Saturday, December 9, 2023

The Evolution Of The Online SAT: 3 Cyber Risks You Need To Know

 


As I reflect back on my days while growing up, I often reflect back on how I made it through high school, college, and even grad school without Google, or even a smartphone.  But we did it the old-fashioned way, and that was using the Funk and Wagnalls Encyclopedias, and going to the library every day.  Neve did I realize back then (or for that matter anybody, really) that things like Azure or ChatGPT would come into existence.

But one nemesis I had back in high school was that good ‘ole SAT.  I have never done well on standardized tests, and so I ended up taking it like three times, but still never did very good at it.  By good fortune and the grace of God, I was still able  to get into Purdue. 

Back then, we had to report to our school, show some kind of ID, sit down, and take the tests with our number 2 pencils.  Then we had to wait patiently for the next six weeks until we got our results back.  But now, the SAT is starting to be offered online, and will be totally that way starting in 2024. 

The main trigger point for this was the COVID-19 pandemic when test takers had to take the SAT at home.

Along with the advantages of taking it online, come the risks as well, especially from the standpoint of Cybersecurity.  Here is what is at stake:

1)     BYOD:

This is an acronym that stands for “Bring Your Own Device”.  This is where businesses would let their employees do their daily job tasks, straight from their own, personal device.  Again, this peaked during the COVID-19 crisis, as many companies simply were not prepared at the time to issue company devices.  One of the biggest security risks here is that very often these devices do not offer the same level of protection, because many people simply just do not install all of the needed stuff.  So, data leakages are quite common, and are a top prey for the Cyberattacker.  Quite surprisingly, the College Board (the creators and administrators of the SAT) now allow high schoolers to bring their own smartphone, tablet, notebook, etc.  to take the exam  online.  But if the student cannot afford a smartphone, one will be provided to them.  When I took the SAT, nothing was allowed except your ID and pencils.  Not even  a bottle of water.  If you were caught in anything, you were immediately thrown out.  So by letting then use their own device, who is to say that they won’t have materials on their smartphone  to help them cheat?  Obviously, the exam proctors can’t inspect these personal devices, as violation of privacy rights will abound greatly.

2)     The Network Security:

By now having it all online, the school is going to have to make doubly sure that they have the required bandwidth to support the test taking day.  It has been estimated that each student will need at least 100 Kkps of bandwidth to start and end the test.  Now imagine if there were hundreds of students taking this exam all at the same time?  Not only will this lead to slower load times of the online SAT, but it may cause the students to take a lot longer than the allotted to finish it.  Also, slower networks are a backdoor for the Cyberattacker.  For example, with this kind of throughput, the Cyberattacker can get a closer look  into the integrity of the network traffic, determine where the weak spots are at, and from  there, insert the malicious payload.  Another downside here is that high schools often have very limited budgets for doing IT stuff.  As a result, they may try to cut corners in order to accommodate this increased bandwidth need, but once again, this will create more holes for  the Cyberattacker to penetrate  into.

3)     The students themselves:

When we think of a Cyberattacker, we have the image of a person in a dark room in front of a computer with a hoodie, in some foreign country.  But the truth of the matter is that even the high school students themselves could be hackers.  For example, on the Dark Web, there are many “as a Service” offerings that a student can buy for pennies on the dollar.  Many of these services are those that offer launching a Cyberattack on behalf of the purchaser.  It takes very little technical skill and time to do this, so it is a very attractive option for anybody that is bent on doing damage in the digital sense.  The fear now is that on the scheduled day for an SAT, a student could pay for one of these services to launch a Ransomware or even DDoS attack in order to further move back the test date, thus greatly affecting the college application and financial aid process for the test takers.

My Thoughts On This:

In order to level the playing field equally to all students, and to offer the maximum amount of protection from all fronts, schools should consider administering the SAT in a Cloud based environment, such as that of Microsoft Azure.  For example, the school can create a virtual desktop environment for all of the test takers, and once the test administering is done,  these virtual desktops can then be deleted.

IMHO, this is a very affordable and efficient manner in which to deploy the SAT for everybody.  Of course, the details of this kind of infrastructure will vary, depending upon the needs and security requirements of each and every high school.

But whatever happens, we must come to accept that these are the consequences of moving to a 100%, digital based environment.  It sort of goes back to my blog from yesterday, where I wrote about Cyberwarfare: How can one discriminate between a civilian and an enemy combatant when the battle ground is completely digital??  Likewise, how do we know if the students are for real when they take the online version of the SAT??

These are some tough obstacles that will have to be overcome.  More information about the online SAT can be found at this link:

https://newsroom.collegeboard.org/digital-sat-brings-student-friendly-changes-test-experience

 

 

No comments:

Post a Comment

Why Students From K-12 Are So Vulnerable In Becoming A Cyber Victim

  Whenever we hear about a Cyberattack or a security breach, we often think that the entity involved is a Fortune 500 company, or even a hea...