Hervé Cholez, TAO Days 2013: Security Threats in CBA


  • Security Threats in Computer-Based Assessment

    TAO Days 2013, Bern (Switzerland), October 1-2, 2013

    [email protected]
    [email protected]

  • Introduction

  • Intro: IT Risks

    As for any IT system, CBA is exposed to the classical IT security risks:

    Server failure, man-in-the-middle attack, SQL injection, DDoS attack

  • Intro: IT Risks

    Use cryptography: secret-key algorithms (AES; DES is obsolete and should no longer be used), public-key algorithms, digital signatures, etc.

    A web-based system uses the HTTP protocol; encryption standards such as SSL/TLS (in practice only TLS today, since every SSL version is deprecated) protect sensitive data in transit via HTTPS

  • Intro: IT Risks

    Denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack)

    Saturating the target machine with simultaneous external communication requests

    Makes a resource unavailable to its intended users

  • Intro: IT Risks

    Detecting symptoms: focus on how an attack may manifest itself and how to respond to it

    Requests being blocked indefinitely, abnormal traffic volume in a network segment, unusual processes and CPU load

    Captcha
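The symptoms listed on this slide can be checked mechanically against the web server's access log. The following is an added example, not code from the slides or from the TAO platform: it parses combined-log-format lines, keeps a sliding window of recent requests per client address and for the whole segment, and flags any client whose request count inside the window exceeds a cap, together with an aggregate alarm. The log lines, the `/tao/...` paths, the window length and both thresholds are constructed or assumed for the demonstration, and the log is assumed to be in chronological order.

```python
"""Rate-based detection of DoS symptoms from web-server access-log lines.

Added example (not from the slides or TAO). Log lines, paths and thresholds
are constructed/assumed for the demonstration; the log is assumed chronological.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (client_ip, datetime, request, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status, _size = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), request, int(status)


def detect_flood(lines, window_s=10, per_ip_max=20, global_max=40):
    """Sliding-window request counts; report peak rates and which caps were crossed."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps of that ip's requests inside the window
    recent_all = deque()          # timestamps of every request inside the window
    peak = defaultdict(int)
    global_peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _request, _status = parsed
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:          # drop requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        recent_all.append(when)
        while when - recent_all[0] > window:
            recent_all.popleft()
        global_peak = max(global_peak, len(recent_all))
    return {
        "flooders": {ip: n for ip, n in peak.items() if n > per_ip_max},
        "global_peak": global_peak,
        "global_alarm": global_peak > global_max,
    }


def constructed_log():
    """Constructed sample (not real traffic): two ordinary clients and one flooder."""
    base = datetime(2013, 10, 1, 9, 0, 0, tzinfo=timezone(timedelta(hours=2)))
    events = []
    for i in range(5):   # ordinary test-takers: one request every few seconds
        events.append((base + timedelta(seconds=3 * i), "203.0.113.7",
                       "GET /tao/Main/index HTTP/1.1", 200))
        events.append((base + timedelta(seconds=3 * i + 1), "203.0.113.8",
                       "GET /tao/Main/index HTTP/1.1", 200))
    for i in range(40):  # one source hammering the login page: 5 requests/s for 8 s
        events.append((base + timedelta(seconds=i // 5), "198.51.100.23",
                       "POST /tao/Main/login HTTP/1.1", 503))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{req}" {status} 512'
            for when, ip, req, status in events]


if __name__ == "__main__":
    print(detect_flood(constructed_log()))
```

A per-client cap catches a single noisy source; the aggregate alarm is what fires for a distributed flood where no single address stands out, which is why both counters are kept.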

  • Intro: IT Risks

    Social engineering is the act of manipulating people into performing actions or divulging confidential information

    "It is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system" (Kevin Mitnick)

  • Intro: IT Risks

    Communicate on assets
    Communicate on risks
    Information security policies
    Train the people who handle sensitive data

  • Intro: CBA Security Risks

    Brain dump: memorize and share items

    Some test takers memorize (brain) test items and share (dump) the information after the assessment.

  • Intro: CBA Security Risks

    Brain dump companies (e.g., www.testking.com)
    Brain dump communities (e.g., www.postyourtest.com)

  • Intro: CBA Security Risks

    Larger item bank with random questions: constructing high-quality questions is difficult, time-consuming and expensive

    Such banks usually require thousands of questions; performance issue; equity and fairness issue

    Exposure-control algorithms prevent items from being overexposed

  • Intro: CBA Security Risks

    Item design: dynamic questions

  • Intro: CBA Security Risks

    Statistical analysis with new and old items; update test questions

    Web monitoring

    Try to remove the illegal disclosure: through simple letters, or by invoking policies through the site operator or the Internet provider

    By engaging legal action

  • Intro: CBA Security Risks

    Detect item memorization

    Aberrant response patterns, response latencies, stealth items (items very similar to other questions)
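Response latency is the cheapest of the three signals on this slide to compute, so as an added illustration (not code from the slides or from TAO) here is a screen that flags test-takers who answer several items correctly in a small fraction of each item's median response time, which is how a memorised answer typically looks; fast wrong answers are guesses and are deliberately left alone. The response data, the latency ratio and the minimum item count are constructed or assumed, and a flag is a reason for review, not proof of cheating.

```python
"""Flag test-takers whose correct answers are implausibly fast (memorised items).

Added example (not from the slides or TAO). Responses, ratio and min_items are
constructed/assumed for the demonstration.
"""
from collections import defaultdict
from statistics import median

ITEMS = ["Q1", "Q2", "Q3", "Q4", "Q5", "Q6"]


def constructed_responses():
    """Constructed data: taker -> [(item, answered_correctly, latency_seconds)]."""
    data = {}
    for k in range(5):   # five ordinary test-takers: 30-60 s per item, some errors
        data[f"t{k + 1:02d}"] = [(item, (k + j) % 3 != 0, 30.0 + 5 * k + 2 * j)
                                 for j, item in enumerate(ITEMS)]
    data["t05"][2] = ("Q3", False, 4.0)                     # a fast guess: quick but wrong
    data["t06"] = [(item, True, 5.0 if j < 4 else 45.0)     # Q1-Q4 correct in ~5 s each
                   for j, item in enumerate(ITEMS)]
    return data


def item_medians(responses):
    """Median latency per item over the whole group."""
    by_item = defaultdict(list)
    for answers in responses.values():
        for item, _correct, latency in answers:
            by_item[item].append(latency)
    return {item: median(v) for item, v in by_item.items()}


def flag_fast_correct(responses, ratio=0.35, min_items=3):
    """Takers with at least min_items correct answers faster than ratio * item median.

    Only correct answers count: a fast wrong answer is a guess, not a memorised item.
    """
    medians = item_medians(responses)
    flagged = {}
    for taker, answers in responses.items():
        fast = [item for item, correct, latency in answers
                if correct and latency < ratio * medians[item]]
        if len(fast) >= min_items:
            flagged[taker] = fast
    return flagged


if __name__ == "__main__":
    print(flag_fast_correct(constructed_responses()))
```

The per-item median is the reference rather than a global one because items differ in length; an item that everyone answers in ten seconds should not make a ten-second correct answer suspicious.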

  • Intro: CBA Security Risks

    Different studies estimate that around 70% of students admit to cheating at least once ([Lathrop2000], [Cizek1999], [Lanier2006])

    Randomise the order of questions. However, item randomisation is not a simple and straightforward task; taking precautions is essential to avoid any unfairness

    Randomise the order of the response choices
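Two of the countermeasures in this deck, random selection from a large item bank with exposure control (the "larger item bank" slide) and per-test-taker randomisation of item and option order (this slide), fit in one piece of code. The following is an added example, not code from the slides or from TAO: items are drawn least-exposed-first under a hard exposure cap, a deliberately simple stand-in for the exposure-control algorithms the earlier slide alludes to, and the presentation order is derived from an HMAC of the test-taker and session identifiers, so it is reproducible for scoring and auditing but not predictable by test-takers. Options such as "None of the above" are anchored in place, which is the fairness precaution this slide asks for. The item bank, the secret key and the identifiers are constructed.

```python
"""Item-bank draw with exposure control, plus reproducible per-test-taker shuffling.

Added example (not from the slides or TAO). Bank, secret and identifiers are constructed.
"""
import hashlib
import hmac
import random

# Constructed bank: options are (key, text); keys listed in "anchored" stay at the end.
BANK = [
    {"id": f"Q{n}",
     "options": [("a", "..."), ("b", "..."), ("c", "..."), ("d", "None of the above")],
     "anchored": {"d"}}
    for n in range(1, 7)
]
SECRET = b"constructed-server-side-secret"   # assumption: server-side only, rotated per campaign


class ExposureControlledBank:
    """Draw items least-exposed-first; refuse to administer an item beyond max_exposure."""

    def __init__(self, items, max_exposure):
        self.items = {it["id"]: it for it in items}
        self.max_exposure = max_exposure
        self.exposure = {it["id"]: 0 for it in items}

    def draw(self, n, rng=None):
        rng = rng or random.SystemRandom()
        eligible = [i for i, c in self.exposure.items() if c < self.max_exposure]
        if len(eligible) < n:
            raise RuntimeError(f"bank exhausted: {len(eligible)} items under the cap, {n} needed")
        rng.shuffle(eligible)                              # random among equally exposed items
        eligible.sort(key=lambda i: self.exposure[i])      # stable sort: least exposed first
        chosen = eligible[:n]
        for i in chosen:
            self.exposure[i] += 1
        return [self.items[i] for i in chosen]


def personal_rng(secret, taker_id, session_id):
    """Seed a PRNG from an HMAC: reproducible server-side, not guessable by the test-taker."""
    tag = hmac.new(secret, f"{taker_id}|{session_id}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(tag[:8], "big"))


def order_form(items, secret, taker_id, session_id):
    """Return [(item_id, [option keys in presented order]), ...] for one test-taker."""
    rng = personal_rng(secret, taker_id, session_id)
    items = list(items)
    rng.shuffle(items)
    form = []
    for it in items:
        movable = [k for k, _ in it["options"] if k not in it["anchored"]]
        fixed = [k for k, _ in it["options"] if k in it["anchored"]]
        rng.shuffle(movable)
        form.append((it["id"], movable + fixed))   # anchored options keep their place
    return form


if __name__ == "__main__":
    bank = ExposureControlledBank(BANK, max_exposure=2)
    for taker in ("t1", "t2", "t3", "t4"):
        print(taker, order_form(bank.draw(3), SECRET, taker, "session-1"))
    print(bank.exposure)
```

Scoring must key on the option identifiers, never on the displayed position, once options are shuffled; and because the order is a pure function of (secret, taker, session), a disputed form can be regenerated exactly for review without storing every layout.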

  • Intro: CBA Security Risks

    Controls can be incorporated: disable certain browser operations, display the questions in a secure web browser window that has no toolbars or menus, with keyboard shortcuts disabled

    Prevents accidentally exiting the assessment and task switching. Disable the calculator; disable most networking capabilities on the machines, including wireless ones, to prevent Internet access

    Close all unnecessary ports to limit communication between test-takers

  • Intro: CBA Security Risks

    Detection with key loggers: key loggers (software or hardware) record all keyboard and mouse actions

    This is an invasion of the user's right to privacy, so test-takers must be told that they will be monitored and must give written consent

    Statistical detection of answer copying ([Frary1977], [Bellezza1989], [Bay1995], [Wollack2004])

    Detecting a highly unusual score with regard to previous assessments [Cizek2001]
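The copying indices in the cited papers (the Frary g2 index, Wollack's omega, the error-similarity approach of Bellezza and Bellezza) all compare the number of matching responses a pair of examinees shows against what independence would predict. The following is an added, deliberately simplified illustration of that idea, not an implementation of any of the published indices and not code from the slides or from TAO: it counts identical wrong answers per pair, estimates the expected count from the group's option frequencies, and reports a z-score. The answer strings and the key are constructed, and the pair "S"/"X" is written to copy. Estimating the option probabilities from a group that includes the pair itself is crude, and a high score is grounds for investigation, not proof.

```python
"""Simplified answer-copying screen: identical wrong answers versus independence.

Added, simplified illustration (not the published indices, not from the slides
or TAO). Answer strings and key are constructed; "S" and "X" are written to copy.
"""
from collections import Counter
from itertools import combinations
from math import sqrt

KEY = "AAAAAAAAAAAA"                     # constructed: 12 items, correct option always A
RESPONSES = {                            # constructed: taker -> chosen option per item
    "S":  "BCDBAAAAAAAA",                # source: four errors
    "X":  "BCDBAAAAAAAA",                # copier: identical to S, errors included
    "H1": "CAAABAAAAAAA",
    "H2": "ABAAACAAAAAA",
    "H3": "AABAAADAAAAA",
    "H4": "AAACAAABAAAA",
}


def option_frequencies(responses):
    """Per item, the share of the group that chose each option."""
    n = len(responses)
    n_items = len(next(iter(responses.values())))
    return [{opt: cnt / n
             for opt, cnt in Counter(r[i] for r in responses.values()).items()}
            for i in range(n_items)]


def pair_statistic(responses, key, a, b, freqs=None):
    """(observed identical wrong answers, expected count under independence, z-score)."""
    freqs = option_frequencies(responses) if freqs is None else freqs
    ra, rb = responses[a], responses[b]
    observed = sum(1 for i, k in enumerate(key) if ra[i] == rb[i] != k)
    mean = var = 0.0
    for i, k in enumerate(key):
        # P(two independent examinees pick the same wrong option on item i),
        # crudely estimated from group frequencies that include the pair itself.
        q = sum(p * p for opt, p in freqs[i].items() if opt != k)
        mean += q
        var += q * (1 - q)
    z = (observed - mean) / sqrt(var) if var > 0 else 0.0
    return observed, mean, z


def flag_pairs(responses, key, z_threshold=3.0):
    """Every pair whose z-score exceeds the threshold, most suspicious first."""
    freqs = option_frequencies(responses)
    out = []
    for a, b in combinations(sorted(responses), 2):
        observed, _mean, z = pair_statistic(responses, key, a, b, freqs)
        if z > z_threshold:
            out.append((a, b, observed, round(z, 2)))
    return sorted(out, key=lambda t: -t[3])


if __name__ == "__main__":
    print(flag_pairs(RESPONSES, KEY))
```

Only wrong answers are compared because two strong examinees legitimately share most correct answers; shared errors, especially the same distractor, are what carry the signal. In a real deployment the statistic would be restricted to pairs who sat in the same room or session, which also keeps the number of pairs manageable.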

  • Intro: CBA Security Risks

    Test takers could easily hire a good test-taker to sit the test in their place

    Specific to CBA: here the legitimate user willingly hands over their own access (this is not an issue for bank accounts, for instance)


  • Intro: CBA Security Risks

    What you know: passwords, challenge-response, one-time passwords, etc.

    What you have: smart cards, smart badges, etc.
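One-time passwords are the factor on this list most often added to an assessment login, so as an added example (not from the slides, and not TAO's authentication code) here is the HMAC-based scheme of RFC 4226 (HOTP) and its time-based variant of RFC 6238 (TOTP), together with the two things a verifier must do beyond computing the code: accept a small window of time steps to absorb clock drift, and never accept a counter at or below the last one it accepted, so a code captured by social engineering or a key logger cannot be replayed within its validity window. The shared secret is the ASCII test-vector secret from the RFCs; the user identifier is constructed.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a drift window and replay protection.

Added example (not from the slides or TAO). The secret is the RFC test-vector
secret; the user identifier is constructed.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret (SHA-1)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server side: tolerate +/- window steps of clock drift, refuse replayed counters."""

    def __init__(self, step=30, window=1, digits=6):
        self.step, self.window, self.digits = step, window, digits
        self.last_counter = {}   # user -> highest counter already accepted (persist this)

    def verify(self, user, secret, code, at=None):
        at = time.time() if at is None else at
        now = int(at // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue                       # already consumed: a replay, not a login
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0 ->", hotp(RFC_SECRET, 0))
    print("TOTP at t=59   ->", totp(RFC_SECRET, at=59))
    v = TotpVerifier()
    print("first use:", v.verify("alice", RFC_SECRET, totp(RFC_SECRET, at=75), at=75))
    print("replay:   ", v.verify("alice", RFC_SECRET, totp(RFC_SECRET, at=75), at=75))
```

The constant-time comparison matters less for a six-digit code than rate limiting does: with 10^6 possibilities and a three-step window, an unthrottled verifier can be brute-forced, so the login path should lock or slow down after a handful of failures per user.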

  • Intro: CBA Security Risks

    What you are: fingerprints, iris recognition, retina scan, facial recognition, palm-vein scan

    Legal issues (especially in the EU)

    What you do: electronic signatures (writing speed and pen pressure, etc.)

  • Intro: CBA Security Risks

    Continuous authentication: video monitoring, fingerprint mouse, mouse and/or keystroke analysis

  • Intro: State of the Art Overview

    224 references

    Legend:
    - Not covered or very briefly exposed
    + Partially covered
    ++ Playing a central role

  • Intro: State of the Art Overview

    Main concerns:
    Results integrity (cheating)
    Test-taker integrity (authentication)
    Test/item confidentiality (brain dump)

    Lacks:
    Availability and classical security
    Results confidentiality

    Isolated solutions: research works focus on a specific risk or context

  • Conclusion

    Security is still a challenge in CBA

    As for any IT system, CBA faces many classical IT security risks

    There are many risks specific to CBA

  • Conclusion

    Future work: development of a framework adequate to analyze and assess information security in CBA processes, taking the different contexts into account.

  • Conclusion

    Context variables (each pair spans the range of contexts):
    Summative purpose / Formative purpose
    High stake / Low stake
    Large scale / Small scale
    Individual scope / Population scope
    Automatic scoring / Manual scoring
    Centralized collection / Decentralized collection
    Network delivery / Physical delivery
    High exposure / Low exposure

  • Contact

    [email protected]
    [email protected]
    [email protected]