Course Site Security: Outline

Guidelines
*generalized - for most courses
 - simple for most users
 - light security, suitable for grades, contact info

*specialized - for unusual cases
 - need justification for use - case by case
 - when do you need enhanced security?
 - degree of security - we only handle moderate

*security issues - system
 - is this our problem?
 - maybe advise sys admin
 - generally, if we see a glaring problem, mention it.
 - primarily concerned with site security, but does relate to system.

1. why
fair use guidelines
protect copyright
privacy issues - i.e. grades
promote unconstrained discourse (freely discuss)
information much easier to misuse online (already digitized)
monitor use/misuse (server logs)
prevent hacking (malicious changing of content, i.e. on a forum)

2. what
published works
personal information (i.e. contact info, grades)
syllabus
system itself from malicious hacking
 -cgi allows user to run a program on your machine
  *constraints on cgi-bin
 -software vulnerabilities (NT bug, etc.)

3. how
WebCT built-in security
-probably good enough for conceivable uses
security for non-WebCT courses
-evaluate a few

IP address - easy to do, easy to spoof
-like internal page at sims, access w/in domain, password w/out

server side authentication
client side (easy to spoof) http://passwords.javascriptsource.com/
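
Added example (not part of the original outline): a sketch of the "access w/in domain, password w/out" rule with the whole decision made on the server, so nothing depends on a script running in the browser. The address range, group name, password and the function names are constructed for illustration, and the headers are assumed to arrive as a plain dict.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample values: a documentation address range stands in for the
# campus domain, and the group name and password are made up.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SALT = b"constructed-salt"

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)

# Only the hash is stored on the server, never the password itself.
GROUPS = {"course101": hash_password("constructed-group-password")}

def parse_basic(header):
    """Return (user, password) from an HTTP Basic Authorization value, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_access(peer_addr, headers):
    """Server-side decision: 'allow-network', 'allow-password' or 'deny'."""
    # Trust only the peer address the server itself observed on the connection.
    # Client-supplied headers such as X-Forwarded-For are ignored on purpose.
    try:
        addr = ipaddress.ip_address(peer_addr)
        if any(addr in net for net in CAMPUS_NETS):
            return "allow-network"
    except ValueError:
        return "deny"
    # Outside the domain: require a password. Basic credentials are only
    # base64-encoded, so this exchange needs to run over HTTPS.
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return "deny"
    user, password = creds
    stored = GROUPS.get(user)
    supplied = hash_password(password)  # computed even for unknown groups
    if stored is not None and hmac.compare_digest(stored, supplied):
        return "allow-password"
    return "deny"
```

The address check is the light-security convenience the outline describes; anything sensitive, such as grades, should go through the password branch for every user.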

Firewalls & Proxy servers
-hardware/software solutions

packaged solutions
-cost?
-complexity

4. Users
general passwords for groups
personal passwords for individuals
-administration - who? TA or Prof

Policies
- not giving out passwords or access to protected pages
-have users sign agreement (check w/ university for validity)

Procedures?
-what to do if compromised http://www.iss.net/vd/compromise.html
-testing - see how easy it is to compromise network
-evaluation of data - sensitivity of data, consequences of hacking