Analysis of FPZ LMS system application Security auditing methods Methodology of FPZ LMS system protection Preliminary protection Database protection Protection within web application Implemented LMS protection against the most common forms of attacks

1. Security Audit and Mechanism of Protecting e-Learning System at the Faculty of Transport and Traffic Sciences Peraković, D., Remenar, V. Faculty of Transport and Traffic Sciences, Vukelićeva 4, 10000 Zagreb dragan.perakovic@fpz.hr, vladimir.remenar@fpz.hr IIS, Faculty of Organization and Informatics, Varaždin, 2007.

2. Keynotes Analysis of FPZ LMS system application Security auditing methods Methodology of FPZ LMS system protection Preliminary protection Database protection Protection within web application Implemented LMS protection against the most common forms of attacks Conclusion Questions IIS, Faculty of Organization and Informatics, Varaždin, 2007.

3. Analysis of FPZ LMS system Introduced in 2004 4800 students Times accessed: 145,000 Constant growth IIS, Faculty of Organization and Informatics, Varaždin, 2007.

4. Security auditing methods Auditing techniques Four techniques Manual Static Dynamic Fuzzing Penetration auditing Web application auditing Database auditing IIS, Faculty of Organization and Informatics, Varaždin, 2007.

5. Methodology of FPZ LMS system protection Preliminary protection Database protection Protection within web application IIS, Faculty of Organization and Informatics, Varaždin, 2007.

6. Preliminary and database protection Information-communication logical network topology Detailed planning of computer network File checking Format, size and anti virus checking Data encryption Custom built data encryption Database protection Separate database server, firewall protected User account access levels IIS, Faculty of Organization and Informatics, Varaždin, 2007.

7. Protection within web application Authorization levels Restricted access Following real system (Faculty) Seven levels Automatic logging off the system Open session problem Defined idle time Error management Errors not visible for low level users Custom error pages IIS, Faculty of Organization and Informatics, Varaždin, 2007.

8. Implemented LMS protection against most common attacks Brute force Frequent method for finding username and password Several methods for defense SQLinject Inserting SQL code into publicly accessible forms Filtering SQL specific characters and commands Cross-site scripting, XSS Cookie theft, session and identity hijacking Filtering specific characters IIS, Faculty of Organization and Informatics, Varaždin, 2007.

9. Implemented LMS protection against most common attacks Buffer overflow Inputting more data than application can process Data size checking on several levels Denial of service, DoS, DDoS Large amounts of false queries Using special tools like IDS, strange traffic detection 42.zip file Specially designed file, 42kb size, decompresses to 4PB Forbidding acceptance of exactly 42kb files, anti virus that recognizes this type of file IIS, Faculty of Organization and Informatics, Varaždin, 2007.

10. Conclusion Providing reliable operation, high level of data security Constant security auditing Expand security auditing and protection for all Faculty information systems Permanent education of teaching and non-teaching staff at the Faculty IIS, Faculty of Organization and Informatics, Varaždin, 2007.

11. Questions? IIS, Faculty of Organization and Informatics, Varaždin, 2007.