Staying Ahead of Evolving Security Threats

Transcription

1 Staying Ahead of Evolving Security Threats John Kleeman, Questionmark Executive Director and Founder David Hunt, Questionmark Information Security Officer All rights reserved. Questionmark is a registered trademark of Questionmark Computing Limited. All other trademarks are acknowledged.

2 How real is the threat? Slide 2

3 November 23, Pearson Vue system breached by malware Pearson statement: We recently were made aware that an unauthorized third party placed malware on Pearson VUE s Credential Manager System which is used by adult learners to support professional certifications and licenses. The unauthorized third party improperly accessed certain information. We are working with law enforcement and leading third-party forensic experts to assess and verify the scope of the issue and related facts. Customer privacy is a top priority for us and we take this responsibility very seriously. For the time being, the Pearson VUE PCM System remains offline. Slide 3

4 August 3, 2016: SAT questions released Reuters reports: Slide 4

5 February 26, 2017: Indian army exam cancelled Indian army recruitment exams Exam in Feb 2017 cancelled due to leak of question papers Evidence of sale to candidates Seems insider fraud. 3 internal and some external suspects arrested 350 candidates banned from exam forever Slide 5

6 How can you guarantee you are never breached? This is the wrong question No system is ever completely secure. In spite of huge security investment, prisoners have escaped from Alcatraz How can you reduce the risk of a breach? This is the right question Security is about minimizing risks Slide 6

7 Agenda of this session Threat and risk An introduction Getting inside the head of an attacker - an exercise where you practice an attack Recommendations and suggestions Mostly for all users of Questionmark A few specifically for Questionmark OnDemand A few specifically for Questionmark Perception / OnPremise Slide 7

8 Threat and risk

9 Security objectives Availability Confidentiality Integrity Confidentiality Keep questions secure - avoid content theft Results only available to those who should know Integrity Right person takes assessment Assessment process fair and robust No cheating Availability Assessments can be taken when needed Results are stored safely Slide 9

10 Possible threats to security Candidate Impersonation Collusion Content Theft Access to restricted aids Assessment system fails Personal data leaked

11 Risk management Threat potential cause of an unwanted, harmful incident Vulnerability weakness or gap that could be exploited by a threat Risk Potential that a threat can exploit a vulnerability Example risks: A test vendor lets malware into their system which broadcasts out data to third parties A content author breaks confidentiality and shares questions from exams with the public A hurricane destroys the data center in which the exam is delivered from, destroying records Slide 11

12 Probability Risk probability and impact LOW HIGH High probability. Low impact. Low probability. Low impact. High probability. High impact Low probability. High impact. LOW Impact HIGH

13 Octave Allegro: one route for assessing risk Slide 13

14 Why assess risks? Formal process can identify all threats, less likely to miss key threats Quantifying risk allows you to prioritize the actions that will reduce risk Recommended by all respected security authorities: ISO 27001, NIST & many more Example 2016 Verizon data breach report reported 63% of confirmed data breaches involved weak, default or stolen passwords. For most organizations, a risk assessment is going to highlight this and suggest some mitigations Slide 14

15 Getting inside the head of an attacker Some want to cheat the exam Other reasons For fun To show off As a grudge Because they can For profit For curiosity For ideals Slide 15

16 How would you attack an assessment programme? To plan a good defence, it s useful to think like an attacker might Group exercise ABC runs a semi-public assessment program You have a grudge against ABC And would like to embarrass them and make their assessment program fail Imagine you had time, money and skills Get into small groups. You have 10 minutes to come up with a plan of attack

17 Debriefing Could your attack work against some assessment programs? Could someone s attack work against your assessment program? Has the exercise encouraged you to think or plan differently at all? Slide 17

18 Specific security advice for Questionmark users Focus on system security rather than security against cheating Slide 18

19 Approach Risk Identify a possible risk Mitigation Identify how to deal with it In some cases varies between Questionmark OnDemand and Questionmark Perception

20 How to deal with Risks Q u e s t i o n m a r k C o n f e r e n c e Leakage from content authors An author could share content with candidates For money Because they are teaching them Inadvertently Lock down authoring permissions so that each author and item reviewer only has access to specific topics Get authors to sign confidentiality agreements so they realize they must keep material confidential Train authors in security including strong passwords Slide 20

