Educational Security Assessment project for Northern Virginia Community College students.

From: Djiali (djiali@speakeasy.net)
Date: Mon Jan 24 2005 - 06:29:32 EST


Good morning list,
I'm a student enrolled in the Information Systems Security Certification
program offered at Northern Virginia Community College. This
certification is considered a specialization for students who already
have a degree in a network-related field and have completed the course
load required for the InfoSec certification. The final course is an
independent study supervised by the most senior InfoSec faculty member.
The goal of this course is to offer students real-world experience in
conducting a security assessment on a real company. The whole course is
structured to protect both the company and students from any
harm...we've had to sign an ethics contract with the college, and we
will have to enter into a contractual agreement with the company we
would be working with.
As the team leader, I've decided to proceed using the OSSTMM methodology
for Information Systems (we're not going to try any war dialing, site
surveys, or try to enter the company's physical location). From our
side, we're going to conduct the port scanning, enumeration, and web
application testing on the live systems, but then take the "proof of
findings" stage into our test lab where we'll replicate the company's
production environment and attempt to exploit any holes we find. No harm
will be done to your production systems.
Now for the dilemma part. As you can imagine, it's been a little hard
for us to find someone to work with...companies would rather leave their
holes undiscovered than have some students identify them for free!! I
can't say that I blame them entirely...I don't know what I would do if
the tables were turned. This is why I'm turning to the list...I'm hoping
that if we can discuss the project with security folks who understand
what we're trying to do, we'd have better luck.
In any event, if you think that you might help out a group of students
trying to break into the InfoSec world, please email me directly. I have
some preliminary project plans, the course syllabus which outlines
everything, and of course, the contact information for our professor if
you wish to contact him for validation.
Thanks!!
Wade
