Organizations seeking to manage their educational and training content use increasingly popular tools known as Learning Content Management Systems (LCMS). When these systems are implemented the security aspect are often overlooked. In the development of a Learning Content Management System a courseware designer would go through the phases of analysis, design, development, implementation, deployment, evaluation and maintenance. Security issues should be considered as early as in the analysis phase. However many courseware designers would only consider these issues at the maintenance phase or not at all. Therefore the implementation of security elements is an important factor. This paper will discuss the various types of threats to the systems, and steps needed to be taken in securing the LCMS to ensure the validity and integrity of the data
By: Faten Damanhoori, Nur Hussein, Norlia Mustaffa, Wan Mohamad Fauzy
INTRODUCTION The advent of the internet and web technology has enabled people from all walks of life to access and participate in e-learning. In order to monitor this activity and to ensure the content of the e-learning system is in a proper state, we need a subsystem called a Learning Content Management System (LCMS) to address these matters. LCMS refers to the system that is employed to create, store, assemble and deliver course contents to the learners. It evolved from learning management systems (LMS), which are used by organizations to manage the learning needs and accomplishments of employees (Robbins, 2002). However it turned out that LMS do not give the organization sufficient control over the content of their courses. LCMS are engineered with a focus on the creation, editing and reusability of content (Breeding & Katzman, 2002). When the content of the system is the most valuable asset of a LCMS, it is important that the integrity of the content itself is ensured. Therefore, security measures need to be taken when implementing a LCMS for e-learning. The goal of security is to protect data from access by unauthorized users and to ensure the integrity, availability, confidentiality and privacy of data (Elmasri & Nevathe, 2006). Unfortunately, when LCMS software is deployed by instructors, more often than not the security aspect is either haphazard or overlooked entirely. There are many factors that contribute to the reason why security is under-represented in the list of details when designing a LCMS. Most developers rely on the product documentation, white papers and books that only concentrate how to use and create the structure and contents of LCMS, with little or no mention on security. Books on security, however, are too technical or too theoretical for a regular developer to understand, let alone an instructor who is not in the business of security. Additionally, most instructors do not have access to experienced security consultants who audit the systems of big commercial software companies. This paper will discuss the different ways that LCMS are developed and deployed by instructors, and the related security issues surrounding each method of setting up their LCMS. The three different routes that an instructor can take when setting up a LCMS is:
There are different security issues to consider for each of these different ways of implementing or deploying a LCMS. They are discussed in the following sections. CREATING A LCMS FROM SCRATCH The creation of a LCMS will go through the same phases of development as any software system. The general way of implementing an application is to follow the phases of analysis, design, implementation, deployment, evaluation and maintenance. Figure 1 is an adaptation of Royce’s original “waterfall model” (Royce, 1970). Figure 1: The Phases of Software Development Analysis Phase The analysis phase, which is considered one of the most important steps in software development, concerns the gathering of requirements of the users and system and determining the proper tools to create the software. The security aspect should be addressed as early as in this phase. The security issues that need to be addressed can be categorized as follows (Kendall & Kendall, 1998): 1. Behavioral Security Behavioral security is the legal and social aspect of security. It is important to clearly define the roles of each user, and the permissions and rights of each user of the system. This would include a question of policy, e.g. who should be allowed access to what part of the system (Date, 2003). “…the human factor is truly security’s weakest link” (Mitnick & Simon, 2002). 2. Physical security It is important that physical control of the computer facility, both hardware and software is controlled. Even the most sophisticated security software is meaningless if a potential attacker has physical access to the hardware and software we want to protect. The room that the server is located needs to be carefully chosen, and protected from unauthorized access. Also, data needs to be backed up on an off-site location, so that if any incidents happen at the physical location of the server, the integrity of the data on the off-site backup is still guaranteed. 