Educause Security Discussion mailing list archives
Re: Cybersecurity Students
From: Bob Mahoney <bobmah () MIT EDU>
Date: Fri, 5 Apr 2019 15:21:33 +0000
[Disclaimer: I am no longer at MIT, and am only here as a guest associate, which I appreciate.] Some time back now, I started and ran MIT’s first Network Security Team. Through need and an appreciation of the untapped resource, we employed a number of student staff. This worked out fabulously. “Win-win” doesn’t begin to do it justice. The relevance to this discussion is that using students served to seed some security awareness out into the student community, where they naturally came to advise their friends with security problems, and interrupted any number “clever ideas” in the dorms, where random student curiosity might have gone on to become a problem, all happening below my radar. They were a back-channel to communicate security information, and they helped the team and IS&T have real credibility among the students. They were our secret weapons out in the community. We *never* had a breach of trust or confidentiality involving the student staff, and we only very rarely saw any serious misbehavior in the student population. Once or twice we did have a computer science class do something very unwise. (like pinging all the NTP servers they could find on planet Earth, and doing unannounced & unauthorized performance testing... my phone rang angrily for days afterwards) But generally Computer Science classes kept their experiments to their own local networks, and we had good relations. Student security staff were intimately involved in doing campus vulnerability scanning, and maintaining/extending that capability. I’d just like to suggest that interested students can be given a productive outlet for their curiosity, that can greatly aid security your effectiveness. They became critical to our success. They were a whole lot of fun to work with, and they helped us do so much more than we could have otherwise ever done. (of course, I may have just lucked-out in employing the kids most likely to have caused problems if left to their own curiosities... :-) The bug-bounty program suggestions here sound like a great innovation in this direction. Many of our students came back expressing real appreciation for the experience, and said it gave them a unique, real-world resume item that helped them really stand out to their early employers. Quite a few work in security now, and at least one is a CS professor of some note. It might be useful to consider students as a potential opportunity, rather than simply a threat. -Bob
Current thread:
- Cybersecurity Students Pete, Andrew (Apr 04)
- Re: Cybersecurity Students Greg Williams (Apr 04)
- Re: Cybersecurity Students Zachary Yamada (Apr 04)
- Re: Cybersecurity Students Frank Barton (Apr 04)
- Re: Cybersecurity Students Zachary Yamada (Apr 04)
- Re: Cybersecurity Students Burns, Denis (Apr 05)
- Re: Cybersecurity Students Nicholas Garigliano (Apr 05)
- Re: Cybersecurity Students Pete, Andrew (Apr 05)
- Re: Cybersecurity Students Brian Basgen (Apr 05)
- Re: Cybersecurity Students Bob Mahoney (Apr 05)
- Re: Cybersecurity Students Pete, Andrew (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)
- Re: Cybersecurity Students Greg Williams (Apr 04)
- Re: Cybersecurity Students Rob Milman (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)
- Re: Cybersecurity Students Michael Duff (Apr 05)
- Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students Baillio, Aaron (Apr 05)
- Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students Michael Duff (Apr 05)
- Re: Cybersecurity Students Giacobe, Nick (Apr 05)