Re: How do you handle students who attempt to exploit internal resources?

["Sadler, Connie" <Connie_Sadler () BROWN EDU>]

I would refer the matter to the Dean's Office. We have a good working
relationship with our Deans. And if you don't already have a policy
about this sort of thing, you might want to consider that for the
future.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC Director, IT Security, 
Brown University Box 1885, Providence, RI 02912 
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

-----Original Message-----
From: Ben Spencer [mailto:ben.spencer () MOODY EDU] 
Sent: Saturday, November 11, 2006 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you handle students who attempt to exploit
internal resources?

Recently we had an adventurous student who decided that he would try
some common web based exploits against our intranet website (which is
available on the internet). He came to us and informed us what he found.
Through the conversation, it was revealed that this action was
intentional.

He was let off knowing that we had other options but were not going to
pursue them. That was with the understanding that he would not continue
his activities.

Well, activities, though different now, continue. These second
activities apparently caused an outage of a public website.

How are these type of situations handled at your university? 

These things tend to depend on the specifics of the situation and I
intentionally left a lot of them out.

Benji
---
Benji Spencer
System Administrator
Ph: 312-329-2288