3. Logical security The logical security is the security mechanisms that exist within the software itself (Kendall & Kendall, 1998). This includes the operational control (e.g. passwords, authorization code and encryption), network security (firewalls, demilitarized zones), operating system security (access control lists, access logs, privilege separation) and application security (ensure that software is free from buffer overflows etc.). In the analysis phase, the security support for the software used and the degree of sophistication of that support should be evaluated. At the end of the analysis phase, a set of requirements should be obtained, and decisions must be made to the choice of hardware, software, development methodology and development tools. Design Phase During the design phase, the mechanisms that are required to enforce the security requirements that we acquired during the analysis phase is detailed. Specifically, security controls need to be designed to protect the content and user data of the e-learning system from hackers, viruses, worms and messages overload. It is at this point that decisions are made on how to protect the content or data (password, built-in security for files, encryption, digital signature and certificates). The methods and protocols that address authentication, authorization, privacy and integrity (e.g. Secure Sockets Layer (SSL) or Transport Layer Security (TLS)) should also be decided on) (Satzinger, Jackson & Burd, 2006). Implementation Once the proper security controls are designed, in theory there should not be any security problems in this phase. In practice however, the bugs introduced by poor and careless programming is where a lot of security vulnerabilities crop up. For example, even though input validation was addressed at the analysis and design phases, if a programmer accidentally neglects to validate even one input, it introduces an avenue where malicious hackers can attack the system. This emphasizes the importance of following through with the decisions made during the analysis phase. Deployment Deployment is carrying out the activities planned for actually setting up the system for production use. The administrative tasks required to correctly deploy the system requires a knowledgeable staff that is experienced in securing the server and operating system as planned in the analysis phase. It is essential that the entire software stack, from the operating system to the application, be administered correctly and securely for the entire system integrity to be guaranteed. Evaluation Once the software is developed, it needs to be tested to minimize the amount of bugs that are going to be present when the system is in use. There are two main approaches to testing the software for security holes: 1. White box testing where source code is actively examined for defects 2. Black box testing where the program’s source code is not examined, but instead the program’s behavior is observed in response to test inputs. White-box testing is not as widely used as black-box testing when testing for security vulnerabilities (Kals et al., 2006), so more tools exist for black-box testing. Developers should familiarize themselves with these tools, which are in fact the same tools used by malicious hackers to test the vulnerabilities of systems. However, it should be stressed that black-box testing does not necessarily work better than white-box testing, and that both approaches should be considered during testing. Maintenance The maintenance phase is where most of the actual security holes and bugs are discovered. When this happens, the developer usually has to go back through all the stages of software development to apply the fixes. Usually, implementation bugs are easier to fix than design errors. Therefore it is of utmost importance to get the security right during analysis and design. Deploying an Existing LCMS from a Third-party The second option instructors have for setting up a LCMS is to simply use an existing system that is either bought from a vendor, or downloaded freely from the internet. There exists a number of both commercial and freely available LCMS software that are flexible enough to be used without resorting to customization. Examples of commercial LCMS are WebCT, Blackboard, and IBM Lotus LMS. However, recently open source LCMS such as Moodle have enjoyed a surge in popularity. The advantage of using a third-party LCMS is that the fixing of the security vulnerabilities in the software itself is the responsibility of the vendor or the developers of the system. However, the robustness of the system depends highly on how well the software was developed and how diligent the third-party is when fixing bugs and updating the software. Therefore, the instructor has to evaluate each different product available in the market before deploying it. The security process of deploying a third-party LCMS is similar to the security procedures that concern the instructor if he or she had developed it from scratch. The security of the server on which the LCMS is hosted on should be under the care of an experienced administrator, and access to the server should be controlled both remotely and physically. Extending an Existing LCMS When using an existing third-party system, the primary disadvantage is the loss of flexibility and customization compared to creating one from scratch. However, creating one from scratch involves a lot of work. Therefore, a halfway-point between using an unmodified third-party system and creating an entirely new customized system is to extend the functionality of existing systems that allow the user to modify it (such as the open source LCMS software). Modifying the existing system can be as involved as creating