Understanding Your Blackboard Learn™ Environment So That You Can Audit It Effectively
March 5, 2015, 8:00 a.m. – 9:10 a.m.
TACUA 2015
Our backgrounds
March 2015, TACUA Conference 2015
Objectives & Agenda
After attending this presentation, participants will:
1. Have a general understanding of the architecture that may be in place to support a Blackboard Learn™ environment.
2. Be able to identify key functions within the application.
3. Understand how integrations are set up.
4. Be introduced to Building Blocks, and the risks that come along with their implementation.
5. Know potential areas of concern that an audit team should be mindful of related to the Learn environment.
6. Know different controls that can be implemented to enhance the overall security of the environment.
Introduction
What is eLearning?
Why and How Did We Audit It?
Application Overview
Access Controls
Application Inherent Weaknesses
Intro to Controls
Audit Results: Value Added
What is eLearning?
The use of electronic educational technology.
Stakeholders shown in the slide's diagram: eLearning, Provost, Info Resources, Compliance Training, Registrar, Faculty, Students.
Risky Process?
Annual Audit Plan – IT Risk Assessment
Activities / Controls* / 1 2 3 4 5
Policies: HH TAC 202 HM UTS 165 Security Policy HM IT Security Policies and Procedures MH I/R Policies and Procedures
Standards: HM Systems Development Process MH Application Development Standards MH Data Definitions MH Documentation Requirements for Applications MM Configuration Management
Organization and Management: HH I/R Planning and Governance HM Change Management HM Risk Assessment HM Project Management and Quality Assurance MH Organization Structure
Physical and Environmental Controls: HH Backup and Recovery HM Data Centers MH Cloud Computing
Information Resources: HM Unix HM Networking HM Active Directory MM Web Services MM Email
Systems Development Controls: HM Systems Development Controls HM Application Maintenance Processes HM Vendor Review Process and Purchased Software
Application-Based Controls: HM Gemini (HR/Finance) HM eLearning/Blackboard HM OnBase HL Orion (Student) MM Comet Cards
IT Security: HH Encryption HH Identity Management HM Access Controls: Firewall/Intrusion Prevention and Detection System HM Patch Management HM Vulnerability Assessment
The Audit… How Did We Get Started?
Audit Objective: To ensure adequate controls existed over the application to ensure compliance… effectiveness and efficiency… reliability and integrity of information… safeguarding of assets.
Planning:
• Interviews
• Review of Blackboard contract
• TAC 202, UTS 165, FERPA
• Blackboard user manuals, documents
eLearning/Blackboard Risk Assessment
Risk categories (slide diagram): Governance, Operations, Access Management, Compliance
Risk areas shown: Policies & procedures; Building Block Management; Passwords; FERPA; System Development & Maintenance; Database Configuration & Management; Access controls; Confidential Data; Change Management; Encryption; TAC 202, UTS 165; Logs: Monitoring, Maintenance, and Retention
The Audit Program
Learning Management System
• Application Overview
• Access Controls
• Inherent Weaknesses
• Introduction to Controls
Application Overview
Architecture/Hardware
Load Balanced Configuration
Benefits: the typical high-performance/high-availability configuration; scales as the environment grows.
1. Web/App Server
2. Collaboration Server
3. File System Server (Content Storage)
4. Database Server
Architecture (less common)
No redundancy. Suitable for development or test environments.
Architecture – considerations
Ability to run on a Unix or a Windows operating system.
Assess general controls on the servers BEFORE assessing security around the application:
• Identify administrators
• Validate services and applications
• Open ports
• Patching
• Age of hardware
Key Processes
Category / Process
Authentication: setup of authentication
Courses: creating courses; course enrollments; course archive; course bulk delete
Grading: grading schema; grading
User / Role Creation: creating users within the application; designing roles; assigning roles to users
Reference: https://help.blackboard.com/
Integrations
• Allow for automation of specific tasks.
• Five types of integrations are available.
• The type of integration used depends on the data format produced by the source Student Information System.
https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)
Integration Setup Process
1. User Name and Password Setup
Location: System Admin > Building Blocks > Data Integration > Student Information System Integrations
Integrations – Data Transfer
https://www.youtube.com/watch?v=IE5eWBzz9aw
cURL: a utility to transfer data from one location to another.
Sample cURL file (screenshot): note the clear-text password.
Integrations – Flow
Integration – Logging
https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)/SIS_Framework_Overview
Integration – Suggested Audit Procedures
• Document the data flow from the SIS into Blackboard.
• Review access to set up and inactivate integrations.
• Review access to the integration password within the application (path: System Admin > Data Integration > Integration Password, or System Admin > Data Integration > Student Information System Integrations > 'Edit').
• Determine the location where the cURL file is saved.
• Determine whether it is appropriate to limit the integration process so that it can only be initiated from an authorized site/IP address.
• Review integration logs.
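The clear-text password in the sample cURL file, and the "where is the cURL file saved" procedure above, are both things an auditor can check mechanically. The following Python script is an added example written for this page, not Blackboard's tooling and not from the presentation: it scans an integration script for a password passed on the command line or embedded in the URL, for disabled TLS verification (cURL's -k/--insecure) and for plain http, and checks that the script file is not readable by other accounts on the server. The two embedded scripts, the endpoint URL and the file paths are constructed for the example; the hardened variant uses cURL's real --netrc-file option so the credential lives in a separate mode-0600 file.

```python
"""Audit helper for SIS-integration cURL scripts (added example).

Not Blackboard's tooling.  The script text, endpoint URL and file locations
below are constructed for this example.
"""
import os
import re
import stat
import tempfile

# "-u user:password" or "--user user:password" on the command line
USER_OPT = re.compile(r"(?:^|\s)(?:-u|--user)\s+['\"]?([^\s'\":]+):([^\s'\"]+)")
# scheme://user:password@host embedded in the URL
URL_CRED = re.compile(r"https?://([^/\s:@]+):([^@\s]+)@")
INSECURE = re.compile(r"(?:^|\s)(?:-k|--insecure)(?:\s|$)")
PLAIN_HTTP = re.compile(r"(?:^|\s)http://")


def scan_script_text(text):
    """Return (line_number, finding) tuples.  Only the account name is
    reported; the password itself is never echoed back."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = USER_OPT.search(line)
        if m:
            findings.append((n, "clear-text password on the command line for '%s'" % m.group(1)))
        m = URL_CRED.search(line)
        if m:
            findings.append((n, "clear-text password embedded in the URL for '%s'" % m.group(1)))
        if INSECURE.search(line):
            findings.append((n, "TLS certificate verification disabled (-k/--insecure)"))
        if PLAIN_HTTP.search(line):
            findings.append((n, "feed sent over plain http"))
    return findings


def scan_script_file(path):
    """Scan the file contents plus its Unix permission bits."""
    with open(path, "r", encoding="utf-8") as fh:
        findings = scan_script_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # line 0 marks a finding about the file itself rather than a line in it
        findings.append((0, "script readable by group or world (mode %04o)" % mode))
    return findings


def write_and_scan(text, mode):
    """Write the text to a temporary file with the given mode and scan it."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return scan_script_file(path)
    finally:
        os.unlink(path)


# Constructed sample in the style of the slide's screenshot: credentials inline.
WEAK_SCRIPT = """#!/bin/sh
# constructed example of an SIS feed upload; not a real Blackboard script
curl -u integration_user:Secr3tPass -k --data-binary @courses.txt \\
  https://learn.example.edu/webapps/bb-data-integration-flatfile-BBLEARN/endpoint/course/store
"""

# Constructed hardened variant: curl reads the credential from a netrc file
# (curl's --netrc-file option) that only the integration account can read.
HARDENED_SCRIPT = """#!/bin/sh
# constructed example; credentials live in a mode-0600 netrc file
curl --netrc-file /etc/bb-sis/.netrc --data-binary @courses.txt \\
  https://learn.example.edu/webapps/bb-data-integration-flatfile-BBLEARN/endpoint/course/store
"""

if __name__ == "__main__":
    for label, script, mode in (("weak", WEAK_SCRIPT, 0o644), ("hardened", HARDENED_SCRIPT, 0o600)):
        print(label)
        for line_no, finding in write_and_scan(script, mode):
            print("  line %d: %s" % (line_no, finding))
```

Run against the real script location found during the audit, the file-mode check is the one most often missed: a script with no inline password still leaks the credential if the netrc file or the script's working directory is group- or world-readable.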
Building Blocks (BB)
• Extend the functionality of the application.
• Developed both by Blackboard and third-party developers.
• Have access to user data that is maintained within the application.
• Permissions are 'set up' at the time a building block is installed.
• Critical that a process is in place for review of BB privileges prior to installation.
• Building blocks require periodic updates that are installed separately from the application service packs.
Building Blocks
• Security privileges for BBs can also be reviewed via 'bb-manifest.xml'.
• There is one bb-manifest file for each BB that has been installed.
• Example of wild card notation in a manifest permission entry:
  <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>
  (&lt;&lt;ALL FILES&gt;&gt; is the Java FilePermission wildcard matching every file on the server)
https://help.blackboard.com/en-us/Learn/9.1_2014_04/Administrator/080_Developer_Resources/020_Develop/000_Building_Blocks/005_Building_Blocks_and_Java_Permissions
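Because there is one bb-manifest.xml per installed block, the permission review can be scripted across the whole installation. The Python below is an added example written for this page, not from the presentation and not Blackboard's tooling: it parses the <permissions> block of a manifest, flags the wildcard FilePermission shown above along with other standard Java permissions that matter (AllPermission, SocketPermission on any host, recursive file paths with write/delete/execute, RuntimePermission and ReflectPermission targets that let code escape the sandbox), and can walk an installation directory for every manifest it contains. The manifest text is constructed and trimmed to the elements quoted on the slide; real manifests carry more metadata, and the installation root passed to review_installed is whatever path the audit finds.

```python
"""Review the permissions declared in bb-manifest.xml files (added example).

Not Blackboard's tooling.  The manifest below is constructed and trimmed to
the <permissions> block; the element form follows the entry quoted on the
slide.  Severity rules rest on standard java.security permission semantics.
"""
import os
import xml.etree.ElementTree as ET

# RuntimePermission targets that let code escape the sandbox or load code.
RISKY_RUNTIME = {"createClassLoader", "setSecurityManager",
                 "accessDeclaredMembers", "setContextClassLoader"}


def classify(ptype, name, actions):
    """Return (severity, reason) for one permission, or None if it looks benign."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    if ptype == "java.security.AllPermission":
        return "critical", "AllPermission grants every permission"
    if ptype == "java.io.FilePermission":
        if name == "<<ALL FILES>>":
            return "high", "wildcard <<ALL FILES>> with actions %s" % ",".join(sorted(acts))
        if name.endswith("/-") or name.endswith("/*"):
            sev = "high" if acts & {"write", "delete", "execute"} else "medium"
            return sev, "recursive/wildcard path %s with actions %s" % (name, ",".join(sorted(acts)))
    if ptype == "java.net.SocketPermission" and name.startswith("*"):
        return "high", "may open connections to any host (%s)" % ",".join(sorted(acts))
    if ptype == "java.lang.RuntimePermission" and name in RISKY_RUNTIME:
        return "medium", "RuntimePermission %s" % name
    if ptype == "java.lang.reflect.ReflectPermission" and name == "suppressAccessChecks":
        return "medium", "reflection may bypass Java access checks"
    return None


def review_manifest(xml_text):
    """Parse one manifest and return the flagged permissions as dicts."""
    root = ET.fromstring(xml_text)
    flagged = []
    for perm in root.iter("permission"):
        ptype = perm.get("type", "")
        name = perm.get("name", "")
        actions = perm.get("actions", "")
        hit = classify(ptype, name, actions)
        if hit:
            flagged.append({"type": ptype, "name": name, "actions": actions,
                            "severity": hit[0], "reason": hit[1]})
    return flagged


def review_installed(root_dir):
    """Walk an installation tree and review every bb-manifest.xml found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        if "bb-manifest.xml" in files:
            path = os.path.join(dirpath, "bb-manifest.xml")
            with open(path, "r", encoding="utf-8") as fh:
                results[path] = review_manifest(fh.read())
    return results


# Constructed manifest fragment (not a real Building Block).  The <<ALL FILES>>
# name is written with XML entities, as it must be inside an attribute value.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest>
  <plugin>
    <name value="Constructed Example Block"/>
    <handle value="example-block"/>
    <permissions>
      <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>
      <permission type="java.net.SocketPermission" name="*" actions="connect,resolve"/>
      <permission type="java.lang.RuntimePermission" name="accessDeclaredMembers"/>
      <permission type="java.util.PropertyPermission" name="java.version" actions="read"/>
    </permissions>
  </plugin>
</manifest>
"""

if __name__ == "__main__":
    for f in review_manifest(SAMPLE_MANIFEST):
        print("%-8s %s %s: %s" % (f["severity"], f["type"], f["name"], f["reason"]))
```

The output is the list an auditor needs for the "review BB permissions" step: each flagged entry with its severity and the reason, which can be compared against the business need recorded when the block was approved.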
Building Blocks
Global Configuration Setting – menu path: Building Blocks > Installed Tools > Global Settings
List of Installed Building Blocks – menu path: System Admin > Building Blocks > Building Blocks > Installed Tools
Administrative Building Blocks
LoginAs – http://projects.oscelot.org/gf/project/loginas/
Allows individuals with access to log in as another user within the application without knowing the other user's password.
Designed to assist administrators with troubleshooting, but presents an opportunity for abuse.
Effectively allows impersonation of another user.
LOGIN AS – application path: System Admin > Building Blocks > Building Blocks > Installed Tools > LOGIN AS Configuration
Administrative Building Blocks
Impersonate – http://projects.oscelot.org/gf/project/impersonate/frs/
Another BB similar to LoginAs.
Application path: System Admin > Tools and Utilities
Building Blocks – Suggested Audit Procedures
• Generate a listing of the BBs that are installed; evaluate whether there is a strong business need for each.
• Ensure all BBs are up to date.
• Review BB permissions.
• Evaluate the process for approval/review of BB permissions prior to installation.
• Ensure access to administrative BBs (such as LoginAs) is restricted.
• Review audit logs for administrative BBs to determine whether they are being misused.
Access Controls
INSTITUTIONAL HIERARCHY
• Organize users, courses and organizations
• Delegate administration
• Flexibility in the 'power' of administrative privileges
Example hierarchy from the slide diagram (labels in the order extracted; the tree nesting is not recoverable): Texas Tier 1 University; Richardson Campus; Admin user FOX; Dallas Campus; School of Engineering; Admin user Romo; School of Business; Admin user Nash; Accounting; Course Creator user Ali; Admin user Mickey; Finance; Denton Campus; Spring Courses; Admin user Mike; Fall Course; Admin user Steve; Course Creator user FOX
APPLICATION PATH: System Admin > Institutional Hierarchy
TYPES OF ROLES
System Roles
• Control the administrative privileges assigned to a user.
Course and Organization Roles
• Control access to the content and tools within a course or organization. Each user is assigned a role for each course or organization in which they participate.
• For example, a user with a role of Teaching Assistant in one course can have a role of Student in another course.
Institution Roles
• Control what brands, tabs, and modules users see when they log in to Blackboard Learn.
• Institution roles also grant or deny access to Content Collection files and folders.
TYPES OF ROLES
System Roles: System Administrator; System Support; Course Administrator; User Administrator; Support
Course and Organization Roles: Instructor; Teaching Assistant; Course Builder; Grader; Student
Institution Roles: Student (Participant); Faculty; Staff; Alumni
INSTITUTIONAL HIERARCHY (screenshot labels): INSTITUTIONAL ROLE; COURSE ROLE
PRIVILEGE REVIEW
Vendor Master Role Spreadsheet: https://help.blackboard.com/@api/deki/files/77249/Administrator_Privilege_Descriptions.xls
PRIVILEGE REVIEW
System Roles
• In the Administrator Panel, in the Users section, click System Roles.
• On the System Roles page, access the role's contextual menu.
• Click Privileges.
• Click Show All.
• Highlight both columns and copy.
• Open Excel and use Paste as Text to get a listing of all the privileges allowed within the role.
• Repeat for all the system roles.
Course and Organization Roles
• In the Administrator Panel, in the Users section, click Course/Organization Roles.
• On the Course/Organization Roles page, access the role's contextual menu.
• Click Privileges.
• Click Show All.
• Highlight both columns and copy.
• Open Excel and use Paste as Text to get a listing of all the privileges allowed within the role.
• Repeat for all the course roles.
USER ROLE ASSIGNMENTS
SYSTEM ROLE
    -- One row per account, with the system_role code translated to its label
    SELECT users.user_id, users.lastname, users.firstname,
           CASE
               WHEN system_role = 'Y' THEN 'Community Administrator'
               WHEN system_role = 'C' THEN 'Course Administrator'
               WHEN system_role = 'Course_Coordinator_Bb' THEN 'Course Coordinator Bb'
               WHEN system_role = 'Z' THEN 'System Administrator'
               WHEN system_role = 'H' THEN 'System Support'
               WHEN system_role = 'S' THEN 'System Support II'
               WHEN system_role = 'A' THEN 'User Administrator'
               WHEN system_role = 'N' THEN 'None'
               WHEN system_role = 'O' THEN 'Observer'
               ELSE 'Undefined'
           END AS Role
    FROM users
    ORDER BY user_id;
COURSE ROLES
    -- One row per enrollment in the selected term's available courses
    SELECT cm.course_id, users.user_id, users.lastname, users.firstname, users.batch_uid,
           CASE
               WHEN course_role = 'B' THEN 'Course Builder'
               WHEN course_role = 'E' THEN 'Course Guest'
               WHEN course_role = 'G' THEN 'Grader'
               WHEN course_role = 'I' THEN 'UG Teaching Intern'
               WHEN course_role = 'P' THEN 'Instructor'
               WHEN course_role = 'S' THEN 'Student'
               WHEN course_role = 'T' THEN 'Teaching Assistant'
               WHEN course_role = 'Inc' THEN 'Incomplete'
               WHEN course_role = 'CCta' THEN 'Course Coordinator'
               WHEN course_role = 'PU' THEN 'Portfolio User'
               WHEN course_role = 'U' THEN 'Guest'
               WHEN course_role = 'v' THEN 'Visitor'
               ELSE 'Undefined'
           END AS Role
    FROM course_main cm
    JOIN course_users cu ON cu.crsmain_pk1 = cm.pk1
    JOIN course_roles cr ON cr.course_role = cu.role
    JOIN users ON users.pk1 = cu.users_pk1
    WHERE cm.course_id LIKE '2142%'      -- restrict to one term's course IDs, as in the original filter
      AND cm.available_ind = 'Y';
*Some CRITICAL AREAS to CONTROL
Path / Functionality / Risk
• Path: System Admin > Building Blocks > Authentication
  Functionality: ability to set up and disable authentication against a directory service
  Risk: if a user inactivates the authentication service that is utilized by users, essentially all non-local users are locked out.
• Path: System Admin > Building Blocks > Data Integration
  Functionality: ability to set up and disable integrations, and to set up and view the integration password
• Path: System Admin > Tools and Utilities > System Logs
  Functionality: set the frequency and timing of log rotation
  Risk: log frequency can be set to 0 days, meaning no logs will be retained.
• Path: System Admin > Tools and Utilities > Logs
  Functionality: ability to view and purge logs
  Risk: users with update access can purge the logs.
• Path: System Admin > Security > Privileges
  Functionality: ability to modify the privileges provided by each role
  Risk: ability to modify role privileges is not restricted.
• Path: System Admin > Security > Safe HTML Filter
  Functionality: ability to enable/disable filtering of 'unsafe' HTML
• Path: System Admin > Courses > Course Settings > Default Grading Schema
  Functionality: allows setup of the configuration that turns exam scores into letter-grade equivalents, for example 90 = A, 80 = B
• Bulk Delete
• Batch enroll/quick enroll
*CRITICAL DIRECTORIES
Blackboard Learn includes a set of system administration tools that must be run from the command line.
blackboard_home/tools/admin
blackboard/apps/bbcms/bin
https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/150_System_Management/050_Command_Line_Tools
DEFAULT APPLICATION ACCOUNTS
1. Administrator – the account has full Blackboard Learn administrator privileges.
2. root_admin – the account has full administrative privileges.
ACCESS CONTROL – SUGGESTED PROCEDURES
• Role design: confirm 'critical/sensitive' privileges are only provided to privileged roles.
• Ensure roles are assigned in line with an individual's job responsibilities.
• Data analysis: query the listing of faculty members and course enrollments from the Student System and join it with data from Blackboard to identify potential 'issues'.
• Validate that access to critical directories is restricted.
• Determine whether default application accounts are enabled, and who has access to them (is aware of the password).
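The data-analysis procedure above (join the Student System's faculty and enrollment listing against Blackboard's) builds directly on the role queries from the 'User Role Assignments' slide. The Python below is an added example, not from the presentation: it loads a trimmed copy of the Blackboard tables named in those queries (users, course_main, course_users, with the same system_role and course_role codes) and a sis_instructors table standing in for the Student System extract into an in-memory SQLite database, then runs the three reconciliation queries an auditor wants: instructors in Learn whom the SIS does not list for that course, SIS instructors who lack the Instructor role in Learn, and every account holding a system role other than 'None'. All rows are constructed; the real schema has many more columns, and the term prefix 2142 is carried over from the slide's filter.

```python
"""Reconcile Blackboard course roles against a Student Information System
extract (added example, not from the presentation).

Table/column names and role codes follow the 'User Role Assignments' slide;
the schema is trimmed to those columns and every row is constructed.
"""
import sqlite3

# Role code labels as used in the slide's system-role query
SYSTEM_ROLES = {"Y": "Community Administrator", "C": "Course Administrator",
                "Z": "System Administrator", "H": "System Support",
                "S": "System Support II", "A": "User Administrator",
                "N": "None", "O": "Observer"}


def build_db():
    """Create an in-memory database with constructed Blackboard and SIS rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (pk1 INTEGER PRIMARY KEY, user_id TEXT, lastname TEXT,
                            firstname TEXT, system_role TEXT);
        CREATE TABLE course_main (pk1 INTEGER PRIMARY KEY, course_id TEXT, available_ind TEXT);
        CREATE TABLE course_users (crsmain_pk1 INTEGER, users_pk1 INTEGER, role TEXT);
        CREATE TABLE sis_instructors (course_id TEXT, user_id TEXT);  -- stands in for the SIS extract
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "jsmith", "Smith", "Jane", "N"),
        (2, "bjones", "Jones", "Bob", "Z"),     # system administrator
        (3, "akhan", "Khan", "Ana", "N"),
        (4, "tlee", "Lee", "Tom", "N"),
    ])
    conn.executemany("INSERT INTO course_main VALUES (?,?,?)", [
        (10, "2142-ACCT-3301", "Y"), (11, "2142-FIN-3320", "Y"), (12, "2138-OLD-1000", "N"),
    ])
    conn.executemany("INSERT INTO course_users VALUES (?,?,?)", [
        (10, 1, "P"), (10, 4, "S"), (11, 3, "P"),
        (11, 2, "P"),   # the system administrator also holds Instructor on FIN-3320
    ])
    conn.executemany("INSERT INTO sis_instructors VALUES (?,?)", [
        ("2142-ACCT-3301", "jsmith"), ("2142-FIN-3320", "akhan"), ("2142-FIN-3320", "tlee"),
    ])
    return conn


def unexpected_instructors(conn, term_prefix="2142"):
    """Instructors ('P') in available Learn courses whom the SIS does not list."""
    return conn.execute("""
        SELECT cm.course_id, u.user_id
        FROM course_users cu
        JOIN course_main cm ON cm.pk1 = cu.crsmain_pk1
        JOIN users u ON u.pk1 = cu.users_pk1
        LEFT JOIN sis_instructors s ON s.course_id = cm.course_id AND s.user_id = u.user_id
        WHERE cu.role = 'P' AND cm.available_ind = 'Y'
          AND cm.course_id LIKE ? AND s.user_id IS NULL
        ORDER BY cm.course_id, u.user_id""", (term_prefix + "%",)).fetchall()


def missing_instructors(conn):
    """SIS instructors who do not hold the Instructor role in Learn."""
    return conn.execute("""
        SELECT s.course_id, s.user_id
        FROM sis_instructors s
        LEFT JOIN course_main cm ON cm.course_id = s.course_id
        LEFT JOIN users u ON u.user_id = s.user_id
        LEFT JOIN course_users cu ON cu.crsmain_pk1 = cm.pk1
                                  AND cu.users_pk1 = u.pk1 AND cu.role = 'P'
        WHERE cu.users_pk1 IS NULL
        ORDER BY s.course_id, s.user_id""").fetchall()


def privileged_system_users(conn):
    """Every account whose system role is anything other than 'None'."""
    rows = conn.execute(
        "SELECT user_id, system_role FROM users WHERE system_role <> 'N' ORDER BY user_id")
    return [(uid, SYSTEM_ROLES.get(code, "Undefined")) for uid, code in rows]


if __name__ == "__main__":
    db = build_db()
    print("instructors not in SIS:", unexpected_instructors(db))
    print("SIS instructors missing in Learn:", missing_instructors(db))
    print("privileged system roles:", privileged_system_users(db))
```

Against a real extract the same three queries run unchanged on the production database once the SIS listing is loaded into a scratch table; the first result set is the one to follow up first, since an unexpected Instructor can view and change grades for that course.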
INHERENT WEAKNESSES
LOCAL/STANDALONE ACCOUNTS
No capability to enforce 'acceptable' passwords for local accounts:
• Password complexity
• Password expiration
• Account lockout
As a result, a manual process must be in place to ensure local accounts are set up in line with university policies.
VIRUS DETECTION
Does not support anti-virus scanning of files uploaded by users into the system. "This feature is on the Blackboard Learn Product Security Roadmap. Any statements about future expectations, plans and prospects for Blackboard represent the Company's views as of January 1, 2013. Actual results may differ materially as a result of various important factors. The Company anticipates that subsequent events and developments will cause the Company's views to change. However, while the Company may elect to update these statements at some point in the future, the Company specifically disclaims any obligation to do so."
Ensure management is aware of the risk of malicious files being delivered through Learn.
Virus detection is critical on machines that are utilized by faculty, TAs and admin staff.
https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/050_Security/000_Key_Security_Features/040_System_and_Information_Integrity
LOCKOUT RECOVERY
The vendor offers an 'Emergency One-time Login URL Tool' which allows creation of a temporary session for any user account.
Located in the blackboard/tools/admin/ folder.
Script name: AuthenticationOneTimeLogin.sh|bat
https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/070_Authentication/Recovering_From_a_Lockout_or_Bad_Configuration
INTRO TO CONTROLS
CONTROLS
SSL functionality: choice of where encryption is enabled.
Location: System Admin > Security and Integration > SSL Choice
GRADING SECURITY
Location: System Admin > Courses > Course Settings > Grading Security Settings
GRADING SECURITY
Location: System Admin > Courses > Course Settings > Default Grading Schemas
COURSE SIZE
Blackboard allows limits to be set up for courses.
Reporting capability is available to identify courses that may be close to or over the threshold.
Location: System Admin > System Reporting > Disk Usage
AUDIT RESULTS: VALUE ADDED
1. FERPA Data
2. Integration Security
3. System and Information Integrity
4. Database Controls
5. Authentication Controls
6. Building Blocks
7. User Access Management
8. Operational Efficiency
9. Audit Logging
10. Policies & Procedures
CONTACT INFORMATION
Ali Subhani, CISA, CIA, GSNA
Toni Stephens, CPA, CIA, CRMA
972-883-2540
972-883-4876
March 5, 2015, TACUA Conference 2015