Educause Security Discussion mailing list archives
Re: Cybersecurity Students
From: Brian Basgen <brian_basgen () EMERSON EDU>
Date: Fri, 5 Apr 2019 10:05:57 -0400
Agree with everything that has been said, one more bit that may help you. When I taught graduate level security courses a couple of years ago, I built out a virtual environment. I leveraged our IT resources to do it, of course, and we segregated it, etc. It was a core part of my curriculum: we have a virtual playground precisely so that my students can exploit, hack, and investigate within that environment. In my view, ethics review should be the first part of every cyber security class. -------------- *Brian Basgen* (he, him, his <https://www.mypronouns.org>) Associate Vice President, Information Technology 20 Park Plaza Building Emerson College | 120 Boylston Street | Boston, MA 02116 IT Helpdesk <http://it.emerson.edu/> | @EmersonIT <https://twitter.com/EmersonIT> On Fri, Apr 5, 2019 at 9:36 AM Pete, Andrew < 000000d06e28c017-dmarc-request () listserv educause edu> wrote:
Thanks for the responses everyone. This has been very beneficial. *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Nicholas Garigliano *Sent:* Friday, April 5, 2019 9:21 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Cybersecurity Students I guess it depends on how "evaluate the security posture" is defined. If we are talking about reviewing published policies, doing Shodan research, going through publicly accessible web sites for information that could be used against the school etc., then I don't see an issue. If we are talking about using something like Kali to do a "pentest" or even just performing a vulnerability assessment using a scanner, i.e. OpenVAS, then YIKES!. Irrespective of the potential operational issues, it can't be stressed enough to the students that using Kali or just about any tool outside of a well defined and contained test environment, without prior written consent AND a ROE can land them in jail. There really isn't anything to discuss. This isn't about trying to scare them, because we know that doesn't work. This is the reality. There are enough real world examples of security "researchers" who thought they were being helpful but ended up being charged. And I'm sure your legal department will confirm this. As a parent, I find it irresponsible of the professor and the school to even suggest that the students go after the school network, if this is the case, with just a simple verbal agreement. It isn't that difficult to set up a virtual test lab with controlled access for the students to practice. The professor could even show them how to do this (cheap computer with free version of ESXi) for home testing. Ok, done with my rant. Thanks for listening. Nick Garigliano CISSP, GCIH Network Security Engineer Enterprise & Network Solutions Nazareth College 585 389-2109 On Thu, Apr 4, 2019 at 1:44 PM Pete, Andrew < 000000d06e28c017-dmarc-request () listserv educause edu> wrote: Hi Everyone, I was brought on a little over a year ago to help improve the organization’s overall security posture and build out an information security program. Historically, we have authorized our faculty to let students evaluate the security posture of our infrastructure as part of their teaching efforts. I have started an internal discussion around ceasing these types of activities by faculty and students for security reasons. I was curious what other institutions are doing in regards to this area? Thanks, *Andrew Pete* *Information Security Architect* *New England Institute of Technology* One New England Tech Boulevard East Greenwich, RI 02818-1205 401-780-4460 (Direct) apete () neit edu *[image: NEIT_Full_Stack_H_White_BG_PNG1]*
Current thread:
- Cybersecurity Students Pete, Andrew (Apr 04)
- Re: Cybersecurity Students Greg Williams (Apr 04)
- Re: Cybersecurity Students Zachary Yamada (Apr 04)
- Re: Cybersecurity Students Frank Barton (Apr 04)
- Re: Cybersecurity Students Zachary Yamada (Apr 04)
- Re: Cybersecurity Students Burns, Denis (Apr 05)
- Re: Cybersecurity Students Nicholas Garigliano (Apr 05)
- Re: Cybersecurity Students Pete, Andrew (Apr 05)
- Re: Cybersecurity Students Brian Basgen (Apr 05)
- Re: Cybersecurity Students Bob Mahoney (Apr 05)
- Re: Cybersecurity Students Pete, Andrew (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)
- Re: Cybersecurity Students Greg Williams (Apr 04)
- Re: Cybersecurity Students Rob Milman (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)
- Re: Cybersecurity Students Michael Duff (Apr 05)
- Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students Baillio, Aaron (Apr 05)
- Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students Michael Duff (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)