Re: [Full-disclosure] What is wrong with schools these days?

From: Gaddis, Jeremy L. (jeremylinuxwiz.net)
Date: Sun Apr 30 2006 - 19:16:27 CDT


Mike Iglesias wrote:
> Many universities do not have a central IT organization running every
> computer on campus as you would in a commercial enterprise. They have a
> decentralized model where each school, department, or research group
> runs their computers. In addition, you have many students, faculty, and
> staff with personally owned laptops that they take care of (or not)
> themselves. So you have many little fiefdoms running computers, some
> with more of a clue than others. The clueless ones have untrained
> students running the computers, and most of them don't know much about
> security. They're told to set up a computer and put this data on it so
> the professor can do his research.

While this often holds true, there should always be a central infosec
department that has the ability to kill a switch port. Kill the network
connection to a critical server exposing private information and people
take notice pretty quick.

> Central entities in universities, like the registrar, should know what
> they are doing if they are setting up ways to remotely access information.

Yes, they should, but they often don't. Remember, these end users are
just that -- users, not security professionals.

> Not responding to emails and/or phone calls to the security/abuse/etc
> group is irresponsible, if you ask me.

Agreed, though lack of a response doesn't mean nothing is happening.
Often times, the first thing infosec must do is contact legal for advice.
Legal's first advice is often to simply not respond.

-j

--
Jeremy L. Gaddis
GCWN, MCP, Linux+, Network+
http://www.jeremygaddis.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/