a new one from scratch. This is because not only do all the phases of software development have to be followed when creating the extension, the developer also has to understand the existing system and how the new modifications will interact with the existing code. Therefore the same security issues related to developing the system from scratch applies here as well. Also, when the original developers make an update or fixes on their system, it may become more difficult to apply those updates and fixes to the modified system. SOURCES OF VULNERABILITIES Securing a LCMS is no different from securing any other type of system that is exposed to public access. There are three different ways security vulnerabilities can creep into the LCMS: Server vulnerabilities Third-party application vulnerabilities Custom developed application vulnerabilities Server vulnerabilities occur during the deployment of a LCMS. Any vulnerabilities affecting the server operating system, database software, web server software or any other running programs on the server can lead to a compromise of system security. It is important for the system administrators in charge of maintaining the LCMS servers to be aware of security issues affecting the software that they run on their machines. They need to take pro-active measures to harden their systems by applying security updates regularly, as well as setting up firewalls, anti-virus software, intrusion detection systems and other such preventive mechanisms. Application security concerns the security of the LCMS software itself. If the LCMS was deployed using a third-party application such as Moodle or Blackboard, then the task of ensuring the security of these applications reside with the vendor of the software. For open-source LCMS software, it is also possible for users to observe and rectify security vulnerabilities by modifying the source code themselves. As long as the users are backed by a vendor or a developer community that addresses security issues, it is generally safe to use. The third category of security vulnerabilities in custom-developed applications is where vulnerabilities can enter if the code is not developed with a focus of security in mind. Also, if existing systems are extended with custom code, it could also be a source of vulnerabilities. Unlike vendor-backed third party LCMS tools, custom LCMS may be developed by educational institutions without any attention given to the process of scrutinizing the code for potential vulnerabilities. According to Glisson et al. (2006), there is a lack of awareness among developers in organizations on the importance of security during the entire development process. Sadly, it is often overlooked by educational institutions deploying LCMS software. Without any support from either a vendor (for proprietary or commercial applications) or a wide-community of developers who debug open source code (for open source and community-oriented software), the educational institution needs to have developers that focus on security during development if they choose to develop their own systems. Currently, the most common way that an instructor creates a custom application is to either create it himself, or to hire student assistants to help create it for him. The main problem with this situation is that neither instructors nor students are professional software developers, so it is more likely that security vulnerabilities will be inadvertently introduced into the system due to lack of development experience and lack of awareness about security issues during the development process. TYPES OF ATTACKS AGAINST LCMS SOFTWARE Almost all LCMS software is web-based, so it is useful to look at attacks that are used against web-based systems. The most common type of attacks are: SQL Injection Cross-site scripting SQL stands for “structured query language”, a language used to read, write and manipulate information in a database. The database component is required by the web system to store data used by the system. SQL injection is the insertion of SQL statements into web forms that trick the web application into running malicious SQL commands. Usually, the attacker will try to extract passwords, or insert unwanted data into the system. Cross-site scripting is the insertion of scripts (short interpreted program code written for a specific purpose) into input forms in the web to enable the attacker to execute malicious code. Users who are tricked into running these scripts can find themselves inadvertently sending sensitive information such as passwords to the attacker’s machine. Both types of attacks are caused by improper sanitization of user input by the web system. Therefore, whenever user input is captured, it is important that it is filtered by the system for malicious content. The attacks that a malicious hacker will attempt are by no means limited to just these two types. It is important that instructors remain constantly updated on security-related information to safeguard themselves from any eventuality. RECOMMENDATIONS FOR IMPROVING LCMS SECURITY Most developers do not adhere to the proper procedure of implementing software applications let alone, consider the security issues. Developers sometimes think either that they are infallible and their systems are invincible or nobody is interested enough in their application for it to be attacked. But when an intrusion happens it may be too late to rectify the predicament. By