Educause Security Discussion mailing list archives

consequences for student hacking


From: Tom Siu <thomas.siu () CASE EDU>
Date: Wed, 20 Feb 2008 23:04:00 -0500

Bob,
First, since you have a policy prohibiting the activity, and
hopefully clearly delineated consequences, you should determine if
your institution has the will to enforce the policy.  In the case of
students, you need to have a good relationship with your student
affairs group, who usually has governance over the student
population.  The 'zero tolerance' approach works if you tell
everybody all the time ad nauseam beforehand.  Be sure your
acceptable use policy prohibits illegal activity, and you can use
that as the fulcrum for all your other policy.

Typically any number of sensors will correlate a host scanning, so
you will have indirect evidence on hand.  Determining if you have a
person actually running nessus, nmap, hping, etc., is another topic
because you'll need to pretty much catch them in the act.

When somebody installs and runs a utility like CainAbel, which does
ARP spoofing, the network problems that arise help you find them.  If
this happens from a staff or faculty perspective, we investigate and
deliver a stern warning, first offense.  If it is a student, we can
seize the machine with the assistance of student affairs/housing (not
under direction of law enforcement) to determine what happened.  We
then engage the judicial process, unless it looks like criminal
activity was evident, then it might go that direction.

Check to see what student housing does with drug abuse/marijuana
cases, because there might be a similar precedent for having them let
your staff into a student campus residence for 'probable cause.'  The
legality needs to be maintained as administrative action under your
housing rules.

Regards,
Tom

On Feb 20, 2008, at 12:00 AM, SECURITY automatic digest system wrote:


From: The EDUCAUSE Security Constituent Group Listserv on behalf of Bob Henry
Sent: Tue 2/19/2008 5:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] consequences for student hacking



Boise State has a policy restricting the use of network scanners, host
scanners, sniffers, etc. to those approved by the Network Engineer.  The
consequences for violating the policy are described with these words:

Depending on the seriousness of an offense, violation of this policy
can result in penalties ranging from reprimand, to loss of use, to
referral to University authorities for disciplinary action, to criminal
prosecution.

That's the theory.  I'm looking for a reality check.  What do your
institutions do when you catch a student sniffing the wired or wireless
network for userIDs and passwords?

Thanks,


|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
   Tom Siu
   Chief Information Security Officer
   Case Western Reserve University
   thomas.siu () case edu
   www.case.edu/its/security
   my pgp key can be found at pgpkeys.mit.edu
   216-368-6959
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
* Make sure you sign up for CaseWARN notifications at
https://its-services.case.edu/my-case-notifications/
