Educause Security Discussion mailing list archives
Re: Cybersecurity Students
From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 4 Apr 2019 16:31:00 -0400
While I haven't taught any such class, I have been invited in to present to similar classes. I would agree that you should not allow the students to actively try to penetrate the school's systems. However, I would make sure that you have the conversation that "if you do see or find something, let us know."

It is a delicate balance that you need to strike: "You are not permitted to do this outside of the small, isolated networks that we have set up for this express purpose, and if we find you doing any of this outside of those networks there will be severe consequences; if you do come across a hole, notify us responsibly so that we can fix it, and we won't throw the book at you," and then segue into a discussion about responsible disclosure and ethical considerations.

Frank

On Thu, Apr 4, 2019 at 4:07 PM Zachary Yamada <zachary.yamada () chemeketa edu> wrote:

I agree wholeheartedly with everything that Greg said. Especially in the context of students who may, inadvertently, end up attempting to test institutional systems via destructive pen-testing techniques.

In addition, I worry about how this interacts with FERPA; what if a student's testing activities lead to the student gaining access to other students' educational records?

Best,

Zachary Yamada, CEH, CHFI
Chemeketa Community College
Information Security Team Lead, Information Technology
Adjunct Faculty, Computer Information Systems
503.584.7367
zachary.yamada () chemeketa edu

On Thu, Apr 4, 2019 at 11:57 AM Greg Williams <gwillia5 () uccs edu> wrote:

Hi Andrew,

I am the former ISO for the university and I also currently teach “ethical hacking”. I tell my students, you are absolutely not allowed to use or attempt to use what you learn against our systems and others if you do not have authorization (which they don’t). It is a violation of university policy and they are not authorized, which means they may be breaking Colorado/US law. There are plenty of safe environments for them to test their skills where they are authorized to do so. I provide these environments for them, or point out where they can go. Now if you have student employees, that is different and they would be supervised under someone that knows what is going on.

Here's a quick reason why you shouldn’t allow this. Several years ago, a computer science student – not mine – decided to try zmap. It took out the campus firewall and the entire university was down until we rebooted the firewall. It was an older firewall, not like the ones we have today. But the entire campus was taken down by a simple tool. It was not authorized. Also, how are you supposed to accurately go after real attacks if you are investigating what students are doing?

I’m sure others will comment, but it’s not a good idea in my opinion.

If you need help with finding vulnerabilities, team up with another university that you trust and ask their security department to help. Not students. They are too dangerous.

Greg Williams, ME
Director of Operations
Office of Information Technology
Faculty
Department of Computer Science
University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype | WebEx <https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pete, Andrew
Sent: Thursday, April 4, 2019 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cybersecurity Students

Hi Everyone,

I was brought on a little over a year ago to help improve the organization’s overall security posture and build out an information security program. Historically, we have authorized our faculty to let students evaluate the security posture of our infrastructure as part of their teaching efforts. I have started an internal discussion around ceasing these types of activities by faculty and students for security reasons. I was curious what other institutions are doing in regards to this area?

Thanks,

Andrew Pete
Information Security Architect
New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University