Computer hacking skills should be taught to cybersecurity students to "know the enemy" and ensure they will be equipped to effectively prevent and defend against attacks in the real world. But academia and security experts add that schools must emphasize law and ethics so students "don't cross the line" and misuse their hacking abilities.
Liew Chin Chuan, course manager of the Diploma in Infocomm Security Management (DISM) at Singapore Polytechnic (SP), said as part of the course curriculum, students learn about hacking techniques--which are taught in the context of understanding how hacking attacks are carried out, and the countermeasures that can be put in place to prevent the attacks.
"As mentioned in Sun Tzu's Art of War, we need to know our enemy in order to defeat them. Hence, understanding the attackers' techniques is important for cyber defenders to set up effective defenses for their systems," he told ZDNet Asia in an e-mail interview.
The diploma, which was set up in 2006, aims to produce graduates who have the skills and knowledge to detect, respond to and minimize security threats, he said. Besides ethical hacking techniques, other topics included in the course are network security, application security, operations security, security policies, computer forensics, IT audit, law and ethics, and business continuity and disaster recovery planning.
Colin McLean, ethical hacking lecturer at University of Abertay Dundee in Scotland, concurred, adding that examining computer hacking behavior means that the most effective countermeasures can be adopted. The university is known for its undergraduate and postgraduate degrees in Ethical Hacking and Countermeasures, set up in 2006 and 2008 respectively.
"In every other area of security, the defender must know the tactics and behavior of the attacker before they can effectively secure their assets," he explained in an e-mail. "To secure one's home, people would imagine themselves as a burglar and think how they would try to break into their own house. Only then can they decide where to put locks and sensors for alarms and so on, that will help to secure their home. Computer security is no different to this."
McLean added: "Only someone with a firm understanding of hackers' tools and tactics can make a real difference to a company who are trying to stop hackers breaking into their systems. Our aim is to produce graduates who have this knowledge."
Real-world simulation, scenarios enhance readiness
McLean stated that the university actively seeks collaboration with various companies facing security issues, so as to keep up to date with computer hacking behavior and incidents, and uses these cases to enhance lessons.
For instance, security staff at self-service company NCR give guest lectures to students, who in return undertake research-based project work guided by NCR.
SP's Liew said it is important to provide students undertaking security modules with an environment that resembles a real workplace as closely as possible. The use of simulated and real-world scenarios greatly enhances the industry readiness of students in applying their offensive, defensive and investigative skills to threats in different real-world situations, he pointed out.
For instance, SP's infocomm security labs are equipped with networking devices, servers and virtual machines to create simulated networks and systems. These systems are intentionally left unsecured so that students can practise their offensive and defensive skills, he said.
Liew added that the learning facility will be upgraded to create an integrated scenario-based learning space to expose students to more networks and systems of varying sizes, composition and complexity. War-gaming concepts will also be used to conduct two-sided exercises to test the skills of students.
Course participants also gain authentic work experience through internship programs, the apex of their diploma course, he said.
Guillaume Lovet, senior manager of FortiGuard Labs threat response team at Fortinet, also supports studying and simulating real-life hacking situations to groom security professionals.
In an e-mail, Lovet said looking at case studies of hacking incidents in the real world is "utterly useful" for students to learn from the rather big mistakes that companies have been making lately.
He also noted that hands-on exercises in attacking or defending computer systems are essential, well-accepted and should be part of the curriculum, adding that simulations called "Capture the Flag" are popular in the computer security world.
Emphasis on law, ethics a must
Asked how schools' cybersecurity courses and real-world hacking simulations can balance providing a realistic environment for students to learn and improve without them being negatively influenced, Lovet recommended "Capture the Flag" types of simulation--where two teams compete to penetrate the stronghold of the other--much like paintball.
"People don't shoot each other with real guns in the streets just because they played paintball. But if they get assaulted, they might have a couple of good reflexes that will save their lives," he said.
Educators also pointed out that it is necessary to have safeguards to ensure students themselves do not end up as "blackhat" hackers, and stressed that besides hacking, ethics and legal matters must be part of the syllabus.
To prevent students from "crossing the line", SP uses a multi-pronged approach, said Liew. Among the measures, the labs at Singapore Polytechnic are isolated from the campus network, and there are ground rules about the students' conduct in using such facilities.
However, technical controls may not be sufficient, so the tertiary institute also places a strong emphasis on law and ethics, he pointed out.
Through a law module, students are also taught Singapore's laws and the penalties for committing cybercrime, he said. In addition, to reinforce the ethical mindset and commitment, every student signs the code of conduct in the first year and again during the modules that teach them hacking techniques.
Liew noted: "To produce graduates with sound ethical values, students need to be given a holistic view of infocomm security, so we not only teach our students how attackers work, but also show them how they can detect and defend against attacks. This reinforces the concept that others can also track them down should they abuse their knowledge and skills."
At Abertay University, a specialist ethical hacking lab allows students to experiment in a safe environment. This is also where typical company scenarios with security threats are set up, so students can fully investigate how hackers behave without breaking any laws, said McLean.
He added that the university has mirrored the entry procedures for its ethical hacking courses on medical degrees--prospective students are interviewed for their suitability and their backgrounds are checked.
Also, the first module that students are taught is the laws affecting computer misuse, and they must pass an assessment on those laws. Thereafter, law and ethics are an integral part of every subject that is examined, he said.
Fortinet's Lovet concluded: "As long as there is a strong accent on ethics, the teaching of computer hacking competences that can serve computer security as a whole cannot be a bad thing."