SlideShare a Scribd company logo

Finding vulnerabilities - networkshop44

Download as PPTX, PDF
Jisc, profile picture
Jisc

The document discusses responsible disclosure in higher education. It surveys policies at universities regarding cyber issues and outlines additional approaches used in industry, like bug bounties. There were complications in directly applying industrial practices to universities. Outcomes of consulting key stakeholders included utilizing interested student groups to test low-risk systems during off-hours. Current work involves selecting initial systems for students to penetration test, with the goal of establishing a formal responsible disclosure policy.

Education
1 of 8
Download to read offline
1
2
3
4
5
6
7
8
Responsible disclosure in Higher Education Giles Howard
Surveying Higher Education for good responsible disclosure practice » Public-facing policies indicating a commitment or understanding of cyber issues and the risk that they represent » Dedicated email addresses representing a route to report cyber issues » A brief survey of acceptable use policies or disciplinary policies to indicate the penalties for unauthorised access to systems » Any whistleblowing policies that might extend to students or cyber issues specifically » Any mention of leveraging students as assets for ‘white-hat’ hacking or any process by which systems may be tested involving students A holistic, qualitative approach – we were looking around other Higher Education providers for: 23/03/2016 Responsible disclosure in Higher Education
Additional work (undertaken simultaneously) » Bug bounties » Whitelists of systems that can be attacked » Leaderboards » Guarantee of safe disclosure if flaws are reported using a defined procedure instead of being simply publically disclosed » Assurances that flaws reported via the defined process will be afforded high priority » Test accounts for performing exploitation testing without damaging own/other accounts Surveying industrial practice in responsible disclosure: 23/03/2016 Responsible disclosure in Higher Education
Complications » Professional services (student services, finance, HR, etc.) could not risk interruptions to core business due to unregulated attempts to exploit their systems » Concerns from multiple stakeholders as to which students/staff this was going to apply to and in particular, how the students would be vetted » Further concerns that this may need doing at a much higher level (i.e. an institutional policy of responsible disclosure of a variety of situations, not purely cyber security ones) » Not all University systems are directly managed by the IT service – reporting out to vendors and manufacturers might take substantial time before fixes are available Consulting with key stakeholders within our institution resulted in the following issues being highlighted: 23/03/2016 Responsible disclosure in Higher Education
Primary outcomes » Utilising either the student-run cyber security society or a self-selected population of interested students to exploit systems with some further constraints » Usage of ‘at-risk’ periods (as are used for schedule maintenance/system upgrades at present) outside of core business hours which would allow the systems to be tested with little-to-no risk to business processes » Coordination with the Chief Information Officer and others to determine systems which both had value in being tested as well as not representing a substantial risk in letting students make attempts to exploit them Initial groundwork for a localised responsible disclosure process: 23/03/2016 Responsible disclosure in Higher Education
Current work » HEA-funded project led by Federica Paci (F.M.Paci@soton.ac.uk) at University of Southampton under the title of “Enhancing campus cyber security through constructivist student learning” » Work is beginning on selecting systems for the first round of penetration testing by a group of interested students » There is no official policy on responsible disclosure (yet!) but multiple parties are working together on this initial activity to hopefully iron out a more structured and policy-backed process for doing this in future 23/03/2016 Responsible disclosure in Higher Education
23/03/2016 Responsible disclosure in Higher Education Questions?
Thank you 23/03/2016 Responsible disclosure in Higher Education Giles Howard University of Southampton giles.howard@soton.ac.uk

More Related Content

PPTX
Transforming assessment and feedback with technology - Jisc Digifest 2016
Jisc
 
PPTX
Implemententing analytics part 1 - Niall Sclater
Jisc
 
PPTX
Scaling upon online learning project update_22.04.15
Heather Price
 
PPTX
Collaboration through technology: moving from possibility to practice - Noel ...
Jisc
 
PPTX
Understanding learning gain and why this might matter to you
Jisc
 
PPTX
The changing face of assessment and feedback: how technology can make a diffe...
Jisc
 
