finding vulnerabilities - networkshop44

Responsible disclosure in Higher Education, Giles Howard

Upload: jisc

Post on 19-Jan-2017


Category: Education



TRANSCRIPT

Page 1: Finding vulnerabilities - networkshop44

Responsible disclosure in Higher Education

Giles Howard

Page 2

Surveying Higher Education for good responsible disclosure practice

A holistic, qualitative approach – we were looking around other Higher Education providers for:

» Public-facing policies indicating a commitment or understanding of cyber issues and the risk that they represent

» Dedicated email addresses representing a route to report cyber issues

» A brief survey of acceptable use policies or disciplinary policies to indicate the penalties for unauthorised access to systems

» Any whistleblowing policies that might extend to students or cyber issues specifically

» Any mention of leveraging students as assets for ‘white-hat’ hacking or any process by which systems may be tested involving students

23/03/2016

Page 3

Additional work (undertaken simultaneously)

Surveying industrial practice in responsible disclosure:

» Bug bounties

» Whitelists of systems that can be attacked

» Leaderboards

» Guarantee of safe disclosure if flaws are reported using a defined procedure instead of being simply publicly disclosed

» Assurances that flaws reported via the defined process will be afforded high priority

» Test accounts for performing exploitation testing without damaging own/other accounts

Page 4

Complications

Consulting with key stakeholders within our institution resulted in the following issues being highlighted:

» Professional services (student services, finance, HR, etc.) could not risk interruptions to core business due to unregulated attempts to exploit their systems

» Concerns from multiple stakeholders as to which students/staff this was going to apply to and, in particular, how the students would be vetted

» Further concerns that this may need doing at a much higher level (i.e. an institutional policy of responsible disclosure of a variety of situations, not purely cyber security ones)

» Not all University systems are directly managed by the IT service – reporting out to vendors and manufacturers might take substantial time before fixes are available

Page 5

Primary outcomes

Initial groundwork for a localised responsible disclosure process:

» Utilising either the student-run cyber security society or a self-selected population of interested students to exploit systems with some further constraints

» Usage of ‘at-risk’ periods (as are used for scheduled maintenance/system upgrades at present) outside of core business hours, which would allow the systems to be tested with little-to-no risk to business processes

» Coordination with the Chief Information Officer and others to determine systems which both had value in being tested as well as not representing a substantial risk in letting students make attempts to exploit them

Page 6

Current work

» HEA-funded project led by Federica Paci ([email protected]) at University of Southampton under the title of “Enhancing campus cyber security through constructivist student learning”

» Work is beginning on selecting systems for the first round of penetration testing by a group of interested students

» There is no official policy on responsible disclosure (yet!) but multiple parties are working together on this initial activity to hopefully iron out a more structured and policy-backed process for doing this in future


Page 7

Questions?

Page 8

Thank you


Giles Howard

University of [email protected]