Security Audit and Mechanism of Protecting e-Learning System at the Faculty of Transport and Traffic SciencesPeraković, D., Remenar, V.Faculty of Transport and Traffic Sciences, Vukelićeva 4, 10000 Zagrebdragan.perakovic@fpz.hr, vladimir.remenar@fpz.hrIIS, Faculty of Organization and Informatics, Varaždin, 2007.

KeynotesAnalysis of FPZ LMS system applicationSecurity auditing methodsMethodology of FPZ LMS system protectionPreliminary protectionDatabase protectionProtection within web applicationImplemented LMS protection against the most common forms of attacksConclusionQuestionsIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Analysis of FPZ LMS systemIntroduced in 20044800 studentsTimes accessed: 145,000Constant growthIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Security auditing methodsAuditing techniquesFour techniquesManualStaticDynamicFuzzingPenetration auditingWeb application auditingDatabase auditingIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Methodology of FPZ LMS system protectionPreliminary protectionDatabase protectionProtection within web applicationIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Preliminary and database protectionInformation-communication logical network topologyDetailed planning of computer networkFile checkingFormat, size and anti virus checkingData encryptionCustom built data encryptionDatabase protectionSeparate database server, firewall protectedUser account access levelsIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Protection within web applicationAuthorization levelsRestricted accessFollowing real system (Faculty)Seven levelsAutomatic logging off the systemOpen session problemDefined idle time Error managementErrors not visible for low level usersCustom error pagesIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Implemented LMS protection against most common attacksBrute forceFrequent method for finding username and passwordSeveral methods for defenseSQLinjectInserting SQL code into publicly accessible formsFiltering SQL specific characters and commands Cross-site scripting, XSSCookie theft, session and identity hijackingFiltering specific charactersIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Implemented LMS protection against most common attacksBuffer overflowInputting more data than application can processData size checking on several levelsDenial of service, DoS, DDoSLarge amounts of false queriesUsing special tools like IDS, strange traffic detection42.zip fileSpecially designed file, 42kb size, decompresses to 4PBForbidding acceptance of exactly 42kb files, anti virus that recognizes this type of fileIIS, Faculty of Organization and Informatics, Varaždin, 2007.

ConclusionProviding reliable operation, high level of data securityConstant security auditingExpand security auditing and protection for all Faculty information systemsPermanent education of teaching and non-teaching staff at the FacultyIIS, Faculty of Organization and Informatics, Varaždin, 2007.

Questions?IIS, Faculty of Organization and Informatics, Varaždin, 2007.