PPTX
FE digital student findings and recommendations
Jisc
 
PPTX
Networks and DDoS
Jisc
 
Transforming assessment and feedback with technology - Jisc Digifest 2016
Jisc
 
Implemententing analytics part 1 - Niall Sclater
Jisc
 
Scaling upon online learning project update_22.04.15
Heather Price
 
Collaboration through technology: moving from possibility to practice - Noel ...
Jisc
 
Understanding learning gain and why this might matter to you
Jisc
 
The changing face of assessment and feedback: how technology can make a diffe...
Jisc
 
FE digital student findings and recommendations
Jisc
 
Networks and DDoS
Jisc
 

What's hot (20)

PPTX
Electronic Management of Assessment
Jisc
 
PPTX
Implementing analytics part 2 - Moriamo Oduyemi
Jisc
 
PPTX
Implementing analytics - Paul Bailey and Dr Nick Moore
Jisc
 
PPTX
Leveraging change through digital capability - Lawrie Phipps, Terri Smith and...
Jisc
 
PPTX
Delivering online learning: are you ready?
Jisc
 
PPTX
Making a difference with technology enhanced learning - Esther Barrett, Andre...
Jisc
 
PPTX
Designing and developing great courses together - Jisc Digifest 2016
Jisc
 
PPTX
Student digital experience tracker 2017: summary of key findings
Jisc
 
PPTX
Digital Diagnostic: identifying staff digital capabilities at Staffordshire U...
Jisc
 
PDF
Keeping learners safe online presentation
Jisc
 
PPTX
Facilitating your registration with the Office for Students using the Jisc st...
Jisc
 
PPTX
YSJ and Jisc: standing on the shoulders of giants - Phil Vincent
Jisc
 
PPTX
Jisc toolkit: supporting the digital experience of new students
Jisc
 
PPTX
Making a difference with technology-enhanced learning - Esther Barrett, Debbi...
Jisc
 
PPTX
Supporting staff to teach effectively online
Jisc
 
PPTX
Making a difference with technology-enhanced learning - Sarah Knight and Sara...
Jisc
 
PDF
Introducing professionalism as an assessed element of the nursing undergradua...
Jisc
 
PPTX
The benefits and challenges of open access: lessons from practice - Helen Bla...
Jisc
 
PPTX
Digital leadership
Jisc
 
PPTX
Student experience experts meeting
Jisc
 
Electronic Management of Assessment
Jisc
 
Implementing analytics part 2 - Moriamo Oduyemi
Jisc
 
Implementing analytics - Paul Bailey and Dr Nick Moore
Jisc
 
Leveraging change through digital capability - Lawrie Phipps, Terri Smith and...
Jisc
 
Delivering online learning: are you ready?
Jisc
 
Making a difference with technology enhanced learning - Esther Barrett, Andre...
Jisc
 
Designing and developing great courses together - Jisc Digifest 2016
Jisc
 
Student digital experience tracker 2017: summary of key findings
Jisc
 
Digital Diagnostic: identifying staff digital capabilities at Staffordshire U...
Jisc
 
Keeping learners safe online presentation
Jisc
 
Facilitating your registration with the Office for Students using the Jisc st...
Jisc
 
YSJ and Jisc: standing on the shoulders of giants - Phil Vincent
Jisc
 
Jisc toolkit: supporting the digital experience of new students
Jisc
 
Making a difference with technology-enhanced learning - Esther Barrett, Debbi...
Jisc
 
Supporting staff to teach effectively online
Jisc
 
Making a difference with technology-enhanced learning - Sarah Knight and Sara...
Jisc
 
Introducing professionalism as an assessed element of the nursing undergradua...
Jisc
 
The benefits and challenges of open access: lessons from practice - Helen Bla...
Jisc
 
Digital leadership
Jisc
 
Student experience experts meeting
Jisc
 
Ad

Viewers also liked (20)