21 How to deal with Risks Q u e s t i o n m a r k C o n f e r e n c e Review usage rights Surprisingly common for organizations to fail to remove permissions from leaving or transferring employees/contractors Suppose someone finds a way to create themselves an administrator user or give themselves more permissions without you knowing? At regular intervals Review all Questionmark administrators Are they who you expect? Are they still employed and/or allocated to your project? Do they still need all the access they have? SAML can be another approach Slide 21

22 How to deal with Risks Q u e s t i o n m a r k C o n f e r e n c e Password weaknesses Passwords can be compromised in many ways including: Weak passwords being guessed or cracked People writing down passwords insecurely Phishing attacks Malware (e.g. keylogging) Upgrade to the latest version (OD3 or Questionmark OnPremise) so you can set a good password policy Train your users on passwords and general IT security Limit rights to the least privilege that people need Consider SAML which allows two-factor authentication Slide 22

23 Upgrading to the latest version doesn t just give you more features, it also makes you more secure Questionmark OnDemand Most secure as updated monthly, often fixing security issues If you re not already there, please move to OD3 Authoring Manager Is less secure On Premise Worth moving from 5.x to Questionmark OnPremise Removes Authoring Manager Allows stronger passwords and SAML Many, many security improvements If you can t then consider moving to OnDemand Slide 23

24 Learning from the scouts.. Be prepared the meaning of the motto is that a scout must prepare himself by previous thinking out and practicing how to act on any accident or emergency so that he is never taken by surprise Slide 24

25 How to deal with Risks Q u e s t i o n m a r k C o n f e r e n c e Be ready for the first 24 hours of a security incident If you are unprepared for a security incident, likely: Have a wider breach Lose confidence from customers & stakeholders Organization suffer more serious damage Not be able to respond well to media/press Create a security incident response plan covering Roles, classification of incident, response plans, recovery, retrospective Conduct regular live table top test sessions to check out the plan and train your team Slide 25

26 How to deal with Risks Q u e s t i o n m a r k C o n f e r e n c e Backup If you were to lose your data You d have to re-create all your questions and assessments You would have lost all your past participant results no evidence, no item analysis, no records Your assessment program would be down for a considerable period If you use Questionmark OnDemand, we do it for you If you use Perception / On Premise Set up a reliable backup Conduct regular restore tests to check the backups can be restored Slide 26

27 Other things to ensure in Questionmark Perception / On Premise installation (we do it for you OnDemand) Harden Windows Install Windows patches Network security Power supply redundancy Multiple connection from servers to Internet Physical security of server room Use HTTPS Set up firewalls Redundant hardware Intrusion detection/prevention Anti-malware Regular vulnerability scans Slide 27

28 How to deal with Risks Q u e s t i o n m a r k C o n f e r e n c e Least privilege If you give someone a wide set of privileges, this can cause damage If their credentials are stolen If they make a mistake (e.g. delete something) If they become untrustworthy Limit super user permissions If you need super users, create two accounts One for normal access One for privileged access Reduces risk of super user account causing damage Slide 28

29 Define roles that match needs Allocate users to roles Consider Least privilege Segregation of duties For a primer, attend Bart and April s user conference session Role-based Security in Questionmark OnDemand: Managing users and roles effectively Use roles and permissions Slide 29

30 If using an LMS Calling Questionmark from an LMS introduces a theoretical extra attack surface Many LMSs do not support IMS LTI, but if they do, this is more secure than SCORM or AICC, please consider it Questionmark now making SCORM with SAML available improves the security of SCORM Slide 30

31 Some additional specific advice for Questionmark Protect master password OnDemand Questionmark sends you a master name/password to login to the system which gives access to all functions Change this from what is sent to you Restrict access Set a strong password policy or use SAML If not using an LMS, disable PIP integration If not using open assessments, disable this entry point Slide 31

32 Some additional specific advice for Questionmark Perception 1. Change the default password combination of Manager/Secret 2. Change the server key from the default 3. Change the QMWISe trusted key from the default 4. Disable integration entry points if you are not using them 5. Disable open.php (open access to assessments) if not using 6. In a multi-tier installation, ensure communication between the presentation and business tiers of delivery are secure See for details Slide 32

33 Your advice Any advice you would like to share on improving security? Slide 33

34 Summary Slide 34

35 Risk management is the key to security Threat potential cause of an unwanted, harmful incident Vulnerability weakness or gap that could be exploited by a threat Risk Potential that a threat can exploit a vulnerability

36 Some useful places to learn more ISO and security standards NIST security controls Octave Allegro Slide 36

37 Your questions Slide 37