Hacking The SATs And ACTs – Expert Comments

Quentin Rhoads-Herrera
Director of Professional Services
InfoSec Expert
May 4, 2020

With reports that students might soon be able to take college admissions exams remotely due to the COVID-19 pandemic, one challenge that is being potentially overlooked and that needs serious vetting is security. Anything that is done online or remotely can be hacked, including the SATs and ACTs.

With educational institutions moving everything online due to COVID-19, there is a growing concern over hacking into their systems, which in some cases haven’t been updated in years due to a lack of budgets being directed for upgrading. In addition to the potential of outdated systems, security insight into their networks may also be limited, resulting in hacks that may go unnoticed for extended periods of time. In response, these institutions should be paying close attention to their more sensitive systems and allocating funds and resources to ensure their security. The following are just some ways this can be done:

1. Identify educational resources such as systems and applications that are critical or sensitive in nature.
2. Systems that are being leveraged for testing should be hosted on hardened systems per guidelines specified by the operating system vendor (e.g. Microsoft).
3. Applications that are being leveraged for testing should go through a complete and thorough security review to include penetration testing to ensure they cannot be easily compromised.
4. Implement Endpoint Protection tools and configure them in a way that allows for immediate alerting to suspicious activity on the host system.
5. Implement Web Application Firewalls for the applications being leveraged for tests and other critical/sensitive educational reasons.

In addition to hacking threats, these institutions also have to be concerned about cheating, especially with the SATs and ACTs being moved online. There are companies that do provide “secure browser” functionality, such as LockDown Browser, which aims to prevent students from accessing other resources on their machines, to include access to other browsers and even system functions. This effectively turns the student’s machine into a “secure” machine. However, with the growing number of devices that are internet capable, and the tech savviness of our youth, this is just one layer that can be easily defeated. If this is all a school is leveraging, all a student has to do is use their smartphone to google for answers, or even use a tablet. Some ways to prevent this have been used by various vendors and schools, but a short list is:

1. Require students to submit completed handwritten notes via image files for subjects like math.
2. Leverage video conferencing tools to keep a watchful eye on the student during the course (this has been recently implemented by a security vendor named Offensive Security for their Offensive Security Certified Professional exam).
3. Implement “honeypot” questions in exams that can easily be found on Google or other search engines that would catch a student cheating if they chose the answer that showed up.
4. Conduct sample exams in a controlled environment (video camera) to estimate the average exam time. With that average, scrutinize those students who finish in record-breaking times.
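
One way to turn list items 3 and 4 above into a manual-review queue, as an added example that is not part of the original comment. The question ids, decoy answers, timings, cutoffs and the blind-guess model for honeypot picks are all constructed assumptions.

```python
from math import comb
from statistics import mean, stdev

# Constructed data: minutes taken in proctored sample sittings (list item 4).
BASELINE_MINUTES = [172, 180, 165, 178, 185, 169, 175, 181]
# Constructed honeypot key (list item 3): question id -> the wrong answer
# planted where a search engine would surface it.
HONEYPOT_DECOYS = {"Q07": "C", "Q19": "A", "Q33": "D", "Q42": "B"}
CHOICES_PER_QUESTION = 4  # assumption: four-option multiple choice

def chance_of_hits(hits, total, p):
    """P(at least `hits` decoy picks out of `total`) if every pick were a blind guess."""
    return sum(comb(total, k) * p**k * (1 - p)**(total - k)
               for k in range(hits, total + 1))

def review(submission, z_cutoff=-3.0, p_cutoff=0.05):
    """Return the reasons a submission needs manual review (empty list = none)."""
    answers, minutes = submission["answers"], submission["minutes"]
    hits = sorted(q for q, d in HONEYPOT_DECOYS.items() if answers.get(q) == d)
    # A single decoy pick is often an honest wrong guess, so score the whole set.
    p_guess = chance_of_hits(len(hits), len(HONEYPOT_DECOYS), 1 / CHOICES_PER_QUESTION)
    # Standard score of this sitting against the proctored baseline.
    z = (minutes - mean(BASELINE_MINUTES)) / stdev(BASELINE_MINUTES)
    reasons = []
    if hits and p_guess < p_cutoff:
        reasons.append(("honeypot", hits, round(p_guess, 4)))
    if z <= z_cutoff:
        reasons.append(("too_fast", round(z, 1)))
    return reasons

# Constructed submissions.
SUBMISSIONS = {
    "student-a": {"minutes": 171, "answers": {"Q07": "B", "Q19": "A", "Q33": "C", "Q42": "D"}},
    "student-b": {"minutes": 168, "answers": {"Q07": "C", "Q19": "A", "Q33": "D", "Q42": "B"}},
    "student-c": {"minutes": 95, "answers": {"Q07": "B", "Q19": "C", "Q33": "A", "Q42": "D"}},
}

def flagged(submissions=SUBMISSIONS):
    """Map student id -> review reasons, for submissions with at least one reason."""
    return {sid: r for sid, s in submissions.items() if (r := review(s))}

if __name__ == "__main__":
    for sid, reasons in flagged().items():
        print(sid, reasons)
```

A flag here is a prompt for a human to look at the recording or notes, not a finding of cheating; with only four decoys, three hits still has about a 5% chance under blind guessing.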