PPTX
IPv4 address planning - Networkshop44
Jisc
 
PPTX
Ipv6 deployment at the university of reading - Networkshop44
Jisc
 
PPTX
SafeShare - Networkshop44
Jisc
 
PPTX
Network engineering surgery - Networkshop44
Jisc
 
PPTX
Find out about Jisc - Networkshop44 2016
Jisc
 
PPTX
Ipv6 deployment at the university of warwick - networkshop44
Jisc
 
PPTX
Development of Jisc security programme - Networkshop44
Jisc
 
PPTX
IPv6 experience from a large enterprise - Networkshop44
Jisc
 
PPTX
Trust and identity services and architecture - Networkshop44
Jisc
 
PPTX
IPv6 at Mythic Beasts - Networkshop44
Jisc
 
PPTX
The simplification of the campus network Juniper - Networkshop44
Jisc
 
PPTX
Telephony developments at pirbright - Networkshop44
Jisc
 
PPTX
Data networking at UCL - Networkshop44
Jisc
 
PPTX
Session initiation protocol (sip) the force awakens in the Janet network comm...
Jisc
 
PPTX
Handling vulnerability reports - Networkshop44
Jisc
 
PPTX
Data centre networking at the University of Bristol - Networkshop44
Jisc
 
PPTX
IPv6 deployment status - Networkshop44
Jisc
 
PPTX
Vscene - Networkshop44
Jisc
 
PPTX
Data centre networking at London School of Economics and Political Science - ...
Jisc
 
PPTX
Software defined networking - huawei - Networkshop44
Jisc
 
IPv4 address planning - Networkshop44
Jisc
 
Ipv6 deployment at the university of reading - Networkshop44
Jisc
 
SafeShare - Networkshop44
Jisc
 
Network engineering surgery - Networkshop44
Jisc
 
Find out about Jisc - Networkshop44 2016
Jisc
 
Ipv6 deployment at the university of warwick - networkshop44
Jisc
 
Development of Jisc security programme - Networkshop44
Jisc
 
IPv6 experience from a large enterprise - Networkshop44
Jisc
 
Trust and identity services and architecture - Networkshop44
Jisc
 
IPv6 at Mythic Beasts - Networkshop44
Jisc
 
The simplification of the campus network Juniper - Networkshop44
Jisc
 
Telephony developments at pirbright - Networkshop44
Jisc
 
Data networking at UCL - Networkshop44
Jisc
 
Session initiation protocol (sip) the force awakens in the Janet network comm...
Jisc
 
Handling vulnerability reports - Networkshop44
Jisc
 
Data centre networking at the University of Bristol - Networkshop44
Jisc
 
IPv6 deployment status - Networkshop44
Jisc
 
Vscene - Networkshop44
Jisc
 
Data centre networking at London School of Economics and Political Science - ...
Jisc
 
Software defined networking - huawei - Networkshop44
Jisc
 
Ad

Similar to Finding vulnerabilities - networkshop44 (20)

PPTX
Jisc's FE and skills strategic priorities and opportunities to get involved
Jisc
 
PDF
Travel ppt presentation of travel bla bl
GautamJain437256
 
PPTX
Right Here; Right Now: Providing the Information your Students Need and your...
Marieke Guy
 
PDF
Avoiding Invasive Surveillance, Ensuring Trust: ENSURING TRUST UNED’S AvEx
EADTU
 
PPT
PreventionMitigation_Philadelphia_Breakout.ppt
JessaEraldinOrigines
 
PDF
10 Essential Considerations in Selecting a School Management System.pdf
https://www.tsmapp.in/
 
PDF
Digital Proctor Whitepaper #1
Course Glue - Increase Student Retention
 
DOCX
introduction of data structure and design and analysis of algorithm
YerosanTafesse
 
DOCX
introduction of data structure and design and analysis of algorithm
YerosanTafesse
 
PDF
Slides - Leveraging institutional open practices to promote access- AVU Confe...
Kathleen Ludewig Omollo
 
PPTX
Access denied? Managing access to the Web within the NHS in England: technolo...
Catherine Ebenezer
 
PPTX
METRAC's Campus Safety Audit Process
METRAC
 
PPTX
Are you really ready to roll out learning analytics across your entire instit...
Jisc
 
PPTX
What data from 3 million learners can tell us about effective course design
John Whitmer, Ed.D.
 
