Finding vulnerabilities - networkshop44

•Download as PPTX, PDF•

0 likes•2,294 views

The document discusses responsible disclosure in higher education. It surveys policies at universities regarding cyber issues and outlines additional approaches used in industry, like bug bounties. There were complications in directly applying industrial practices to universities. Outcomes of consulting key stakeholders included utilizing interested student groups to test low-risk systems during off-hours. Current work involves selecting initial systems for students to penetration test, with the goal of establishing a formal responsible disclosure policy.

Education

Additional work (undertaken simultaneously)
» Bug bounties
» Whitelists of systems that can be attacked
» Leaderboards
» Guarantee of safe disclosure if flaws are reported using a defined
procedure instead of being simply publically disclosed
» Assurances that flaws reported via the defined process will be afforded
high priority
» Test accounts for performing exploitation testing without damaging
own/other accounts
Surveying industrial practice in responsible disclosure:
23/03/2016 Responsible disclosure in Higher Education

Complications
» Professional services (student services, finance, HR, etc.) could not risk
interruptions to core business due to unregulated attempts to exploit their systems
» Concerns from multiple stakeholders as to which students/staff this was going to
apply to and in particular, how the students would be vetted
» Further concerns that this may need doing at a much higher level (i.e. an
institutional policy of responsible disclosure of a variety of situations, not purely
cyber security ones)
» Not all University systems are directly managed by the IT service – reporting
out to vendors and manufacturers might take substantial time before
fixes are available
Consulting with key stakeholders within our institution resulted
in the following issues being highlighted:
23/03/2016 Responsible disclosure in Higher Education

Primary outcomes
» Utilising either the student-run cyber security society or a self-selected population
of interested students to exploit systems with some further constraints
» Usage of ‘at-risk’ periods (as are used for schedule maintenance/system upgrades
at present) outside of core business hours which would allow the systems to be
tested with little-to-no risk to business processes
» Coordination with the Chief Information Officer and others to determine systems
which both had value in being tested as well as not representing a substantial risk
in letting students make attempts to exploit them
Initial groundwork for a localised responsible disclosure process:
23/03/2016 Responsible disclosure in Higher Education

Current work
» HEA-funded project led by Federica Paci (F.M.Paci@soton.ac.uk) at University of
Southampton under the title of “Enhancing campus cyber security through
constructivist student learning”
» Work is beginning on selecting systems for the first round of penetration testing by a
group of interested students
» There is no official policy on responsible disclosure (yet!) but multiple parties are
working together on this initial activity to hopefully iron out a more structured and
policy-backed process for doing this in future
23/03/2016 Responsible disclosure in Higher Education

23/03/2016 Responsible disclosure in Higher Education
Questions?

Thank you
23/03/2016 Responsible disclosure in Higher Education
Giles Howard
University of Southampton
giles.howard@soton.ac.uk

Students expect their assessment experiences to be effectively supported by technology but this can be difficult to achieve with current assessment processes, practices and systems. This demonstration shows how our new resources, developed in collaboration with universities, colleges, and partner bodies, can help. Using the outcomes of our self-assessment tool you can develop a tailored action plan supported by proven guidance and resources to maximise the benefits that technology can offer.

Implemententing analytics part 1 - Niall Sclater

Jisc

Scaling upon online learning project update_22.04.15

Heather Price

Collaboration through technology: moving from possibility to practice - Noel ...

Jisc

Understanding learning gain and why this might matter to you

Jisc

The changing face of assessment and feedback: how technology can make a diffe...

