Cyber threats are on the rise. In 2019, Accenture noted a 67% increase in security breaches over the previous five years. While typical LMS data is not a typical target for cyber criminals, it is advisable to stay generally aware of the various types of security threats and protections associated with your Learning Management System. No system is completely invulnerable, but Accord has built a suite of protections which combine policies and technology. This protective shield has repeatedly proven itself successful at warding off cyber attacks and protecting client data.
"Online security has always stood as a top priority for Accord. Engineers who created the Accord LMS specifically designed the product to meet rigid security standards. Accord’s hosted customers are protected with a variety of modern security policies, hardware and software. These policies are enforced through the installation, maintenance and monitoring of proven security platforms and policies."
- Synopsis, Accord Security Policies Document
This article discusses a few issues of concern in the interest of sharing how your LMS is protected from these threats. There are also a few tips on things you might implement to help make your own system more secure. If you are concerned about your overall LMS system security, please contact your IT department or consult with a cyber security firm for more detailed information. Accord will be happy to discuss our security model in detail with the appropriate technical team.
Understanding the External Threat
Many of us think of security threats in terms of mysterious hackers trying to break into our computers from a shadowy lair. Sometimes this may be the case, but it can also be a modern data center anywhere in the world dedicated to the task. External threats tend to be malicious and intentional. We broadly group these types of external threats into the category of Cyber Attacks and Data Breaches.
Cyber Attacks are generally an attempt by cybercriminals to gain illegal access to a system or data stored on a computer or network. The intent may be to steal valuable data, install malicious code or simply hijack the server for their own purposes. Sometimes an attack is a deliberate attempt to prevent a site from being able to function.
A data breach is essentially information accessed without the proper authorization. This can be due to a cyber attack but may also be attributed to poor internal LMS security. The specific type of damage incurred through a data breach is dependent upon the sensitivity of any data stored on the system. For example, a site which stores credit card information, PII, or PHI is at far greater risk than a system which does not. In general, any system which does not need to store sensitive information as a primary function should not do so.
The Accord LMS is designed to deliver, track and store training records. While the Accord LMS does not require any sensitive personal information, our clients can customize the Learner Profile Properties. It is possible to store sensitive information in the Accord LMS should any clients choose to do so.
Mitigating the Threat
There are several different ways that your LMS system and its data could theoretically be threatened. The good news is that few malicious actors are eager to steal quiz scores. The bad news is that your LMS could become an incidental target. Hackers may stumble upon your LMS as part of your larger domain, making it part of a broader attack. Your LMS may also be targeted blindly. Fortunately, Accord has taken assertive measures to counter these types of attacks.
One of the greatest vulnerabilities with any system is the user’s own computer. Attacking a local laptop, desktop or mobile device can be an effective way to get deeper access to a server. It is important to make sure that your users follow the guidelines established by your IT department. An important measure is to ensure that all software is updated as soon as possible whenever any security patch is released. This becomes especially relevant for browsers and anti-malware tools.
An Accord LMS user is identified by a combination of username and password. Passwords frequently become the chosen target for hackers. The Accord LMS stores passwords as salted hashes. This means that once a password has been stored in our database, there is no method to reconstruct it from the stored value; the password is irretrievable, both by Accord and by any malicious actor. Any passwords generated by the Accord LMS during implementation are strong and unique.
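The salted-hash scheme described above, as an added illustration (not Accord's own code): each password gets a fresh random salt, only the derived hash is stored, and verification recomputes the hash rather than ever recovering the password. The function names and the `pbkdf2_sha256$iterations$salt$hash` record layout are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 with a high iteration count slows down offline guessing
# if the stored records are ever exposed (600k is current OWASP guidance).
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; the plaintext never appears in it."""
    if salt is None:
        salt = os.urandom(16)  # unique per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; there is no way to 'decrypt' the record."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, treat as a failed login
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def records_differ_for_same_password(password: str) -> bool:
    """Two enrolments of the same password must not produce identical records."""
    return hash_password(password) != hash_password(password)
```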
Passwords should be both strong and unique for each system a person uses. For example, it is risky to use the same password for your online banking and Netflix account. Remembering so many challenging passwords can be daunting if not impossible in today’s world. Some people will keep lists of passwords in their desk or even in a file on their computer. At Accord we’ve come across examples where hackers will gain access to a server by first hacking a local PC to find the notepad file where a user keeps a list of passwords.
Fortunately, you can enlist the aid of a secure password vault such as Keeper or Lastpass. These tools provide a central and secure repository for user passwords, making it easy to maintain strong and unique passwords. Having access to a secure password vault eliminates the need for your system users to keep unsecure password lists.
Not all vulnerabilities are tied to external threats. Many systems have a limited number of administrative account types. This can frequently lead to providing more permissions than necessary to a given employee, so that they may perform their assigned LMS admin duties. These permissions can expose either data or functionality, potentially allowing them to affect users or data beyond their allowed scope of authority.
The Accord LMS has a sophisticated custom administration model which limits authority in two dimensions. Whenever necessary, a new administrator type can be created which allows only specific types of administrative permissions. In addition to these Admin-Type limitations, an administrator can be assigned those administrative privileges within one or more Teams. The combination of the restrictions applied to a given Team and the authorities granted through the administrator's Admin-Type ensures that each administrator holds only the permissions necessary to conduct their duly-authorized LMS tasks. Combining these methods helps keep your system and its data safe.
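A model of the two-dimensional check described above, added here as an example and not Accord's implementation: a request is granted only when the Admin-Type carries the permission AND the target Team is within the administrator's assigned scope. The `AdminType`, `Administrator` and `authorize` names, the permission strings and the sample data are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class AdminType:
    """Dimension 1: which kinds of administrative actions are allowed at all."""
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class Administrator:
    """Dimension 2: the Teams within which those permissions may be exercised."""
    username: str
    admin_type: AdminType
    teams: FrozenSet[str]


def authorize(admin: Administrator, permission: str, team: str) -> Tuple[bool, str]:
    """Return (granted, reason). The reason is what you would write to an audit log."""
    if permission not in admin.admin_type.permissions:
        return False, f"{admin.username}: '{permission}' not in Admin-Type '{admin.admin_type.name}'"
    if team not in admin.teams:
        return False, f"{admin.username}: Team '{team}' outside assigned scope"
    return True, f"{admin.username}: '{permission}' granted on Team '{team}'"


def effective_scope(admin: Administrator) -> FrozenSet[Tuple[str, str]]:
    """Every (permission, team) pair the administrator can actually exercise."""
    return frozenset((p, t) for p in admin.admin_type.permissions for t in admin.teams)


# Constructed sample Admin-Types and administrators.
REPORT_VIEWER = AdminType("Report Viewer", frozenset({"view_reports"}))
ENROLLER = AdminType("Enroller", frozenset({"view_reports", "enroll_learner"}))

ALICE = Administrator("alice", REPORT_VIEWER, frozenset({"Sales"}))
BOB = Administrator("bob", ENROLLER, frozenset({"Sales", "Support"}))
```

Because the two dimensions are independent, widening a Team assignment never adds new kinds of actions, and adding a permission to an Admin-Type never widens the Teams it applies to.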
Data Location – Secure Server Facility
Physical security for cloud computers is generally not a concern within the industry. Accord SaaS clients are accessing servers stored in a Canadian facility which specializes in large scale server hosting. This facility features robust physical security and limited access. The data is also striped across several drives, making it impossible for any single physical drive to provide access to any data. For example, a discarded hard drive cannot be mounted on another system to retrieve any client data.
Transport Layer Security; aka End-to-End Protection
Accord provides each client, free of charge, an LMS security certificate which allows us to provide end-to-end data encryption between your browser and our server, protecting your information as it passes across the internet. Although these certificates are usually referred to as SSL Certificates, they enable us to utilize the current state of the art TLS 1.2 encryption.
Protecting Data On the Hard Drive - Encryption at Rest
In the remarkably unlikely event that a malicious actor gains access to an Accord LMS server hard drive, there is a chance they could locate the LMS data files, which could expose user data. As discussed earlier, most LMS implementations do not store sensitive data within the LMS. In any case where it becomes necessary to store sensitive user data, Accord offers an optional service which should be considered, called Encryption at Rest. Encryption at Rest encrypts all user data within the LMS to increase its security. Encrypted data cannot be decoded without the decryption key or a very difficult decryption method. Encryption at Rest specifically encrypts user records, but does not encrypt Learning Elements, uploaded files, images, etc.
Direct Attacks – Pridwen
It is not uncommon for hackers to probe various systems looking for vulnerabilities. Forbes reports that, as of mid-April 2020, the FBI’s Internet Crime Complaint Center received 3,000 – 4,000 complaints per day. Accord has developed a proprietary shield called Pridwen to detect potential intrusions and shut them down before they gain access. In this blog article we do not discuss the particular details of this technology, but feel free to ask your Accord Sales Team for further general information.
Any Internet server ecosystem has a wide range of software which contributes to its overall functionality. A common vulnerability arises when software is not updated on a regular basis. Just as your team should ensure that your clients' computers are properly updated, the Accord Team makes sure that our servers are continually updated with the most recent patches. This policy is defined in the Accord Security Policies document.
Should there be a destructive LMS security breach event, Accord can restore system data to the most recent backup. Each week we capture a full Disaster recovery backup of each customer site on our SaaS servers. Incremental backups containing any changes from the last full backup are taken daily. This recovery process effectively protects our clients against a worst-case scenario event.
Cyber threats are a reality of modern life. The Accord LMS is protected by an array of technological solutions and information security policies which work together to provide reliable security for our systems while simultaneously protecting client data from cyber attacks and data breaches. These protections, in partnership with robust endpoint security provided by each client, help greatly mitigate any potential risk from malicious actors.
If you have any questions about Learning Management Security when using the Accord LMS, please contact your Accord Sales Team or Solutions Engineer. If you aren't yet a customer, our Learning Management professionals would be happy to discuss your project and help you evaluate the Accord LMS as a valuable tool in your online learning strategy.