[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] What is wrong with schools these days?

Mike Iglesias wrote:
Many universities do not have a central IT organization running every computer on campus as you would in a commercial enterprise. They have a decentralized model where each school, department, or research group runs their computers. In addition, you have many students, faculty, and staff with personally owned laptops that they take care of (or not) themselves. So you have many little fiefdoms running computers, some with more of a clue than others. The clueless ones have untrained students running the computers, and most of them don't know much about security. They're told to setup a computer and put this data on it so the professor can do his research.
While this often holds true, there should always a central infosec department that has the ability to kill a switch port. Kill the network connection to a critical server exposing private information and people take notice pretty quick.
Central entities in universities, like the registrar, should know what they are doing if they are setting up ways to remotely access information.
Yes, they should, but they often don't. Remember, these end users are just that -- users, not security professionals.
Not responding to emails and/or phone calls to the security/abuse/etc group is irresponsible, if you ask me.
Agreed, though lack of a response doesn't mean nothing is happening. Often times, the first time infosec must do is contact legal for advice. Legal's first advice is often to simply not respond. 

-j

--
eJeremy L. Gaddis
GCWN, MCP, Linux+, Network+
http://www.jeremygaddis.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/