Jisc

Over the past two years, the Jisc Assessment and Feedback programme has worked with over 30 institutions in the UK further and higher education sector to pilot new approaches that address a range of challenges to better meet the needs of learners, employers and staff. This workshop will share some of the experiences, approaches and lessons learned from these projects around key themes including: Influencing change in assessment and feedback practices through a principle-led approach Assessment and employability: the role of technology in supporting the development of skills and competences to enhance employment prospects Feedback and feed forward: the role of technology in supporting learner engagement with feedback and improving progression Electronic assessment management and how technology can support assessment lifecycle processes to make more effective use of resources A range of resources will also be shared that can help to inform organisational good practice in enhancing assessment and feedback through technology. The session will involve a mixture of presentation and discussion, giving participants opportunities to ask questions, discuss the themes emerging and how they relate to their contexts, and contribute to discussions around future priorities related to technology-enhanced assessment and feedback

FE digital student findings and recommendations

Jisc

Networks and DDoS

Jisc

Led by Esther Barrett, subject specialist in teaching, learning and assessment, Jisc. With contributions from Andrew Jaffrey, head of the office for digital learning and Richard Beggs, instructional design consultant - both from Ulster University. There will be a focus how technology can support learning and teaching for a better student experience. Local providers will be sharing how their technology-based approaches have made a difference for learners and teachers. Jisc Connect more in Northern Ireland, 23 June 2016.

Designing and developing great courses together - Jisc Digifest 2016

Jisc

Pearson’s course development team helps universities create innovative online and blended courses by providing flexible and scalable services, underpinned by rigorous learning design. We make design suggestions that promote your desired outcomes and after creating the course, track metrics so you can evaluate success. By participating in the session, you will see examples of great learning design, understand Pearson’s participatory approach to developing courses, share ideas with colleagues, and apply principles to a live example.

Student digital experience tracker 2017: summary of key findingsJisc

Digital Diagnostic: identifying staff digital capabilities at Staffordshire U...

Jisc

Speakers: Julie Adams, academic skills tutor, Staffordshire University Helen Walmsley-Smith, e-learning development officer, Staffordshire University This session will provide an overview of the digital transformation work undertaken at Staffordshire University over the last 12 months, with a particular emphasis on the digital learning project and the Digital Diagnostic tool which has been developed. This online tool allows all staff to self-assess their current level of digital capability, provides an overall 'score' and directs them to relevant development and training material available at the university.

Keeping learners safe online presentation

Jisc

Facilitating your registration with the Office for Students using the Jisc st...

Jisc

YSJ and Jisc: standing on the shoulders of giants - Phil Vincent

Jisc

Jisc toolkit: supporting the digital experience of new students

Jisc

Making a difference with technology-enhanced learning - Esther Barrett, Debbi...

Jisc

Led by Esther Barrett, subject specialist - teaching, learning and assessment, Jisc. With contributions from: Debbie Baff, senior academic developer, Swansea University Richard Speight, Digiskills Cymru Project Manager, Unison Cymru There will be a focus how technology can support learning and teaching for a better student experience. Local providers will be sharing how their technology-based approaches have made a difference for learners and teachers. Connect more in Wales, Thursday 7 July 2016

Supporting staff to teach effectively online

Jisc

Making a difference with technology-enhanced learning - Sarah Knight and Sara...

Jisc

Led by Sarah Knight, senior co-design manager, Jisc. With contributions from Sarabjit Borrill, lead tutor (English), Leicestershire Adult Learning. In this session there will be a focus on how technology can support learning and teaching for a better student experience. Local providers will be sharing how their technology-based approaches have made a difference for learners and teachers. Connect more in Nottingham, Tuesday 12 July 2016.

Introducing professionalism as an assessed element of the nursing undergradua...

Jisc

The benefits and challenges of open access: lessons from practice - Helen Bla...

Jisc

Digital leadership

Jisc

Student experience experts meeting

Jisc

IPv4 address planning - Networkshop44

Jisc

As the number of network connected devices grows in a campus environment, pressure to use our organisation’s limited global IPv4 address space as efficiently as possible increases. While IPv6 may provide the longer-term solution, in this presentation we explore the challenges faced by sites in maximising the utilisation of their existing IPv4 address space, and handling address space exhaustion.

