E-LEARNING AND CYBER THREAT; A CALL FOR AWARENESS AND MITIGATION.


Onwuegbuzie I.U

Department of Computer Studies, The Federal Polytechnic Ado-Ekiti, Ekiti State.

ABSTRACT

It is the 21st century, and E-Learning has come to stay. The ever-changing and dynamic world of Information Technology (IT) makes it possible for anyone to be educated anywhere, anytime. The barrier is broken; the benefits once enjoyed by a privileged few now spread to all and sundry. It has recently been suggested that with this new way of learning (E-Learning), a student can learn about five (5) to fifteen (15) careers in his or her lifetime; this is indeed a tremendous breakthrough. But with great power comes great responsibility. The stage is set: E-Learning is making waves, and so are the challenges that come with it and militate against its success. The greatest challenge is not the emergence of a new technology or paradigm, but how to maintain and sustain such technology so that it truly yields its expected results amid various challenges. Unfortunately, E-Learning has inherited some, if not all, of the threats that haunt Internet technology and cyberspace, since it runs right on top of existing electronics and Internet technology. Attackers have found a new career for themselves and a ground on which to perpetrate their exploits, posing a great challenge to the successful implementation and use of E-Learning and E-Learning technology. Understanding the root cause of a problem goes a long way towards solving it. This paper tries to identify who these attackers are, what data they are interested in, why they carry out their mischievous activities and how best to mitigate their attacks, so that E-Learning can truly thrive and succeed. Best practices are recommended in order to successfully build and use an E-Learning platform that will stand the test of time.

Keywords: E-Learning, Information Technology, Paradigm, Internet, Attackers, Mitigate, Cyber Threat, 21st Century, Information and Communication Technology (ICT).


INTRODUCTION

The advent of the Internet is making the world a soft and flexible place, but this flexibility comes with its challenges. It is now very common to find Internet-capable devices such as smartphones, laptops and other handheld devices amongst people, meaning that before long a larger number of people will have access to the Internet via their devices.

The Internet provides us with a wealth of knowledge that knows no bounds. Hence, in this 21st century, the academic sector has decided to leverage this rich availability of knowledge in a way that benefits mankind in a well-structured and well-delivered manner, and the result is the advent of E-Learning. The development of E-Learning has led to a new way of learning and, at the same time, has given everyone an equal opportunity to become a learner on a level playing ground. Unfortunately, every successful project comes with its challenges. E-Learning has directly or indirectly inherited some, if not all, of the threats posed to users of the Internet and to Internet technology itself. How do we mitigate these challenges?

The first part of this paper discusses the E-Learning context: its definition, history, development, growth, benefits and challenges. E-Learning can take the form of an online mode, that is, Internet-enabled, or an offline mode, without the Internet. Web applications are the medium used to deliver the majority of online E-Learning services and, hence, have become the prime target of Internet attacks (Najwa-Hayaati and Ip-Shing, 2010). The second part of this paper looks at Information Security in E-Learning, which has been neglected in research. Many E-Learning institutions are rushing into adopting Information and Communication Technology (ICT) without carefully planning for and understanding the ever-present security concerns. Issues such as legitimate users, course content reliability and accessibility (including admissibility and availability), as well as other considerations, all need to be carefully addressed in order to ensure the learning process can effectively take place.

Lastly, this paper discusses the various kinds and nature of E-Learning Cyber and Internet Security threats, how they are perpetrated and how they can be identified, avoided and mitigated in order to successfully administer and use a secured E-Learning platform either offline or online.

E-LEARNING; DEFINITION AND CONCEPT

E-Learning stands for Electronic Learning. E-Learning is the use of Information and Communication Technology (ICT) devices to teach and learn electronically; that is, learners use computer devices, whether Internet-enabled or not, to carry out their learning process.

DEFINITION

E-Learning has been defined by many expert scholars from different perspectives and viewpoints: some define it in the context of technology, some in terms of education, and some in terms of collaboration, distance learning, etc. (Mason and Rennie, 2006).

Source: http://www.egiants.in/e-learning.html

E-Learning is the implementation of technology in order to support the learning process, whereby knowledge or information can be accessed using communication technology. The learning process can be continuous, provided that the content is available on the Internet (Najwa-Hayaati and Ip-Shing, 2010). A discussion paper by the Australian National Training Authority defines E-Learning as a component of flexible learning, which is a wide set of applications and processes, all of which use available electronic media to deliver education and training; this includes computer-based learning, web-based learning, virtual classrooms, and digital collaboration.

E-LEARNING TIMELINE - THE HISTORY

The term "E-Learning" has only been in existence since 1999, when the word was first utilized at a Computer Based Training (CBT) systems seminar. Other words also began to spring up in search of an accurate description, such as “Online Learning” and “Virtual Learning” (The History of E-Learning, 2013). However, the principles behind E-Learning have been well documented throughout history, and there is even evidence which suggests that early forms of E-Learning existed as far back as the 19th century. Below is a table showing how E-Learning started and evolved over the years:

| Year | Type | Description |
|---|---|---|
| 1924 | The First Testing Machine | Ohio State University Professor Sidney Pressey invented the "Automatic Teacher", the first device in Electronic Learning. |
| 1954 | The First Teaching Machine | Harvard Professor B.F. Skinner creates the "Teaching Machine" for use in schools. |
| 1960 | Computer Based Training | PLATO (Programmed Logic for Automated Teaching Operation) was the first computer-based training (CBT) program. It offered drills and the ability to skip questions. The cost was $12,000 at that time. |
| 1966 | C.A.I in Schools | Stanford University Psychology Professors Patrick Suppes and Richard C. Atkinson began using computer-aided instruction (CAI) to teach math and reading to young children in Palo Alto elementary schools. |
| 1969 | ARPANET Heralds Internet | US Department of Defense commissioned ARPANET to create Internet. |
| 1970 | Computer Mouse and GUI | Computer Mouse and the Graphical User Interface (GUI) begin at the New Jersey Institute of Technology. |
| 1980s | PCs begin with the First Mac | Personal Computer era begins with Macintosh. Online communities begin sharing information, slowly paving the way towards E-Learning. |
| 1990s | The First Digital "Native" | The first "Digital Natives" are born. Email takes off. It is the dawn of a new era in learning. Virtual Learning Environments (VLE) begin and "E-Learning" becomes a widely recognized term. |
| 2000s | Businesses Adopt E-Learning | Businesses begin rolling out E-Learning courses as a central way to train workers. Authoring tools are more accessible than ever, and a wide range of online learning opportunities are available. |
| 2010+ | Social Online learning | A new wave of learning inspired by Social Media builds momentum: YouTube, Twitter, Massive Open Online Courses (MOOCs), ScoopIt, iTunes, Skype, etc. Opportunities to connect, share information, and learn from each other are found everywhere. |

THE E-LEARNING TIMELINE

Long before the Internet was launched, distance courses were being offered to provide students with education on particular subjects or skills. In the 1840s Isaac Pitman taught his pupils shorthand via correspondence. This form of symbolic writing was designed to improve writing speed and was popular amongst secretaries, journalists, and other individuals who did a great deal of note taking or writing. Pitman, who was a qualified teacher, was sent completed assignments by mail and he would then send his students more work to be finished using the same system (The History of E-Learning, 2013).

In 1924, the first testing machine was invented. This device allowed students to test themselves. Then, in 1954, B.F. Skinner, a Harvard Professor, invented the “teaching machine”, which enabled schools to administer programmed instruction to their students. It was not until 1960, however, that the first computer-based training program was introduced to the world. This computer-based training program (or CBT program) was known as PLATO (Programmed Logic for Automated Teaching Operations). It was originally designed for students attending the University of Illinois, but ended up being used in schools throughout the area (The History of E-Learning, 2013).

The first E-Learning systems were really only set up to deliver information to students, but as we entered the 70s E-Learning started to become more interactive. In Britain the Open University was keen to take advantage of E-Learning. Their system of education has always been primarily focused on learning at a distance. In the past, course materials were delivered by post and correspondence with tutors was via mail. With the Internet, the Open University began to offer a wider range of interactive educational experiences as well as faster correspondence with students via email, etc. (The History of E-Learning, 2013).

ONLINE LEARNING TODAY

With the introduction of the computer and Internet in the late 20th century, E-Learning tools and delivery methods expanded. The first Mac in the 1980s enabled individuals to have computers in their homes, making it easier for them to learn about particular subjects and develop certain skill sets. Then, in the following decade, virtual learning environments began to truly thrive, with people gaining access to a wealth of online information and E-Learning opportunities (The History of E-Learning, 2013).

By the early 90s several schools had been set up that delivered courses online only, making the most of the Internet and bringing education to people who would not previously have been able to attend a college due to geographical, time or financial constraints. Technological advancements also helped educational establishments reduce the costs of distance learning, a saving that would also be passed on to the students - helping to bring education to a wider audience.

In the 2000s, businesses began using E-Learning to train their employees. New and experienced workers alike now had the opportunity to improve upon their industry knowledge base and expand their skill sets. At home, individuals were granted access to programs that offered them the ability to earn online degrees and enrich their lives through expanded knowledge (The History of E-Learning, 2013).


TYPES OF E-LEARNING

E-Learning comes in different types and flavours; the technique that is right for a student depends greatly on how they absorb the information being provided (Types of E-Learning (n.d.), WorldWideLearn). Below is a list of the various types of E-Learning, with brief notes.

• Purely online - No face-to-face meetings
• Blended Learning - Combination of online and face-to-face
• Synchronous - Real-time learning like online chats, teleconferencing, instant messaging that allows students and teachers to ask and answer questions immediately
• Asynchronous - Learning carried out even when the student or teacher is offline, i.e. not in real-time
• Instructor-led group
• Self-study
• Self-study with subject matter expert
• Web-based
• Computer-based (CD-ROM)
• Video/audio tape

WHY USE E-LEARNING - THE BENEFIT OF E-LEARNING

The curious nature of man has indeed worked to his advantage. Since its advent, and especially now that it is powered by ICT and the Internet, E-Learning has bridged the gap between the privileged few and the general populace. In the context of Internet learning, E-Learning makes learning a level playing ground by offering everyone the opportunity to learn. With E-Learning, distance is no longer a barrier, as one can deploy and make use of E-Learning anytime, anywhere. The flexibility which E-Learning offers is the motivating factor that compels students to choose online courses.

E-Learning is the 21st century learning technology. Companies and educational institutions are keying into this new learning paradigm because of its flexibility and result-oriented nature. One way of meeting the demand for these new skills, especially in Information Technology, is via E-Learning, which also offers the potential for continuous learning (Najwa-Hayaati and Ip-Shing, 2010).

The benefits of E-Learning cannot be overemphasized. Even before the inception of Internet technology, E-Learning had been growing gradually as it found its way into industries, companies and, most especially, the academic sector. Fortunately, Internet technology has acted as a catalyst, speeding up the way E-Learning reaches and is implemented in the far ends of the earth. Learning and research work have never been easier.

Below are the most important reasons why E-Learning is used in the various sectors that implement it:

1. Scalable, Efficient and Fast

E-Learning gives you the ability to quickly create and communicate new policies and training to a vast audience in any sector. This is achieved by using E-Learning authoring tools and Learning Management Systems (commonly called LMS). With these, one is able to reach a large audience irrespective of their status, locations and means, especially when the Internet is involved.

2. Capacity and consistency

E-Learning offers the ability to achieve high levels of coverage among your target audience and ensures the message communicated is consistent. This means all learners get the same training.

3. Higher Learning Retention than traditional learning

Blended learning results in higher knowledge retention rate as it appeals to a wider range of learning styles and learners. There is also the added ability to refresh or update coursework whenever it is needed and learn at a pace that suits the learners.

4. Using E-Learning saves you time and money

It reduces time away from the workplace, cuts down on expensive travel and reduces the need for costly classroom-based training.

5. Measuring and Tracking learning activity

Learning Management Systems (LMS) are able to track learners' progress and report on their learning activities and abilities, thereby helping tutors to better understand how best to deliver lectures and training in a way that improves learners further.

6. Reduce your carbon footprint

E-Learning reduces the use of paper and other forms of physical learning and testing materials, hence helping to reduce carbon footprint and emissions.

7. Flexibility and the ease of reach

E-Learning can give learners the freedom to learn when and where they want, and at their own pace. Learners who would usually be in remote locations and have trouble getting to and from a physical classroom are easily reached via an online E-Learning system (7 Reasons (n.d.), LearningPool).

THE INTERNET: NOT A SAFE GROUND - THE THREATS TO E-LEARNING.

With consideration to ICT, people nowadays are getting the benefits of accessing vast information quickly. Information may exist in many forms: it can be printed or written on paper, stored electronically and transmitted by post or by electronic means. Whatever form information takes or the means by which it is shared, it should always be appropriately protected.

Information derived from useful data is amongst an organisation’s main assets. Nevertheless, when information is easy for everybody to access, it is just as easy for anybody to gain access to it, irrespective of whether their intentions are good or bad. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities. As such, information must be protected in order to avoid the loss of its confidentiality, integrity and availability (Najwa-Hayaati and Ip-Shing, 2010). Some of the most serious threats are listed below:

• Deliberate software attacks (viruses, worms, macros, denial of service)

• Technical software failures and errors (bugs, coding problems, unknown loopholes)


• Acts of human error or failure (accidents, employee mistakes)

• Deliberate acts of espionage or trespass (unauthorised access and/or data collection)

• Deliberate acts of sabotage or vandalism (destruction of information or system)

• Technical hardware failures or errors (equipment failure)

• Deliberate acts of theft (illegal confiscation of equipment or information)

• Compromises to intellectual property (piracy, copyright infringement)

• Quality of Service deviations from service providers (power and WAN service issues)

• Technological obsolescence (antiquated or out-dated technologies)

• Deliberate acts of information extortion (blackmail for information disclosure).

As much as E-Learning and the Internet appear to be an interesting and attractive ground for knowledge acquisition, it is not surprising that they are also fertile ground for attacks by those who are selfishly driven, because where good things flourish so does evil. The question now is: how can learners avoid and secure themselves against these security threats perpetrated via the Internet, which is one of the powerhouses of E-Learning?

THE NATURE OF THREATS TO E-LEARNING

To know how the threats to E-Learning work is to understand the risks and vulnerabilities of the E-Learning paradigm, the kinds of threats that exist and how they are perpetrated. Who are the attackers, how do they operate and what E-Learning assets are they interested in siphoning? These are the questions posed. Answering them makes it possible to identify ways of mitigating attacks on E-Learning.

THE ATTACKER

In reality, it is difficult to answer who the potential attacker of an E-Learning system is and what his capabilities may be. Attackers can take many forms. Some of them may perform their actions deliberately; others may simply be incompetent, legitimate users of the system. Attackers that act deliberately can be divided into many categories: proof-of-concept hackers, crackers, users wanting to get illegal free access to protected resources, disgruntled employees or even bored but technically savvy teenagers. We could try to enumerate common attackers for a specific system, but it is impossible to foresee all potential attackers (Maria and Eugene, 2007).

THE ASSETS

An asset is any element of an E-Learning system which provides critical functionality. Any threat could be defined in part by the asset which the attacker wants to get access to. Of course the goal of any protection solution is not to eliminate the assets but to protect them. However, to protect assets we must first identify them. For any generic E-Learning system, the following assets could be targeted by an attacker:

• E-Learning content;
• Cryptographic key content;
• User personal data;
• Messages between users;
• Different group membership data;
• Network bandwidth;
• Message integrity;
• Message availability.

Having understood the nature and kinds of attackers and what they are after, the next thing is to identify how they operate (Maria and Eugene, 2007).

THE E-LEARNING VULNERABILITY ATTACK PATTERN

To better understand how E-Learning attackers operate, their attack patterns have been classified into the following categories:

• Availability
• Integrity
• Confidentiality and
• Authentication

This conceptual model is referred to as the AICA E-Learning Vulnerability/Attack Model, where AICA stands for Availability, Integrity, Confidentiality and Authentication (Maria and Eugene, 2007). Under each of these categories are various attack methods and patterns used against an E-Learning platform. Below is the breakdown of this model:

Availability

• Denial-of-Service (DoS)
• Node attacks
• Link attacks
• Network infrastructure attack

Integrity

• Malicious code attacks
• Message injection
• Traffic modification
• Traffic deletion
• Traffic mis-delivery re-routing
• Forgery attacks
• Stack overflow attacks

Confidentiality

• Group session eavesdropping
• Group session traffic
• Group identity disclosure

Authentication

• Brute force attack
• Dictionary attack
• Login spoofing
• Key management attacks
• Man-in-the-middle (MiM) attacks

Below is a detailed explanation of this model.

AVAILABILITY ATTACKS.

Availability attacks attempt to make E-Learning services and data (or metadata) unavailable to legitimate users for a period of time. Here, we briefly discuss the two basic types of availability attacks: Blocking attacks and Flooding attacks.

A blocking attack stops authorized users from accessing a resource by physically or electronically destroying the route to the resource. Non-malicious blocking (physical denial-of-service) includes communication line failure, software or hardware crashes, and inadvertent reconfiguration of systems in a way that prevents access. Malicious blocking attacks may occur when an attacker destroys or deletes critical files, invalidates accounts or changes access control protocols.

A flooding attack overloads the E-Learning system with a large number of requests to stop authorized users from accessing its resources. A flooding availability attack typically exploits a flaw in the design/implementation of a network protocol, operating system or commonly used application. Common examples of flooding attacks are:

Denial-of-Service (DoS).

An E-Learning system should have reasonable capacity (in terms of bandwidth and connectivity) to meet peak demand; however, this capacity is finite and can be exhausted. DoS attacks could be very dangerous for E-Learning systems because a single message/packet may be replicated to many receivers over many links. These attacks may be malicious, but they can also be caused unintentionally or carelessly. Some are extremely complex, while others rely upon very simple methodologies. These attacks can be conducted in several ways on an E-Learning system:

Source: http://trickovista.wordpress.com/category/uncategorized/page/2/

Masquerading Sender DoS Attacks.

The attacker may gain access to the E-Learning system by joining it through an authentication attack. Once authenticated, a misbehaving source can flood traffic to all other users to disrupt current and future sessions (Tannenbaum, 2002).

Masquerading Receiver DoS Attacks.

Once authenticated through an authentication attack, the attacker may join the traffic by creating many end-user processes, thus greatly increasing the overhead of the system but not the traffic into sessions. The size of the session must therefore expand to handle the increased traffic which consumes bandwidth and processing resources.


Insider DoS Attacks.

A legitimate end-user becomes a traitor by flooding traffic to all learners or subverting the E-Learning system by signaling or creating many receiver processes.

Transit DoS Attacks.

Without being authenticated, the attacker may inject unauthorized transit traffic on the same network(s) in order to disrupt communications. The widespread use of User Datagram Protocol (UDP) as a transport protocol for real-time communications is a vulnerability, since currently there is no UDP mechanism to prevent traffic congestion.

Availability to Present.

A specific learner is prevented from participating in a session through a targeted DoS attack.

Availability to Receive.

A specific learner is prevented from receiving information in a session through a targeted DoS attack.

SYN flood attacks.

This is the bombarding of the E-Learning site with SYN packets, which are used to open a connection; it can either overload the E-Learning system's servers or cause them to crash.

Smurf attacks.

These attacks use a PING packet sent by an end-user computer with the forged return address of the intended victim. This PING is broadcast to a large number of other users (intermediaries), and if many machines respond by sending PING packets to the intended victim, the result can be severe network congestion or outages that could potentially make the network unusable. The intermediary can be victimized in turn.

Distributed denial-of-service attacks.

This attack multiplies the effect of an ordinary denial-of-service attack by launching it simultaneously from multiple addresses. The attacker gains access to a number of other end-user computers in advance and puts code in each to launch the attack at a preset time or on a signal. Using such remote computers makes the attacker invisible, which is why distributed denial-of-service attacks are difficult to trace and prevent (Albanesius, 2013).
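The flooding variants above differ mainly in who the traffic can be attributed to: an authenticated account (masquerading sender or insider), an unauthenticated address (transit), or many addresses that are each quiet on their own (distributed). The following Python sketch is an added example, not part of the original paper; the thresholds, field layout and sample log are constructed assumptions.

```python
from collections import Counter, defaultdict, deque


def detect_floods(events, window=10.0, per_actor=20, global_limit=60):
    """Classify request floods in a time-ordered event stream.

    events: iterable of (timestamp_seconds, source_address, user_or_None).
    The thresholds are assumed values sized for the constructed sample below.
    """
    per = defaultdict(deque)   # actor -> timestamps still inside the window
    recent = deque()           # (timestamp, actor) for all traffic in the window
    findings = {"authenticated": set(), "transit": set(), "distributed": []}
    in_burst = False

    for ts, addr, user in events:
        # Authenticated requests are attributed to the account,
        # unauthenticated ones to the source address.
        actor = ("user", user) if user else ("addr", addr)
        q = per[actor]
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()
        if len(q) > per_actor:
            findings["authenticated" if user else "transit"].add(actor[1])

        recent.append((ts, actor))
        while recent[0][0] <= ts - window:
            recent.popleft()
        if len(recent) > global_limit:
            counts = Counter(a for _, a in recent)
            # Aggregate overload with no single heavy actor is the
            # distributed pattern: report it once per burst.
            if max(counts.values()) <= per_actor and not in_burst:
                findings["distributed"].append(
                    {"start": recent[0][0], "actors": len(counts)})
                in_burst = True
        else:
            in_burst = False
    return findings


def sample_events():
    """Constructed request log: normal use followed by three flood patterns."""
    # Normal activity: three learners, one request every five seconds in total.
    ev = [(float(t), "10.0.0.%d" % (t % 3 + 1), "learner%d" % (t % 3))
          for t in range(0, 60, 5)]
    # Insider / masquerading sender: one authenticated account, 30 requests in 3 s.
    ev += [(100 + i * 0.1, "10.0.0.5", "student17") for i in range(30)]
    # Transit flood: one unauthenticated address, 25 requests in 5 s.
    ev += [(200 + i * 0.2, "203.0.113.9", None) for i in range(25)]
    # Distributed flood: 40 addresses, two requests each, inside 8 s.
    ev += [(300 + i * 0.1, "198.51.100.%d" % (i % 40 + 1), None)
           for i in range(80)]
    return ev


if __name__ == "__main__":
    for kind, value in detect_floods(sample_events()).items():
        print(kind, value)
```

Per-actor limits catch the first two patterns but not the third, which is why the aggregate counter is kept separately.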

Node attacks.

By definition, E-Learning communications involve more nodes (senders/receivers) in a session than point-to-point communications do, and thus there is more potential exposure to node-targeted attacks. Each legitimate user node may be attacked through a node-specific vulnerability and become a degraded, subverted or otherwise non-functioning member of the E-Learning process. This decreases the availability of any information or contribution to joint projects and activities from attacked end-user nodes.

Link Attacks.

Communication traffic in an E-Learning system uses many more links than point-to-point communications, so it is exposed to link attacks. As some legitimate nodes are connected to the network by a single or few links, if these links are successfully degraded by an attack, the affected nodes may no longer be available to the system and the system is no longer available to them. If link attacks are strategically placed, network partitioning and even general system degradation may occur.

Network Infrastructure Attacks.

If any part of the E-Learning network infrastructure which directly or indirectly supports the communication sessions in progress is physically or logically attacked or otherwise damaged (power, routers, switches, hubs, servers for DNS, etc.), the system will degrade and may not remain functional.

INTEGRITY ATTACKS.

Integrity attacks attempt to actively modify or destroy information in the E-Learning site without proper authorization. Modification may include creating, changing, appending, and deleting both data and metadata. With an integrity attack, authorized users can gain access, but what they find when they get there is not what is supposed to be there. We shall briefly discuss some integrity attacks:

Malicious Code Attacks.

Integrity attacks can be non-malicious in origin, as many unintentional causes may corrupt or modify data. However, malicious integrity attacks are becoming both more common and destructive. Malicious code comes in a variety of forms – virus, Trojan horse, worm etc. E-Learning system administrators as well as end-users should protect and regularly check their systems to assure they are malware-free.

Message Injection Attacks.

An attacker who joins an E-Learning communication, for example via an authentication attack, may then freely inject messages into the system which will be viewed as legitimate system traffic by the other end-users.

Traffic Modification Attacks.

An attacker may intercept packet data, rearrange or delete specific bits, and/or forward data as if no changes occurred. This attack does not require knowledge of key data or any particular understanding of the E-Learning data itself.

Traffic Deletion Attacks.

Similarly to the previous attack, an attacker may simply delete data on the communication channels. Again, this requires no particular understanding of the E-Learning data itself.

Traffic Mirror-Rerouting Attacks.

An attacker may mirror the traffic by rerouting it to unauthorized end-users. This is analogous to inserting a mirror into the stream of observable traffic and re-directing it elsewhere, without affecting the original stream’s destination – thus making this attack difficult to detect.

Traffic Mis-delivery-Rerouting Attacks.

If the attacker reroutes traffic to unauthorized receivers without mirroring, some messages are lost and not received by some or all end-users. This attack is more detectable than traffic mirror-rerouting attacks since end-users and messaging protocols can detect lost messages.
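Traffic modification, injection from outside the session, and deletion or mis-delivery can all be surfaced at the receiver by authenticating each message together with a sequence number. The Python sketch below is an added example, not part of the original paper; the frame layout, the use of HMAC-SHA-256 and a key shared by one sender and one receiver are assumptions made for illustration, and the messages are constructed.

```python
import hashlib
import hmac
import struct

HDR_LEN = 8    # 64-bit big-endian sequence number (assumed frame layout)
TAG_LEN = 32   # HMAC-SHA-256 output size


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number + payload + tag over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies the tag, then checks ordering to reveal lost or replayed frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, frame: bytes):
        if len(frame) < HDR_LEN + TAG_LEN:
            return "rejected: truncated", None
        header = frame[:HDR_LEN]
        payload = frame[HDR_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; any changed bit or unknown key fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag", None
        (seq,) = struct.unpack(">Q", header)
        if seq < self.next_seq:
            return "rejected: replay", None
        if seq == self.next_seq:
            status = "ok"
        else:
            # Frames deleted, mis-delivered or dropped as tampered show up as a gap.
            status = "gap: missing %d..%d" % (self.next_seq, seq - 1)
        self.next_seq = seq + 1
        return status, payload


def run_demo():
    """Constructed channel: one frame altered, one deleted, one forged, one replayed."""
    key = b"constructed-demo-key-not-for-use"
    frames = [seal(key, i, b"lesson chunk %d" % i) for i in range(5)]

    tampered = bytearray(frames[1])
    tampered[HDR_LEN + 2] ^= 0x01                      # single bit changed in transit
    forged = seal(b"some-other-key", 5, b"exam moved to Friday")  # sender lacks the key

    # frames[3] never arrives; frames[0] is delivered a second time at the end.
    channel = [frames[0], bytes(tampered), frames[2], frames[4], forged, frames[0]]
    rx = Receiver(key)
    return [rx.accept(f)[0] for f in channel]


if __name__ == "__main__":
    for status in run_demo():
        print(status)
```

A traffic mirror-rerouting attack leaves every frame intact and in order, so a check of this kind reports nothing for it; likewise, an attacker who has joined the session and holds the shared key can produce valid tags.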

Forgery (counterfeit) Attacks.

These attacks falsely represent data as having come from another address. An attacker can also hijack a session by intercepting a communication session and continuing it in the name of (and with the privilege of) the victimized end-user.

Stack Overflow Attacks.

The attacker intentionally supplies a very large amount of input data (for example, 3,000 characters in a limited-length field) in order to exceed the space allocated and spill over into adjacent data or code areas, either corrupting other values or inserting new commands to be executed.

CONFIDENTIALITY ATTACKS.

Confidentiality attacks are passive attacks that expose confidential data to the view of unauthorized readers (Ballardie and Crowcroft, 1995). Unlike integrity attacks, confidentiality attacks don’t alter the E-Learning content, but only affect the security level and dissemination of this content, as well as learners’ personal data. However, confidentiality attacks may be used as a first step in availability or integrity attacks, as where the attacker obtains confidential passwords by defeating encryption or simply by password guessing. Confidentiality attacks to E-Learning systems may take the form of commercial appropriation of confidential information. Most involve intrusions and disclosure of private facts that are not commercially motivated, but are undertaken solely for the amusement of the attacker.

In many E-Learning systems, unauthorised access to confidential data may require the relatively difficult task of gaining access to the system at the administrator level. However, an attacker may also read information without illegitimate privilege escalation (e.g. insider attackers). Storage and timing leaks via covert channels also fall into this class of attack. An E-Learning system offers more eavesdropping opportunities than most networked systems, because of the multiple channels used through the multicast communication protocols (Ballardie and Crowcroft, 1995). Further, attackers don’t need to eavesdrop if they can instead simply become learners – at which point the system views them as legitimate and purposely sends them all relevant traffic. Common protection techniques for this type of attack require extensive use of encryption with cryptographic keys to ensure privacy. The cryptography used may or may not be the same as that used for authentication of the learners. Let’s now briefly discuss some confidentiality attacks:

Session Eavesdropping Attacks.

Traffic between a particular learner’s processes in an E-Learning system is virtually impossible to hide. Because of the dispersal of the processes throughout a typically large network, as well as the volume of communication channels used, it does not seem feasible to prevent attackers from observing traffic. This is why encryption methods are critical for communications in an E-Learning system. The goal is not to prevent the attacker entirely from observing traffic, but rather to ensure that the observable content is unusable or meaningless to him.

Group Session Traffic Analysis.

Even if appropriate encryption measures are taken, the attacker may still observe the traffic flow and make corresponding deductions based on when and where messages are sent, message type and volume.

Identity Disclosure Attacks.

The identity of e-learners is attacked for unauthorized disclosure (Maria and Eugene, 2013).

AUTHENTICATION ATTACKS.

Authentication attacks occur when an attacker masquerades as a legitimate end-user (using a stolen password, key, or credential) or an attack device masquerades as a legitimate device participating in the E-Learning scheme, both usually aiming to get free access to paid E-Learning networks and services. But a masquerader can also launch insider attacks to access data/metadata (confidentiality attack), modify data/metadata (integrity attack), and/or deny others data/metadata (availability attack) based on the authorization capabilities of the legitimate user identity they have taken over. Let’s briefly discuss the following attacks:

Brute force attacks.

These attacks are unsophisticated and can be effective only if a powerful computer is used. The principle is to attempt every possible combination of characters to satisfy password (key) authentication.

Dictionary attacks.

They could be considered as a subset of brute force attacks. Instead of trying all password combinations, a dictionary attack attempts to satisfy a password prompt by trying commonly used passwords from a list or dictionary.
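One way a site operator can spot the password guessing described under brute force and dictionary attacks, as an added example that is not part of the original paper. The log format, the sample lines, the five-minute window, the threshold of five failures and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 5                   # assumed number of failures that triggers an alert

# Constructed sample lines in a hypothetical "time result user ip" format.
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAIL carol 198.51.100.20
2024-03-01T09:01:00 FAIL alice 203.0.113.7
2024-03-01T09:01:02 FAIL alice 203.0.113.7
2024-03-01T09:01:04 FAIL alice 203.0.113.7
2024-03-01T09:01:06 FAIL alice 203.0.113.7
2024-03-01T09:01:08 FAIL alice 203.0.113.7
2024-03-01T09:01:10 FAIL alice 203.0.113.7
2024-03-01T09:01:30 OK alice 203.0.113.7
2024-03-01T09:02:00 FAIL bob 192.0.2.44
2024-03-01T09:02:20 OK bob 192.0.2.44
2024-03-01T09:10:00 FAIL carol 198.51.100.20
2024-03-01T09:20:00 FAIL carol 198.51.100.20
"""


def parse(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user, ip


def detect(log_text):
    """Return alerts for bursts of failed logins and for a success right after one."""
    failures = defaultdict(deque)   # user -> timestamps of failures inside WINDOW
    flagged = set()                 # users already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse(line)
        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()        # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append((user, "guessing", ip))
        elif result == "OK":
            # A success that ends a burst suggests the guessing worked.
            if len(recent) >= THRESHOLD:
                alerts.append((user, "success-after-guessing", ip))
            recent.clear()
            flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same counter can drive a temporary lockout or a forced delay once the threshold is reached, which is what makes automated guessing impractical against an online login form.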

Login spoofing attacks.

An attacker can use a fake login program that prompts the legitimate user for an ID and password. Instead of logging the user into the requested E-Learning system, the bogus program stores or forwards the stolen credentials and returns a notice that the login has failed.

Key Management Attacks.

In a system in which the key management scheme does not adequately protect both forward and backward secrecy, an attacker may use information obtained from a former legitimate user to gain access to the E-Learning system. The attacker may in fact be a former legitimate learner aiming to find enough information to break the current encryption scheme and to access the content for free. A basic example may be procedural mishandling of keys exposing them to disclosure. A centralized server that generates and disseminates keys for legitimate users represents a single entry point and an attractive attack target.

Replay Attacks.

In certain encryption schemes, it may be possible for an attacker to eavesdrop on a communication channel and to record an encrypted message. This recorded message may later be played back in such a way as to allow the attacker to masquerade as the original sender. The attacker may appear legitimate to the recipient and authorized to access data to which he has no right.
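A receiver-side defence against the replay described above, which also catches the traffic modification described earlier, shown as an added example that is not part of the original paper. It assumes a key already shared between sender and receiver; the names `seal`, `Receiver` and `MAX_SKEW`, the message fields and the 120-second window are hypothetical.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 120  # seconds a message stays acceptable (assumed window)


def _tag(key, msg):
    """HMAC-SHA256 over every field, so changing any of them breaks the tag."""
    fields = {k: msg[k] for k in ("sender", "body", "ts", "nonce")}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal(key, sender, body, now=None):
    """Build a message carrying a timestamp, a random nonce and an HMAC tag."""
    msg = {
        "sender": sender,
        "body": body,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(16).hex(),
    }
    msg["tag"] = _tag(key, msg)
    return msg


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp of messages already accepted

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            expected = _tag(self.key, msg)
        except KeyError:
            return "rejected: malformed"
        supplied = str(msg.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "rejected: bad tag"      # modified or forged message
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "rejected: stale"        # recorded and played back late
        # Nonces older than the window can be dropped: a replay of such a
        # message would already fail the timestamp check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return "rejected: replay"       # played back inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"
```

Because the timestamp and nonce are covered by the tag, a recorded message cannot be given a fresh timestamp or nonce without knowledge of the key.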

Man-in-the-Middle Attacks (MITM).

In MITM, an attacker actively intercepts messages between end-users and servers of the E-Learning site and is able to read, modify and retransmit these messages without either legitimate participant in the communication knowing that their session has been compromised. The MITM attack may include: eavesdropping (including traffic analysis and known plaintext attacks), chosen cipher-text attacks, substitution attacks, replay attacks, and DoS attacks.

Source: http://www.computerhope.com/jargon/m/mitma.htm

Session Hijacking Attacks.

In this kind of attack, an attacker intercepts and continues a session started by a legitimate user of the E-Learning site. In contrast to MITM, session hijacking occurs after a session is established and the legitimate user’s session is terminated.

Non-Repudiation Attacks.

Non-repudiation requires the ability to prove to a third party that a particular message was sent or received, preventing the source from later denying transmission of the message. As a consequence of existing vulnerabilities in access control, an E-Learning user may deny (legitimately or illegitimately) having participated in some or all communication sessions and having sent/received specific messages.

Source Non-Repudiation Attacks.

An attack targeting an end-user in order to deny sending communications.

Receiver Non-Repudiation Attacks.

An attack targeting an end-user in order to deny receiving communications.

RECOMMENDATIONS AND BEST PRACTICES ON SECURING THE E-LEARNING SYSTEM

A positive change of attitude is the first sign of a sure success story. Having become aware of how much damage attackers can do to E-Learning, both on the network and to learners, it is important that the attitude of an E-learner changes with respect to how he/she operates and makes use of E-Learning technology in knowledge acquisition. The following practices are advised to at least prevent or mitigate any possible E-Learning attack, since it might be impossible to completely eradicate attacks on the E-Learning network.

• Always make backups of important information and store it in a safe place separate from your computer.

• Update and patch your operating system, web browser and software frequently.

• Install a firewall. Without a good firewall, viruses, worms, Trojans, malware and adware can all easily access your computer from the Internet. Consideration should be given to the benefits and differences between hardware and software based firewall programs.

• Review your browser and email settings for optimum security. Why should you do this? Active-X and JavaScript are often used by hackers to plant malicious programs into your computers. While cookies are relatively harmless in terms of security concerns, they do still track your movements on the Internet to build a profile of you. At a minimum set your security setting for the "Internet zone" to High, and your "trusted sites zone" to Medium Low.

• Install anti-virus software and set it for automatic updates so that you receive the most current updates.

• Do not open unknown email attachments. It is simply not enough that you may recognize the address from which it originates because many viruses can spread from a familiar address.

• Do not run programs from unknown origins. Also, do not send these types of programs to friends and coworkers because they contain funny or amusing stories or jokes. They may contain a Trojan horse waiting to infect a computer.

• Disable hidden filename extensions. By default, the Windows operating system is set to "hide file extensions for known file types". Disable this option so that file extensions display in Windows. Some file extensions will, by default, continue to remain hidden, but you are more likely to see any unusual file extensions that do not belong.

• Turn off your computer and disconnect from the network when not using the computer. A hacker cannot attack your computer when you are disconnected from the network or the computer is off.

• Consider making a Recovery Boot Disk in case your computer is damaged or compromised by a malicious program. Obviously, you need to take this step before you experience a hostile breach of your system.

• Use complex passwords. Whether at work or at home, use complex passwords (and never write them down!). Using a password longer than 8 characters can greatly reduce the chance that someone will guess your password. Hackers don't usually sit there and try to guess your password one at a time. They use automated brute force tools that can break a simple password in a few minutes to a few hours. Here's an example of a complex password: 1mSdM5m3MbEr. As a general rule of thumb, passwords should be changed at least once every three (3) months, and already used passwords should not be reused. In addition, avoid using your birthday, children's names, spouse's name, and other biographical details as part or whole of your password. An attacker very close to you can guess any of these and use them to gain access to your system (Secure Your Personal Computer (n.d.), Ian Del Carmen).

CONCLUSION

In recent years the rapid growth of E-Learning has been something to reckon with. An increasing number of academic institutions are buying into the idea, as is the industrial sector for the training of its staff. One must not be carried away with only the good sides but must also be fully aware of the challenges involved in implementing and using E-Learning technology. The functionality of E-Learning continues to expand and relies more and more heavily on the Internet. However, the Internet has become a place of illegal activities, which therefore exposes E-Learning to threats. Ensuring the availability and integrity of information and material within E-Learning environments requires that countermeasures, such as security technology hardware and software, be implemented. Unfortunately, these countermeasures will yield no result if the attitude of E-Learning stakeholders is not changed.

It is my opinion that this paper will not only present to learners the beauty and benefits of E-Learning, but also its dark sides, how to identify them, how to avoid them, how to mitigate them in the instance of any attack, and ways to use this new learning technology better, safely and profitably for a better learning experience.

REFERENCES

Mason, R. and Rennie, F. (2006): E-Learning: the key concepts, Routledge; 1 edition July 27, 2006, Abingdon Great Britain.

Eklund, J., Kay, M. and Lynch, H. M. (2003): E-learning: emerging issues and key trends: A discussion paper, Australian National Training Authority, Australia.

The history of E-Learning (n.d.): Retrieved from: http://blog.efrontlearning.net/2013/08/a-brief-history-of-E-Learning-infographic.html

Types of e-Learning, (2014): Retrieved from: http://www.worldwidelearn.com/E-Learning-essentials/E-Learning-types.htm.

Najwa Hayaati Mohd Alwi and Ip-Shing Fan (2010): E-Learning and Information Security Management. International Journal of Digital Society (IJDS), Volume 1, Issue 2, June 2010

7 Great reasons to use E-Learning (2014): Retrieved from: http://www.learningpool.com/new-e-learning.

Maria Nickolova, Eugene Nickolov (2007): Threat Model for User Security in E-Learning. International Journal "Information Technologies and Knowledge" Vol.1 / 2007

Albanesius, C. (2013): Record-Breaking DDoS Attack Slows Web. Retrieved from PC Magazine: http://www.pcmag.com/article2/0,2817,2417131,00.asp

Marshall Brain and Wesley Fenlon (n.d.): How Computer Viruses Work. Retrieved from: HowStuffWorks: http://computer.howstuffworks.com/virus5.htm

Swiderski, F. and W. Snyder (2004): Threat Modeling (Microsoft Professional). Microsoft Press, 2004.

Judge, P. and M. Ammar (2004): “Security Issues and Solutions in Multicast Content Distribution: A Survey,” IEEE Network, January/February 2003.

Myagmar, S., A. J. Lee, W. Yurcik (2005): “Threat Modeling as a Basis for Security Requirements,” In Symposium on: Requirements Engineering for Information Security (SREIS), 2005.

Tannenbaum A., M. van Steen (2002): Distributed Systems: Principles and Paradigms, Prentice-Hall, Inc., 2002.

Nickolova, M. and E. Nickolov (2006): User Privacy Problems in DRM protected E-learning Objects from Standards to Practice, Second International Workshop on Computer Science and Education in Computer Science, June, 5-7, 2006, Borovetz – Sofia, Bulgaria.

Conole, G. and Oliver, M. (n.d.): Contemporary perspectives in E-learning Research themes, methods and impact on practice, Routledge, London; New York, pp.38-54.

Dietinger, T. (2003): Aspects of E-Learning Environments (unpublished Doctor of Technical Sciences thesis), Institute for Information Processing and Computer Supported New Media (IICM), Graz University of Technology, Austria.

Jain, K. K. and Ngoh, L. B. (2003): ‘Motivating Factors in e-learning; A Case study of UNITAR’, Student Affairs Online, Vol. 4, no. 1, pp.21, June, 2008. Retrieved from: http://www.studentaffairs.com/ejournal/Winter_2003/e-learning.html.

Aziz A., et al. (2006): ‘Design and development of learning management system at universiti Putra Malaysia: a case study of e-SPRINT. I’, WWW 06: Proceedings of the 15th international Conference on World Wide Web, May 23 - 26, 2006, Edinburgh, Scotland, ACM, New York, pp.979-980.

Raitman, R., Ngo, L. and Augar, N. (2005): ‘Security in the Online E-Learning Environment’, Advanced Learning Technologies, 2005. ICALT 2005. Fifth IEEE International Conference on Advanced Learning Technologies, pp.702-706.

Rosenberg M. J. (2001): E-learning strategies for delivering knowledge in the digital age, McGraw-Hill, New York.

Graf, F. (2002): ‘Providing security for E-Learning’, Computers & Graphics, vol. 26, no. 2, pp.355-365.

Norman, S. and Da Costa, M. (2003): ‘Overview of e-learning Specifications and Standards’, Open Learning Agency, and Eduspecs Technical Liaison Office.

Furnell, S. M. and Karweni, T. (2001): ‘Security issues in Online Distance Learning’, VINE: The Journal of Information and Knowledge Management Systems, vol. 31, no. 2.

Yang, C., Lin, F. O. and Lin, H. (2002): ‘Policy-based Privacy and Security Management for Collaborative E-education Systems’, Proceedings of the 5th IASTED International Multi-Conference Computers and Advanced Technology in Education (CATE 2002), pp.501–505.

Saxena, R. (2004): ‘Security and online content management: balancing access and security’, Breaking boundaries: integration and interoperability, 12th Biennial VALA Conference and Exhibition Victorian Association for Library Automation.

Yong, J. (2007): ‘Digital Identity Design and Privacy Preservation for e-Learning’, Proceeding of the 2007, 11th International Conference on Computer Supported Cooperative Work in Design, pp. 858-863.

Trček, D. (2003): ‘An integral framework for information systems security management’, Computers & Security, vol. 22, no. 4, pp.337-360.