Ethical hacking: the next generation security specialists

Zack Whittaker is busy saving the world once again. This post was set to be released now in his absence.

I've written before about the two halves of the student-hacking area: the positive learning background behind ethical hacking, and the side where black hat hackers attack websites in an attempt to gain exposure and cause damage.

There are a handful of universities which offer degree courses on ethical hacking, the side of hacking in which students learn how to hack in order to prevent attacks from outside. Not only that, security implications and designing security procedures into networks and corporate perimeters are integral to this learning process.

I spoke to Christopher Laing, the Digital Security programme leader and teaching fellow at Northumbria University about the course they offer, the content, the prerequisites and how these next generation students go into the workplace and even outside the security arena.

How can ethical hacking change the ways for students, but also companies, governments and corporations?

If you mean how can ethical hacking change the way in which organizations deal with computer/data security – in short it can't. Only legislation, pressure from the insurance business, the loss of reputation, or the PCI DSS can change the way in which organizations handle data securely.

While a programme such as the Northumbria University's ‘Ethical Hacking for Computer Security' can provide individuals with the hi-tech skills necessary to secure an organization's infrastructure, it cannot force companies to do so. Legislation and fines are obvious and, given this government's and businesses' pitiful attempts at securing public data, a necessary requirement. Insurance is not so obvious – but insurance companies are now starting to view data as a very valuable asset; one that has a replacement cost.

If you left your house unlocked and had something stolen – how do you think your insurance company would view this? In the same way, if valuable data was stolen/lost, then insurance companies may begin to ask about the level of protection that was in place to prevent such an occurrence.

Loss of reputation is also not so obvious, but if an organization (HM Revenue & Customs, US military, Bank of New York Mellon) loses your personal data, would you use them again? And finally the PCI DSS – a credit card transaction security standard, that provides protection to individual users, provided that the company processes more than 20,000 credit card transactions per year.

Small online retailers that conduct fewer than 20,000 credit card transactions annually are not covered by this security standard – but I understand that this is going to change, and this will have a major impact on the way in which small-to-medium online retailers conduct their business.

How extensive are the modules and the access to equipment?

The students have their own dedicated ‘state-of-the-art' laboratory, where they undertake research, individual projects and case work; such work includes testing a web security application prior to commercialization, and information gathering and vulnerability assessment for regional, national and international companies. The laboratory is equipped with the latest hardware and software necessary for their studies – in fact our equipment is so up-to-date that we loan hardware to the Computer Crime Unit of Northumbria Police.

How much hands on experience and practical work is given?

The programme at Northumbria is a sandwich course, and as such during their placement year the students will be expected to, and do undertake real work for real companies (i.e., PricewaterhouseCoopers, 7Safe, etc), and get paid in real money. If they didn't have extensive practical skills then they wouldn't be so highly sought.

Typically, a 20-credit module would consist of approximately 100 hours of practical laboratory work; 50 hours of independent study/research; 50 hours of seminars and lectures, including guest lectures from industrial experts.

How would you envisage a prospective employer seeing a CV with "Ethical Hacking" on it; won't the word "hacking" automatically bring negative connotations?

It depends on the type of employment being sought – ‘ethical hacking' would be an essential element of a resume directed at companies that undertake to develop policies/procedures or indeed audit the protection of an organisation's information/data assets. Given the specialized nature of an ‘ethical hacking for computer security' programme, I would expect the majority of graduates from such a programme to direct their employment seeking at companies that need their particular skill sets.

What about outside the security company perimeter? Will people who decide to work in other sectors suffer with a specialised CV?

I accept that some graduates from such a programme may have no desire to work within the computer security industry. In this situation, their resume may seem slightly strange, but remember, to be an expert on computer security will require detailed knowledge of computer networks and operating systems, including in-depth knowledge of the legal and evidential implications of digital security – skills that the majority of businesses require.

Which steps are taken to vet students before the course begins, to ensure those selected do not go rogue?

Medical students are not vetted, and Harold Shipman was this country's greatest mass murderer; at the last count around 236. It would be unethical to vet one particular cohort while not vetting the whole university student body, and we cannot insist that one particular student cohort undergoes an additional entry requirement. Students who are on a work-based learning programme (i.e., teachers, medics etc) and who will have contact with vulnerable individuals (children, etc) are required to have a CRB check, but this is a legal requirement, and not part of the university entry requirements.

