[BreachExchange] Preventing Data Security Breaches on an LMS
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Aug 9 19:25:29 EDT 2016
http://blog.commlabindia.com/elearning-development/data-
security-breaches-on-lms
How can you ensure the safety of your confidential data? What does it take
to prevent a costly information heist? One of the key repositories of your
organizational data is your Learning Management System (LMS). It is a
treasure trove of sensitive information – information about your business
processes and strategies, new products, and other vital information, and
theft or destruction of this data could have catastrophic consequences.
Let us now look at some of the common challenges to the security of
information stored in LMSs.
Challenge 1: Implementing effective authentication management
This is arguably the biggest information security challenge in the use of
an LMS. Authentication management encompasses all activities related to
identifying specific users and managing active sessions. Companies need to
make sure that they have robust processes in place to manage data
authentication (usernames and passwords) to prevent it from falling into
wrong hands. For instance, it is advisable to have proper procedures to
change passwords to prevent unauthorized access to your LMS and ensure the
security of your confidential information.
Challenge 2: Encrypting information
Proper encryption of sensitive information in your LMS goes a long way in
securing it against confidentiality attacks – attacks carried out by
hackers to access and distribute confidential information. To overcome
these challenges to the safety of data stored in your LMS, you need to
focus on the storage and management of cryptographic codes, security of
direct objects reference, and procedures to handle errors.
Challenge 3: Preventing Denial of Service (DoS) and integrity attacks
DoS attacks are primarily carried out to make the learning content
inaccessible to users. Attackers either use the flaws in an LMS to carry
out requests that make it perform an endless cycle of actions or “flood” it
with a large number of requests so that it crashes. On the other hand,
integrity attacks intend to compromise or destroy the data stored in the
LMS. You need to focus on aspects such as changes to access permissions and
privileges, detection of unauthorized devices and applications connected to
your company’s network and so on to ensure the security of your critical
data.
Let us now look some of the best practices of ensuring data security in
your LMS.
Best practice 1: Use Secure Socket Layers (SSLs) for all actions
SSLs help overcome the data safety challenges in using your LMS by
facilitating secure communication between the LMS and the browser. Many
popular LMSs such as MOODLE use SSLs to cover certain critical actions.
However this may be inadequate to ensure the security of sensitive
information stored in the LMSs. Therefore, it is advisable to use SSLs for
all actions in the LMS.
Best Practice 2: Generate new ID sessions for each validation
SSLs would be ineffective in thwarting attacks on your LMS if a new user is
connected through the HTTP protocol devoid of SSL. This threat to the data
security of your LMS can be overcome by creating a new ID session when the
login credentials supplied by the user are validated.
Best Practice 3: Use CAPTCHA on the login page
CAPTCHAs go a long way in ensuring the safety of data in your LMS from
attacks. Adding a CAPTCHA to the sign-up page makes it very hard for
attackers armed with automated tools to break into the system.
To overcome challenges to the security of data in your LMS, you need to:
- Implement effective authentication information management policies and
make sure your LMS data is well-encrypted.
- Focus on detecting unauthorized applications and devices connected to
your network. It is essential to have a robust system to manage permissions
and privileges. It is advisable to use SSLs for all LMS actions and
regenerate a new ID session for each validation of login credentials.
- Use CAPTCHAs on the sign-up page to prevent automated attacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160809/70e7bd64/attachment.html>
More information about the BreachExchange
mailing list