Ipv6 deployment at the university of reading - Networkshop44

Jisc

What's hot

Electronic Management of Assessment

Jisc

Implementing analytics part 2 - Moriamo Oduyemi

Jisc

Implementing analytics - Paul Bailey and Dr Nick Moore

Jisc

Leveraging change through digital capability - Lawrie Phipps, Terri Smith and...

Jisc

Delivering online learning: are you ready?

Jisc

Making a difference with technology enhanced learning - Esther Barrett, Andre...

Jisc

Designing and developing great courses together - Jisc Digifest 2016

Jisc

Student digital experience tracker 2017: summary of key findingsJisc

Digital Diagnostic: identifying staff digital capabilities at Staffordshire U...

Jisc

Keeping learners safe online presentation

Jisc

Facilitating your registration with the Office for Students using the Jisc st...

Jisc

YSJ and Jisc: standing on the shoulders of giants - Phil Vincent

Jisc

Jisc toolkit: supporting the digital experience of new students

Jisc

Making a difference with technology-enhanced learning - Esther Barrett, Debbi...

Jisc

Supporting staff to teach effectively online

Jisc

Making a difference with technology-enhanced learning - Sarah Knight and Sara...

Jisc

Introducing professionalism as an assessed element of the nursing undergradua...

Jisc

The benefits and challenges of open access: lessons from practice - Helen Bla...

Jisc

Digital leadership

Jisc

Student experience experts meeting

Jisc

What's hot (20)

Electronic Management of Assessment

Implementing analytics part 2 - Moriamo Oduyemi

Implementing analytics - Paul Bailey and Dr Nick Moore

Leveraging change through digital capability - Lawrie Phipps, Terri Smith and...

Delivering online learning: are you ready?

Making a difference with technology enhanced learning - Esther Barrett, Andre...

Designing and developing great courses together - Jisc Digifest 2016

Student digital experience tracker 2017: summary of key findings

Digital Diagnostic: identifying staff digital capabilities at Staffordshire U...

Keeping learners safe online presentation

Facilitating your registration with the Office for Students using the Jisc st...

YSJ and Jisc: standing on the shoulders of giants - Phil Vincent

Jisc toolkit: supporting the digital experience of new students

Making a difference with technology-enhanced learning - Esther Barrett, Debbi...

Supporting staff to teach effectively online

Making a difference with technology-enhanced learning - Sarah Knight and Sara...

Introducing professionalism as an assessed element of the nursing undergradua...

The benefits and challenges of open access: lessons from practice - Helen Bla...

Digital leadership

Student experience experts meeting

Viewers also liked

IPv4 address planning - Networkshop44

Jisc

Ipv6 deployment at the university of reading - Networkshop44

Jisc

SafeShare - Networkshop44

Jisc

Network engineering surgery - Networkshop44

Jisc

Find out about Jisc - Networkshop44 2016

Jisc

Ipv6 deployment at the university of warwick - networkshop44

Jisc

Development of Jisc security programme - Networkshop44

Jisc

IPv6 experience from a large enterprise - Networkshop44

Jisc

Trust and identity services and architecture - Networkshop44

Jisc

IPv6 at Mythic Beasts - Networkshop44

Jisc

The simplification of the campus network Juniper - Networkshop44

Jisc

Telephony developments at pirbright - Networkshop44

Jisc

Data networking at UCL - Networkshop44

Jisc

Session initiation protocol (sip) the force awakens in the Janet network comm...

Jisc

Handling vulnerability reports - Networkshop44

Jisc

Data centre networking at the University of Bristol - Networkshop44

Jisc

IPv6 deployment status - Networkshop44

Jisc

Vscene - Networkshop44

Jisc

Data centre networking at London School of Economics and Political Science - ...

Jisc

Software defined networking - huawei - Networkshop44

Jisc

Viewers also liked (20)

IPv4 address planning - Networkshop44

Ipv6 deployment at the university of reading - Networkshop44

SafeShare - Networkshop44

Network engineering surgery - Networkshop44

Find out about Jisc - Networkshop44 2016

Ipv6 deployment at the university of warwick - networkshop44

Development of Jisc security programme - Networkshop44

IPv6 experience from a large enterprise - Networkshop44

Trust and identity services and architecture - Networkshop44

IPv6 at Mythic Beasts - Networkshop44

The simplification of the campus network Juniper - Networkshop44

Telephony developments at pirbright - Networkshop44

Data networking at UCL - Networkshop44

Session initiation protocol (sip) the force awakens in the Janet network comm...

Handling vulnerability reports - Networkshop44

Data centre networking at the University of Bristol - Networkshop44

IPv6 deployment status - Networkshop44

Vscene - Networkshop44

Data centre networking at London School of Economics and Political Science - ...

Software defined networking - huawei - Networkshop44

Similar to Finding vulnerabilities - networkshop44

Jisc's FE and skills strategic priorities and opportunities to get involved

Jisc

Right Here; Right Now: Providing the Information your Students Need and your...

Marieke Guy

Avoiding Invasive Surveillance, Ensuring Trust: ENSURING TRUST UNED’S AvEx

EADTU

PreventionMitigation_Philadelphia_Breakout.ppt

JessaEraldinOrigines

Digital Proctor Whitepaper #1Course Glue - Increase Student Retention

introduction of data structure and design and analysis of algorithm

YerosanTafesse

introduction of data structure and design and analysis of algorithm

YerosanTafesse

Slides - Leveraging institutional open practices to promote access- AVU Confe...

Kathleen Ludewig Omollo

These slides are from a workshop called Leveraging Institutional Open Practices to Promote Access to Education at the African Virtual University 1st International Conference on November 20, 2013 (http://www.avu.org/1st-International-Conference-of-the-AVU-2013/pre-conference-workshops-november-20th-2013.html). The workshop was facilitated by Kathleen Ludewig Omollo and James Glapa-Grossklag. This and other materials from the workshop are available at http://tinyurl.com/levopenws-avu13. Editable versions are available at http://open.umich.edu/node/7497/. Workshop materials are copyright 2013 The Regents of the University of Michigan and College of the Canyons, shared under a CC BY license (http://creativecommons.org/licenses/by/3.0/).

Access denied? Managing access to the Web within the NHS in England: technolo...

Catherine Ebenezer

METRAC's Campus Safety Audit Process

METRAC

Learn more about METRAC's Campus Safety Audit Services and process. METRAC’s Campus Safety Audit Process invigorates partnerships to improve the safety track record of campuses, from those in urban centres and suburban communities to rural areas and distance/online learning programs. More information: - web: http://www.metrac.org/what-we-do/safety/campus/ - email: info@metrac.org - phone: 416-392-3135

Are you really ready to roll out learning analytics across your entire instit...

Jisc

Speaker: Steve Hoole, senior analytics consultant. This workshop will enable delegates to consider a process to assist them finding suitable solution for learning analytics implementation. It will discuss how to move from small pilots to institutional wider implementation for learning analytics considering issues such as legal and ethical requirements such as GDPR compliance, planning for intervention management and ensuring staff and student engagement and support.

What data from 3 million learners can tell us about effective course design

John Whitmer, Ed.D.

Kuali - Building a Community (KDUK14)

Martin Hamilton

Slides from our UK Kuali Day talk on Building a Community in June 2014. Simon Whittemore and I outline Jisc's new strategic focus, the "co-design" pipeline of new products and services that we are lining up, including our student lifecycle challenge: From Prospect to Alumnus. We also present feedback from event delegates on their interests and priorities, and potential next steps in building and sustaining the nascent UK Kuali community.

Information security at University of East London: the benefits (and pitfalls...

