finding vulnerabilities - networkshop44
Post on 19-Jan-2017
Responsible disclosure in Higher Education
Giles Howard
23/03/2016

Surveying Higher Education for good responsible disclosure practice
A holistic, qualitative approach – we were looking around other Higher Education providers for:
» Public-facing policies indicating a commitment to, or understanding of, cyber issues and the risk that they represent
» Dedicated email addresses representing a route to report cyber issues
» A brief survey of acceptable use policies or disciplinary policies to indicate the penalties for unauthorised access to systems
» Any whistleblowing policies that might extend to students or to cyber issues specifically
» Any mention of leveraging students as assets for ‘white-hat’ hacking, or any process by which systems may be tested involving students
Additional work (undertaken simultaneously)
Surveying industrial practice in responsible disclosure:
» Bug bounties
» Whitelists of systems that can be attacked
» Leaderboards
» Guarantee of safe disclosure if flaws are reported using a defined procedure instead of being simply publicly disclosed
» Assurances that flaws reported via the defined process will be afforded high priority
» Test accounts for performing exploitation testing without damaging own/other accounts
Complications
Consulting with key stakeholders within our institution resulted in the following issues being highlighted:
» Professional services (student services, finance, HR, etc.) could not risk interruptions to core business due to unregulated attempts to exploit their systems
» Concerns from multiple stakeholders as to which students/staff this was going to apply to and, in particular, how the students would be vetted
» Further concerns that this may need doing at a much higher level (i.e. an institutional policy of responsible disclosure for a variety of situations, not purely cyber security ones)
» Not all University systems are directly managed by the IT service – reporting out to vendors and manufacturers might take substantial time before fixes are available
Primary outcomes
Initial groundwork for a localised responsible disclosure process:
» Utilising either the student-run cyber security society or a self-selected population of interested students to exploit systems, with some further constraints
» Usage of ‘at-risk’ periods (as are used for scheduled maintenance/system upgrades at present) outside of core business hours, which would allow the systems to be tested with little-to-no risk to business processes
» Coordination with the Chief Information Officer and others to determine systems which both had value in being tested and did not represent a substantial risk in letting students make attempts to exploit them
Current work
» HEA-funded project led by Federica Paci (F.M.Paci@soton.ac.uk) at University of Southampton under the title of “Enhancing campus cyber security through constructivist student learning”
» Work is beginning on selecting systems for the first round of penetration testing by a group of interested students
» There is no official policy on responsible disclosure (yet!) but multiple parties are working together on this initial activity to hopefully iron out a more structured and policy-backed process for doing this in future
Questions?
Thank you
Giles Howard
University of Southampton
giles.howard@soton.ac.uk