PPTX
Kuali - Building a Community (KDUK14)
Martin Hamilton
 
PPTX
Information security at University of East London: the benefits (and pitfalls...
Jisc
 
PDF
Blue Futuristic Illustrative Artificial Intelligence Project Presentation.pdf
erickamangaring25
 
PPTX
OLI Findings and Innovations Panel
Bill Jerome
 
PPTX
Privacy & Ethical Impact Assessment Workshop_RAMSES Project
Trilateral Research
 
PDF
A Review On Recommender Systems For University Admissions
Becky Gilbert
 
Jisc's FE and skills strategic priorities and opportunities to get involved
Jisc
 
Travel ppt presentation of travel bla bl
GautamJain437256
 
Right Here; Right Now: Providing the Information your Students Need and your...
Marieke Guy
 
Avoiding Invasive Surveillance, Ensuring Trust: ENSURING TRUST UNED’S AvEx
EADTU
 
PreventionMitigation_Philadelphia_Breakout.ppt
JessaEraldinOrigines
 
10 Essential Considerations in Selecting a School Management System.pdf
https://www.tsmapp.in/
 
Digital Proctor Whitepaper #1
Course Glue - Increase Student Retention
 
introduction of data structure and design and analysis of algorithm
YerosanTafesse
 
introduction of data structure and design and analysis of algorithm
YerosanTafesse
 
Slides - Leveraging institutional open practices to promote access- AVU Confe...
Kathleen Ludewig Omollo
 
Access denied? Managing access to the Web within the NHS in England: technolo...
Catherine Ebenezer
 
METRAC's Campus Safety Audit Process
METRAC
 
Are you really ready to roll out learning analytics across your entire instit...
Jisc
 
What data from 3 million learners can tell us about effective course design
John Whitmer, Ed.D.
 
Kuali - Building a Community (KDUK14)
Martin Hamilton
 
Information security at University of East London: the benefits (and pitfalls...
Jisc
 
Blue Futuristic Illustrative Artificial Intelligence Project Presentation.pdf
erickamangaring25
 
OLI Findings and Innovations Panel
Bill Jerome
 
Privacy & Ethical Impact Assessment Workshop_RAMSES Project
Trilateral Research
 
A Review On Recommender Systems For University Admissions
Becky Gilbert
 

More from Jisc (20)

PPTX
Strengthening open access through collaboration: building connections with OP...
Jisc
 
PPTX
Andrew-Brown-JUSP-showcase-20240730.pptx
Jisc
 
PPTX
JUSP Showcase - Rebuilding Data presentation
Jisc
 
PPTX
Adobe Express Engagement Webinar (Delegate).pptx
Jisc
 
PPTX
FE Accessibility training matrix partnership - information session
Jisc
 
PPTX
Procuring a research management system: why is it so hard?
Jisc
 
PPTX
Adobe Express Engagement Webinar (Delegate).pptx
Jisc
 
PPTX
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
PPTX
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
PPTX
The approach at University of Liverpool.pptx
Jisc
 
PPTX
Jisc's value to HE: the University of Sheffield
Jisc
 
PPTX
Towards a code of practice for AI in AT.pptx
Jisc
 
PPTX
Jamworks pilot and AI at Jisc (20/03/2024)
Jisc
 
PPTX
Wellbeing inclusion and digital dystopias.pptx
Jisc
 
PPTX
Accessible Digital Futures project (20/03/2024)
Jisc
 
PPTX
Procuring digital preservation CAN be quick and painless with our new dynamic...
Jisc
 
PPTX
International students’ digital experience: understanding and mitigating the ...
Jisc
 
PPTX
Digital Storytelling Community Launch!.pptx
Jisc
 
PPTX
Open Access book publishing understanding your options (1).pptx
Jisc
 
PPTX
Scottish Universities Press supporting authors with requirements for open acc...
Jisc
 
Strengthening open access through collaboration: building connections with OP...
Jisc
 
Andrew-Brown-JUSP-showcase-20240730.pptx
Jisc
 
JUSP Showcase - Rebuilding Data presentation
Jisc
 
Adobe Express Engagement Webinar (Delegate).pptx
Jisc
 
FE Accessibility training matrix partnership - information session
Jisc
 
Procuring a research management system: why is it so hard?
Jisc
 
Adobe Express Engagement Webinar (Delegate).pptx
Jisc
 
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
The approach at University of Liverpool.pptx
Jisc
 