Jisc

Blue Futuristic Illustrative Artificial Intelligence Project Presentation.pdf

erickamangaring25

OLI Findings and Innovations PanelBill Jerome

Privacy & Ethical Impact Assessment Workshop_RAMSES Project

Trilateral Research

A Review On Recommender Systems For University Admissions

Becky Gilbert

Ivins, "E-Learning Systems and Content"

National Information Standards Organization (NISO)

Rcademy pitch 2012

Jonathan Cornelissen

Similar to Finding vulnerabilities - networkshop44 (20)

Jisc's FE and skills strategic priorities and opportunities to get involved

Right Here; Right Now: Providing the Information your Students Need and your...

Avoiding Invasive Surveillance, Ensuring Trust: ENSURING TRUST UNED’S AvEx

PreventionMitigation_Philadelphia_Breakout.ppt

Digital Proctor Whitepaper #1

introduction of data structure and design and analysis of algorithm

Slides - Leveraging institutional open practices to promote access- AVU Confe...

Access denied? Managing access to the Web within the NHS in England: technolo...

METRAC's Campus Safety Audit Process

Are you really ready to roll out learning analytics across your entire instit...

What data from 3 million learners can tell us about effective course design

Kuali - Building a Community (KDUK14)

Information security at University of East London: the benefits (and pitfalls...

Blue Futuristic Illustrative Artificial Intelligence Project Presentation.pdf

OLI Findings and Innovations Panel

Privacy & Ethical Impact Assessment Workshop_RAMSES Project

A Review On Recommender Systems For University Admissions

Ivins, "E-Learning Systems and Content"

Rcademy pitch 2012

Recently uploaded

Unit 8 - Information and Communication Technology (Paper I).pdf

Thiyagu K

Francesca Gottschalk - How can education support child empowerment.pptx

EduSkills OECD

Thesis Statement for students diagnonsed withADHD.ppt

EverAndrsGuerraGuerr

The basics of sentences session 5pptx.pptx

heathfieldcps1

Guidance_and_Counselling.pdf B.Ed. 4th Semester

Atul Kumar Singh

The Roman Empire A Historical Colossus.pdf

kaushalkr1407

The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence. The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth. Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration. The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority. Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages. Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.

Lapbook sobre os Regimes Totalitários.pdf

Jean Carlos Nunes Paixão

CACJapan - GROUP Presentation 1- Wk 4.pdf

camakaiclarkmusic

Honest Reviews of Tim Han LMA Course Program.pptx

timhan337

Introduction to AI for Nonprofits with Tapp Network

TechSoup

Overview on Edible Vaccine: Pros & Cons with Mechanism

DeeptiGupta154

The French Revolution Class 9 Study Material pdf free download

Vivekanand Anglo Vedic Academy

The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe. For more information, visit-www.vavaclasses.com

The Challenger.pdf DNHS Official Publication

Delapenabediema

The geography of Taylor Swift - some ideas

GeoBlogs

Polish students' mobility in the Czech Republic

Anna Sz.

Operation Blue Star - Saka Neela Tara

Balvir Singh

Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup. The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

siemaillard

June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...

Levi Shapiro

Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg Dear Dr. Kornbluth and Mr. Gorenberg, The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation. This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or unwillingness to rectify this violation through action requires accountability. Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots. The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee. • The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act. • The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X. • The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202

Synthetic Fiber Construction in lab .pptx

Pavel ( NSTU)

Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.

