Educause Security Discussion mailing list archives

Re: Cybersecurity Students


From: Greg Williams <gwillia5 () UCCS EDU>
Date: Thu, 4 Apr 2019 18:57:08 +0000

Hi Andrew,

I am the former ISO for the university and I also currently teach "ethical hacking".  I tell my students, you are 
absolutely not allowed to use or attempt to use what you learn against our systems and others if you do not have 
authorization (which they don't).  It is a violation of university policy and they are not authorized, which means they 
may be breaking Colorado/US law.  There are plenty of safe environments for them to test their skills where they are 
authorized to do so.  I provide these environments for them, or point out where they can go.  Now if you have student 
employees, that is different and they would be supervised under someone that knows what is going on.

Here's a quick reason why you shouldn't allow this.  Several years ago, a computer science student - not mine - decided 
to try zmap.  It took out the campus firewall and the entire university was down until we rebooted the firewall.  It 
was an older firewall, not like the ones we have today.  But the entire campus was taken down by a simple tool.  It was 
not authorized.  Also, how are you supposed to accurately go after real attacks if you are investigating what students 
are doing?

I'm sure others will comment, but it's not a good idea in my opinion.  If you need help with finding vulnerabilities 
team up with another university that you trust and ask their security department to help.  Not students.  They are too 
dangerous.

Greg Williams, ME
Director of Operations
Office of Information Technology
Faculty
Department of Computer Science

University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pete, Andrew
Sent: Thursday, April 4, 2019 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cybersecurity Students

Hi Everyone,

I was brought on a little over a year ago to help improve the organization's overall security posture and build out an 
information security program.  Historically, we have authorized our faculty to let students evaluate the security 
posture of our infrastructure as part of their teaching efforts.  I have started an internal discussion around ceasing 
these types of activities by faculty and students for security reasons.  I was curious what other institutions are 
doing in regards to this area?

Thanks,

Andrew Pete
Information Security Architect

New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu
