Educause Security Discussion mailing list archives

Re: Cybersecurity Students


From: "Giacobe, Nick" <nxg13 () PSU EDU>
Date: Fri, 5 Apr 2019 14:22:43 +0000

Yes, there are definitely concerns with establishing a culture of freedom to attack the university’s infrastructure in 
an unstructured manner.

We’re on the other extreme side of things – where, honestly, students do not get administrative rights to systems that 
are connected to the University’s network in any shape or manner. That makes it difficult to teach network and system 
administration, except in sandboxed environments. Since our faculty also do not have administrative rights, we find it 
difficult to work with IT to give the faculty sufficient access to develop practical activities. It’s just additional 
hurdles the faculty must work through, which makes it take much, much longer.

A pathway through this is to develop STRUCTURED ENGAGEMENTS between classes and the professional IT staff. For example, 
if you have a penetration testing or ethical hacking class, you could develop an engagement between IT and the students 
to give the students a limited scope of work where you keep them constrained on the targets of interest. Yes, it's 
much more boring than getting free rein and permission to burn everything to the ground. However, it's closer to real 
life. Showing them what a real pentest engagement looks and feels like will also help them with the skills they need 
for the professional world. They will need to document their findings in a report – ALL of their findings – so they have 
to operate in a much more professional manner, capturing findings along the way, etc.

So how do students get those skills?  Some in the classroom, but honestly, they get more through cyber competitions.  I 
am the Northeast Regional host for the Collegiate Penetration Testing Competition.  See the details on the national 
competition here: https://nationalcptc.org  We provide student teams with access to a hyper-realistic environment (a 
real environment created just for the competition). There, they can do all of the cool cyber stuff – scan, penetrate, 
escalate privs, steal “confidential data”, and also document, report and present their findings… all in a “safe” 
environment designed for the purpose of student engagement. Signup for the Fall 2019 competition is open now.

---
Nicklaus A. Giacobe, Ph.D.
Director of Undergraduate Programs and Assistant Teaching Professor
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
E333 Westgate Building
University Park, PA 16802

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Nicholas 
Garigliano
Sent: Friday, April 5, 2019 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity Students

I guess it depends on how "evaluate the security posture" is defined. If we are talking about reviewing published 
policies, doing Shodan research, going through publicly accessible web sites for information that could be used against 
the school, etc., then I don't see an issue. If we are talking about using something like Kali to do a "pentest" or 
even just performing a vulnerability assessment using a scanner, e.g. OpenVAS, then YIKES!

Irrespective of the potential operational issues, it can't be stressed enough to the students that using Kali or just 
about any tool outside of a well-defined and contained test environment, without prior written consent AND an ROE, can 
land them in jail. There really isn't anything to discuss. This isn't about trying to scare them, because we know that 
doesn't work. This is the reality. There are enough real-world examples of security "researchers" who thought they 
were being helpful but ended up being charged. And I'm sure your legal department will confirm this. As a parent, I 
find it irresponsible of the professor and the school to even suggest that the students go after the school network, if 
this is the case, with just a simple verbal agreement.

It isn't that difficult to set up a virtual test lab with controlled access for the students to practice.  The 
professor could even show them how to do this (cheap computer with free version of ESXi) for home testing.

Ok, done with my rant.  Thanks for listening.

Nick Garigliano CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109


On Thu, Apr 4, 2019 at 1:44 PM Pete, Andrew <000000d06e28c017-dmarc-request () listserv educause 
edu<mailto:000000d06e28c017-dmarc-request () listserv educause edu>> wrote:
Hi Everyone,

I was brought on a little over a year ago to help improve the organization’s overall security posture and build out an 
information security program.  Historically, we have authorized our faculty to let students evaluate the security 
posture of our infrastructure as part of their teaching efforts.  I have started an internal discussion around ceasing 
these types of activities by faculty and students for security reasons.  I was curious what other institutions are 
doing in regards to this area?

Thanks,

Andrew Pete
Information Security Architect

New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu
