Security Research

Scope

This procedure applies to all research and coursework that involves interacting with hosts and networks outside of your own lab environment. Examples of this type of interaction include:

  • Port scanning the internet
  • Port scanning the Georgia Tech network
  • Malware analysis allowing for callbacks
  • Sending malicious email
  • Operating Tor (or similar) exit nodes
  • Operating Darknets or Honeypots

Procedure

Click on the following link to complete the policy exception form.

Note that submission of the form does not constitute an approved policy exception. Please await a response from the Cyber Security team prior to proceeding with your work.

The form will require you to enter the following information. You may wish to take a moment and collect this information prior to clicking the above link:

  • Name and contact information of the Principal Investigator or Professor
  • Name of the research project or course
  • A list of all Georgia Tech hosts involved in the research/coursework
  • A list of all Georgia Tech IP addresses involved in the research/coursework
  • A list of all student user IDs involved in the class project (for coursework only)
  • Primary point of contact name, email address, and phone number
  • Secondary point of contact name, email address, and phone number
  • Project website URL (for any project/coursework that may generate abuse complaints)

For any research project that is likely to generate abuse complaints (e.g. port scanning the internet), the following actions must be taken:

  • Create a project website and include your host and IP address information on the website. The website should give visitors a description of what you are doing and give people direction on how to contact you and request that you no longer scan their hosts and networks.
  • Create a whitelist of hosts/networks that have requested to be removed from future scans. This whitelist must be enforced in your tooling so that every listed host and network is excluded from all subsequent scans.

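The opt-out whitelist above is only useful if the scanning tooling actually consults it before any target is touched. The following is an added example (not part of the Georgia Tech procedure and not the Cyber Security team's tooling) of one way to enforce such a list: it parses a plain-text opt-out file containing IP addresses, CIDR networks and hostnames, rejects malformed entries with a warning rather than silently dropping them, and partitions a candidate target list into allowed and excluded sets. The file format, the constructed sample entries (documentation address ranges only) and the function names are all assumptions made for this illustration.

```python
"""Enforce a scan opt-out list ("whitelist" of removal requests).

Added example, not code from the policy page. Assumed file format: one entry
per line, either an IPv4/IPv6 address, a CIDR network, or a hostname that the
researcher has already agreed to match by exact name; '#' starts a comment.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed sample opt-out file contents (documentation ranges, not real data).
SAMPLE_OPTOUT_FILE = """\
# hosts/networks that asked to be removed from future scans
192.0.2.0/24          # removal requested for the whole /24
198.51.100.17
2001:db8::/32
example.invalid       # hostname entry, matched by exact (case-insensitive) name
bad entry here        # malformed line: must be reported, not silently ignored
"""


def parse_optout_list(text: str) -> Tuple[List, Set[str], List[str]]:
    """Parse opt-out entries into (networks, hostnames, rejected_lines).

    Single addresses are stored as /32 or /128 networks so that every IP entry
    is checked with the same containment test.
    """
    networks: List = []
    hostnames: Set[str] = set()
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        # Accept a plain hostname (letters, digits, '-' and '.'); anything else
        # is malformed and reported so the list owner can fix it.
        if all(ch.isalnum() or ch in "-." for ch in line):
            hostnames.add(line.lower())
        else:
            rejected.append(raw)
    return networks, hostnames, rejected


def is_excluded(target: str, networks, hostnames: Set[str]) -> bool:
    """Return True if the target (IP string or hostname) must not be scanned."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in hostnames      # not an IP: compare as hostname
    return any(addr in net for net in networks)


def filter_targets(candidates: Iterable[str], optout_text: str) -> Tuple[List[str], List[str]]:
    """Split candidates into (allowed, excluded); only `allowed` may be scanned."""
    networks, hostnames, rejected = parse_optout_list(optout_text)
    for line in rejected:
        print(f"WARNING: ignoring malformed opt-out entry: {line!r}")
    allowed: List[str] = []
    excluded: List[str] = []
    for target in candidates:
        (excluded if is_excluded(target, networks, hostnames) else allowed).append(target)
    return allowed, excluded


if __name__ == "__main__":
    # Constructed candidate list for a stand-alone run.
    sample_targets = ["192.0.2.45", "198.51.100.18", "2001:db8:1::5",
                      "Example.INVALID", "203.0.113.9"]
    ok, skipped = filter_targets(sample_targets, SAMPLE_OPTOUT_FILE)
    print("allowed :", ok)
    print("excluded:", skipped)
```

The important design point is that the exclusion check runs on the target list before the scanner is invoked, so a removal request takes effect regardless of which scanning tool is used; keeping the opt-out file under version control also gives you a record of when each request was honoured, which is what an abuse-complaint response will need.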
For any abuse complaints, third party security notifications, or Georgia Tech generated alerts, the Georgia Tech Cyber Security team will send a notification to the primary point of contact for action. A response to the Cyber Security team is required within 24 hours. If no response is received within 24 hours, the secondary point of contact will be alerted and a response is expected within 12 hours. If no response is received and no appropriate action is taken, the Cyber Security team is authorized by Institute policy to take the following actions as needed:

  • Physically or logically remove the device from the GT network
  • Physically power down the host in question
  • Physically seize the host in question (if it is a GT owned asset), if the host presents a threat to the Institute or others and forensic analysis is required
  • Lockout user accounts

In any case where the Cyber Security team believes a system to be compromised and to be actively attacking Institute systems or networks, or outside systems or networks, the Cyber Security team is authorized to immediately take action as noted above.

Prohibited Actions

The following actions are expressly prohibited and will result in the Cyber Security team taking action as stated above:

  • Launching scanning activities or other research directly from the campus VPN subnets
  • Releasing malware into the wild
  • Exploiting hosts outside of your own lab environment without explicit permission from the owner of the systems you are attempting to exploit
  • Launching denial of service attacks outside of your own lab environment without explicit permission from the owner of the systems you are attempting to attack