Would a Criminal Records Check (CRB) even be effective?

The majority of students have just left school, and I doubt that a CRB check would reveal very much – it would offer no indication of possible ‘rogueness'. In addition, even if they had a criminal record, restricting their access to an educational programme because of this conviction is illegal (with some exceptions, based on type of conviction and course to be studied). I should point out that we provide learning and teaching environments that emphasize the positive ethics of being an ‘ethical hacker' throughout the entire programme.

What is the likelihood of a graduate student in Ethical Hacking turning black hat?

I have no idea – but who would have believed that a member of a profession dedicated to saving life would become Britain's greatest mass murderer? All we can do is provide a learning and teaching environment that emphasizes the positives of being an ‘ethical hacker'.

It is worth noting, that the students feel very positive about the programme giving/or having a ‘value to society'. It should also be noted that the students have nothing but contempt for the ‘script-kiddies'; they feel that they have acquired a set of hi-tech skills, a level of understanding of how networks and computer systems work, and a professional and ethical attitude to business needs, that these ‘script-kiddies' will never have, nor have the ability to obtain.

Some of the students are already planning to start their own computer security company when they graduate – a sure sign that the positive emphasis is having an effect.

Talkback

10 comments
  • RE: Ethical hacking: the next generation security specialists

    Hacking is hacking. There is no ethical hacking. If someone is a terrorist for you, it's the same from their point of view. You cannot do bad things because they are doing it.
    mjbad2
    • I would agree . . .

      I would agree . . . especially if they're excusing themselves from doing background checks. Sounds pretty suspicious.
      CobraA1
    • Different Line of Thought

      My understanding from the article is that students learn how security breaks in order to create better security.

      A similar analogy would be the engineering discipline. Engineers often learn how things fail in order to ensure that something they design doesn't fail, or fails in a certain way.
      aeriform
  • RE: Ethical hacking: the next generation security specialists

    "If you left your house unlocked and had something stolen – how do you think ... "
    Criminals think like this. It was left unlocked so it's the victim's fault! It may be viewed as quaint to some, but it should be the prevalent thought out there that people who steal (hack, break in, burgle, whatever you want to call it) are sociopaths and are therefore a danger to "good people". I am frustrated that way too much effort is spent locking up the house and not enough is done to track down these people and bring them to justice.
    ronpittser@...
    • RE: Ethical hacking: the next generation security specialists

      "If you left your house unlocked and had something stolen – how do you think your insurance company would view this? In the same way, if valuable data was stolen/lost, then insurance companies may begin to ask about the level of protection that was in place to prevent such an occurrence."

      That is the whole paragraph, which is a valid point: if insurance companies (which they are) class data as valuable (which it is), then if it is left unprotected, why should they pay out when there are ways and means of protecting it? It makes perfect sense really, so therefore there is a need for "Ethical Hackers", as they can help protect that data.

      Also, in regards to no screening of students, why is there a need? It can all be learnt from the internet anyway, so why would someone who wanted to cause harm spend four years doing a degree when they could learn and cause harm at the same time?
      ltr90
  • RE: Ethical hacking: the next generation security specialists

    Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – and people aren't getting the training they need. For example: Microsoft patched for the worm affecting this Heartland breach 4 months ago. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
    The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
    The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
    In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.
    johnfranks999
  • Think of it in the sense of Consumer Reports...

    They take brand new vehicles and smash them into walls to test the efficacy of their safety systems. The same needs to be done to computer security systems. You can't just take someone's word that a security system is effective. You need to be able to prove it yourself in order to feel comfortable.
    MGP2
  • RE: Ethical hacking: the next generation security specialists

    Hey, thanks a lot for sharing such a nice and informative article. I had gone through the article; really a very nice and detailed review. I definitely concur with your views that Ethical hacking: the next generation security specialists.

    By the way for more information on Ethical Hacking check this link: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx
    smith.dyer
  • ceh training

    IT innovation has a wide empire and you need guards to secure the system from cyber spies. CEH is a threat assessment training to detect the security vulnerabilities in the computer system. A security audit is done to safeguard the system from malicious hackers who could eventually exploit the data. Certified ethical hacking boot camp endures ethics of hacking. Certified ethical hackers use the same tools and methods to unearth the covert techniques used by notorious counterparts.
    http://internetworksolutions.net/ethical-hacker/ceh-training/
    internetworksolution