
Security Threats in Computer-Based Assessment


TAO Days 2013
Bern (Switzerland) - October 1-2, 2013

herve.cholez@tudor.lu
patrick.plichart@taotesting.com


Introduction

As for any IT system, there are many classical IT security risks in CBA:

- Server failure
- Man-in-the-middle attack
- SQL injection
- DDoS attacks

IT Risks

Use cryptography: secret-key algorithms (DES, AES, etc.), public-key algorithms, digital signatures, etc. (DES is obsolete for new designs; AES is the current standard.)

Web-based systems use the HTTP protocol


Encryption standards such as SSL and its successor TLS protect sensitive data in transit over HTTPS (SSL itself is deprecated; only TLS should be enabled today)

Denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack)
- Saturating the target machine with simultaneous external communication requests
- Making a resource unavailable to its intended users


Detecting symptoms: focus on how an attack may manifest itself and how to respond to it
- Requests being blocked indefinitely
- Abnormal traffic volume in a network segment
- Unusual processes and CPU load
- Captcha (to separate human test-takers from automated request floods)
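The symptoms listed above can be checked mechanically on server logs. The following is an added example, not code from the slides or from the TAO project: it runs a small window-based detector over constructed web-server log lines. The log format, the thresholds and the sample traffic are assumptions made for the example, not measurements or tuning advice.

```python
"""Added example (not from the TAO Days slides or the TAO project): check
constructed web-server log lines for the DoS/DDoS symptoms listed above.

Per fixed time window the detector flags:
  * abnormal request volume overall and from a single source address,
  * a rising share of requests the server refused (HTTP 503), the usual
    footprint of requests being "blocked" while the server is saturated,
  * responses slower than a latency ceiling.
Log format, thresholds and sample traffic are all assumptions made for
this example.
"""
import re
from collections import defaultdict

# Assumed line format: "<epoch_seconds> <client_ip> <http_status> <latency_ms>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\d{3}) (\d+)$")


def build_sample_log():
    """Constructed traffic: ten ordinary requests in seconds 0-9, then a
    60-request burst from one address in seconds 10-19 during which half
    the requests are refused and a quarter take three seconds."""
    normal = [f"{t} 10.0.0.{1 + t % 3} 200 {80 + t}" for t in range(10)]
    flood = [
        f"{10 + i % 10} 10.0.0.9 {503 if i % 2 else 200} {3000 if i % 4 == 0 else 50}"
        for i in range(60)
    ]
    return "\n".join(normal + flood) + "\n"


def parse(log_text):
    """Return (timestamp, ip, status, latency_ms) tuples; malformed lines
    are skipped rather than allowed to crash the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, status, latency = m.groups()
            events.append((int(ts), ip, int(status), int(latency)))
    return events


def detect(events, window_s=10, max_per_ip=20, max_total=50,
           max_refused_ratio=0.3, max_latency_ms=2000):
    """Return (window_start, symptom, detail) alerts, one per symptom and window."""
    by_window = defaultdict(list)
    for ts, ip, status, latency in events:
        by_window[ts // window_s].append((ip, status, latency))

    alerts = []
    for w, evs in sorted(by_window.items()):
        start = w * window_s
        total = len(evs)  # never zero: a window only exists if it saw traffic
        if total > max_total:
            alerts.append((start, "volume", f"{total} requests in {window_s}s"))
        per_ip = defaultdict(int)
        for ip, _, _ in evs:
            per_ip[ip] += 1
        for ip, n in sorted(per_ip.items()):
            if n > max_per_ip:
                alerts.append((start, "flood", f"{ip} sent {n} requests"))
        refused = sum(1 for _, status, _ in evs if status == 503)
        if refused / total > max_refused_ratio:
            alerts.append((start, "refused", f"{refused}/{total} requests refused"))
        slow = sum(1 for _, _, latency in evs if latency > max_latency_ms)
        if slow:
            alerts.append((start, "slow", f"{slow} responses over {max_latency_ms} ms"))
    return alerts


if __name__ == "__main__":
    for start, symptom, detail in detect(parse(build_sample_log())):
        print(f"t={start:>4}s  {symptom:<8} {detail}")
```

On the constructed data the quiet first window produces nothing and the second window raises all four symptoms at once; in practice the per-address flood check is the one a distributed attack evades, which is why the volume, refusal-ratio and latency checks are kept independent of the source address.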


Social engineering is the act of manipulating people into performing actions or divulging confidential information

"It is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system" (Kevin Mitnick)


Countermeasures:
- Communicate on assets
- Communicate on risks
- Information security policies
- Train people who handle sensitive data

CBA Security Risks

Brain dump: memorise and share items

Some test takers memorise (brain) test items and share (dump) the information after the assessment.


- Brain dump companies (e.g., www.testking.com)
- Brain dump communities (e.g., www.postyourtest.com)

Countermeasure: a larger item bank with randomly drawn questions
- Constructing high-quality questions is difficult, time-consuming and expensive
- Such banks usually require thousands of questions
- Performance issue
- Equity and fairness issue
- Prevents item overexposure by means of item-selection algorithms


Item design: dynamic questions


Statistical analysis with new and old items
Update test questions

Web monitoring: try to remove the illegal disclosure
- Through simple letters or by invoking policies, via the site operator or the Internet provider
- By taking legal action


Detect item memorisation
- Aberrant response patterns
- Response latencies
- Stealth items (items very similar to other questions)


Different studies estimate that about 70% of students admit to cheating at least once ([Lathrop2000], [Cizek1999], [Lanier2006])

Randomise the order of questions
- However, item randomisation is not a simple and straightforward task; taking some precautions is essential to avoid any unfairness (for instance, a choice such as "None of the above" must stay in last place, and every test-taker must keep getting the same form on reconnection)

Randomise the order of response choices
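The item-bank and randomisation countermeasures above fit together in one piece of code. The following is an added example, not code from the slides or from the TAO platform: it draws items from a constructed bank under an exposure cap (the "larger item bank with random questions" countermeasure) and then randomises item order and answer-choice order per test-taker while re-mapping the answer key, with the precautions the slide warns about. The item layout, the `anchored_last` flag, the exposure dictionary and the sample bank are all assumptions made for the example.

```python
"""Added example (not from the slides or the TAO code base): build a test
form from a larger item bank under an exposure cap, then randomise item
order and answer-choice order per test-taker while keeping the answer
key correct.

Assumptions made here: an item is a dict with 'id', 'topic', 'choices',
'key' (index of the correct choice; choice texts are unique within an
item) and an optional 'anchored_last' flag for choices such as "None of
the above" that must stay in last place, since shuffling them would change
the meaning of the item. Exposure counts live in a plain dict.
"""
import hashlib
import random

BANK = [  # constructed sample bank
    {"id": "alg1", "topic": "algebra", "choices": ["1", "2", "3", "None of the above"], "key": 1, "anchored_last": True},
    {"id": "alg2", "topic": "algebra", "choices": ["x", "2x", "x^2"], "key": 2},
    {"id": "alg3", "topic": "algebra", "choices": ["0", "1", "-1"], "key": 0},
    {"id": "geo1", "topic": "geometry", "choices": ["90", "180", "360", "None of the above"], "key": 1, "anchored_last": True},
    {"id": "geo2", "topic": "geometry", "choices": ["pi", "2pi", "pi/2"], "key": 0},
    {"id": "geo3", "topic": "geometry", "choices": ["3", "4", "5"], "key": 2},
]


def select_items(bank, exposure, per_topic, max_exposure, seed=None):
    """Pick per_topic[topic] items per topic among those still under the
    exposure cap and bump their counters, so heavily used items leave the
    pool before they can be brain-dumped in full. Raises when the bank
    cannot satisfy the request instead of silently reusing over-exposed items."""
    rng = random.Random(seed)
    chosen = []
    for topic, n in per_topic.items():
        pool = [it for it in bank
                if it["topic"] == topic and exposure.get(it["id"], 0) < max_exposure]
        if len(pool) < n:
            raise ValueError(f"bank exhausted for {topic!r}: {len(pool)} eligible, {n} needed")
        picked = rng.sample(pool, n)
        for it in picked:
            exposure[it["id"]] = exposure.get(it["id"], 0) + 1
        chosen.extend(picked)
    return chosen


def personalise(items, candidate_id, secret):
    """Shuffle item and choice order with a seed derived from a server-side
    secret and the candidate id, so the same candidate always gets the same
    form (a reconnect does not hand out a second variant) while neighbours
    get different ones. The key is re-mapped to the presented order."""
    digest = hashlib.sha256(secret + b":" + candidate_id.encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    order = list(items)
    rng.shuffle(order)
    form = []
    for it in order:
        choices = list(it["choices"])
        correct_text = choices[it["key"]]
        tail = [choices.pop()] if it.get("anchored_last") else []  # keep "None of the above" last
        rng.shuffle(choices)
        presented = choices + tail
        form.append({"id": it["id"], "choices": presented,
                     "key": presented.index(correct_text)})
    return form


def score(form, answers):
    """answers: {item_id: chosen_index} in the candidate's presented order."""
    return sum(1 for q in form if answers.get(q["id"]) == q["key"])


if __name__ == "__main__":
    exposure = {}
    picked = select_items(BANK, exposure, {"algebra": 2, "geometry": 2}, max_exposure=2, seed=2013)
    form = personalise(picked, "candidate-17", b"server-side-secret")
    for q in form:
        print(q["id"], q["choices"], "key ->", q["key"])
    print("exposure:", exposure)
```

Deriving the per-candidate seed from a server-side secret matters: with a predictable seed (the candidate id alone, or the clock) a test-taker could reconstruct a neighbour's form, which defeats the purpose of the shuffle.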


Controls can be incorporated
- Disable certain browser operations; display questions in a secure web browser window that contains no toolbars or menus, with keyboard shortcuts disabled
- Prevent accidentally exiting the assessment and task switching
- Disable the calculator; disable most networking capabilities on the machines, including wireless ones, to avoid Internet access
- Close all unnecessary ports to limit communications between test-takers


Detection with key loggers
- Key loggers (software or hardware) record all keyboard and mouse actions
- This intrudes on the user's right to privacy, so test-takers should know that they will be monitored and give written consent

Statistical detection of answer copying ([Frary1977], [Bellezza1989], [Bay1995], [Wollack2004])

Detecting highly unusual scores compared with previous assessments [Cizek2001]
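Two of the statistical checks mentioned in this deck, response latencies for item memorisation and pairwise answer-copying detection, can be shown on the same response data. The following is an added example, not code from the slides or from the cited papers: it flags test-takers who answer correctly far faster than the cohort's median, and scores each pair of test-takers by exact errors in common divided by differing answers. That ratio is a simple index in the spirit of the answer-copying literature cited above, not the exact statistic of any one of those references, and the thresholds and all responses and timings are constructed for the example.

```python
"""Added example (not from the slides or the cited references): two
statistical checks from the deck run over constructed response data.

  1. Item memorisation: a test-taker who answers items correctly much
     faster than the cohort's median latency on those items.
  2. Answer copying: for every pair of test-takers, the number of items on
     which both chose the same wrong answer (exact errors in common)
     divided by the number of items on which they differ. A simple index
     in the spirit of the cited literature, not the exact statistic of any
     paper; the 1.0 threshold is a parameter chosen here, not a validated
     cut-off.

All data below is constructed for the example.
"""
import statistics

KEY = "ABCDABCDAB"  # constructed answer key, one letter per item

RESPONSES = {  # constructed answer strings, one letter per item
    "t1": "ABCDABCCAD",  # wrong on items 8 and 10
    "t2": "ABCDABCCAD",  # identical to t1, including the same two errors
    "t3": "ABCDBBCDAC",  # wrong on items 5 and 10, with a different wrong letter on 10
    "t4": "ABCDABCDAB",  # all correct
}

LATENCIES = {  # constructed per-item response times in milliseconds
    "t1": [30000 + 500 * i for i in range(10)],
    "t2": [29000 + 400 * i for i in range(10)],
    "t3": [32000 - 300 * i for i in range(10)],
    "t4": [2000 + 100 * i for i in range(10)],  # suspiciously fast on every item
}


def fast_correct_share(taker, responses, latencies, key, ratio=0.25):
    """Share of items the taker got right in under `ratio` times the
    cohort median latency for that item."""
    n_fast = 0
    for i, correct in enumerate(key):
        median = statistics.median(lat[i] for lat in latencies.values())
        if responses[taker][i] == correct and latencies[taker][i] < ratio * median:
            n_fast += 1
    return n_fast / len(key)


def flag_memorisers(responses, latencies, key, ratio=0.25, min_share=0.5):
    """Test-takers whose fast-and-correct share is at least min_share."""
    return sorted(t for t in responses
                  if fast_correct_share(t, responses, latencies, key, ratio) >= min_share)


def eeic_over_d(a, b, key):
    """Exact errors in common divided by the number of differing answers."""
    eeic = sum(1 for x, y, k in zip(a, b, key) if x == y and x != k)
    d = sum(1 for x, y in zip(a, b) if x != y)
    if d == 0:
        # identical answer strings: damning if they share errors,
        # unremarkable if both are simply perfect scores
        return float("inf") if eeic else 0.0
    return eeic / d


def flag_copying_pairs(responses, key, threshold=1.0):
    """All pairs whose index exceeds the threshold, as (a, b, index)."""
    names = sorted(responses)
    flagged = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            r = eeic_over_d(responses[a], responses[b], key)
            if r > threshold:
                flagged.append((a, b, r))
    return flagged


if __name__ == "__main__":
    print("possible memorisers:", flag_memorisers(RESPONSES, LATENCIES, KEY))
    print("suspicious pairs   :", flag_copying_pairs(RESPONSES, KEY))
```

Both checks only raise candidates for review: a fast, correct test-taker may simply be well prepared, and two identical perfect scripts prove nothing, which is why the copying index treats shared correct answers as neutral and only shared wrong answers as evidence.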


Test takers could easily hire a good test-taker to take their tests (proxy test-taking)

Specific to CBA (for instance, this is not an issue for bank accounts: there the legitimate user wants to keep impostors out, whereas here the legitimate user is the one who wants the impersonation to succeed)


Authentication factors

What you know: passwords, challenge-response, one-time passwords, etc.

What you have: smart cards, smart badges, etc.


What you are: fingerprints, iris recognition, retina scan, facial recognition, palm-vein scan
- Legal issues (especially in the EU)

What you do: electronic signatures (writing speed, pen pressure, etc.)


Continuous authentication
- Video monitoring
- Fingerprint mouse
- Mouse and/or keystroke analysis
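Keystroke analysis is the one item in this list that needs no extra hardware, and it answers the proxy-test-taker problem of the earlier slide: the person who enrolled is compared against whoever is typing now. The following is an added example, not code from the slides or from TAO: it builds a profile of per-key hold times and per-digraph flight times from constructed enrolment sessions and scores later samples by their mean absolute z-distance from that profile. The timings, the 2.5 z-score threshold, the 1 ms floor on the standard deviation and the minimum-overlap rule are all assumptions made for the example.

```python
"""Added example (not from the slides or TAO): continuous authentication
from keystroke dynamics. An enrolment profile of per-key hold times and
per-digraph flight times is built from a few typing sessions; later
samples captured during the test are scored by their mean absolute
z-distance from the profile and rejected when they drift too far.

All timings are constructed; the 2.5 z-score threshold, the 1 ms floor on
the standard deviation and the minimum-overlap rule are assumptions for
the example, not calibrated values.
"""
import statistics
from collections import defaultdict


def synth(text, hold_ms, flight_ms):
    """Constructed key events (key, down_ms, up_ms) for `text`, with a
    small key-dependent variation so not every key looks identical."""
    events, t = [], 0
    for ch in text:
        hold = hold_ms + (ord(ch) % 5) * 4
        events.append((ch, t, t + hold))
        t += flight_ms + (ord(ch) % 3) * 6
    return events


def features(events):
    """Hold time per key ('H:k') and down-down flight time per digraph ('F:k>n')."""
    feats = defaultdict(list)
    for i, (key, down, up) in enumerate(events):
        feats[f"H:{key}"].append(up - down)
        if i + 1 < len(events):
            next_key, next_down, _ = events[i + 1]
            feats[f"F:{key}>{next_key}"].append(next_down - down)
    return feats


def build_profile(sessions):
    """Pool feature values over enrolment sessions into (mean, stdev)."""
    pooled = defaultdict(list)
    for events in sessions:
        for name, values in features(events).items():
            pooled[name].extend(values)
    # the 1 ms floor keeps a feature with near-zero spread from dominating the score
    return {name: (statistics.mean(v), max(statistics.pstdev(v), 1.0))
            for name, v in pooled.items() if len(v) >= 2}


def distance(profile, events, min_shared=5):
    """Mean |z| over features the sample shares with the profile, or None
    when the overlap is too small to judge (short or unusual input)."""
    zs = []
    for name, values in features(events).items():
        if name in profile:
            mean, sd = profile[name]
            zs.extend(abs(v - mean) / sd for v in values)
    return statistics.mean(zs) if len(zs) >= min_shared else None


def verify(profile, events, threshold=2.5, min_shared=5):
    """'match', 'mismatch', or 'undecided' when the sample is too short to score."""
    d = distance(profile, events, min_shared)
    if d is None:
        return "undecided"
    return "match" if d <= threshold else "mismatch"


PHRASE = "the cat sat"
# Three constructed enrolment sessions of the same candidate, each a little
# faster or slower than the last, as a real person's typing drifts.
ENROLMENT = [synth(PHRASE, 85, 152), synth(PHRASE, 90, 160), synth(PHRASE, 95, 168)]
PROFILE = build_profile(ENROLMENT)
SAME_PERSON = synth(PHRASE, 93, 155)   # later sample from the enrolled candidate
IMPOSTOR = synth(PHRASE, 140, 260)     # a slower typist who took over the seat

if __name__ == "__main__":
    print("candidate:", verify(PROFILE, SAME_PERSON), round(distance(PROFILE, SAME_PERSON), 2))
    print("impostor :", verify(PROFILE, IMPOSTOR), round(distance(PROFILE, IMPOSTOR), 2))
```

The "undecided" outcome is deliberate: a sample that shares too few features with the profile (a short answer, or text made of keys never seen at enrolment) should trigger another look rather than a rejection, and, as the key-logger slide notes, capturing timings at all requires informed written consent from the test-taker.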

State of the Art Overview

224 references surveyed (coverage table not reproduced here)

Legend:
- Not covered or very briefly exposed
+ Partially covered
++ Playing a central role


Main concerns:
- Results integrity: cheating
- Test-taker integrity: authentication
- Test/item confidentiality: brain dump

Lacks:
- Availability: classical security
- Results confidentiality
- Isolated solutions: research works focus on a specific risk/context

Conclusion

Security is still a challenge in CBA
- As for any IT system, there are many classical IT security risks in CBA
- There are many risks specific to CBA


Future work: development of a framework adequate to analyse and assess information security in CBA processes, taking the different contexts into account.


Context variables:
- Summative purpose / Formative purpose
- Low stakes / High stakes
- Small scale / Large scale
- Population scope / Individual scope
- Manual scoring / Automatic scoring
- Centralized collection / Decentralized collection
- Physical delivery / Network delivery
- Low exposure / High exposure

herve.cholez@tudor.lu
patrick.plichart@taotesting.com

contact@tao.lu
