generated during and/or analyzed during the current study are not publicly available but are available from the corresponding author upon reasonable request.

Not applicable.

Authors declare no funding for this research.

Authors and Affiliations

1. School of Electrical and Computer Engineering, Institute of Technology, Woldia University, Woldia, Ethiopia

   Ali Yimam Eshetu & Endris Abdu Mohammed

2. Department of Electrical/Electronics and Computer Engineering, Afe Babalola University, Ado-Ekiti, Nigeria

   Ayodeji Olalekan Salau

3. Saveetha School of Engineering, Saveetha Institute of Medical and Technical Sciences, Chennai, Tamil Nadu, India

   Ayodeji Olalekan Salau

Contributions

Ali Yimam Eshetu: Conceptualization, Methodology, Software, Performed the experiment, Visualization, Writing- Original draft preparation. Endris Abdu Mohammed: Investigation, Methodology, Visualization. Ayodeji Olalekan Salau: Data curation, Formal analysis, Methodology and Writing- Reviewing and Editing, Validation.

Corresponding author

Correspondence to Ayodeji Olalekan Salau.

Ethics approval and consent to participate

Approval has been obtained from the Woldia University Research, Publication and Ethics Review Board.

Competing interests

The authors declare that they have no competing interests.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.

Reprints and permissions