Educause Security Discussion mailing list archives
Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students
From: Jessica Murray <jlmurray () MIT EDU>
Date: Fri, 5 Apr 2019 17:04:56 +0000
Hi Michael! +1 for bounty programs with a scope and rules defined. We also have classes that come to us with final project ideas. BTW, MIT’s bounty is something custom, not using a platform.

--
Jessica Murray
Information Security Officer
MIT

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Michael Duff <mjduff () STANFORD EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, April 5, 2019 at 11:00 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [EXTERNAL]Re: [SECURITY] Cybersecurity Students

We wanted to keep it simple, so we're just using ServiceNow to accept submissions and a Google spreadsheet to track status. We modeled our program after MIT's (https://bounty.mit.edu), which I believe is using one of those platforms.

p.s. Recent Today Show segment that mentioned the program: https://www.today.com/video/college-freshman-getting-paid-to-hack-into-companies-1443781699757

Michael Duff
Chief Information Security Officer and Interim Chief Privacy Officer
Stanford | University IT
michael.duff () stanford edu
650-721-3111

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Baillio, Aaron <abaillio () OU EDU>
Sent: Friday, April 5, 2019 7:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL]Re: [SECURITY] Cybersecurity Students

Michael,

Are you all leveraging a platform to manage the bounty program, like through Bugcrowd or Hackerone? I’ve been playing with this idea and I thought it was interesting.

B.

Aaron Baillio, Sec+, CEH, CISSP
University of Oklahoma, Information Technology
Deputy CISO
O: 405-325-7948
C: 254-400-6404

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Duff
Sent: Friday, April 5, 2019 9:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL]Re: [SECURITY] Cybersecurity Students

https://bounty.stanford.edu -- rolled it out in January -- very successful thus far! Feel free to reuse anything on the website.

Michael Duff
Chief Information Security Officer and Interim Chief Privacy Officer
Stanford | University IT
michael.duff () stanford edu
650-721-3111

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Giacobe, Nick <nxg13 () PSU EDU>
Sent: Friday, April 5, 2019 7:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity Students

I think you should have a bug bounty program. However, it should be structured and controlled. Students involved in it should be vetted. They should be given limited targets – especially on systems that you know are of concern and you have control to change. For example, do you want students openly poking at systems that you have no control to change? Do you want them actively trying to penetrate systems that have confidential data on them? I mean, sure, some day you might – then you can go beat up on the vendors to fix them – but to start with, until you get comfortable with what they’re going to do… you might want to keep things under closer control.

You’re thinking about the right questions – “Have they found something already?” Yes they have… and if they haven’t, someone else has. If you do not hire someone to try to break into your systems, I guarantee, someone else will pentest your systems … they just won’t be working for you.

---
Nicklaus A. Giacobe, Ph.D.
Director of Undergraduate Programs and Assistant Teaching Professor
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
E333 Westgate Building
University Park, PA 16802

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman
Sent: Friday, April 5, 2019 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity Students

I’ve met with our cybersecurity students numerous times and they have always asked the same question: can we practice on your network? The answer has always been no. This is reinforced by them having to sign a document that outlines the repercussions for doing so. We do provide them with air-gapped labs so they can attack as hard as they want.

Recently they started asking a new question: would you consider putting up a bug bounty? That has got me thinking: if the big guns (Google, Microsoft, Apple) can trust their millions of users to report bugs and not attack, why can’t we trust our students to do the same? I’d still have to keep some very sensitive areas out of scope like research and health, but I would like to know if there is an exploitable vulnerability in any of our student facing systems. In the back of my mind, I think that they have already found some weakness and the bug bounty question is a veiled attempt at telling me.

Rob Milman
Associate Director, Information Security
Information Technology Services
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401
(Cell) 403.606.3173
rob.milman () sait ca

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pete, Andrew
Sent: Thursday, April 4, 2019 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cybersecurity Students

Hi Everyone,

I was brought on a little over a year ago to help improve the organization’s overall security posture and build out an information security program. Historically, we have authorized our faculty to let students evaluate the security posture of our infrastructure as part of their teaching efforts. I have started an internal discussion around ceasing these types of activities by faculty and students for security reasons. I was curious what other institutions are doing in regards to this area?

Thanks,

Andrew Pete
Information Security Architect
New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu