Re: Cybersecurity Students

[Brian Basgen <brian_basgen () EMERSON EDU>]

 Agree with everything that has been said, one more bit that may help you.
When I taught graduate level security courses a couple of years ago, I
built out a virtual environment. I leveraged our IT resources to do it, of
course, and we segregated it, etc.

 It was a core part of my curriculum: we have a virtual playground
precisely so that my students can exploit, hack, and investigate within
that environment. In my view, ethics review should be the first part of
every cyber security class.

--------------
*Brian Basgen* (he, him, his <https://www.mypronouns.org>)
Associate Vice President, Information Technology
20 Park Plaza Building
Emerson College | 120 Boylston Street | Boston, MA 02116
IT Helpdesk <http://it.emerson.edu/> | @EmersonIT
<https://twitter.com/EmersonIT>



On Fri, Apr 5, 2019 at 9:36 AM Pete, Andrew <
000000d06e28c017-dmarc-request () listserv educause edu> wrote:

> Thanks for the responses everyone.  This has been very beneficial.
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Nicholas Garigliano
> *Sent:* Friday, April 5, 2019 9:21 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cybersecurity Students
>
>
>
> I guess it depends on how "evaluate the security posture" is defined.  If
> we are talking about  reviewing published policies, doing Shodan research,
> going through publicly accessible web sites for information that could be
> used against the school etc.,  then I don't see an issue.  If we are
> talking about using something like Kali to do a "pentest" or even just
> performing a vulnerability assessment using a scanner, i.e. OpenVAS, then
> YIKES!.
>
>
>
> Irrespective of the potential operational issues, it can't be stressed
> enough to the students that using Kali or just about any tool outside of a
> well defined and contained test environment, without prior written consent
> AND a ROE can land them in jail.  There really isn't anything to discuss.
> This isn't about trying to scare them, because we know that doesn't work.
>  This is the reality.  There are enough real world examples of security
> "researchers" who thought they were being helpful but ended up being
> charged.  And I'm sure your legal department will confirm this.  As a
> parent, I find it irresponsible of the professor and the school to even
> suggest that the students go after the school network, if this is the case,
> with just a simple verbal agreement.
>
>
>
> It isn't that difficult to set up a virtual test lab with controlled
> access for the students to practice.  The professor could even show them
> how to do this (cheap computer with free version of ESXi) for home testing.
>
>
>
> Ok, done with my rant.  Thanks for listening.
>
>
> Nick Garigliano CISSP, GCIH
>
> Network Security Engineer
>
> Enterprise & Network Solutions
>
> Nazareth College
>
> 585 389-2109
>
>
>
>
>
> On Thu, Apr 4, 2019 at 1:44 PM Pete, Andrew <
> 000000d06e28c017-dmarc-request () listserv educause edu> wrote:
>
> Hi Everyone,
>
>
>
> I was brought on a little over a year ago to help improve the
> organization’s overall security posture and build out an information
> security program.  Historically, we have authorized our faculty to let
> students evaluate the security posture of our infrastructure as part of
> their teaching efforts.  I have started an internal discussion around
> ceasing these types of activities by faculty and students for security
> reasons.  I was curious what other institutions are doing in regards to
> this area?
>
>
>
> Thanks,
>
>
>
> *Andrew Pete*
>
> *Information Security Architect*
>
>
>
> *New England Institute of Technology*
>
> One New England Tech Boulevard
>
> East Greenwich, RI 02818-1205
>
> 401-780-4460 (Direct)
>
> apete () neit edu
>
>
>
> *[image: NEIT_Full_Stack_H_White_BG_PNG1]*