[Full-disclosure] What is wrong with schools these days?
Gaddis, Jeremy L.
jeremy at linuxwiz.net
Mon May 1 01:16:27 BST 2006
Mike Iglesias wrote:
> Many universities do not have a central IT organization running every
> computer on campus as you would in a commercial enterprise. They have a
> decentralized model where each school, department, or research group
> runs their computers. In addition, you have many students, faculty, and
> staff with personally owned laptops that they take care of (or not)
> themselves. So you have many little fiefdoms running computers, some
> with more of a clue than others. The clueless ones have untrained
> students running the computers, and most of them don't know much about
> security. They're told to set up a computer and put this data on it so
> the professor can do his research.
While this often holds true, there should always be a central infosec
department that has the ability to kill a switch port. Kill the network
connection to a critical server exposing private information and people
take notice pretty quick.
> Central entities in universities, like the registrar, should know what
> they are doing if they are setting up ways to remotely access information.
Yes, they should, but they often don't. Remember, these end users are
just that -- users, not security professionals.
> Not responding to emails and/or phone calls to the security/abuse/etc
> group is irresponsible, if you ask me.
Agreed, though lack of a response doesn't mean nothing is happening.
Often times, the first thing infosec must do is contact legal for advice.
Legal's first advice is often to simply not respond.
Jeremy L. Gaddis
GCWN, MCP, Linux+, Network+
Full-Disclosure is hosted and sponsored by Secunia.