Slashdot Mirror


In Survey of American Universities, MIT Scores Worst In Cybersecurity

An anonymous reader writes: In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list. In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators. That might not seem intuitive, but according to the linked article, it's not purely mistaken. Some of that low ranking can be chalked up to things like intentional security holes created in the course of researching vulnerabilities, but some of it comes from "exposed passwords, old legacy systems, and a bunch of administrative subdomains that seem to have been forgotten about," as well as pockets of malware.

6 of 47 comments

  1. Re:Is this proportional to the number of systems? by hey! · Score: 4, Interesting

    I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account.

    That might have been true fifteen years ago, but really these days computers are ubiquitous everywhere. I think it's more likely to do with two things: an early embrace of computers combined with an almost uniquely dysfunctional administrative culture that makes change even harder than it would be most places. It's what comes from taking a group of people who are used to being right when everyone around them is wrong and making them run a large, complex institution. The results are astounding, sometimes in a good way but by no means always.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Re:Is this proportional to the number of systems? by FranTaylor · Score: 3, Interesting

    Laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago; there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess. But the professors and grad students are 100% focused on their theses and projects and they really didn't care about anything as long as they could get their work done, so it was all very very sloppy. I always felt that they needed much more structure and I am really surprised that it seems like nothing has changed there.

  3. Re:This reminds me of Our Savior, Richard Stallman by FranTaylor · Score: 3, Interesting

    It was common knowledge that rms's password on mit-mc was rms. I think a lot of people learned macsyma by using rms's account.

  4. Re:Is this proportional to the number of systems? by Anonymous Coward · Score: 5, Interesting

    So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.

    My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise. Sure, it's secure as @#$*, but also Orwellian and ignorant as @#$* also.

    That is, if you want to have an institutional culture that's built around "hey! take this stuff and play around with it without any restrictions" you can't also be saying "hey! don't do that!" to everything they do.

    My guess is something like that is going on.

  5. Re:Is this proportional to the number of systems? by LaurenCates · Score: 3, Interesting

    Sounds to me like that's probably the attitude in a high-performance, high-pressure environment ("policies get in the way of getting work done"), and if the culture hasn't changed since your time there, then the attitude has only scaled up with the complexity of the system.

    Not a knock on you, of course, and I hope you don't take it that way. You still have to rely on the user base to be the last lines of security within a system.

    --
    Some people don't believe in fairies. I don't believe in The Patriarchy.
  6. Security only where it really matters? by chipschap · Score: 4, Interesting

    As an MIT alum, I'm gratified that the postings here didn't turn into a giant attack on MIT. Heaven knows the place is far from perfect, but I did get an outstanding education that stood me well in the course of a long career.

    Although this is purely anecdotal, some people I talked to tell me this. There's a lot of freedom at MIT (and there always has been), and the emphasis is on breakthrough creativity. So for the most part security issues, strict rules, locking things down, etc., all take a back seat.

    But there are a few systems--- just a few--- that are highly protected and known in the culture to be strictly off-limits. Have we heard of major data breaches and MIT student data being stolen on a large scale? I haven't. I suspect it's because the emphasis is on security in those few places where it really matters.

    Can someone who is currently at MIT comment on this? As I said, this is anecdotal and could be dated and/or inaccurate.