Educause Security Discussion mailing list archives
Re: Cybersecurity Students
From: Greg Williams <gwillia5 () UCCS EDU>
Date: Thu, 4 Apr 2019 18:57:08 +0000
Hi Andrew, I am the former ISO for the university and I also currently teach "ethical hacking". I tell my students, you are absolutely not allowed to do use or attempt to use what you learn against our systems and others if you do not have authorization (which they don't). It is a violation of university policy and they are not authorized, which means they may be breaking Colorado/US law. There are plenty of safe environments for them to test their skills where they are authorized to do so. I provide these environments for them, or point out where they can go. Now if you have student employees, that is different and they would be supervised under someone that knows what is going on. Here's a quick reason why you shouldn't allow this. Several years ago, a computer science student - not mine - decided to try zmap. It took out the campus firewall and the entire university was down until we rebooted the firewall. It was an older firewall, not like the ones we have today. But the entire campus was taken down by a simple tool. It was not authorized. Also, how are you supposed to accurately go after real attacks if you are investigating what students are doing? I'm sure others will comment, but it's not a good idea in my opinion. If you need help with finding vulnerabilities team up with another university that you trust and ask their security department to help. Not students. They are too dangerous. Greg Williams, ME Director of Operations Office of Information Technology Faculty Department of Computer Science University of Colorado Colorado Springs 1420 Austin Bluffs Parkway, (EPC 136A) Colorado Springs, CO 80918 Phone: (719) 255-3292 Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams> www.uccs.edu<http://www.uccs.edu/> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pete, Andrew Sent: Thursday, April 4, 2019 11:45 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Cybersecurity Students Hi Everyone, I was brought on a little over a year ago to help improve the organization's overall security posture and build out an information security program. Historically, we have authorized our faculty to let students evaluate the security posture of our infrastructure as part of their teaching efforts. I have started an internal discussion around ceasing these types of activities by faculty and students for security reasons. I was curious what other institutions are doing in regards to this area? Thanks, Andrew Pete Information Security Architect New England Institute of Technology One New England Tech Boulevard East Greenwich, RI 02818-1205 401-780-4460 (Direct) apete () neit edu<mailto:apete () neit edu> [NEIT_Full_Stack_H_White_BG_PNG1]
Current thread:
- Cybersecurity Students Pete, Andrew (Apr 04)
- Re: Cybersecurity Students Greg Williams (Apr 04)
- Re: Cybersecurity Students Zachary Yamada (Apr 04)
- Re: Cybersecurity Students Frank Barton (Apr 04)
- Re: Cybersecurity Students Zachary Yamada (Apr 04)
- Re: Cybersecurity Students Burns, Denis (Apr 05)
- Re: Cybersecurity Students Nicholas Garigliano (Apr 05)
- Re: Cybersecurity Students Pete, Andrew (Apr 05)
- Re: Cybersecurity Students Brian Basgen (Apr 05)
- Re: Cybersecurity Students Bob Mahoney (Apr 05)
- Re: Cybersecurity Students Pete, Andrew (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)
- Re: Cybersecurity Students Greg Williams (Apr 04)
- Re: Cybersecurity Students Rob Milman (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)