Educause Security Discussion mailing list archives

Re: Cybersecurity Students


From: Michael Duff <mjduff () STANFORD EDU>
Date: Fri, 5 Apr 2019 14:38:56 +0000

https://bounty.stanford.edu -- rolled it out in January -- very successful thus far!  Feel free to reuse anything on 
the website.

Michael Duff
Chief Information Security Officer and Interim Chief Privacy Officer
Stanford | University IT
michael.duff () stanford edu
650-721-3111

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Giacobe, Nick 
<nxg13 () PSU EDU>
Sent: Friday, April 5, 2019 7:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity Students


I think you should have a bug bounty program.  However, it should be structured and controlled.  Students involved in 
it should be vetted.  They should be given limited targets – especially on systems that you know are of concern and you 
have control to change.

For example, do you want students openly poking at systems that you have no control to change?  Do you want them 
actively trying to penetrate systems that have confidential data on them?  I mean, sure, some day you might – then you 
can go beat up on the vendors to fix them – but to start with, until you get comfortable with what they’re going to do… 
you might want to keep things under closer control.

You’re thinking about the right questions – “Have they found something already?”  Yes they have… and if they haven’t, 
someone else has.

If you do not hire someone to try to break into your systems, I guarantee, someone else will pentest your systems … 
they just won’t be working for you.

---

Nicklaus A. Giacobe, Ph.D.
Director of Undergraduate Programs and Assistant Teaching Professor
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
E333 Westgate Building
University Park, PA 16802


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman
Sent: Friday, April 5, 2019 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity Students
I’ve met with our cybersecurity students numerous times and they have always asked the same question, can we practice 
on your network? The answer has always been no. This is reinforced by them having to sign a document that outlines the 
repercussions for doing so. We do provide them with air-gapped labs so they can attack as hard as they want. Recently 
they started asking a new question, would you consider putting up a bug bounty? That has got me thinking, if the big 
guns (Google, Microsoft, Apple) can trust their millions of users to report bugs and not attack why can’t we trust our 
students to do the same? I’d still have to keep some very sensitive areas out of scope like research and health, but I 
would like to know if there is an exploitable vulnerability in any of our student facing systems. In the back of my 
mind, I think that they have already found some weakness and the bug bounty question is a veiled attempt at telling me.

Rob Milman
Associate Director, Information Security
Information Technology Services
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pete, Andrew
Sent: Thursday, April 4, 2019 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cybersecurity Students

Hi Everyone,

I was brought on a little over a year ago to help improve the organization’s overall security posture and build out an 
information security program.  Historically, we have authorized our faculty to let students evaluate the security 
posture of our infrastructure as part of their teaching efforts.  I have started an internal discussion around ceasing 
these types of activities by faculty and students for security reasons.  I was curious what other institutions are 
doing with regard to this area.

Thanks,

Andrew Pete
Information Security Architect
New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu