Re: How do you handle students who attempt to exploit internal resources?

["John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>]

My inclination:

Expel them and press charges.

Official Policy:

"Somewhat" less strict than above. :)

j

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Monday, November 13, 2006 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] How do you handle students who attempt to exploit
internal resources?

  My policy, through three employers now, has been to be pretty tolerant of
explorations *that are cleared in advance*, and to treat all others as
policy violations that get reported upstream for any decision on
disciplinary action.
  I worry that anything else risks making IT, or even the institution,
potentially liable for the results....

David Gillett


> -----Original Message-----
> From: Ben Spencer [mailto:ben.spencer () MOODY EDU]
> Sent: Saturday, November 11, 2006 8:04 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] How do you handle students who attempt to exploit
> internal resources?
>
> Recently we had an adventurous student who decided that he would try
> some common web based exploits against our intranet website (which is
> available on the internet). He came to us and informed us what he
> found.
> Through the conversation, it was revealed that this action was
> intentional.
>
> He was let off knowing that we had other options but were not going to
> pursue them. That was with the understanding that he would not
> continue his activities.
>
> Well, activities, though different now, continue. These second
> activities apparently caused an outage of a public website.
>
> How are these type of situations handled at your university?
>
> These things tend to depend on the specifics of the situation and I
> intentionally left a lot of them out.
>
> Benji
> ---
> Benji Spencer
> System Administrator
> Ph: 312-329-2288