About the Author:
Ashish Gupta is the CEO of Bugcrowd.
In the wake of COVID-19, colleges and universities across the U.S. have embraced virtual and hybrid learning to combat the spread of the virus and protect students and staff.
Recent research analyzed the reopening models of 3,000 higher-ed institutions and found that only 4 percent are allowing in-person attendance, making learning management systems, or LMS solutions, critically important.
In short, LMS solutions are a comprehensive platform for students to see a list of their courses, interact with their professors, find assignments and link to applications, such as Zoom, to take part in the virtual classroom. However, many cybersecurity professionals, college students, and faculty are asking: are online LMS solutions safe?
Cybersecurity experts are seeing first-hand how LMS IT teams are working diligently to secure their platforms during these unbelievably challenging times.
The education industry has traditionally been a target for cybercrime. Since the advent of COVID-19 stay-at-home mandates, cybercriminals have ramped up their activity. Most recently, Heartland Community College in Illinois was forced to halt online operations, including classes, as they worked to contain a security breach just a few weeks into the fall semester.
Why LMS breaches can be devastating
Each time a student or faculty member logs onto an LMS solution, a wealth of sensitive information about the user is stored, including the student’s name, address, emergency contact, and other information. Any penetration or breach of a LMS solution could well result in personally identifiable information, or PII, being stolen and sold on the Dark Web for profit. If a bad actor successfully breaches a LMS system, students and faculty could be subject to identity fraud.
LMS solutions, like any software-based system, require continuous testing. These platforms are not free of vulnerabilities, and the recent rise in cybercrime underscores the need for LMS solutions to take a proactive approach to security.
Leveraging ethical hackers to protect LMS systems
The business world is undergoing changes of tectonic proportions that are threatening the future of digital business. Traditional cybersecurity tools, such as scanners, cannot always ascertain what human cybercriminals may decide to do. It often takes a human touch to compete against an army of adversaries, and bug bounty programs that use ethical hackers can provide LMS platforms with an army of their own.
Crowdsourced bug bounty programs are like neighborhood watch programs, but for the internet. These programs are powerful because no company, no matter how vigilant, can defend all its potential vulnerabilities. Even worse, most companies lack the highly specialized cybersecurity expertise required to research, prioritize, and remediate all their cybersecurity vulnerabilities. Crowdsourced cybersecurity gives companies priority access to a global marketplace of on-demand, highly specialized cybersecurity experts who protect companies – like LMS solutions – from constantly evolving adversaries and attack methodologies.
Ethical hackers James McLean and Michael Skelton, who work with LMS customers, provided some interesting insights into their work with the LMS platforms.
Skelton points out that anyone can be an “ethical hacker,” and many times, even the students themselves “…can be armed to be LMS warriors — offering a new level of security for LMS solutions.”
“With ethical hackers, LMS solutions now have an extra pair of eyes on the product that you didn’t have before,” he continued.
“[Hackers] can say, ‘OK, I found something’ and either exploit it against the school or take it to a bug bounty company and potentially receive a reward for it,” said McLean. “These incentives allow many young hackers to choose the right path.”
“We find the vulnerability, build a proof of concept and then report it via a bug bounty platform,” added McLean. “Schools and LMS organizations must be open to taking our feedback and be dedicated to remedying the issue.”
When Skelton and McLean worked on one large LMS solution a few years back, they found several vulnerabilities that could well circulate on today’s LMS platforms. One such vulnerability was called a Cross-site Scripting (XSS), an injection attack whereby the attacker aims to execute malicious scripts in a web browser by including malicious code in a legitimate web application.
Similar to this are ransomware attacks with LMS solutions as an origin. This issue became known in mid-September following a recent spike in hackers targeting universities with ransomware attacks. In these situations, malicious actors not only demanded a significant bitcoin ransom from victims of attacks, but they have also threatened to leak stolen personal data of students if they are not paid.
Protecting the future of online learning
Today, keeping LMS solutions safe is of utmost importance for the hundreds of millions of university students worldwide. Bug bounty programs provide a continuous method for testing and finding vulnerabilities and should be used along with other cybersecurity safeguards.
Given the extraordinary situation we find ourselves in today due to COVID-19, many LMS organizations are taking a proactive approach to strengthening their cybersecurity posture. As such, bug bounty programs are becoming the “new normal,” ensuring that human ingenuity can work alongside AI and other technological solutions to find potential vulnerabilities and exploits.