Ethical hacking: the next generation security specialists

I've written before about the two halves of the student-hacking area; the positive learning background behind ethical hacking, and the side where black hat hackers attack websites in attempt to gain exposure and cause damage.
Written by Zack Whittaker, Contributor

Zack Whittaker is busy saving the world once again. This post was set to be released now in his absence.

There are a handful of universities which offer degree courses in ethical hacking, the side of hacking in which students learn how to hack in order to prevent attacks from the outside. Not only that: security implications, and designing security procedures into networks and corporate perimeters, are integral to this learning process.

I spoke to Christopher Laing, the Digital Security programme leader and teaching fellow at Northumbria University about the course they offer, the content, the prerequisites and how these next generation students go into the workplace and even outside the security arena.

How can ethical hacking change things for students, but also for companies, governments and corporations?

If you mean how can ethical hacking change the way in which organizations deal with computer/data security – in short, it can't. Only legislation, pressure from the insurance business, the loss of reputation, or the PCI DSS can change the way in which organizations handle data securely.

While a programme such as Northumbria University's ‘Ethical Hacking for Computer Security’ can provide individuals with the hi-tech skills necessary to secure an organization's infrastructure, it cannot force companies to do so. Legislation and fines are obvious and, given this government's and businesses' pitiful attempts at securing public data, a necessary requirement. Insurance is not so obvious – but insurance companies are now starting to view data as a very valuable asset; one that has a replacement cost.

If you left your house unlocked and had something stolen – how do you think your insurance company would view this? In the same way, if valuable data was stolen/lost, then insurance companies may begin to ask about the level of protection that was in place to prevent such an occurrence.

Loss of reputation is also not so obvious, but if an organization (HM Revenue & Customs, US military, Bank of New York Mellon) loses your personal data, would you use them again? And finally the PCI DSS – a credit card transaction security standard that provides protection to individual users, provided that the company processes more than 20,000 credit card transactions per year.

Small online retailers that conduct fewer than 20,000 credit card transactions annually are not covered by this security standard – but I understand that this is going to change, and this will have a major impact on the way in which small-to-medium online retailers conduct their business.

How extensive are the modules and the access to equipment?

The students have their own dedicated ‘state-of-the-art’ laboratory, where they undertake research, individual projects and case work; such work includes testing a web security application prior to commercialization, and information gathering and vulnerability assessment for regional, national and international companies. The laboratory is equipped with the latest hardware and software necessary for their studies – in fact our equipment is so up-to-date that we loan hardware to the Computer Crime Unit of Northumbria Police.

How much hands-on experience and practical work is given?

The programme at Northumbria is a sandwich course, and as such during their placement year the students will be expected to, and do, undertake real work for real companies (i.e., PricewaterhouseCoopers, 7Safe, etc.), and get paid in real money. If they didn't have extensive practical skills then they wouldn't be so highly sought.

Typically, a 20-credit module would consist of approximately 100 hours of practical laboratory work; 50 hours of independent study/research; 50 hours of seminars and lectures, including guest lectures from industrial experts.

How would you envisage a prospective employer seeing a CV with "Ethical Hacking" on it; won't the word "hacking" automatically bring negative connotations?

It depends on the type of employment being sought – ‘ethical hacking’ would be an essential element of a resume directed at companies that undertake to develop policies/procedures or indeed audit the protection of an organisation's information/data assets. Given the specialized nature of an ‘ethical hacking for computer security’ programme, I would expect the majority of graduates from such a programme to direct their employment seeking at companies that need their particular skill sets.

What about outside the security company perimeter? Will people who decide to work in other sectors suffer with a specialised CV?

I accept that some graduates from such a programme may have no desire to work within the computer security industry. In this situation, their resume may seem slightly strange, but remember, to be an expert on computer security will require detailed knowledge of computer networks and operating systems, including in-depth knowledge of the legal and evidential implications of digital security – skills that the majority of businesses require.

Which steps are taken to vet students before the course begins, to ensure those selected do not go rogue?

Medical students are not vetted, and Harold Shipman was this country's greatest mass murderer; at the last count around 236. It would be unethical to vet one particular cohort while not vetting the whole university student body, and we cannot insist that one particular student cohort undergoes an additional entry requirement. Students who are on a work-based learning programme (i.e., teachers, medics, etc.) and who will have contact with vulnerable individuals (children, etc.) are required to have a CRB check, but this is a legal requirement, and not part of the university entry requirements.

Would a Criminal Records Check (CRB) even be effective?

The majority of students have just left school, and I doubt that a CRB check would reveal very much – it would offer no indication of possible ‘rogueness’. In addition, even if they had a criminal record, restricting their access to an educational programme because of this conviction is illegal (with some exceptions, based on the type of conviction and the course to be studied). I should point out that we provide a learning and teaching environment that emphasizes the positive ethics of being an ‘ethical hacker’ throughout the entire programme.

What is the likelihood of a graduate student in Ethical Hacking turning black hat?

I have no idea – but who would have believed that a member of a profession dedicated to saving life would become Britain's greatest mass murderer? All we can do is provide a learning and teaching environment that emphasizes the positives of being an ‘ethical hacker’.

It is worth noting that the students feel very positive about the programme giving, or having, a ‘value to society’. It should also be noted that the students have nothing but contempt for the ‘script-kiddies’; they feel that they have acquired a set of hi-tech skills, a level of understanding of how networks and computer systems work, and a professional and ethical attitude to business needs, that these ‘script-kiddies’ will never have, nor have the ability to obtain.

Some of the students are already planning to start their own computer security company when they graduate – a sure sign that the positive emphasis is having an effect.