Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Networking Security Stats Worms

In Survey of American Universities, MIT Scores Worst In Cybersecurity 47

An anonymous reader writes: In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list. In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators. That might not seem intuitive, but according to the linked article, it's not purely mistaken. Some of that low ranking can be chalked up to things like intentional security holes created in the course of researching vulnerabilities, but some of it comes from "exposed passwords, old legacy systems, and a bunch of administrative subdomains that seem to have been forgotten about," as well as pockets of malware.
This discussion has been archived. No new comments can be posted.

In Survey of American Universities, MIT Scores Worst In Cybersecurity

Comments Filter:
  • I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account. Not reading the actual TFA because it requires me to register or something dumb like that.
    • Well, the summary does state "In a cybersecurity survey of 485 large colleges and universities"

      Which would at least imply that their targets were all of a similar size...

    • by hey! ( 33014 ) on Friday September 11, 2015 @10:54AM (#50503241) Homepage Journal

      I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account.

      That might have been true fifteen years ago, but really these days computers are ubiquitous everywhere. I think it's more likely to do with two things: an early embrace of computers combined with an almost uniquely dysfunctional administrative culture that makes change even harder than it would be most places. It's what comes from taking a group of people who are used to being right when everyone around them is wrong and make them run a large, complex institution. The results are astounding, sometimes in a good way but by no means always.

      • by Anonymous Coward on Friday September 11, 2015 @11:17AM (#50503429)

        So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.

        My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise. Sure, it's secure as @#$*, but also Orwellian and ignorant as @#$* also.

        That is, if you want to have an institutional culture that's built around "hey! take this stuff and play around with it without any restrictions" you can't also be saying "hey! don't do that!" to every thing they do.

        My guess is something like that is going on.

        • So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.

          My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise.

          That's how I remember it. When I was at MIT, there wasn't really a centralized IT administration per se. I mean sure there was for the general campus-wide network and the public computer labs. But if your research lab wan

        • by mlts ( 1038732 )

          I have encountered a wide spectrum of administration styles, from "unless it has an IT sticker on it, has all the corpware and can be managed by domain GPOs, it doesn't get near a Wi-Fi AP or a switch" to "Here is your subnet/subdomain in DNS, if something happens, don't blame us."

          Some autonomy is good. If a network is isolated from everything else [1], with an IDS/IPS watching the exit traffic just in case there is an infection, someone can be notified if it wasn't part of a test, then if the segment gets

        • I know a guy who works for the local university IT department, and at the beginning of every semester, there's the hassle of ensuring minimum security/virus protection protocols on all the new computers and laptops (and probably tablets too) that students bring to campus.

          You'd be surprised by the number of students who get a case of the chapped ass over installing the mandated virus protection before using the university's network.

        • by sribe ( 304414 )

          My guess is something like that is going on.

          The network is extremely open by design (ref: Aaron Schwarz), as is the physical campus.

    • by FranTaylor ( 164577 ) on Friday September 11, 2015 @10:59AM (#50503277)

      laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago, there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess. But the professors and grad students are 100% focused on their theses and projects and they really didn't care about anything as long as they could get their work done, so it was all very very sloppy. I always felt that they needed much more structure and I am really surprised that it seems like nothing has changed there.

      • by LaurenCates ( 3410445 ) on Friday September 11, 2015 @11:19AM (#50503465)

        Sounds to me like that's probably the attitude in a high-performance, high-pressure environment ("policies get in the way of getting work done"), and if the culture hasn't changed since your time there, then the attitude has only scaled up with the complexity of the system.

        Not a knock on you, of course, and I hope you don't take it that way. You still have to rely on the user base to be the last lines of security within a system.

      • No security is better than bad security. Bad Security is false security, where no security doesn't.

        If everyone knows the system isn't secure, then they take all the steps needed to be secure by themselves.

        • If everyone knows the system isn't secure, then they take all the steps needed to be secure by themselves.

