[Full-disclosure] What is wrong with schools these days?
Gaddis, Jeremy L.
jeremy at linuxwiz.net
Mon May 1 01:16:27 BST 2006
Mike Iglesias wrote:
> Many universities do not have a central IT organization running every
> computer on campus as you would in a commercial enterprise. They have a
> decentralized model where each school, department, or research group
> runs their computers. In addition, you have many students, faculty, and
> staff with personally owned laptops that they take care of (or not)
> themselves. So you have many little fiefdoms running computers, some
> with more of a clue than others. The clueless ones have untrained
> students running the computers, and most of them don't know much about
> security. They're told to set up a computer and put this data on it so
> the professor can do his research.
While this often holds true, there should always be a central infosec
department that has the ability to kill a switch port. Kill the network
connection to a critical server exposing private information and people
take notice pretty quick.
> Central entities in universities, like the registrar, should know what
> they are doing if they are setting up ways to remotely access information.
Yes, they should, but they often don't. Remember, these end users are
just that -- users, not security professionals.
> Not responding to emails and/or phone calls to the security/abuse/etc
> group is irresponsible, if you ask me.
Agreed, though lack of a response doesn't mean nothing is happening.
Oftentimes, the first thing infosec must do is contact legal for advice.
Legal's first advice is often to simply not respond.
-j
--
Jeremy L. Gaddis
GCWN, MCP, Linux+, Network+
http://www.jeremygaddis.com/
Full-Disclosure is hosted and sponsored by Secunia.