then you may have lost a significant amount of data. If you do not have a good backup strategy, it is almost impossible to recover from this; it could be years of work lost. We outline several strategies for improving security in LCMS software used by instructors: Awareness of security issues and support from the organization. The use of frameworks when building web applications from scratch. The proper administration of all servers and the network that is used to host the application. Training application developers to learn how to write robust and secure programs. Awareness Of Security Issues The most important consideration in improving security in the implementation of a LCMS software is to raise awareness of security issues among educators about the importance of applying sound security practices in application development throughout the development life-cycle of the software. It is important that security is addressed at every layer in the implementation and deployment of the LCMS; security is only as strong as the weakest link in the chain. Active organizational support is required for security in the process of web development (Glisson et al., 2006). There needs to be explicit support by the educational institution for security, and that means that every person involved in the development and deployment of the system should be aware of the issues involved. Web Frameworks Security flaws can arise from a bad choice of development tools and methodology. For example, a lot of web systems developed from scratch use a scripting language such as PHP: Hypertext Preprocessor (PHP), VBScript with Microsoft Active Server Pages (ASP) and JavaServer Pages (JSP). However, inexperienced developers underestimate the amount of work required to build a web system. More often than not, developers end up reinventing the wheel, and moreover, they are reinventing it badly. The use of web frameworks mitigates many of the inherent problems of developing a new web system. A web framework is a software tool that provides the web developer with a set of ready-made customizable components that only need to be used for common web functionality such as logins, searches, editing and other activities on a web system. Because web frameworks have already properly implemented general solutions to many of the required components of web systems such as user authentication, input verification, database access, templating and session management, the resulting system will be more secure than if it was totally implemented from scratch. Examples of commercial application frameworks are BEA Weblogic, IBM’s Websphere and Microsoft ASP.net. However, there are very popular, freely-available frameworks too such as Ruby On Rails, Apache Struts and Twisted. System and Network Administration To ensure the security of the entire system, it is important that every component is secure. This includes the server and the network that services the system. It is usually unrealistic for an instructor to hire a staff of full-time system administrators to take care of the network and server. Hence, it is important that instructors themselves are aware of basic security and system administrative practices: It is helpful for instructors to choose a server operating system that automates setting up a secure server, and also automatically updates the system. The use of a good automated hardware firewall is essential. While it is insufficient to rely on a firewall alone, a well-configured firewall helps keep the majority of intruders out. The servers that provide services to the internet should be isolated from the rest of the network in a demilitarized zone (DMZ) partitioned off by a firewall (see figure 2). Therefore, any intrusion in the DMZ will be contained within it, and won’t affect the rest of the systems on the network. A comprehensive backup policy that is done frequently, and backup tapes or discs should be stored at a different location from the server. Keep a record of all software used within the system. Keep abreast of security alerts and patches for all software that are issued by the vendor. Figure 2: Setting Up A Demilitarized Zone (DMZ)[1] Developer Training Large software companies send their developers for training in secure programming. It may be worth the cost for instructors to also attend such training courses. These courses provide a refresher even for experienced developers on secure programming techniques. Constant learning by developers is required because the number and sophistication of malicious attacks have increased, and it is a real problem that needs to be addressed. CONCLUSION Learning content management systems are invaluable tools for educators. When implementing and deploying LCMS software, educators should be familiar with the security aspect of maintaining or developing the system. Security should be considered at every stage of the development process, if educators choose to develop their own LCMS. If they choose to deploy existing LCMS software, setting up the software securely should be a priority. Although it may not be practical (due to time and expense considerations) for most educators to achieve truly optimum levels of security, they should be able to fend off most forms of malicious attacks by being aware of the security issues, using (and re-using) good code (via frameworks) when implementing their own LCMS solutions, and by simply keeping their systems up-to-date. |
:.