This document summarizes the development of the world's first undergraduate degree in ethical hacking at Abertay University in Dundee, Scotland. It describes how the idea for the program came from a risk analysis project that required thinking like attackers. The early days of the program faced challenges validating the unconventional title and curriculum. Over time, the program has matured and now includes hands-on hacking projects and involvement from industry partners. Graduates have been successful in finding security jobs, showing the value and success of the unique ethical hacking degree.

1. Hacking Tay’les of
the 1 st Degree
Doctor_Hacker @ twitter
BSides London, 25th April 2012
(My opinions...not my employers).

2. Who he?
 Colin McLean (Dad)
◦ Lecturer at Abertay University, Dundee for
213/4 years 7907 days – 28,465,200 secs
 Mech Eng, Mechatronics, Computing
 Developed the B Sc in Ethical Hacking at
Abertay University, Dundee in 2006.
 The first undergraduate degree in the
world with the word “Hacking” in the
title.

3. The story…
◦ The idea
◦ The early days
◦ B Sc EH 2.0
◦ End Games.
◦ Quickly!

4. The idea..
How did this come about?

5. 2005 – KTP Project
 Two year government funded project with
NCR R&D, Dundee.
 Risk analysis of an NCR ATM.
◦ “Identify all possible risks to an NCR
ATM, their possible dangers and their
mitigations”.
◦ Involved security staff at NCR and me identifying all
the possible ways of hacking into an ATM.

6. Colin had a thought…
 We weren’t thinking like
defenders.
 We were thinking like
attackers.
 We MUST think like the
opposition in order to
know how to stop them.
The more devious we are the better we can
defend.

7. Security in Education
 Other degrees in “Computer Security” were
looking mainly at the mitigations.
 They did not appear to examine the hacks.
 Graduates who think like hackers?
 Hence the world’s first undergraduate degree
in “Ethical Hacking”.

8. Programme design
 Input to the content of the degree from NCR.
 Input and support from various other
companies.
 Programme validation panel included Head of
School @ Northumbria University.

9. In truth…
 The course was not as first imagined.
 “Internal” validation was difficult.
◦ Had to fight off “not enough ethics” and “more law
modules”.
 It took some years before the course
matured.

10. Hacking interests the
media we publicly released the degree….
In June 2006,
 BBC Reporting Scotland & STV News
 Polish TV, Brazilian TV.
 Live on Canadian Radio.
 Interviewed live on French TV
 Newspapers had a field day…
“Doctor Hacker!” The Sun Newspaper.
“Lord Voldemort” (PC1 News)
“Les Pirates Ecosse”
 There was also resistance.

11. Academics comments
 “A title like that would be a catastrophe for
the University.”
 “Crass programme names that bring our
discipline into disrepute.”
 “I doubt it would look good to prospective
employers.”
http://www.ics.heacademy.ac.uk/resources/faqs/answers.php?id=56

12. The “establishment” had a
go
 If penetration testing is what is being taught,
then that is how it should be labeled
 Rather than seeking to use marketing spin to
gain credibility within an industry that is
seeking to improve its professional image.
 “Ethical hacking should not be considered to be
an accepted professional industry term.
http://www.bcs.org/content/ConMediaFile/7266

13. A stolen slide.. Security, Social
+ Physical
Engineering, Educating
Staff etc.
link

14. And by the way…
 The BCS validated the Ethical hacking degree
at Abertay University in 2010.
 This is the earliest that it could have been
validated.

15. The early days….

16. Entry procedures
 Tried to mirror medical degrees.
◦ Interview.
◦ Ethical scenarios.
◦ Disclosure check.
◦ Sign on the dotted line.
 Also, legal issues are paramount in early
stages.

17. Who is suitable for EH?

18. Cohort #0
 They could certainly think outside the box.
◦ Not the usual cohort.

19.  2 students over 50.
 1 student aged 16.
 2 female students.
 2 English students.
 Only 4 completed the
honours degree.
 3 completed degrees in
other subjects.

20. Within 18 months, 6
babies.
 Did I mention that this
isn’t a penetration testing
degree?

21. Taking a side step…
 A troll had lived in the
(alleged)
“Full Disclosure mailing list” (2002’ish).
 He was one of the earliest known (alleged)
trolls.

23. The people gasped..
 The troll was leaving….

24. Hurrah!
 The people waved him goodbye with hearty cheer.

25. Timeline…..

(alleged) Troll went missing 1st September 2006
◦ Abertay’s Ethical Hacking degree started around then.

(alleged) Troll went back to FD January 5th 2007.
◦ One of Abertay’s students did not return in January.
 He was welcomed back.

26. Some serious questions.
1. What about hacking group members?
◦ Difficult to identify.
◦ Whistle-blowing would be a possibility.
◦ Abertay reserves the right to remove any student.
◦ We NEED to educate about hacking techniques.
3. Many people have proved not to be
suitable for an EH degree.
◦ How does the industry effectively make use of the
talents of these people?

27. BSc EH 2.0
What it’s become…
PS The students still volatile!

28. New facilities (Sep 2010)

29. The syllabus (briefly!)
 Themed:-
◦ Programming.
◦ Networking.
◦ Ethical Hacking.
 Four year honours degree in Scotland.
◦ Year 1 and 2 still geared towards “basics”.
◦ Year 3 and 4 much more research and self-
learn.

30. “You should teach us X”
 Culture of project work as assessments:-
◦ Year 1 Ethical Hacking – Mini project
◦ Year 2 Ethical Hacking – Project
◦ Year 2 Smart Programming – Project
◦ Year 3 Ethical hacking - Web security project
◦ Year 3 Ethical Hacking – Mini-project
◦ Year 3 Ethical Hacking – Exploit development
◦ Year 3 Group Project - Student chosen
◦ Year 4 Network Management – Network Security project
◦ Year 4 Honours project

31. Student Centred Learning
 Students encouraged to create their own
CV’s, mould their own careers.
 In many cases, students can learn what THEY
think is important.
 Documentation skills (& feedback on this) are
more prominent.

32. E-Hacking modules.
 General security Internal & External Pen testing
- Firstbase techies (2 staff)
 Penetration testing
 Web Application testing
Exploitlab 5.0
 Exploit Development - Saumil Shah & SK Chong 2011
 Reverse Engineering
 Password security CEH (3 members of staff)
NCR work
 Malware analysis “Other” companies
 Etc.
Staff training & company involvement essential.

33. End games
Random ramblings.

34. Students talking @cons
 BruCon Security Conference 2011
◦ “Smart Phones – The Weak Link in the Security Chain,
Hacking a network through an Android device” by Nick
Walker and Werner Nel
 BruCon Security Conference 2011
◦ “Script Kiddie Hacking Techniques by Ellen Moar
 BSides London Security Conference 2011
◦ “DNS Tunnelling: It's all in the name!”, Arron "finux"
Finnon
 BSides Berlin Security Conference 2011
◦ A Salesman's Guide to Social Engineering by Gavin Ewan

35. A question
 So are there jobs?
◦ We are a vocational University.
◦ Companies are coming to us (e.g. NGS).
◦ Qinetiq interested after 3 summer
placements.
◦ PwC stole(!) two of our students this year!
◦ Current grads are out there.
◦ Current hons year are easily getting jobs.

36. Finally..
 Is the sensationalistic title necessary?
◦ Security mindset, culture is VERY
important.
◦ All aspects of security are important.
◦ Ethical Hacking is what we are doing.
 The future?
◦ Graduates are now out there.
◦ Summary – course has been a success.

37.  Questions?