System & Data Security
Dual Code takes all reasonable precautions to safeguard customer data maintained on our servers and to protect the system against unauthorized use or tampering. We have adopted OWASP recommendations within our organization to ensure that our learning environment, including all customizations, enhancements and third-party plug-ins, is secure. The following are just some of the system and data security measures that we support.
Dual Code has partnered with large carriers to ensure the highest level of security and availability of our systems. Our hardware and network equipment are managed by our partners in their world-class data centers, allowing Dual Code to focus on what we do best: design and develop innovative, custom eLearning solutions.
Servers are protected using Two-Factor Authentication for web access. In addition to their username and password, server administrators are required to enter a unique 6-digit code that expires every 30 seconds as part of this 2-step verification process.
Remote shell access is only allowed over Secure Shell (SSH) using public/private key authentication. Password authentication is disabled.
Our software meets requirements specified in the OWASP Top 10 list. We have also adopted OWASP recommendations as part of our software development process for any customizations and enhancements made to Moodle.
Firewall and Intrusion Prevention
Dual Code servers are protected by firewalls and intrusion prevention software that guard against hosts attempting to breach the system’s security. All non-essential ports are blocked, and the intrusion prevention software automatically updates firewall rules to reject IP addresses that show malicious signs such as multiple failed login attempts. Antivirus software scans all uploaded files to detect trojans, viruses, malware and other malicious threats.
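The "multiple failed login attempts" trigger above is the classic sliding-window rule. As an added example (not Dual Code's software), this detector counts failed logins per source address within a time window and returns the addresses that should be rejected, along with when the ban expires; the log lines, threshold and durations are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not real Dual Code logs).
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd: Failed password for invalid user admin from 203.0.113.7
2024-01-15T10:00:03 sshd: Failed password for invalid user admin from 203.0.113.7
2024-01-15T10:00:04 sshd: Accepted publickey for deploy from 198.51.100.20
2024-01-15T10:00:05 sshd: Failed password for root from 203.0.113.7
2024-01-15T10:00:06 sshd: Failed password for root from 203.0.113.7
2024-01-15T10:00:08 sshd: Failed password for root from 203.0.113.7
2024-01-15T10:03:00 sshd: Failed password for root from 192.0.2.9
2024-01-15T10:20:00 sshd: Failed password for root from 192.0.2.9
"""

FAILED = re.compile(r"^(\S+) sshd: Failed password for .* from (\d+\.\d+\.\d+\.\d+)$")


def ips_to_block(log_text, max_failures=5, window=timedelta(minutes=10),
                 ban_time=timedelta(hours=1)):
    """Return {ip: banned_until} for every source address that accumulated
    `max_failures` failed logins inside a sliding `window`.

    Failures older than the window are discarded, so two slow attempts far apart
    do not trigger a ban; an address is only ever banned once per run.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m.group(2) in blocked:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts + ban_time
    return blocked


if __name__ == "__main__":
    for ip, until in ips_to_block(SAMPLE_LOG).items():
        print(f"reject {ip} until {until.isoformat()}")
```

Whether a blocked address is fed to a firewall as a reject rule or only reported to an analyst is a deployment choice; the decision logic is the same.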
In addition to the IPS (Intrusion Prevention System), the Dual Code system has an anomaly-based IDS (Intrusion Detection System) that detects misuse by monitoring user activity and classifying it as either normal or anomalous. The classification is based on rules and attempts to detect any type of misuse that falls out of normal system usage. The IDS provides a second line of defense to detect anomalous traffic from users who may have a valid account on the system.
Data at rest is encrypted with a data key using an industry-standard AES-256 algorithm.
Data in transit is protected using TLS 1.2 or greater and high-grade encryption (256 bit), thereby making it virtually impossible for unauthorized people to view information traveling between computers over the Internet.
By default, the system requires that each user authenticates with a unique username and password combination. If self-registration is enabled, meaning users can create their own accounts, Dual Code can restrict new users to email addresses that match a particular domain.
The system can also allow “guests”, or anonymous users, a feature that may be useful to some clients.
By default, the system supports 5 user roles, each with different permission levels: Manager, Course Creator, Trainer, Read-only Trainer, and Student. Existing roles can be customized and additional roles can be created.
The system allows administrators to create user groups to represent business units, departments, or geographically dispersed teams. Students and managers that belong to a user group can only see students that belong to that same group.
Password Encryption and Policies
All user passwords are encrypted in the database.
Customers can define their own password policies. For example, a customer can require that each password be at least 8 characters long and contain at least 1 digit and 1 non-alphanumeric character.
The system also allows users to reset their passwords and have the system email them the result should they ever forget it.
Stored Data and Course Files
Each client has their own private database installed on the system, thereby ensuring the highest level of security. Course files are stored on a system partition that is not available from the Internet. The only way to load the courses is through secure Web pages that authenticate every single request.
Dual Code uses shred, a Unix command that overwrites a file's contents before it is deleted, to securely remove files from the storage hardware.
To further restrict access to certain courses, a trainer can optionally set an enrolment key. When doing so, students will be required to enter this secret key prior to enrolling in the course. Users who do not have the key cannot access any of the files for that specific course.
The system keeps a detailed audit trail that administrators can view through the Web-based user interface. The LMS records the action that took place, the date and time, the IP address of the computer that initiated the request, and the title of the course affected by the request.