One of the most prestigious schools in information technology also ranks first among its peers in information security in a new study—first among the worst, that is. In a recent security survey of 485 colleges and universities around the world with 1,000 or more public Internet Protocol addresses, the Massachusetts Institute of Technology ranked at the bottom, earning just above an overall failing grade. The assessment, performed by the information security assessment company SecurityScorecard, gave MIT a nearly failing grade, putting the school in the basement below New Mexico State University and Cambridge University.

"One of the most prestigious and recognized schools of higher learning in the world, Massachusetts Institute of Technology, is not displaying strength in its security posture," the SecurityScorecard researchers reported. "With nearly 80,000 IP addresses discovered in the SecurityScorecard platform, the Cambridge college is showing a plethora of security risks, vulnerabilities, and weaknesses. To receive an overall ‘D’ grade, an organization needs to rank poorly in many of the 10 categories captured in SecurityScorecard. In this case, MIT has four ‘F’ grades, and two ‘D’ grades out of ten."

Of course, whether the grading criteria really apply to a university network with a huge public IP address space is open to interpretation.

Based on data collected in late August, MIT scored low in:

IP reputation: a score based on incidents of malware detected coming from the IP range of the institution. MIT had an average malware infection duration on IP addresses scanned of 1.678 days, "which is higher than 80% of the education vertical," the researchers noted.

Network security: a score based on the number of vulnerable services directly exposed to the Internet. It is derived from a scan that audits the version numbers of exposed software and the open ports on those systems and correlates them with a database of known exploits, according to SecurityScorecard Chief of Research Alex Heid.

Hacker chatter: a score based on the frequency with which the school was mentioned in hacker forums, and the amount of user credentials, e-mail addresses, and other breached data circulating on those forums over the observed period.

Password exposure: the degree to which students, faculty, and employees are using weak passwords. This score was in part based on the user credential data discovered in hacker chatter. "Our signals and sensors found 6 credentials for accounts associated with student and employee email discovered in 4 data leaks," SecurityScorecard reported.

Patching cadence: how quickly known vulnerabilities in software are patched as they are announced over the period of the scan.

Susceptibility to social engineering.

MIT wasn't alone in its weakness on patching software. For seven of the bottom 10 schools in the survey, there were 51 or more individual pieces of software that were unpatched. "In one of the most extreme cases in this bottom grouping, our platform detected 67 insecure software instances," the authors of the study reported. Saving MIT from an overall failing grade, however, were the school's A grades in Web application security, the health of its DNS records, and the quality of its endpoint security.

Ars reached out to MIT for comment on the survey, but the school was unable to supply a response in time for publication. We will update this story when one becomes available.