          No, they don't do anything at all. When you are up to your eyeballs in your master's thesis you don't care about security or backups or clean clothing or deodorant or any of those things. You expect someone else to do it for you, but guess what? Due to budget cuts, there is nobody tasked to make backups or update systems. Welcome to university life.

      • laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago, there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess.

        Yes, and much of that is still the same. MIT has the entire 18.x.x.x block. There are plenty of direct IP addresses to give out to every single computer on campus, and I believe that's still the case [mit.edu].

        If you have a look at the Ars Technica story [arstechnica.com] on this report, they identify major components of the ranking, which include things like:

        Network security: a score based on the number of vulnerable services running directly exposed to the Internet, based on a scan that audits version numbers of exposed software and open ports on those systems correlated with a database of known exploits, according to SecurityScorecard Chief of Research Alex Heid.

        Hacker chatter: a score based on the frequency with which the school was mentioned in hacker forums, and amount of user credentials, e-mail addresses and other breached data circulating on those forums over the observed period.

        Password exposure: the degree to which students, faculty, and employees are using weak passwords). This score was in part based on the user credential data discovered in hacker chatter."Our signals and sensors found 6 credentials for accounts associated with student and employee email discovered in 4 data leaks," SecurityScorecard reported.

        In other words, they dropped MIT to the bottom of the list because they have most computers and systems on actual IP addresses connected directly to the internet, and because

    • I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account. Not reading the actual TFA because it requires me to register or something dumb like that.

      As I think anyone who has ever done IT to support an engineering or software team would attest, supporting these teams is about like herding cats. We all want to use whatever technology we know, that does the function we want it to do. We will not tolerate anything Microsoft or Oracle (mostly becaus

  • by Anonymous Coward

    Their whole network's just a honeypot, as Aaron Swartz found out.

  • The difference is that when their shit breaks, they can fix it.

    • Except that you can't recover data once it is stolen...

      Being able to fix a problem is not the point.... any monkey can fix a hacked computer by wiping it and re-installing the OS. It is the data that is important...

      • by chipschap ( 1444407 ) on Friday September 11, 2015 @11:43AM (#50503703)

        As an MIT alum, I'm gratified that the postings here didn't turn into a giant attack on MIT. Heaven knows the place is far from perfect, but I did get an outstanding education that stood me well in the course of a long career.

        Although this is purely anecdotal, some people I talked to tell me this. There's a lot of freedom at MIT (and there always has been), and the emphasis is on breakthrough creativity. So for the most part security issues, strict rules, locking things down, etc., all take a back seat.

        But there are a few systems--- just a few--- that are highly protected and known in the culture to be strictly off-limits. Have we heard of major data breaches and MIT student data being stolen on a large scale? I haven't. I suspect it's because the emphasis is on security in those few places where it really matters.

        Can someone who is currently at MIT comment on this? As I said, this is anecdotal and could be dated and/or inaccurate.

  • n Survey of American Universities, MIT Scores Worst In Cybersecurity

    That's because MIT is trying to prepare students for the corporate environment. It's job training, really.

  • ..they are so brilliant that they can just simply work around the impact of any kind of attack. Duh.
  • It's more of a sales pitch than a report. They make you give them an email address and then only give you meaningless highlights and the results in vaguely explained categories for the top 10 schools.
  • Look, you are going to attract the people who will bring back doors with them. They try out all sorts of stuff that then gets defunded, or the guy leaves and doesn't clean up. The thing is, when they find a new problem, they have they guys there to figure it out too. I would bet the actual systems (financial and acemdemic) are tighter than fort nox. But, it is an engineers playground, So everything is covered in beer and Mtn Dew.
  • I am guessing the nature of MIT lends itself to having lots of odd and end networks around. I would hope whomever runs the segment that contains administration is at least securing their network (student data, financial data, financial transactions, grading, etc.).

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...