Unlocking website security

Posted by Steve Lay

As a product manager at Questionmark, one of the questions that I’m increasingly being asked is about support for specific versions of SSL and TLS. These abbreviations refer to successive versions of the encryption protocol underneath ‘https’ that keeps your web browsing secure: SSL 2.0 and 3.0 came first, and TLS 1.0, 1.1 and 1.2 are their more recent replacements. Questionmark’s OnDemand service no longer supports the older SSL protocol versions. To understand why, read on…

In this post I’ll focus on the privacy aspect of secure websites only: the extent to which communication is protected from eavesdroppers. Issues of trust are just as important, but I’ll have to discuss those in a future post.

Most browsers display a padlock icon by the web address or the site name to indicate that communication between your browser and the server is encrypted for privacy. Just as with real padlocks, though, there are stronger and weaker forms of encryption. The difference is too subtle for most browsers to show. In practice, browsers adopt a strategy of attempting to use the strongest type of encryption protocol they can, falling back to weaker methods if required. In Internet Explorer you can even configure these settings under the Advanced tab of your internet options:

As you can see, there are five different encryption protocols listed (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2), in increasing order of strength. Generally speaking, TLS is better than SSL and more recent versions of TLS are better still. Published attacks on these protocols typically enable someone who can see the network traffic to decrypt some, or even all, of the information passing over the ‘secure connection’. Someone who merely watches the traffic is an eavesdropper; someone who sits between your browser and the website, and can therefore also delay, drop or alter what passes through, is carrying out a ‘man in the middle attack’. It is this second, active position that the downgrade trick described below depends on.

If your browser always chooses the best encryption available, why would you want to configure the specific protocols it supports? Unfortunately, the very first part of the communication between your browser and the website is more vulnerable. The two systems have to agree on an encryption protocol to use before they can be truly private, and that agreement is itself exchanged in the clear. A man in the middle cannot read the encrypted traffic, but he can make the browser’s first, strongest handshake attempts fail, for example by simply dropping them. To the browser this looks like a faulty server, so it does what it was designed to do and falls back: it retries with the next weaker protocol, and then the next, until it reaches one the attacker knows how to break. By configuring your browser to support only stronger protocols, you remove the weak rungs from that ladder, so the fallback can never land on them and your browser is never tricked this way.

Here at Questionmark, we care about your security too! If a protocol like SSLv3 is considered vulnerable to interception, shouldn’t the server refuse to use it as well? Yes, it should: the negotiation can only end on a protocol that both sides accept, so a server that refuses SSLv3 protects even those users whose browsers would still fall back to it. In fact, we don’t support SSL versions 2 and 3 for this very reason.
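To make the negotiation, the browser’s fallback and the server-side fix concrete, here is an added example that is not part of the original post and contains no real TLS. It is a simplified model of the decision logic only: the `Server`, `Attacker` and `negotiate` names, the scenario data and the version labels are this example’s own constructions. It also goes one step beyond the post by modelling TLS_FALLBACK_SCSV, the downgrade-protection signal defined in RFC 7507, so that you can see why both sides refusing weak protocols matters.

```python
"""Added example (not from the original post): a simplified model of
protocol-version negotiation, the browser's fallback retries and a
man in the middle who forces a downgrade. No real TLS is involved;
the classes, function names and scenario data below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# The five protocols from the browser dialog, weakest first.
VERSIONS = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
RANK = {v: i for i, v in enumerate(VERSIONS)}


def strongest(versions) -> str:
    return max(versions, key=RANK.__getitem__)


@dataclass
class Server:
    supported: FrozenSet[str]           # versions the server will accept
    honors_fallback_scsv: bool = False  # understands the RFC 7507 fallback signal

    def respond(self, offered_max: str, is_fallback: bool) -> Optional[str]:
        """Pick the highest supported version not above the client's offer,
        or None (handshake failure) if there is no acceptable version."""
        acceptable = [v for v in self.supported if RANK[v] <= RANK[offered_max]]
        if not acceptable:
            return None
        # TLS_FALLBACK_SCSV: a retry that offers less than this server could do
        # is a sign of tampering, so an SCSV-aware server refuses it.
        if (self.honors_fallback_scsv and is_fallback
                and RANK[strongest(self.supported)] > RANK[offered_max]):
            return None
        return strongest(acceptable)


@dataclass
class Attacker:
    """Man in the middle who silently drops every handshake that offers a
    version above `block_above`. The browser only sees a failed connection."""
    block_above: str

    def relay(self, server: Server, offered_max: str, is_fallback: bool) -> Optional[str]:
        if RANK[offered_max] > RANK[self.block_above]:
            return None
        return server.respond(offered_max, is_fallback)


def negotiate(client_versions, server: Server, attacker: Optional[Attacker] = None,
              fallback: bool = True, send_scsv: bool = False
              ) -> Tuple[Optional[str], List[Tuple[str, Optional[str]]]]:
    """Client offers its strongest version; with `fallback` it retries with
    each weaker version it still accepts. Returns (agreed version or None,
    transcript of (offered, result) pairs)."""
    attempts = sorted(client_versions, key=RANK.__getitem__, reverse=True)
    if not fallback:
        attempts = attempts[:1]
    transcript = []
    for i, offered in enumerate(attempts):
        is_fallback = send_scsv and i > 0          # only retries carry the signal
        if attacker is None:
            result = server.respond(offered, is_fallback)
        else:
            result = attacker.relay(server, offered, is_fallback)
        transcript.append((offered, result))
        if result is not None:
            return result, transcript
    return None, transcript


def scenarios() -> dict:
    """Constructed scenarios: the post's situation, then each of the fixes."""
    modern = frozenset(VERSIONS[1:])              # SSL 3.0 .. TLS 1.2, no SSL 2.0
    full_server = Server(modern)
    downgrader = Attacker(block_above="SSL 3.0")
    return {
        "honest network": negotiate(modern, full_server)[0],
        "downgrade via fallback": negotiate(modern, full_server, downgrader)[0],
        "browser allows only TLS 1.2": negotiate(frozenset({"TLS 1.2"}), full_server, downgrader)[0],
        "server refuses SSL 3.0": negotiate(modern, Server(modern - {"SSL 3.0"}), downgrader)[0],
        "browser does not fall back": negotiate(modern, full_server, downgrader, fallback=False)[0],
        "both sides use FALLBACK_SCSV": negotiate(
            modern, Server(modern, honors_fallback_scsv=True), downgrader, send_scsv=True)[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30s} -> {outcome or 'connection fails'}")
```

Two things the model makes visible: the attacker never needs to read or forge anything, only to break the first attempts; and a standards-compliant server never needs the fallback at all, because a single handshake already settles on the best common version. The fallback exists only to cope with broken servers, which is exactly why removing weak protocols on either side, or signalling retries with TLS_FALLBACK_SCSV, closes the hole.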

For this blog post I’ve focused on the most visible aspect of the security protocol: the protocol version. In practice, there are lots of subtler settings in the way each protocol can be configured, most importantly which cryptographic algorithms (the ‘cipher suite’) the two sides agree to use. If you use Google’s Chrome browser you can click on the padlock to reveal information about connection security.

Notice that this connection uses TLS 1.2, but there is even more detail reported concerning the specific cryptographic algorithms used: the key exchange, the cipher itself and the message authentication code. Sites like www.ssllabs.com have almost 50 separate check points that they can report on for a public-facing secure website! Staying on top of all this configuration complexity is critical to keeping websites secure.
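The server-side counterpart of that padlock view is the configuration itself. The following added example, which is not code from the original post or from Questionmark, uses Python’s standard `ssl` module to build a server context configured the way this post describes (nothing older than TLS 1.2, forward-secret AEAD cipher suites only) and to audit any context for a few of the checks a scanner such as SSL Labs performs. It runs offline, inspecting the context rather than opening a socket; the `WEAK_TOKENS` policy list and the function names are this example’s own choices.

```python
"""Added example (not from the original post): build a server-side
ssl.SSLContext configured as the post describes (no SSL 2.0/3.0, no
TLS 1.0/1.1) and audit a context for a few of the checks a scanner such
as SSL Labs performs. Runs offline: no socket is opened, the audit only
inspects the context. Policy constants and function names are this
example's own choices."""
import ssl
from typing import Iterable, List

# Cipher-name fragments that should never appear in a modern configuration:
# RC4, single/triple DES, MD5 MACs, NULL encryption, export and anonymous suites.
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_server_context() -> ssl.SSLContext:
    """Server context matching the post: TLS 1.2 as the floor, forward-secret
    AEAD suites only (TLS 1.3 suites are configured separately by OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSL 2.0/3.0, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!PSK:!SRP")
    return ctx


def permissive_server_context() -> ssl.SSLContext:
    """The 'weak setting' for comparison: the lowest protocol version the
    library still supports and every cipher suite it knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def weak_cipher_names(names: Iterable[str]) -> List[str]:
    """Return the cipher names that contain a known-weak algorithm token."""
    return [n for n in names if any(tok in n for tok in WEAK_TOKENS)]


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Report configuration findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (SSL 3.0/TLS 1.0/1.1 may be negotiated)")
    # get_ciphers() lists the enabled suites; TLS 1.3 suites are fixed and
    # always forward-secret, so only the pre-1.3 suites need checking.
    legacy = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    weak = weak_cipher_names(legacy)
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak[:5]))
    no_fs = [n for n in legacy if not n.startswith(("ECDHE-", "DHE-"))]
    if no_fs:
        findings.append("suites without forward secrecy enabled: " + ", ".join(no_fs[:5]))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("permissive", permissive_server_context())):
        print(label, "->", audit(ctx) or ["no findings"])
```

To see what a live connection actually settled on, the same module exposes `version()` and `cipher()` on a wrapped socket, which report the same protocol and cipher suite that Chrome shows behind the padlock. Note that the permissive context’s findings depend on what the local OpenSSL build still ships: a library compiled without RC4 or 3DES will report fewer weak suites, which is itself a reminder that the audit must be run against the server you actually deploy.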

Unfortunately, sometimes strengthening security sacrifices compatibility with older browsers. For example, according to the latest SSL Labs handshake simulation results, Internet Explorer version 6 (running on Windows XP) is no longer able to negotiate a secure connection with our OnDemand service, because in its default configuration it offers only SSL 3.0.

In practice, an overwhelming majority of users use more modern browsers (or have access to one), so the web remains both secure and usable. Perhaps a greater cause for concern is older applications that are integrated with our APIs. It is just as important to keep these applications up to date. For example, applications that use older versions of Java, such as Java 6, or that have their Java runtime configuration options set inappropriately, might have problems communicating to the same high standards. If you are running a custom integration and are concerned about future compatibility, please get in touch.

This is a developing field. New ways of exploiting older protocols and cryptographic algorithms are being found by security researchers all the time, and the bad guys aren’t far behind. Our security specialists at Questionmark constantly monitor best practice and update the configuration of our OnDemand service to keep your communications safe.

Questionmark receives U.S. Army Certificate of Networthiness

Posted by Julie Delazyn

We’re proud to announce that the Questionmark Perception version 5 assessment management system has been awarded the Certificate of Networthiness (CoN # 201417177) by the U.S. Army Network Enterprise Technology Command.

What exactly does this mean?

The accreditation confirms that Questionmark’s assessment management system meets strict U.S. Army and Department of Defense (DoD) standards for security, compatibility, supportability and sustainability.

It also certifies that Questionmark Perception can be deployed for authoring, delivery and analysis of online quizzes, tests, exams and surveys while remaining compliant with U.S. military IT standards.

How significant is this?

The CoN accreditation is required by all enterprise software products functioning within the U.S. Army Enterprise Infrastructure Network. This accreditation applies to the entire U.S. Army, including Army Reserve, National Guard and some DoD organizations.


How do military organizations use Questionmark assessment management technologies?

Military organizations use Questionmark technologies for a range of assessment solutions including:

  • advancement exams
  • medical training
  • job-task analyses
  • post-course exams for distance learning
  • testing for pilots and aircraft engineers

Questionmark is listed with the U.S. General Services Administration (GSA) federal supply list as a provider of testing and assessment technologies and services (contract number is GS-35F-0380Y). This covers Questionmark Perception software, training, consultancy and support.

How important is security for Questionmark?

It’s a top priority, as explained in this video:

Security

4 Tips for protecting the security of intellectual property

The integrity of your tests and test questions is integral to upholding your reputation and standards, as Questionmark Chairman John Kleeman points out in his post: It takes 20 years to build a reputation and five minutes to ruin it.

I have put together four tips to help ensure the security of your intellectual property. To find out more about deploying assessments safely, securely and successfully you can download this complimentary white paper: Delivering Assessments Safely and Securely.

1) Create and administer multiple test forms: Rather than having only one form of the assessment being administered, deliver multiple forms of the same exam to help limit item exposure. If one exam form is breached, the other exam forms can stay in circulation.

2) Restrict and control administration of beta test items: Beta testing questions is an important part of high-stakes assessment, ensuring the psychometric quality of questions before they appear on actual assessments. However, it is important to have a well conceptualized beta test model that limits the exposure of newly developed questions to participants. Beta test questions must be administered in secure environments, in similar conditions to the actual exam. This prevents the exposure of new questions before they appear on an actual assessment. Some rejected beta test questions could be considered for use in exam prep materials.

3) Update exam forms periodically: Letting exam forms become stale can over-expose questions to participants, increasing the likelihood of IP theft. Periodically updating exam forms (e.g., annually) can help limit the exposure of questions. Consider retiring old exam forms and turning them into exam prep materials that can be sold to participants.

4) Produce exam prep materials: Making exam prep materials available to participants before an assessment helps dissuade participants from trying to obtain exam questions via illegal means as they will have access to the type of questions that will be asked on the actual assessment.

To Your Health! What assessments do regulators require?

John Kleeman HeadshotPosted by John Kleeman

In Questionmark’s white paper, The Role of Assessments in Mitigating Risk for Financial Services Organizations, we shared advice and requirements from financial services regulators about compliance-related testing for employees.

Do health care regulators also advise or require companies to test their employees to check understanding?

The answer is yes, and here are some examples.

The World Health Organization (WHO) states in its principles for good manufacturing practices for pharmaceutical products:

“Continuing training should also be given, and its practical effectiveness periodically assessed.”

WHO guidance also states:

“If training is conducted to achieve a goal, it is reasonable to ask if the goals of the organization’s training programme and the specific training course have been attained or not. Assessment and evaluation are conducted to determine if the goals have been met.”


The European Commission directive 2005/62/EC requires for organizations handling blood that

“Training programmes shall be in place and shall include good practice. The contents of training programmes shall be periodically assessed and the competence of personnel evaluated regularly.”

The US Department of Health and Human Services in its Compliance Program Guidance for Medicare Contractors states:

“Contractors should consider using tests or other mechanisms to determine the trainees’ comprehension of the training concepts presented.”

Also in the US, the Pharmacy Compounding Accreditation Board (PCAB) gives guidance that

“The pharmacy has SOPs for educating, training, and assessing the competencies of all compounding personnel on an ongoing basis, including documentation that compounding personnel is trained on SOPs.”

Just like in financial services, health care regulators strongly encourage and in some cases require that regulated organizations test their employees to ensure that they have understood training and that they are competent to do their jobs.

One thing health care regulators emphasize more than those overseeing financial services is the merit of giving observational assessments as well as knowledge tests, presumably because skills are often more practical. For example PCAB guidance says that:

“Staff competency can be evaluated by a combination of … direct observation … written tests [and] … other quality control activities”

Previously, in this series on assessments in health care, I’ve covered good practice in competency testing in the health care industry and shared analysis of why errors are made and how testing can help. I hope these examples of regulator guidance and requirements are also useful.

Cutting the ribbon at the Questionmark European Data Center

Posted by John Kleeman

I’m pleased to let you know we have just opened a European data center for our Questionmark OnDemand service, a scalable, flexible assessment SaaS solution with available 24/7 support. The new data center gives European Questionmark OnDemand customers a highly secure place to keep their assessment data within the European Union.

Basic protections include:

  • Physical security with 24/7 guards and CCTV
  • Fire suppression with 24×7 environmental monitoring
  • N+1 redundant heating / air conditioning system
  • Power feeds from multiple providers, battery UPSs and on-site generators
  • Diverse and scalable Internet connections to multiple carriers

But being an assessment company, certification is also very important for us, as is adherence to appropriate security standards for our customers throughout the world.

In the US, most data centers are certified to a standard called SSAE 16. This standard (which replaced the earlier SAS 70) is controlled by the AICPA – American Institute of Certified Public Accountants – and looking at a data center’s SSAE 16 report is a useful way of checking its security and standards.

But in Europe, SSAE 16 is little used; instead reputable data centers are usually certified to an ISO (International Organization for Standardization) standard, ISO 27001. ISO 27001 is an information security standard which requires you to assess risks and then set up controls to treat them. Like SSAE 16, ISO 27001 is certified by an independent auditor. Questionmark’s new European data center is not only ISO 27001 certified, but also certified to another important ISO standard, ISO 9001. ISO 9001 is a quality management standard and shows that an organization has strong quality processes in place.

It’s wonderful to have the European data center providing robust and scalable assessment delivery together with the highest levels of security and data protection. We thought of breaking a bottle of top-quality Champagne on the computers, but figured it might be safer to cut some ribbon! In the picture below, you can see me and our VP of Sales Che Osborne cutting the ribbon to formally open the data center.

Click here for more information on Questionmark OnDemand.

Candidate Agreements: Establishing honor codes for test takers

Posted by Julie Delazyn

With schools, colleges and universities now fully launched into a new academic year, it’s certainly testing season!

The security of test results is crucial to the validity of test scores – something we explored in a previous post. Today, I’d like to look at another helpful tool for promoting secure and fair tests: the candidate agreement or examination honor code.

These agreements outline what is expected of test takers. They present a code of conduct that test takers must agree to before they start an assessment. This can be done on paper or electronically before an online exam begins. When participants sign the code, they’re consciously acknowledging the rules and the repercussions of cheating. Such codes apply to all types of high-stakes testing, such as certification tests.

What expectations should you include in a candidate agreement? Here are some to consider:

  • The candidate must abide by the rules of the test center, organization, or program
  • The candidate will not provide false ID or false papers
  • The candidate cannot take the test on behalf of someone else
  • The candidate will not engage in cheating in any form
  • The candidate will not help others cheat
  • The candidate will not use aids that are not allowed
  • The candidate will not solicit someone else to take the test
  • The candidate will not cause a disturbance in the testing center
  • The candidate will not tamper with the test center in any way
  • The candidate will not share information about the assessment content they saw (non-disclosure agreement)
  • The test vendor will have the option to terminate the assessment if suspicious behavior is detected

If you’d like more details about these and other tips on ensuring the security and defensibility of your assessments you can download our white paper, “Delivering Assessments Safely and Securely.”