New Aspects of Test Security
Increasingly, standardized examinations are being used to measure the performance of both students and schools. However important these tests may be, the more routine teacher-designed, teacher-administered examinations may be better for early detection of student and curriculum deficiencies. But if routine examinations are good measures of performance and good detectors of weaknesses, then the confidentiality of these tests must be as good as that of the standardized exams.
Before computer generation of exams, "lock and key" was the usual method for maintaining the security of tests from development through storage. Additional procedures were in place if tests were typed or copied by a secretary. But have you ever considered the new ways in which your tests are vulnerable to unauthorized access if you store your test files on an office or home computer?
In an attempt to determine how much educators know about the security of their test files, we conducted a survey of collegiate educators. You can test your knowledge of file security by answering the survey questions, and comparing your results with our explanations and the survey responses.
Test Your Knowledge of File Security
In responding to the following statements with "yes," "no" or "don't know," assume the operating system used by the computer is Microsoft Windows 95 or 98.
1. If a test file is deleted from a computer, it is permanently erased and cannot be retrieved.
2. If a test file is deleted from a computer and the recycle bin is emptied, the file is permanently erased and cannot be retrieved.
3. Test files are secure at all times on an office computer if it is not connected to a network and if the test files are password-protected.
4. If the Internet is accessed and test files are password-protected, they are secure.
5. Test files on a networked office computer are always secure if they are password-protected.
6. Test files on a home computer networked to another home computer are secure if they are password-protected.
7. Test files on a Web page, such as Blackboard, are secure.
Answers and Survey ResponsesIf you answered "yes" or "don't know" to any of the survey questions, you may be living under a false illusion of security. The following explanations spell out some of the more important issues surrounding file security, while Table 1 shows the results of the survey, which had a 52.5% response rate.
1. If a test file is deleted from a computer, it is permanently erased and cannot be retrieved. No.When you delete a file in the Windows 95 or 98 operating system, that file g'es into the recycle bin. If you do not delete the file from the recycle bin, it is still on the hard drive. It would be easy for anyone with access to your computer to copy a test file from the recycle bin onto a floppy without your knowledge.
2. If a test file is deleted from a computer and the recycle bin is emptied, the file is permanently erased and cannot be retrieved. No.Most of the survey respondents, 64.3%, either did not know or were incorrect regarding whether test files could be retrieved from a computer when the recycle bin has been emptied.
Until the space on the drive where the file was stored is overwritten with new data, the file can be retrieved from the computer drive. One should run software, such as Norton Utilities, to overwrite the file space.
This situation has serious implications for a teacher who sells a computer or passes the computer on to another. Test files could be retrieved if the data is not written over before disposal. Other sensitive information, such as grades, could also be retrieved. Even formatting a hard drive will not clear data. Formatting only clears out the directory and file allocation tables. The only way to ensure that sensitive data is not still residing somewhere on a hard drive is to overwrite the data (including slack space) using software designed for that purpose before selling or passing a computer on to someone else.
3. Test files are secure at all times on an office computer if it is not connected to a network and if the test files are password-protected. No.More than half of the survey respondents, 54.8%, either did not know or were incorrect regarding the security of password-protected test files on a stand-alone computer.
The first line of defense should be the physical security in your office. How secure are the following: office locks, ceiling tiles and windows? Who has copies of a master key to your office? How well d'es your department or school control access to the master key? Do you keep backup files on disks? Do you keep them in a disk box, locked or not, that can be easily removed from your office?
Security on your computer is the next consideration. Passwords are amazingly easy to steal. For starters, most passwords are too simple. Users tend to choose familiar names or dates, which could be known by others. However, even more complex passwords may be cracked using one of any number of password-cracking programs available on the Internet. In a recent year, close to 50,000 passwords were collected by a hacker from various colleges and universities around the country (Anonymous 1999).
When you use Microsoft Word or Microsoft Excel, you can place a password on your test files. To place a password on a file, go to the save as command, go to options, and enter a password to open or modify a file.
