Hacking Tay’les of the 1st Degree
Doctor_Hacker @ twitter
BSides London, 25th April 2012

(My opinions...not my employers).
Who he?
   Colin McLean (Dad)
    ◦ Lecturer at Abertay University, Dundee for
      21¾ years – 7907 days – 28,465,200 secs
    ◦ Mech Eng, Mechatronics, Computing

   Developed the BSc in Ethical Hacking at
    Abertay University, Dundee in 2006.

   The first undergraduate degree in the
    world with the word “Hacking” in the
    title.
The story…
 ◦   The idea
 ◦   The early days
 ◦   BSc EH 2.0
 ◦   End Games.

 ◦ Quickly!
The idea..
       How did this come about?
2005 – KTP Project
   Two year government funded project with
    NCR R&D, Dundee.

   Risk analysis of an NCR ATM.
    ◦ “Identify all possible risks to an NCR
      ATM, their possible dangers and their
      mitigations”.
    ◦ Involved security staff at NCR and me identifying all
      the possible ways of hacking into an ATM.
Colin had a thought…
    We weren’t thinking like
     defenders.

    We were thinking like
     attackers.

    We MUST think like the
     opposition in order to
     know how to stop them.

The more devious we are the better we can
defend.
Security in Education
   Other degrees in “Computer Security” were
    looking mainly at the mitigations.

   They did not appear to examine the hacks.

   Graduates who think like hackers?

   Hence the world’s first undergraduate degree
    in “Ethical Hacking”.
Programme design
   Input to the content of the degree from NCR.




   Input and support from various other
    companies.

   Programme validation panel included Head of
    School @ Northumbria University.
In truth…
    The course was not as first imagined.

    “Internal” validation was difficult.

     ◦ Had to fight off “not enough ethics” and “more law
       modules”.

    It took some years before the course
     matured.
Hacking interests the media
   In June 2006, we publicly released the degree….

   BBC Reporting Scotland & STV News
   Polish TV, Brazilian TV.
   Live on Canadian Radio.
   Interviewed live on French TV

   Newspapers had a field day…
     “Doctor Hacker!” The Sun Newspaper.
     “Lord Voldemort” (PC1 News)
     “Les Pirates Ecosse”

   There was also resistance.
Academics’ comments
    “A title like that would be a catastrophe for
     the University.”

    “Crass programme names that bring our
     discipline into disrepute.”

    “I doubt it would look good to prospective
     employers.”




    http://www.ics.heacademy.ac.uk/resources/faqs/answers.php?id=56
The “establishment” had a go
   “If penetration testing is what is being taught,
    then that is how it should be labelled,

    rather than seeking to use marketing spin to
    gain credibility within an industry that is
    seeking to improve its professional image.”


   “Ethical hacking should not be considered to be
    an accepted professional industry term.”


           http://www.bcs.org/content/ConMediaFile/7266
A stolen slide..
   Security, Social + Physical Engineering,
    Educating Staff etc.
And by the way…
   The BCS validated the Ethical hacking degree
    at Abertay University in 2010.

   This is the earliest that it could have been
    validated.
The early days….
Entry procedures
   Tried to mirror medical degrees.
    ◦   Interview.
    ◦   Ethical scenarios.
    ◦   Disclosure check.
    ◦   Sign on the dotted line.



   Also, legal issues are paramount in early
    stages.
Who is suitable for EH?
Cohort #0
   They could certainly think outside the box.

    ◦ Not the usual cohort.
    ◦ 2 students over 50.
    ◦ 1 student aged 16.
    ◦ 2 female students.
    ◦ 2 English students.

   Only 4 completed the honours degree.
   3 completed degrees in other subjects.
   Within 18 months, 6 babies.

   Did I mention that this isn’t a penetration
    testing degree?
Taking a side step…
   An (alleged) troll had lived in the
    “Full Disclosure mailing list” (2002’ish).

   He was one of the earliest known (alleged)
    trolls.
The people gasped..
   The troll was leaving….
Hurrah!
   The people waved him goodbye with hearty cheer.
Timeline…..

    (alleged)   Troll went missing 1st September 2006
    ◦ Abertay’s Ethical Hacking degree started around then.


    (alleged)   Troll went back to FD January 5th 2007.
    ◦ One of Abertay’s students did not return in January.

   He was welcomed back.
Some serious questions.
1.       What about hacking group members?
     ◦    Difficult to identify.
     ◦    Whistle-blowing would be a possibility.
     ◦    Abertay reserves the right to remove any student.
     ◦    We NEED to educate about hacking techniques.


3.       Many people have proved not to be
         suitable for an EH degree.
     ◦    How does the industry effectively make use of the
          talents of these people?
BSc EH 2.0

       What it’s become…

  PS: The students are still volatile!
New facilities   (Sep 2010)
The syllabus (briefly!)
   Themed:-
    ◦ Programming.
    ◦ Networking.
    ◦ Ethical Hacking.

   Four year honours degree in Scotland.
    ◦ Year 1 and 2 still geared towards “basics”.
    ◦ Year 3 and 4 much more research and self-
      learn.
“You should teach us X”
   Culture of project work as assessments:-

    ◦ Year 1 Ethical Hacking – Mini project

    ◦ Year 2 Ethical Hacking – Project
    ◦ Year 2 Smart Programming – Project

    ◦ Year 3 Ethical Hacking – Web security project
    ◦ Year 3 Ethical Hacking – Mini-project
    ◦ Year 3 Ethical Hacking – Exploit development
    ◦ Year 3 Group Project – Student chosen

    ◦ Year 4 Network Management – Network Security project
    ◦ Year 4 Honours project
Student Centred Learning
   Students encouraged to create their own
    CV’s, mould their own careers.

   In many cases, students can learn what THEY
    think is important.

   Documentation skills (& feedback on this) are
    more prominent.
E-Hacking modules.
   Module themes:
    ◦ General security
    ◦ Penetration testing
    ◦ Web Application testing
    ◦ Exploit Development
    ◦ Reverse Engineering
    ◦ Password security
    ◦ Malware analysis
    ◦ Etc.

   Staff training & company input:
    ◦ Internal & External Pen testing – Firstbase techies (2 staff)
    ◦ Exploitlab 5.0 – Saumil Shah & SK Chong 2011
    ◦ CEH (3 members of staff)
    ◦ NCR work
    ◦ “Other” companies

Staff training & company involvement essential.
End games


    Random ramblings.
Students talking @cons
   BruCon Security Conference 2011
    ◦ “Smart Phones – The Weak Link in the Security Chain,
      Hacking a network through an Android device” by Nick
      Walker and Werner Nel

   BruCon Security Conference 2011
    ◦ “Script Kiddie Hacking Techniques” by Ellen Moar

   BSides London Security Conference 2011
    ◦ “DNS Tunnelling: It's all in the name!”, Arron "finux"
      Finnon

   BSides Berlin Security Conference 2011
    ◦ A Salesman's Guide to Social Engineering by Gavin Ewan
A question
   So are there jobs?
    ◦ We are a vocational University.
    ◦ Companies are coming to us (e.g. NGS).
    ◦ Qinetiq interested after 3 summer
      placements.
    ◦ PwC stole(!) two of our students this year!

    ◦ Current grads are out there.
    ◦ Current hons year are easily getting jobs.
Finally..
   Is the sensationalistic title necessary?
    ◦ Security mindset, culture is VERY
      important.
    ◦ All aspects of security are important.
    ◦ Ethical Hacking is what we are doing.

   The future?
    ◦ Graduates are now out there.
    ◦ Summary – course has been a success.
   Questions?
