[IS&T Security-FYI] Security FYI Newsletter, January 29, 2015
Monique Buchanan
myeaton at mit.edu
Thu Jan 29 11:17:41 EST 2015
In this issue:
1. Cambridge v. Cambridge Face-Off
2. “Responsible” Vulnerability Disclosure
3. Higher Education and Information Security
-------------------------------------------------
1. Cambridge v. Cambridge Face-Off
-------------------------------------------------
As part of a series of cybersecurity initiatives made public during British Prime Minister David Cameron’s visit with President Barack Obama, the two nations announced that MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) will face off against the University of Cambridge this fall for a special student hackathon dubbed “Cambridge v. Cambridge.”
The multi-day competition is part of continued efforts by the two nations to collaborate on cybersecurity and harness their collective brainpower to help combat global cyberattacks.
Read the full story on the MIT News page<http://newsoffice.mit.edu/2015/david-cameron-cybersecurity-competition-csail-0116>.
------------------------------------------------------
2. “Responsible” Vulnerability Disclosure
------------------------------------------------------
The recent conflict between Microsoft and Google over Google’s adherence to its 90-day disclosure policy for software vulnerabilities has brought to light a debate that has raged for several years now.
Responsible disclosure is a problem that has yet to be resolved in a way that both parties can agree on. On one hand there are the researchers who discover vulnerabilities in software that criminals can exploit and use to target unwitting and innocent users; on the other hand are the companies that make the software and are responsible for patching these vulnerabilities.
The question is not who is right, for that depends upon which side you’re on.
The researchers<http://googleonlinesecurity.blogspot.com/2014/07/announcing-project-zero.html> are right to be concerned about a vulnerability that they know exists and which could potentially put those who don’t know about it at risk. Their view is that if a security researcher was able to find the bug, then criminals, who search for such bugs in order to exploit them, could find it too and use it for nefarious means.
The software developers<http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx> are right to be concerned about a vulnerability becoming public before they have been able to provide a patch. Their view is that it is irresponsible to disclose an exploitable security vulnerability, complete with exploit code, prior to a patch because it is essentially inviting a criminal to exploit it.
The debate rages online at TechRepublic.com<http://www.techrepublic.com/article/security-experts-weigh-in-on-microsoft-google-vulnerability-disclosure-debate/>.
------------------------------------------------------------
3. Higher Education and Information Security
------------------------------------------------------------
Higher education leaders face a challenge when choosing whether to adopt new technologies, such as moving enterprise applications and infrastructure to the cloud, while minimizing risk. How do they ensure adequate protection is in place for the vast amounts of information being collected, processed and stored?
A recent article posted on Educause.edu<https://www.educause.edu/ero/article/achieving-often-delicate-balance-between-technology-and-information-security> looks at the advantages that can be gained by achieving a balance between these two objectives.
Highlights of the article include:
* Ongoing challenges such as the relative obscurity of information security and a lack of buy-in from a school’s administrators and staff.
* Whether schools are ready and structured in a way to face these challenges.
* The benefits of effective collaboration between the security staff, IT and leadership.
Read the full article at Educause.edu<https://www.educause.edu/ero/article/achieving-often-delicate-balance-between-technology-and-information-security>
=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715