4. If the Internet is accessed and test files are password-protected, they are secure. No.Nearly half of the respondents, 47.6%, either did not know or were incorrect regarding whether test files were secure when a connection has been established to the Internet.
Whenever you access the Internet, the files on your hard drive are vulnerable to hackers. Most users access the Internet through a modem using a telephone line. If you access the Internet by way of a modem, then test files on your hard drive are vulnerable only when you have established your connection by dialing up. However, if you turn on your computer, dial up the Internet, minimize the Internet screen, and leave the Internet connection open while you work, files on your hard drive are vulnerable to hackers the entire time the connection is open.
If you have a direct connection to the Internet through your phone company (DSL) or cable company, anytime your computer is turned on, your Internet connection is open and test files on the hard drive are vulnerable. If it seems unlikely that your students would be able to hack into your test files, you should know that it is estimated that over 1,900 Web sites provide hacking programs to the general public (Mogelefsky 2000).
An additional problem with direct connections is that most users will have a persistent Internet Protocol (IP) address. Under these conditions, if a hacker obtains your IP address and can determine who you are, then any information he or she takes from your machine (like exams) has much more value. Thus, even a random hacker who stumbles onto your tests could make them available on the Internet.
As mentioned earlier, one type of password-hacking program cracks passwords by simply generating common words and dates until it finds a match. Another method of acquiring passwords is to use a "sniffer." The sniffer program picks up passwords, transmitting them back to the hacker. These programs can be installed on a computer without the user's knowledge through an e-mail attachment, or attached to a file downloaded from the Internet.
5. Test files on a networked office computer are always secure if they are password- protected. No.A majority of the respondents, 57.1%, were correct regarding test file security on a networked office computer. Our survey was conducted before the release of the "I LOVE YOU" virus. Given the volume of publicity surrounding that virus, awareness of network and password vulnerability may well have increased.
Networks add new layers of concern. Network administrators have access to all of your files. Depending on how the network is set up, administrators may be able to access your files through the network. However, even if this is not possible, they can go through the local computer itself since they must have authority to install new software or provide maintenance to your computer. In addition, graduate students or administrative assistants may also service the computers on the network, thus adding another group of people with access to your computer. Password protection on individual files would add a layer of security to test files or other confidential data.
6. Test files on a home computer networked to another home computer are secure if they are password-protected. No.A large percentage of the respondents, 42.9%, either did not know or were incorrect regarding whether test files were secure on home computers networked to another home computer.
The physical security of your home is important, just as it is for your office. Do you have a security alarm system, dead bolt locks and secure windows? Is your network set up so that the computers can share files through data sharing? If so, other computers on the network can access your files. Do other members of the family and their friends use a computer networked to yours? If so, then your files are vulnerable anytime your computer and the second computer are in use at the same time. Turning off data sharing will in many cases prevent unauthorized access through the network. Additionally, passwords on test files will afford some measure of security from casual observation by visitors to your home.
7. Test files on a Web page, such as Blackboard, are secure. No.A little more than half of the respondents, 54.8%, either did not know or were incorrect regarding whether test files were secure on a Web page, such as Blackboard.
Blackboard and other Web-based software allow instructors to provide informational and instructional material to students via the Internet. Use of this type of software can range from something as basic as putting a syllabus and a few assignments on Blackboard to offering a full-fledged course by way of long-distance learning. Blackboard is available free of charge by going to the Web site of the developer. However, many universities purchase a site license and place the software on their own server in order to have control over the maintenance of both the software and the server on which it resides.
Blackboard provides various levels of security through the use of passwords. Access to the control panel is limited to faculty through faculty-chosen passwords. The control panel allows faculty to add, change or delete materials within various areas of a course, such as course information, course documents, assignments, and so forth. If an entire course is password-protected, then only enrolled students with a password (and computer center personnel) can access the various areas of the course. However, it is possible to password-protect only specific areas of the course while allowing access to other areas by anyone. Thus, access to password-protected materials on Blackboard or any other Web page are subject to the security of student passwords. Of even greater concern is the security of faculty passwords. If a hacker gains access to a faculty password, materials could be altered or deleted by accessing the control panel.