Jisc's value to HE: the University of Sheffield
Jisc
 
Towards a code of practice for AI in AT.pptx
Jisc
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jisc
 
Wellbeing inclusion and digital dystopias.pptx
Jisc
 
Accessible Digital Futures project (20/03/2024)
Jisc
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Jisc
 
International students’ digital experience: understanding and mitigating the ...
Jisc
 
Digital Storytelling Community Launch!.pptx
Jisc
 
Open Access book publishing understanding your options (1).pptx
Jisc
 
Scottish Universities Press supporting authors with requirements for open acc...
Jisc
 

Recently uploaded (20)

PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PPTX
master seminar digital applications in india
ananyaray35
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
RMMM.pdf make it easy to upload and study
sajedul2
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Institutional Correction lecture only . . .
limvtheghins
 
master seminar digital applications in india
ananyaray35
 
Lesson notes of climatology university.
sgladness67
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 

Finding vulnerabilities - networkshop44

  • 1. Responsible disclosure in Higher Education Giles Howard
  • 2. Surveying Higher Education for good responsible disclosure practice » Public-facing policies indicating a commitment or understanding of cyber issues and the risk that they represent » Dedicated email addresses representing a route to report cyber issues » A brief survey of acceptable use policies or disciplinary policies to indicate the penalties for unauthorised access to systems » Any whistleblowing policies that might extend to students or cyber issues specifically » Any mention of leveraging students as assets for ‘white-hat’ hacking or any process by which systems may be tested involving students A holistic, qualitative approach – we were looking around other Higher Education providers for: 23/03/2016 Responsible disclosure in Higher Education
  • 3. Additional work (undertaken simultaneously) » Bug bounties » Whitelists of systems that can be attacked » Leaderboards » Guarantee of safe disclosure if flaws are reported using a defined procedure instead of being simply publically disclosed » Assurances that flaws reported via the defined process will be afforded high priority » Test accounts for performing exploitation testing without damaging own/other accounts Surveying industrial practice in responsible disclosure: 23/03/2016 Responsible disclosure in Higher Education
  • 4. Complications » Professional services (student services, finance, HR, etc.) could not risk interruptions to core business due to unregulated attempts to exploit their systems » Concerns from multiple stakeholders as to which students/staff this was going to apply to and in particular, how the students would be vetted » Further concerns that this may need doing at a much higher level (i.e. an institutional policy of responsible disclosure of a variety of situations, not purely cyber security ones) » Not all University systems are directly managed by the IT service – reporting out to vendors and manufacturers might take substantial time before fixes are available Consulting with key stakeholders within our institution resulted in the following issues being highlighted: 23/03/2016 Responsible disclosure in Higher Education
  • 5. Primary outcomes » Utilising either the student-run cyber security society or a self-selected population of interested students to exploit systems with some further constraints » Usage of ‘at-risk’ periods (as are used for schedule maintenance/system upgrades at present) outside of core business hours which would allow the systems to be tested with little-to-no risk to business processes » Coordination with the Chief Information Officer and others to determine systems which both had value in being tested as well as not representing a substantial risk in letting students make attempts to exploit them Initial groundwork for a localised responsible disclosure process: 23/03/2016 Responsible disclosure in Higher Education
  • 6. Current work » HEA-funded project led by Federica Paci (F.M.Paci@soton.ac.uk) at University of Southampton under the title of “Enhancing campus cyber security through constructivist student learning” » Work is beginning on selecting systems for the first round of penetration testing by a group of interested students » There is no official policy on responsible disclosure (yet!) but multiple parties are working together on this initial activity to hopefully iron out a more structured and policy-backed process for doing this in future 23/03/2016 Responsible disclosure in Higher Education
  • 7. 23/03/2016 Responsible disclosure in Higher Education Questions?
  • 8. Thank you 23/03/2016 Responsible disclosure in Higher Education Giles Howard University of Southampton giles.howard@soton.ac.uk