
UNDERSTANDING YOUR BLACKBOARD LEARN™ ENVIRONMENT SO THAT YOU CAN AUDIT IT EFFECTIVELY

March 5, 2015, 8:00 a.m. – 9:10 a.m.

TACUA 2015

Our backgrounds

March 2015 TACUA Conference 2015

Objectives & Agenda

After attending this presentation, participants will:

1. Have a general understanding of the architecture that may be in place to support a Blackboard Learn™ environment.

2. Be able to identify key functions within the application.

3. Understand how integrations are set up.

4. Be introduced to Building Blocks, and the risks that come along with their implementation.

5. Know potential areas of concern that an audit team should be mindful of related to the Learn environment.

6. Know different controls that can be implemented to enhance the overall security of the environment.

Introduction

What is eLearning?

Why and How Did We Audit It?

Application Overview

Access Controls

Application Inherent Weaknesses

Intro to Controls

Audit Results: Value Added


What is eLearning?

The use of electronic educational technology.

Stakeholders shown in the slide diagram: Provost, Info Resources, Compliance Training, Registrar, Faculty, Students.

Risky Process?

Annual Audit Plan – IT Risk Assessment

Activities / Controls* / columns 1–5 as on the slide (two-letter H/M/L rating before each control, as extracted):

Policies: HH TAC 202; HM UTS 165 Security Policy; HM IT Security Policies and Procedures; MH I/R Policies and Procedures

Standards: HM Systems Development Process; MH Application Development Standards; MH Data Definitions; MH Documentation Requirements for Applications; MM Configuration Management

Organization and Management: HH I/R Planning and Governance; HM Change Management; HM Risk Assessment; HM Project Management and Quality Assurance; MH Organization Structure

Physical and Environmental Controls: HH Backup and Recovery; HM Data Centers; MH Cloud Computing

Information Resources: HM Unix; HM Networking; HM Active Directory; MM Web Services; MM Email

Systems Development Controls: HM Systems Development Controls; HM Application Maintenance Processes; HM Vendor Review Process and Purchased Software

Application-Based Controls: HM Gemini (HR/Finance); HM eLearning/Blackboard; HM OnBase; HL Orion (Student); MM Comet Cards

IT Security: HH Encryption; HH Identity Management; HM Access Controls: Firewall/Intrusion Prevention and Detection System; HM Patch Management; HM Vulnerability Assessment


The Audit…How Did We Get Started?

Audit Objective:

To ensure adequate controls existed over the application to ensure compliance, effectiveness and efficiency, reliability and integrity of information, and safeguarding of assets.

Planning

Interviews

Review of Blackboard contract

TAC 202, UTS 165, FERPA

Blackboard user manuals, documents

eLearning/Blackboard Risk Assessment

Risk areas assessed, grouped on the slide under Governance, Operations and Access Management:

• Compliance
• Policies & procedures
• Building Block management
• Passwords
• FERPA
• System development & maintenance
• Database configuration & management
• Access controls
• Confidential data
• Change management
• Encryption
• TAC 202, UTS 165
• Logs: monitoring, maintenance, and retention

The Audit Program

Learning Management System

Application Overview

Access Controls

Inherent Weaknesses

Introduction to Controls

Application Overview

Architecture/Hardware

Load Balanced Configuration:

Benefits: the typical high-performance / high-availability configuration; scales as the environment grows.

Components:

1. Web/ App Server

2. Collaboration Server

3. File System Server (Content Storage)

4. Database Server

Architecture (less common)

No redundancy; suitable for development or test environments.

Architecture – considerations

Ability to run on a Unix or a Windows operating system.

Assess general controls on the servers BEFORE assessing security around the application:

• Identify administrators
• Validate services and applications
• Open ports
• Patching
• Age of hardware

Key Processes

Category / Process

Authentication: • Setup of authentication

Courses: • Creating courses • Course enrollments • Course archive • Course bulk delete

Grading: • Grading schema • Grading

User / Role Creation: • Creating users within the application • Designing roles • Assigning roles to users

Reference: https://help.blackboard.com/

Integrations

Allow for automation of specific tasks.

Five types of integrations are available.

The type of integration used depends on the data format produced by the source Student Information System (SIS).

https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)

Integration Setup Process

1. User Name and Password Setup

Location: System Admin > Building Blocks > Data Integration > Student Information Systems Integrations

Integrations – Data Transfer

https://www.youtube.com/watch?v=IE5eWBzz9aw

cURL: a command-line utility to transfer data from one location to another. The SIS feed is pushed to Learn by a cURL command that is normally kept in a script file on the sending host.

The sample cURL file shown on the slide contains the integration password in clear text, so whoever can read that file holds the integration credentials.

Integrations – Flow

Integration – Logging

https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)/SIS_Framework_Overview

Integration – Suggested Audit Procedures

• Document the data flow from the SIS into Blackboard.
• Review who has access to set up and inactivate integrations.
• Review who has access to the integration password within the application (PATH: System Admin > Data Integration > Integration Password, OR System Admin > Data Integration > Student Information System Integrations > 'edit').
• Determine the location where the cURL file is saved; it contains the integration password in clear text, so check who can read it.
• Determine whether it is appropriate to limit the integration process so that it can only be initiated from an authorized site/IP address.
• Review the integration logs.
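The fourth procedure, checking the cURL wrapper file for a clear-text password, as an added example; it is not part of the presentation and not Blackboard's code. The script it scans is constructed: the host, account name, password and endpoint path are placeholders. Besides the `-u user:password` form it also catches credentials embedded in the URL and the `-k`/`--insecure` flag (which turns off certificate checking on the feed), and `hardened_curl` shows the same push with the password moved into a `.netrc` file that `netrc_permissions_ok` confirms is readable only by its owner:

```python
"""Scan cURL wrapper scripts used for SIS integration for cleartext credentials.

Added example for this page, not Blackboard's code.  SAMPLE_SCRIPT is constructed: host,
account, password and endpoint path are placeholders.
"""
import os
import re
import shlex
import stat

SAMPLE_SCRIPT = """#!/bin/sh
# nightly SIS push (constructed sample, not a real integration)
FEED=/opt/sis/export/enrollments.txt
curl -k --user sisintegration:Spring2015! --data-binary @$FEED \\
  https://learn.example.edu/webapps/bb-data-integration-flatfile-BBLEARN/endpoint/membership/store
curl -s https://sisintegration:Spring2015!@learn.example.edu/webapps/bb-data-integration-flatfile-BBLEARN/endpoint/dataSetStatus/42
"""

# scheme://user:password@host ... credentials carried inside the URL itself
URL_CRED = re.compile(r"^[a-z][a-z0-9+.-]*://([^/@:]+):([^/@]+)@", re.I)


def logical_lines(text):
    """Yield (first_line_no, command) with backslash-newline continuations joined."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def find_cleartext_credentials(script_text):
    """Return [(line_no, message)] for each curl call that exposes a secret or disables TLS checks."""
    findings = []
    for line_no, cmd in logical_lines(script_text):
        cmd = cmd.strip()
        if not cmd or cmd.startswith("#"):
            continue
        try:
            argv = shlex.split(cmd, comments=True)
        except ValueError:          # unbalanced quotes: not a command we can reason about
            continue
        if not argv or os.path.basename(argv[0]) != "curl":
            continue
        for i, tok in enumerate(argv):
            cred = None
            if tok in ("-u", "--user") and i + 1 < len(argv):
                cred = argv[i + 1]
            elif tok.startswith("--user="):
                cred = tok[len("--user="):]
            if cred is not None:
                user, _, password = cred.partition(":")
                if password:    # "-u user:" with no password makes curl prompt, which is fine
                    findings.append((line_no, f"cleartext password for user {user!r} on the command line"))
                continue
            # -k may be bundled with other short flags, e.g. -sk
            if re.fullmatch(r"-[A-Za-z]+", tok) and "k" in tok[1:]:
                findings.append((line_no, "TLS certificate verification disabled (-k)"))
            elif tok == "--insecure":
                findings.append((line_no, "TLS certificate verification disabled (--insecure)"))
            m = URL_CRED.match(tok)
            if m:
                findings.append((line_no, f"credentials for user {m.group(1)!r} embedded in the URL"))
    return findings


def hardened_curl(endpoint, feed_path, netrc_path):
    """argv for the same push with the password read from a .netrc file instead of the command line."""
    return ["curl", "--fail", "--silent", "--show-error",
            "--netrc-file", netrc_path, "--data-binary", "@" + feed_path, endpoint]


def netrc_permissions_ok(path):
    """True when the credential file has no group/other permission bits (e.g. mode 0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    for line_no, msg in find_cleartext_credentials(SAMPLE_SCRIPT):
        print(f"line {line_no}: {msg}")
    print(" ".join(hardened_curl("https://learn.example.edu/<endpoint>",
                                 "/opt/sis/export/enrollments.txt", "/etc/bb-sis/netrc")))
```

`curl --netrc-file` reads a `machine <host> login <user> password <secret>` entry from the named file, so the secret no longer appears in the script or in `ps` output of the running job; the file still needs mode 0600 and the same review of who can read it that the procedure above asks for the cURL file itself.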

Building Blocks (BB)

• Extend the functionality of the application.
• Developed both by Blackboard and by third-party developers.
• Have access to user data that is being maintained within the application.
• Permissions are 'set up' at the time a Building Block is installed.
• It is critical that a process is in place for review of BB privileges prior to installation.
• Building Blocks require periodic updates that are installed separately from the application service packs.

Building Blocks

• Security privileges for BBs can also be reviewed via 'bb-manifest.xml'.
• There is one bb-manifest file for each BB that has been installed.
• Example permission entry using wild card notation; this one grants read and write access to every file the application server can reach:

  <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>

https://help.blackboard.com/en-us/Learn/9.1_2014_04/Administrator/080_Developer_Resources/020_Develop/000_Building_Blocks/005_Building_Blocks_and_Java_Permissions
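A script to do the bb-manifest.xml review described above across every installed Building Block, as an added example; it is neither the presentation's nor Blackboard's code. The manifest it parses is constructed for illustration, and the `<plugin>/<permissions>` nesting and the `plugins/<handle>/bb-manifest.xml` directory layout are assumptions to verify against the install being audited. It flags the `<<ALL FILES>>` wild card (and the `/-` and `/*` forms) when paired with write, delete or execute actions, `java.security.AllPermission`, the `RuntimePermission` names that let code step outside the sandbox, and unrestricted `SocketPermission`, while leaving benign entries alone:

```python
"""Flag high-risk Java permissions declared in Building Block bb-manifest.xml files.

Added example for this page, not Blackboard's code.  SAMPLE_MANIFEST is constructed; the
directory layout assumed in audit_directory() should be checked against the environment.
"""
import glob
import os
import xml.etree.ElementTree as ET

SAMPLE_MANIFEST = """<manifest>
  <plugin>
    <name value="Sample Grade Sync Tool"/>
    <handle value="sample-gradesync"/>
    <permissions>
      <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>
      <permission type="java.net.SocketPermission" name="*" actions="connect,resolve"/>
      <permission type="java.lang.RuntimePermission" name="createClassLoader"/>
      <permission type="java.util.PropertyPermission" name="java.version" actions="read"/>
    </permissions>
  </plugin>
</manifest>
"""

# RuntimePermission names that let code step outside the sandbox the manifest defines.
DANGEROUS_RUNTIME = {"createClassLoader", "setSecurityManager", "setContextClassLoader",
                     "exitVM", "loadLibrary.*"}
FILE_WRITE_ACTIONS = {"write", "delete", "execute"}


def rate_permission(ptype, name, actions):
    """Return (severity, reason) for one <permission>, or None when it looks benign."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    if ptype == "java.security.AllPermission":
        return "critical", "AllPermission disables the Java sandbox entirely"
    if ptype == "java.io.FilePermission":
        # <<ALL FILES>> and a trailing /- or /* are the wild-card forms of the target name
        broad = name == "<<ALL FILES>>" or name.endswith(("/-", "\\-", "/*", "\\*"))
        if broad and acts & FILE_WRITE_ACTIONS:
            return "high", f"wild-card file grant {name!r} with {sorted(acts & FILE_WRITE_ACTIONS)}"
        if broad:
            return "medium", f"wild-card read access to {name!r}"
    if ptype == "java.lang.RuntimePermission" and name in DANGEROUS_RUNTIME:
        return "high", f"RuntimePermission {name} allows sandbox escape"
    if ptype == "java.lang.reflect.ReflectPermission" and name == "suppressAccessChecks":
        return "high", "reflection may bypass Java access checks"
    if ptype == "java.net.SocketPermission" and name.startswith("*"):
        return "medium", "network access to any host"
    return None


def audit_manifest(xml_text, source="bb-manifest.xml"):
    """Parse one manifest; return a list of finding dicts (empty when nothing is flagged)."""
    root = ET.fromstring(xml_text)
    handle_el = root.find("./plugin/handle")
    block = handle_el.get("value") if handle_el is not None else source
    findings = []
    for perm in root.iter("permission"):   # iter() finds the element however it is nested
        ptype, name, actions = (perm.get(k, "") for k in ("type", "name", "actions"))
        rated = rate_permission(ptype, name, actions)
        if rated:
            findings.append({"block": block, "severity": rated[0], "type": ptype,
                             "name": name, "reason": rated[1]})
    return findings


def audit_directory(plugins_dir):
    """Audit every <plugins_dir>/<handle>/bb-manifest.xml (layout is an assumption)."""
    results = []
    for path in sorted(glob.glob(os.path.join(plugins_dir, "*", "bb-manifest.xml"))):
        with open(path, encoding="utf-8") as fh:
            results.extend(audit_manifest(fh.read(), path))
    return results


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['severity']:<8} {f['block']:<18} {f['type']} {f['name']!r}: {f['reason']}")
```

Run `audit_directory()` against the plugins directory of each virtual installation and compare the output with the approved-permissions record from the pre-installation review; any Building Block whose grants exceed what was approved is an exception to report, whether or not the vendor documents a reason for them.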

Building Blocks

Global configuration setting. MENU PATH: System Admin > Building Blocks > Installed Tools > Global Settings

List of installed Building Blocks. MENU PATH: System Admin > Building Blocks > Building Blocks > Installed Tools

Administrative Building Blocks

LoginAs - http://projects.oscelot.org/gf/project/loginas/

Allows individuals with access to it to log in as another user within the application without knowing the other user's password. Designed to assist administrators with troubleshooting, but an opportunity for abuse: it effectively allows impersonation of another user, which is why its use must be restricted and its logs reviewed.

LOGIN AS. APPLICATION PATH: System Admin > Building Blocks > Building Blocks > Installed Tools > LOGIN AS Configuration

Impersonate - http://projects.oscelot.org/gf/project/impersonate/frs/

Another BB similar to LoginAs.

APPLICATION PATH: System Admin > Tools and Utilities

Building Blocks – Suggested Audit Procedures

• Generate a listing of the BBs that are installed; evaluate whether there is a strong business need for each.
• Ensure all BBs are up to date.
• Review BB permissions.
• Evaluate the process for approval/review of BB permissions prior to installation.
• Ensure access to administrative BBs (such as LoginAs) is restricted.
• Review the audit logs of administrative BBs to determine whether they are being misused.

Access Controls

INSTITUTIONAL HIERARCHY

• Organize users, courses and organizations
• Delegate administration
• Flexibility in the 'power' of administrative privileges

Example hierarchy (slide diagram): Texas Tier 1 University with Richardson, Dallas and Denton campuses; Dallas is divided into the School of Engineering and the School of Business (Accounting, Finance), Denton into Spring and Fall courses. Delegated administrators (FOX, Romo, Nash, Mickey, Mike, Steve) and course creators (Ali, FOX) are attached at different nodes, so each administrator's privileges reach only the users and courses beneath the node they are assigned to.

APPLICATION PATH: System Admin > Institutional Hierarchy

TYPES OF ROLES

System Roles

• Control the administrative privileges assigned to a user.

Course and Organization Roles:

• Control access to the content and tools within a course or organization. Each user is assigned a role for each course or organization in which they participate.

• For example, a user with a role of Teaching Assistant in one course can have a role of Student in another course.

Institution Roles

• Control what brands, tabs, and modules users see when they log in to Blackboard Learn.

• Institution roles also grant or deny access to Content Collection files and folders.

Examples of each type:

System Roles: • System Administrator • System Support • Course Administrator • User Administrator • Support

Course and Organization Roles: • Instructor • Teaching Assistant • Course Builder • Grader • Student

Institution Roles: • Student (Participant) • Faculty • Staff • Alumni

INSTITUTIONAL HIERARCHY (screenshot showing an institution role and a course role)

PRIVILEGE REVIEW

Vendor Master Role Spreadsheet

https://help.blackboard.com/@api/deki/files/77249/Administrator_Privilege_Descriptions.xls

System Roles

• In the Administrator Panel, in the Users section, click System Roles.
• On the System Roles page, access the role's contextual menu.
• Click Privileges.
• Click Show All.
• Highlight both columns and copy.
• Open Excel and use "paste as text" to get a listing of all the privileges allowed within the role.
• Repeat for all the system roles.

Course and Organization Roles

• In the Administrator Panel, in the Users section, click Course/Organization Roles.
• On the Course/Organization Roles page, access the role's contextual menu.
• Click Privileges.
• Click Show All.
• Highlight both columns and copy.
• Open Excel and use "paste as text" to get a listing of all the privileges allowed within the role.
• Repeat for all the course roles.

USER ROLE ASSIGNMENTS

System role (one row per user; the single-letter codes are the values stored in users.system_role):

    SELECT u.user_id, u.lastname, u.firstname,
           CASE u.system_role
             WHEN 'Y' THEN 'Community Administrator'
             WHEN 'C' THEN 'Course Administrator'
             WHEN 'Course_Coordinator_Bb' THEN 'Course Coordinator Bb'
             WHEN 'Z' THEN 'System Administrator'
             WHEN 'H' THEN 'System Support'
             WHEN 'S' THEN 'System Support II'
             WHEN 'A' THEN 'User Administrator'
             WHEN 'N' THEN 'None'
             WHEN 'O' THEN 'Observer'
             ELSE 'Undefined'
           END AS role
    FROM users u
    ORDER BY u.user_id;

Course roles (one row per enrollment in the available courses of one term; '2142%' is the term prefix in the presenters' course IDs, so substitute your own):

    SELECT cm.course_id, u.user_id, u.lastname, u.firstname, u.batch_uid,
           CASE cu.role
             WHEN 'B'    THEN 'Course Builder'
             WHEN 'E'    THEN 'Course Guest'
             WHEN 'G'    THEN 'Grader'
             WHEN 'I'    THEN 'UG Teaching Intern'
             WHEN 'P'    THEN 'Instructor'
             WHEN 'S'    THEN 'Student'
             WHEN 'T'    THEN 'Teaching Assistant'
             WHEN 'Inc'  THEN 'Incomplete'
             WHEN 'CCta' THEN 'Course Coordinator'
             WHEN 'PU'   THEN 'Portfolio User'
             WHEN 'U'    THEN 'Guest'
             WHEN 'v'    THEN 'Visitor'
             ELSE 'Undefined'
           END AS role
    FROM course_main cm
    JOIN course_users cu ON cu.crsmain_pk1 = cm.pk1
    JOIN course_roles cr ON cr.course_role = cu.role
    JOIN users u         ON u.pk1 = cu.users_pk1
    WHERE cm.course_id LIKE '2142%'
      AND cm.available_ind = 'Y'
    ORDER BY cm.course_id, u.user_id;

*Some CRITICAL AREAS to CONTROL

PATH / FUNCTIONALITY / RISK

System Admin > Building Blocks > Authentication
  Functionality: ability to set up and disable authentication against a directory service.
  Risk: if a user inactivates the authentication service that is utilized by users, essentially all non-local users are locked out.

System Admin > Building Blocks > Data Integration
  Functionality: ability to set up and disable integrations, and to set up and view the integration password.
  Risk: the integration password is the credential the cURL feed uses, so anyone who can view it can push user and enrollment data into Learn.

System Admin > Tools and Utilities > System Logs
  Functionality: set the frequency and timing of log rotation.
  Risk: the log frequency can be set to 0 days, meaning no logs will be retained.

System Admin > Tools and Utilities > Logs
  Functionality: ability to view and purge logs.
  Risk: users with update access can purge the logs.

System Admin > Security > Privileges
  Functionality: ability to modify the privileges provided by each role.
  Risk: the ability to modify role privileges is not restricted.

System Admin > Security > Safe HTML Filter
  Functionality: ability to enable/disable filtering of 'unsafe' HTML in user-entered content.
  Risk: with the filter disabled, script and other unsafe markup submitted by one user is rendered to other users (stored cross-site scripting).

System Admin > Courses > Course Settings > Default Grading Schema
  Functionality: allows set-up of the configuration that turns exam scores into letter-grade equivalents, for example 90 = A, 80 = B.
  Risk: a change here alters how scores map to letter grades in every course that uses the default schema.

Bulk Delete

Batch enroll / quick enroll

*CRITICAL DIRECTORIES

Blackboard Learn includes a set of system administration tools that must be run from the command line. Anyone with operating-system access to these directories can run them regardless of their role inside the application, so file-system permissions on them matter as much as application roles:

blackboard_home/tools/admin

blackboard/apps/bbcms/bin

https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/150_System_Management/050_Command_Line_Tools

DEFAULT APPLICATION ACCOUNTS

1. Administrator: the account has full Blackboard Learn administrator privileges.

2. root_admin: the account has full administrative privileges (the root administrator account used to manage virtual installations).

ACCESS CONTROL – SUGGESTED PROCEDURES

• Role design: confirm 'critical/sensitive' privileges are only provided to privileged roles.
• Ensure roles are assigned in line with an individual's job responsibilities.
• Data analysis: query a listing of faculty members and course enrollments from the Student System and join it with data from Blackboard to identify potential 'issues'.
• Validate that access to the critical directories is restricted.
• Determine whether the default application accounts are enabled, and who has access to them (is aware of the password).
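The data-analysis step above, joining the Student System's instructor-of-record and enrollment data with the output of the course-role query, as an added example that is not part of the presentation or of Blackboard. Both row sets are constructed; in practice `SIS_ROWS` comes from the student-system export and `LEARN_ROWS` from the course-role SQL query, and the course IDs must be on the same key (here the Learn form with the term prefix). It reports Instructor roles held by someone the SIS does not list as instructor of record, instructors of record with no Instructor role in Learn, enrollments with no SIS record, and the case a grading audit cares most about: a student holding a grading-capable role in a course they are enrolled in as a student:

```python
"""Reconcile Learn course-role assignments against the Student Information System.

Added example for this page, not the presenters' or Blackboard's code.  Both row sets are
constructed sample data: SIS_ROWS stands in for the student-system export and LEARN_ROWS
for the rows returned by the course-role query.
"""
from collections import defaultdict

# Learn course roles that can see and change grades.
GRADING_ROLES = {"Instructor", "Teaching Assistant", "Grader"}

SIS_ROWS = [  # (course_id, user_id, sis_role) - constructed
    ("2142-ACCT3301-001", "fox", "instructor"),
    ("2142-ACCT3301-001", "ali", "student"),
    ("2142-ACCT3301-001", "nash", "student"),
    ("2142-FIN3320-001", "romo", "instructor"),
    ("2142-FIN3320-001", "mickey", "student"),
]

LEARN_ROWS = [  # (course_id, user_id, learn_role) - constructed
    ("2142-ACCT3301-001", "fox", "Instructor"),
    ("2142-ACCT3301-001", "ali", "Student"),
    ("2142-ACCT3301-001", "nash", "Grader"),     # enrolled as a student per SIS
    ("2142-ACCT3301-001", "steve", "Student"),   # no SIS enrollment at all
    ("2142-FIN3320-001", "mike", "Instructor"),  # not the instructor of record
    ("2142-FIN3320-001", "mickey", "Student"),
]


def reconcile(sis_rows, learn_rows):
    """Compare the two sources course by course and return the exceptions by category."""
    sis = defaultdict(dict)      # course -> user -> sis role (lower-cased)
    for course, user, role in sis_rows:
        sis[course][user] = role.strip().lower()
    learn = defaultdict(dict)    # course -> user -> Learn course role
    for course, user, role in learn_rows:
        learn[course][user] = role.strip()

    findings = {"unexpected_instructor": [], "missing_instructor": [],
                "unexpected_enrollment": [], "student_with_grading_role": []}
    for course in sorted(set(sis) | set(learn)):
        sis_users, learn_users = sis.get(course, {}), learn.get(course, {})
        for user, role in learn_users.items():
            sis_role = sis_users.get(user)
            if role == "Instructor" and sis_role != "instructor":
                findings["unexpected_instructor"].append((course, user))
            if sis_role is None:
                findings["unexpected_enrollment"].append((course, user, role))
            if role in GRADING_ROLES and sis_role == "student":
                findings["student_with_grading_role"].append((course, user, role))
        for user, sis_role in sis_users.items():
            if sis_role == "instructor" and learn_users.get(user) != "Instructor":
                findings["missing_instructor"].append((course, user))
    return findings


if __name__ == "__main__":
    for category, rows in reconcile(SIS_ROWS, LEARN_ROWS).items():
        for row in rows:
            print(category, *row)
```

Each category maps to a different follow-up: an unexpected Instructor or a student with a grading role is an access exception to trace back to whoever made the enrollment (the integration, an administrator, or an instructor using batch/quick enroll); a missing instructor of record is an operational finding; an enrollment with no SIS record is a FERPA question about who can see the roster.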

INHERENT WEAKNESSES

LOCAL/STANDALONE ACCOUNTS

No capability to enforce an 'acceptable' password policy for local accounts (accounts authenticated by Learn itself rather than by the directory service):

• Password complexity
• Password expiration
• Account lockout

As a result, a manual process must be in place to ensure local accounts are set up in line with university policies.

VIRUS DETECTION

Learn does not support anti-virus scanning of files uploaded by users into the system. Vendor statement: "This feature is on the Blackboard Learn Product Security Roadmap. Any statements about future expectations, plans and prospects for Blackboard represent the Company's views as of January 1, 2013. Actual results may differ materially as a result of various important factors. The Company anticipates that subsequent events and developments will cause the Company's views to change. However, while the Company may elect to update these statements at some point in the future, the Company specifically disclaims any obligation to do so."

Ensure management is aware of the risk of malicious files being delivered through Learn.

Virus detection is critical on the machines used by faculty, TAs and administrative staff, since those are the machines on which uploaded files are opened.

https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/050_Security/000_Key_Security_Features/040_System_and_Information_Integrity

LOCKOUT RECOVERY

The vendor offers an 'Emergency One-time Login URL Tool' which creates a temporary session for any user account, including administrator accounts, without that account's password. It is located in the blackboard/tools/admin/ folder; script name AuthenticationOneTimeLogin.sh|bat. Because it runs from the operating system it bypasses the application's own access controls: whoever can execute it can log in as anyone, so OS-level access to this directory must be restricted and each use should be logged and reviewed.

https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/070_Authentication/Recovering_From_a_Lockout_or_Bad_Configuration

INTRO TO CONTROLS

CONTROLS

SSL functionality: a choice of where encryption is enabled, i.e. whether the whole application or only selected areas of it are forced to HTTPS. Location: System Admin > Security and Integration > SSL Choice

GRADING SECURITY

Location: System Admin > Courses > Course Settings > Grading Security Settings

Location: System Admin > Courses > Course Settings > Default Grading Schemas

COURSE SIZE

Blackboard allows size limits to be set up for courses, and reporting is available to identify courses that may be close to or over the threshold.

Location: System Admin > System Reporting > Disk Usage

AUDIT RESULTS: VALUE ADDED

1. FERPA Data

2. Integration Security

3. System and Information Integrity

4. Database Controls

5. Authentication Controls

6. Building Blocks

7. User Access Management

8. Operational Efficiency

9. Audit Logging

10. Policies & Procedures

CONTACT INFORMATION

Ali Subhani, CISA, CIA, GSNA: [email protected], 972-883-2540

Toni Stephens, CPA, CIA, CRMA: [email protected], 972-883-4876