Of course, any test materials placed on Blackboard or any other Web page are not secure since control cannot be exercised over who is actually taking the test or who might be present with the student while he or she takes the test. Obviously, students could also make multiple copies of tests. Essentially, the control is the same as if a take-home exam were given.
How To Protect Test Files and Other Confidential Data
The results of the above survey indicate a need to learn methods to protect test files and other private information. There is no such thing as perfect security. One should aim for reasonable security. You might think that your students do not have the expertise to steal a test file. But your students need not be the ones with the skill. Friends, neighbors, siblings or other relatives of the student may be able to hack into your office or home computer either through a network entry or through the Internet. Clearly, one of the worst aspects of this problem is that it may occur without your knowledge, leaving you unaware that tests or other data have been compromised.
A number of measures are available that afford a reasonable level of protection for your test files. Generally, the more security you want for test files, the more effort you will have to expend. The following are some of the procedures you might consider:
- Use passwords to provide some level of protection. Passwords should be at least six or eight characters in length and can be a combination of letters and numbers or symbols. Passwords should be changed frequently, and the same password should not be used for all files and systems. Do not leave passwords written down by your computer.
- While the Internet is open, your files are vulnerable. Log off the Internet when you are not using it. If you have a DSL or cable connection, turn your computer off when you are not using it.
- Create firewalls. Firewalls can be hardware and/or software that provide security at the point where your computer or the network is connected to the Internet. Although some of these firewall solutions may be too expensive for the individual user, there are a number of inexpensive software firewalls available. In addition, some network software (for example, Microsoft NT Server Edition) comes with some firewall software (Fleenor 2000).
- Keep test files offline on floppy disks, not on the hard drive. A Zip drive or Jaz drive uses disks that allow larger amounts of storage than 3.5" floppy disks. A CD-RW drive to store files on a CD also allows large amounts of data to be stored offline.
- Encrypt test files. Encryption uses a number expressed in terms of its bit length as a key; the longer the key the harder it would be for someone to break the encryption. Software, such as PGP (Pretty Good Privacy), allows one to encrypt a file, then decrypt to use or edit the file. Another possibility is to adopt Windows 2000 as the operating system. It has an integrated security system that allows encryption of files.
- Lock up test files in a secure safe (too heavy for a person to easily remove).
- Before selling or disposing of a computer, which has had test files on it, use software to write over the files.
You will have to decide the level of security necessary to ensure the integrity of your tests and other confidential material. The more measures you take, the higher the level of security. Remember, however, that security measures often fail because of laxness on the part of users. Passwords are written down on sticky notes and then placed on the computer monitor. Disks are left on desktops. Locks are left unlocked. Whatever level of security you choose, it will only be maintained with your diligence.
Joyce C. Lambert is the Arthur Andersen professor of accounting in the College of Business at the University of New Orleans. A member of numerous professional organizations, including the American Institute of Certified Public Accountants, she teaches undergraduate and graduate courses in auditing and internal auditing. Her primary research interests are in the areas of auditing and accounting education.Carolyn L. Lousteau is an associate professor of accounting in the College of Business at the University of New Orleans. A member of several professional organizations, including the American Institute of Certified Public Accountants, she teaches undergraduate and graduate courses in financial and international accounting. Her research interests include financial and international accounting.
Page T. Mochetta is a part-time instructor of accounting in the College of Business at the University of New Orleans. He operates a computer and accounting systems consulting firm.
Anonymous. March 1999. "Passwords are Weak Links In a Security Chain." Security, 3: 88-90.Mogelefsky, D. May 2000. "Security Turns Inward." Incentive, 5: 16.Fleenor, W. April 2000. "Will Hackers Consume Your Office?" Lagniappe, 25 (9): 8-9.
This article originally appeared in the 08/01/2001 issue of THE Journal.