Testing the hackability of the ProctorExam assessments website
Category : Dissemination
In March 2018 the University of Hertfordshire project team, in the person of Dr Stilianos Vidalis and his associates, set up the means to test the potential for illegal penetration of the ProctorExam website.
In the original Erasmus+ project proposal submitted in March 2016 we had identified this activity as an important area to explore, in line with identifying future guidelines to present in the final report for Intellectual Output 2 (Security). The aim of this exercise was therefore to demonstrate whether a typical online student would be able to access an unprotected area of the ProctorExam servers and penetrate the security of any aspect of the online assessment systems without authorisation. The ProctorExam system does of course already operate with its own security measures designed to counteract typical professional attacks as well as random attempts to hack into the site.
The Penetration Testing Execution Standard (PTES) was used together with Open Web Application Security Project (OWASP) methodologies as a baseline for the tests undertaken by Dr Vidalis.
The process requires initial agreement on typical use cases and scenarios, so as to identify example personas of those likely to attack or hack into the online assessment system, together with their motivation: to steal or change data stored on the site, or to severely impede legitimate activity. Intense and persistent attempts were then made over a 24-hour period to access the ProctorExam servers without authorisation. No unauthorised access was possible, the denial-of-service attack was not successful, and no information leakage was detected.
It will be important to note in the final project report that all organisations which set themselves up as providers of secure online assessments should be able to withstand a similar simulated attack. This assures future users and partners that assessments are undertaken in a secure environment, where personal student data and performance details are protected and inaccessible to unauthorised users.