Module F

1
(No Transcript)
2
Privacy and Security Issues in Online Learning
Environmentshttp//csc.colstate.edu/summers/Rese
arch/privacy-and-security-issues.ppt
Dr. Wayne SummersTSYS Department of Computer ScienceColumbus State UniversitySummers_wayne_at_colstate.eduhttp//csc.colstate.edu/summers Dr. BhagyavatiTSYS Department of Computer ScienceColumbus State Universitybhagyavati_at_colstate.eduhttp//csc.colstate.edu/bhagyavati
3
Goals

• Confidentiality (privacy) - limiting who can
  access assets of a computer system.
• Integrity (authentication) - limiting who can
  modify assets of a computer system.
• Availability (authorization) - allowing
  authorized users access to assets.

4
Problems

• Student authentication
• How do we get user ids/passwords to students?
• How do we authenticate students for the first
  time?
• How do we ensure confidentiality and privacy for
  our students?
• How do we ensure security in an online course?
• How do we help students maintain security on
  their personal computers / networks?

5
Solutions (authentication)

• Face-to-face class no problem (ask for picture
  IDs)
• Blended class also no problem (ask for picture
  IDs)
• Online classes
• Require a class meeting to distribute user ids /
  passwords
• Require student come to campus to pick up
  ID/password
• E-mail ids / passwords
• Use a standard format with required change of
  password
• Add biometric authentication as front-end to CMS
• Use a federated ID management system (portal)
• Password Policy

6
Solutions (privacy)

• Face-to-face class
• Nothing assumed
• Blended class (online portion does not ensure
  privacy)
• Online classes (typically NOT encrypted)
• You have zero privacy anyway. Get over it.
  (Scott McNealy, CEO, Sun Microsystems, 1999).
• Privacy is the future. Get used to it. (Marc
  Rotenberg, Director, Electronic Privacy
  Information Centre - EPIC) (Fortune, 2001).
• Email
• Chat rooms
• Discussion Groups
• File Space
• Privacy Policy

7
Privacy policy

• E-mail
• All email between students and between student
  and faculty will be kept confidential
• Discussion Groups
• All discussions are designed to be public unless
  specifically indicated as private
• Chat Rooms
• All chat discussions are designed to be public
  unless specifically indicated as private
• Student File Space
• Student Files
• Homepages
• MyGrades
• MyProgress
• http//www.ils.unc.edu/daniel/210user/privacy.html
  
• http//csc.colstate.edu/summers/Notes/privacy.html

8
Internet-specific privacy issues

• Personal information collected during
  registration
• Information provided by browsers
• IP address
• computer name
• link followed to reach site
• browser type
• browser plug-ins
• operating system
• Information in cookies
• SHOULD WE HAVE A PRIVACY POLICY ON CLASS WEBSITES
  ADDRESSING THIS?

9
Security in an online course

• Problems
• Course Management Systems (e.g. WebCT) do not
  typically use encryption
• Cookies must be enabled
• Java must be enabled
• Tied to portal log-in

10
Security in an online course (contd)

• Solutions
• Limit access to online courses by authorized
  students only
• Make sure the browser on your computer is not set
  to store your log-in information.
• Make sure to click on Logout when finished with
  your session. Close the browser.

11
Solutions (security)

• Apply defense in-depth
• Run and maintain an antivirus product
• Run and maintain anti-spyware software
• Keep your patches up-to-date
• Do not run programs of unknown origin
• Disable or secure file shares
• Deploy a firewall
• Policy (Design sound policies)

12
Critical Microsoft Security Bulletin MS03-039

• Verify firewall configuration.
• Stay up to date. Use update services from
  Microsoft to keep your systems up to date.
• Use and keep antivirus software up-to-date. You
  should not let remote users or laptops connect to
  your network unless they have up-to-date
  antivirus software installed. In addition,
  consider using antivirus software in multiple
  points of your computer infrastructure, such as
  on edge Web proxy systems, as well as on email
  servers and gateways.
• You should also protect your network by requiring
  employees to take the same three steps with home
  and laptop PCs they use to remotely connect to
  your enterprise, and by encouraging them to talk
  with friends and family to do the same with their
  PCs. (http//www.microsoft.com/protect)

13
Defending against information sabotage

• Analyze your risks.
• Plan for disasters.
• Write and implement policies.
• Install front-end security. 
• Install back-end security for additional
  protection. 
• Install physical security. 
• Protect against viruses.
• Install firewalls.
• Use encryption.
• Use backups.
• http//www.star-host.com/library/secure.htm

14
Conclusions

• Layered Defense
• Culture of Security
• Security Policy
• Acceptable use statements
• Password policy
• Privacy policy
• Training / Education
• Education

15

• The most potent tool in any security arsenal
  isnt a powerful firewall or a sophisticated
  intrusion detection system. When it comes to
  security, knowledge is the most effective tool
• Douglas Schweizer The State of Network
  Security, Processor.com, August 22, 2003.

16
Resources

• http//www.sans.org
• http//www.cert.org
• http//www.cerias.purdue.edu/
• http//www.linuxsecurity.com/
• http//www.linux-sec.net/
• http//www.microsoft.com/security/
• Cuckoos Egg Clifford Stoll
• Takedown Tsutomu Shimomura
• The Art of Deception Kevin Mitnick

17
Bibliography

• Privacy Policy Statements for WebCT -
  http//www.webct.com/ask_drc/forum/message?discuss
  ion30469topic35986message35986stylee
• Privacy and online learning by Roger Gabb of
  Centre for Educational Development and Support,
  Victoria University http//ceds.vu.edu.au/conferen
  ces/elearning/slideshow/rgabbSlides.txt
• http//www.webct.com/
• http//www.ecollege.com