In Survey of American Universities, MIT Scores Worst In Cybersecurity
An anonymous reader writes: In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list. In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators. That might not seem intuitive, but according to the linked article, it's not purely mistaken. Some of that low ranking can be chalked up to things like intentional security holes created in the course of researching vulnerabilities, but some of it comes from "exposed passwords, old legacy systems, and a bunch of administrative subdomains that seem to have been forgotten about," as well as pockets of malware.
I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account.
That might have been true fifteen years ago, but really these days computers are ubiquitous everywhere. I think it's more likely to do with two things: an early embrace of computers combined with an almost uniquely dysfunctional administrative culture that makes change even harder than it would be most places. It's what comes from taking a group of people who are used to being right when everyone around them is wrong and making them run a large, complex institution. The results are astounding, sometimes in a good way but by no means always.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.
My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise. Sure, it's secure as @#$*, but also Orwellian and ignorant as @#$* also.
That is, if you want to have an institutional culture that's built around "hey! take this stuff and play around with it without any restrictions" you can't also be saying "hey! don't do that!" to everything they do.
My guess is something like that is going on.
As an MIT alum, I'm gratified that the postings here didn't turn into a giant attack on MIT. Heaven knows the place is far from perfect, but I did get an outstanding education that stood me well in the course of a long career.
Although this is purely anecdotal, some people I talked to tell me this. There's a lot of freedom at MIT (and there always has been), and the emphasis is on breakthrough creativity. So for the most part security issues, strict rules, locking things down, etc., all take a back seat.
But there are a few systems -- just a few -- that are highly protected and known in the culture to be strictly off-limits. Have we heard of major data breaches and MIT student data being stolen on a large scale? I haven't. I suspect it's because the emphasis is on security in those few places where it really matters.
Can someone who is currently at MIT comment on this? As I said, this is anecdotal and could be dated and/or inaccurate.