case western reserve university

LUX IN TENEBRIS

Education and Ethics: Questionable Assignments and Collateral Damage

March 5, 2006

A recent story about a university professor assigning students the task of vulnerability scanning live hosts has been circulating through the security space (see http://www.securityfocus.com/brief/151).

Although it was done in an effort to educate, this action on the part of the professor crosses the line of the ethical standards expected of Information Security Professionals. I would like to investigate what conditions should be set for network vulnerability testing in the standard IT curriculum. Because the computers in question are on a network that is a shared infrastructure, and not a controlled (closed) network, there is a probability approaching 1 that the course activity can cause outages and damage to production systems, the hosts supporting the business functions of the University. I call this collateral damage.

Collateral damage is reduced if not eliminated when the ethical standards of respect are applied. Let me illustrate.

If I had asked my Chemistry 201 students to make plastic explosives, they might be educated in how to safely handle and produce hazardous materials in the lab. They might soon understand the balance between stability and instability. They would learn the value of the oxygen ratio, or the impact of the rapid state change between solid and gas. But if they did not learn this in a controlled laboratory environment, with extremely small quantities, they might kill me and themselves, and potentially all the other students nearby who had nothing to do with the experiment. All these things need to be thought through, by me, your professor, out of respect for the students' safety, the educational institution, and the community as a whole. Yes, there may also be the potential that some students will take some home and blow up their garage. This is avoided when we keep a regular inventory of the chemicals and products in the lab, and advise the students that they will be held accountable for breaking the rules, the policy, and the law.

Another similar example is the US Marine Corps. They take young people, 18 years old, from all walks of life in the USA, and turn them into warriors. The Discovery Channel put together a good film on the indoctrination process.
They have a specific, closed environment for training, and when they 'graduate' they are not on their own in the world carrying weapons. They are managed as professional soldiers with strict regimens. They may die for us, but they won't cause collateral damage.

The University network, being interconnected with other networks, is not a controlled laboratory environment. I welcome it when a user of the network finds an obvious flaw in a University system that supports the business of the University, but remind everyone that it is a production network. Unsanctioned security testing (that is, testing that Case ITS did not hire you to perform) is counter to the University's Acceptable Use Policy in that it consumes inordinate network resources and interferes with reasonable use of servers and services by the University. Using the University's network resources to probe and test other networks is against the law. I'm working on an outreach program for Faculty to help develop guidelines for teaching in this area that will not impact any IT-based business or expose the University to civil legal action.

There is also the opinion that a good way to learn to secure your servers (and the applications you've developed to run on them) is to use published techniques to attack them. A great way to do this is to build a controlled environment on your own machine and test in a virtual network. I recommend you look at VMware. They have a VMware Player, which reminds me of the Adobe Acrobat Player, that you can run virtual machines in. If you like it, you are encouraged to buy VMware.
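As an added example (not part of the original post), here is a small Python scope gate an instructor could place in front of any lab scanning exercise so that every target stays inside the isolated virtual network and nothing on the production network or the Internet is ever touched. The lab segment, the host cap and the sample targets are constructed assumptions for this example.

```python
# Added example, not from the original post: refuse any scan target that is not
# inside the declared, isolated lab network. The lab CIDR is a constructed sample
# (a typical VMware host-only style segment), not a real deployment value.
import ipaddress

# Constructed sample lab segment; an instructor would set this to the actual
# host-only network of the virtual lab.
LAB_NETWORKS = [ipaddress.ip_network("192.168.56.0/24")]
MAX_ADDRESSES = 256  # one /24 at most; broader sweeps are never a lab exercise


def check_target(target, lab_networks=LAB_NETWORKS, max_addresses=MAX_ADDRESSES):
    """Return (allowed, reason) for one host or CIDR string.

    Rejects malformed input, ranges broader than the lab, anything globally
    routable (production hosts, other networks, the Internet), and anything
    that is private but not inside a declared lab segment.
    """
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False, "not a valid IP address or CIDR: %r" % (target,)
    if net.num_addresses > max_addresses:
        return False, "range too broad for the lab (%d addresses)" % net.num_addresses
    if not net.is_private:
        return False, "globally routable, outside any lab: %s" % net
    same_family = [lab for lab in lab_networks if lab.version == net.version]
    if not any(net.subnet_of(lab) for lab in same_family):
        return False, "not inside a declared lab network: %s" % net
    return True, "in scope: %s" % net


def filter_targets(targets, **kwargs):
    """Split a candidate list into (allowed targets, [(target, reason), ...])."""
    allowed, rejected = [], []
    for target in targets:
        ok, why = check_target(target, **kwargs)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, why))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample input: one lab host, one public address, one private
    # address outside the lab, one over-broad range and one typo.
    sample = ["192.168.56.10", "1.2.3.4", "10.1.2.3", "192.168.0.0/16", "not-an-ip"]
    ok, bad = filter_targets(sample)
    print("allowed:", ok)
    for target, why in bad:
        print("rejected:", target, "->", why)
```

Run the gate over the target list before the scanner ever sees it; only the entries it returns as allowed should be handed on.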

In summary, you are best advised to avoid performing activities tantamount to the precursors of network-based intrusion, such as reconnaissance like vulnerability scanning. If you cause an outage of a University system that supports the mission of the University, you'll be swimming in Kim-Chee.

Happy Computing.

Posted by Thomas Siu at 09:16 AM
