Re: Cybersecurity Students

[Frank Barton <bartonf () HUSSON EDU>]

While I haven't taught any such class, I have been invited in to present to
similar classes. I would agree that you should not allow the students to
actively try to penetrate the school's systems. However, I would make sure
that you have the conversation that "if you do see or find something, let
us know"

It is a delicate balance that you need to strike "You are not permitted to
do this outside of the small, isolated networks that we have set up for
this express purpose, and if we find you doing any of this outside of those
networks there will be severe consequences; If you do come across a hole,
notify us responsibly so that we can fix it, and we won't throw the book at
you" and then segue into a discussion about responsible disclosure and
ethical considerations.

Frank

On Thu, Apr 4, 2019 at 4:07 PM Zachary Yamada <zachary.yamada () chemeketa edu>
wrote:

> I agree wholeheartedly with everything that Greg said. Especially in the
> context of students who may, inadvertently, end up attempting to test
> institutional systems via destructive pen-testing techniques.
>
> In addition, I worry about how this interacts with FERPA; what if a
> student's testing activities lead to the student gaining access to other
> students' educational records?
>
> Best,
>
> Zachary Yamada, CEH, CHFI
> Chemeketa Community College
> Information Security Team Lead, Information Technology
> Adjunct Faculty, Computer Information Systems
> 503.584.7367
> zachary.yamada () chemeketa edu
>
>
> On Thu, Apr 4, 2019 at 11:57 AM Greg Williams <gwillia5 () uccs edu> wrote:
>
> > Hi Andrew,
> >
> >
> >
> > I am the former ISO for the university and I also currently teach
> > “ethical hacking”.  I tell my students, you are absolutely not allowed to
> > do use or attempt to use what you learn against our systems and others if
> > you do not have authorization (which they don’t).  It is a violation of
> > university policy and they are not authorized, which means they may be
> > breaking Colorado/US law.  There are plenty of safe environments for them
> > to test their skills where they are authorized to do so.  I provide these
> > environments for them, or point out where they can go.  Now if you have
> > student employees, that is different and they would be supervised under
> > someone that knows what is going on.
> >
> >
> >
> > Here's a quick reason why you shouldn’t allow this.  Several years ago, a
> > computer science student – not mine – decided to try zmap.  It took out the
> > campus firewall and the entire university was down until we rebooted the
> > firewall.  It was an older firewall, not like the ones we have today.  But
> > the entire campus was taken down by a simple tool.  It was not authorized.
> > Also, how are you supposed to accurately go after real attacks if you are
> > investigating what students are doing?
> >
> >
> >
> > I’m sure others will comment, but it’s not a good idea in my opinion.  If
> > you need help with finding vulnerabilities team up with another university
> > that you trust and ask their security department to help.  Not students.
> > They are too dangerous.
> >
> > Greg Williams, ME
> > Director of Operations
> > Office of Information Technology
> >
> > Faculty
> > Department of Computer Science
> >
> > University of Colorado Colorado Springs
> > 1420 Austin Bluffs Parkway, (EPC 136A)
> > Colorado Springs, CO 80918
> > Phone: (719) 255-3292
> > Connect: Skype | WebEx <https://uccs.webex.com/meet/gregwilliams>
> > www.uccs.edu
> >
> >
> >
> > *From:* The EDUCAUSE Security Community Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Pete, Andrew
> > *Sent:* Thursday, April 4, 2019 11:45 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY] Cybersecurity Students
> >
> >
> >
> > Hi Everyone,
> >
> >
> >
> > I was brought on a little over a year ago to help improve the
> > organization’s overall security posture and build out an information
> > security program.  Historically, we have authorized our faculty to let
> > students evaluate the security posture of our infrastructure as part of
> > their teaching efforts.  I have started an internal discussion around
> > ceasing these types of activities by faculty and students for security
> > reasons.  I was curious what other institutions are doing in regards to
> > this area?
> >
> >
> >
> > Thanks,
> >
> >
> >
> > *Andrew Pete*
> >
> > *Information Security Architect*
> >
> >
> >
> > *New England Institute of Technology*
> >
> > One New England Tech Boulevard
> >
> > East Greenwich, RI 02818-1205
> >
> > 401-780-4460 (Direct)
> >
> > apete () neit edu
> >
> >
> >
> > *[image: NEIT_Full_Stack_H_White_BG_PNG1]*

-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University