The Accursed House by Émile Gaboriau.pptx

DhatriParmar

Recently uploaded (20)

Unit 8 - Information and Communication Technology (Paper I).pdf

Francesca Gottschalk - How can education support child empowerment.pptx

Thesis Statement for students diagnonsed withADHD.ppt

The basics of sentences session 5pptx.pptx

Guidance_and_Counselling.pdf B.Ed. 4th Semester

The Roman Empire A Historical Colossus.pdf

Lapbook sobre os Regimes Totalitários.pdf

CACJapan - GROUP Presentation 1- Wk 4.pdf

Honest Reviews of Tim Han LMA Course Program.pptx

Introduction to AI for Nonprofits with Tapp Network

Overview on Edible Vaccine: Pros & Cons with Mechanism

The French Revolution Class 9 Study Material pdf free download

The Challenger.pdf DNHS Official Publication

The geography of Taylor Swift - some ideas

Polish students' mobility in the Czech Republic

Operation Blue Star - Saka Neela Tara

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...

Synthetic Fiber Construction in lab .pptx

The Accursed House by Émile Gaboriau.pptx

Finding vulnerabilities - networkshop44

1. Responsible disclosure in Higher Education Giles Howard

2. Surveying Higher Education for good responsible disclosure practice » Public-facing policies indicating a commitment or understanding of cyber issues and the risk that they represent » Dedicated email addresses representing a route to report cyber issues » A brief survey of acceptable use policies or disciplinary policies to indicate the penalties for unauthorised access to systems » Any whistleblowing policies that might extend to students or cyber issues specifically » Any mention of leveraging students as assets for ‘white-hat’ hacking or any process by which systems may be tested involving students A holistic, qualitative approach – we were looking around other Higher Education providers for: 23/03/2016 Responsible disclosure in Higher Education

3. Additional work (undertaken simultaneously) » Bug bounties » Whitelists of systems that can be attacked » Leaderboards » Guarantee of safe disclosure if flaws are reported using a defined procedure instead of being simply publically disclosed » Assurances that flaws reported via the defined process will be afforded high priority » Test accounts for performing exploitation testing without damaging own/other accounts Surveying industrial practice in responsible disclosure: 23/03/2016 Responsible disclosure in Higher Education

4. Complications » Professional services (student services, finance, HR, etc.) could not risk interruptions to core business due to unregulated attempts to exploit their systems » Concerns from multiple stakeholders as to which students/staff this was going to apply to and in particular, how the students would be vetted » Further concerns that this may need doing at a much higher level (i.e. an institutional policy of responsible disclosure of a variety of situations, not purely cyber security ones) » Not all University systems are directly managed by the IT service – reporting out to vendors and manufacturers might take substantial time before fixes are available Consulting with key stakeholders within our institution resulted in the following issues being highlighted: 23/03/2016 Responsible disclosure in Higher Education

5. Primary outcomes » Utilising either the student-run cyber security society or a self-selected population of interested students to exploit systems with some further constraints » Usage of ‘at-risk’ periods (as are used for schedule maintenance/system upgrades at present) outside of core business hours which would allow the systems to be tested with little-to-no risk to business processes » Coordination with the Chief Information Officer and others to determine systems which both had value in being tested as well as not representing a substantial risk in letting students make attempts to exploit them Initial groundwork for a localised responsible disclosure process: 23/03/2016 Responsible disclosure in Higher Education

6. Current work » HEA-funded project led by Federica Paci (F.M.Paci@soton.ac.uk) at University of Southampton under the title of “Enhancing campus cyber security through constructivist student learning” » Work is beginning on selecting systems for the first round of penetration testing by a group of interested students » There is no official policy on responsible disclosure (yet!) but multiple parties are working together on this initial activity to hopefully iron out a more structured and policy-backed process for doing this in future 23/03/2016 Responsible disclosure in Higher Education

7. 23/03/2016 Responsible disclosure in Higher Education Questions?

8. Thank you 23/03/2016 Responsible disclosure in Higher Education Giles Howard University of Southampton giles.howard@soton.ac.uk

Finding vulnerabilities - networkshop44

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Finding vulnerabilities - networkshop44

Similar to Finding vulnerabilities - networkshop44 (20)

More from Jisc

More from Jisc (20)

Recently uploaded

Recently uploaded (20)

Finding vulnerabilities - networkshop44