Hacking Tay’les of the 1st Degree Doctor_Hacker @ twitter BSides London, 25th April 2012 (My opinions...not my employer's).
Who he? Colin McLean (Dad) ◦ Lecturer at Abertay University, Dundee for 21 3/4 years 7907 days – 28,465,200 secs Mech Eng, Mechatronics, Computing Developed the BSc in Ethical Hacking at Abertay University, Dundee in 2006. The first undergraduate degree in the world with the word “Hacking” in the title.
The story… ◦ The idea ◦ The early days ◦ BSc EH 2.0 ◦ End Games. ◦ Quickly!
2005 – KTP Project Two year government funded project with NCR R&D, Dundee. Risk analysis of an NCR ATM. ◦ “Identify all possible risks to an NCR ATM, their possible dangers and their mitigations”. ◦ Involved security staff at NCR and me identifying all the possible ways of hacking into an ATM.
Colin had a thought… We weren’t thinking like defenders. We were thinking like attackers. We MUST think like the opposition in order to know how to stop them. The more devious we are the better we can defend.
Security in Education Other degrees in “Computer Security” were looking mainly at the mitigations. They did not appear to examine the hacks. Graduates who think like hackers? Hence the world’s first undergraduate degree in “Ethical Hacking”.
Programme design Input to the content of the degree from NCR. Input and support from various other companies. Programme validation panel included Head of School @ Northumbria University.
In truth… The course was not as first imagined. “Internal” validation was difficult. ◦ Had to fight off “not enough ethics” and “more law modules”. It took some years before the course matured.
Hacking interests the media In June 2006, we publicly released the degree…. BBC Reporting Scotland & STV News Polish TV, Brazilian TV. Live on Canadian Radio. Interviewed live on French TV Newspapers had a field day… “Doctor Hacker!” The Sun Newspaper. “Lord Voldemort” (PC1 News) “Les Pirates Ecosse” There was also resistance.
Academics' comments “A title like that would be a catastrophe for the University.” “Crass programme names that bring our discipline into disrepute.” “I doubt it would look good to prospective employers.” http://www.ics.heacademy.ac.uk/resources/faqs/answers.php?id=56
The “establishment” had a go “If penetration testing is what is being taught, then that is how it should be labeled rather than seeking to use marketing spin to gain credibility within an industry that is seeking to improve its professional image.” “Ethical hacking should not be considered to be an accepted professional industry term.” http://www.bcs.org/content/ConMediaFile/7266
A stolen slide.. Security, Social + Physical Engineering, Educating Staff etc.
And by the way… The BCS validated the Ethical Hacking degree at Abertay University in 2010. This is the earliest that it could have been validated.
Hurrah! The people waved him goodbye with hearty cheer.
Timeline….. (alleged) Troll went missing 1st September 2006 ◦ Abertay’s Ethical Hacking degree started around then. (alleged) Troll went back to FD January 5th 2007. ◦ One of Abertay’s students did not return in January. He was welcomed back.
Some serious questions. 1. What about hacking group members? ◦ Difficult to identify. ◦ Whistle-blowing would be a possibility. ◦ Abertay reserves the right to remove any student. ◦ We NEED to educate about hacking techniques. 3. Many people have proved not to be suitable for an EH degree. ◦ How does the industry effectively make use of the talents of these people?
BSc EH 2.0 What it’s become… PS The students still volatile!
The syllabus (briefly!) Themed:- ◦ Programming. ◦ Networking. ◦ Ethical Hacking. Four year honours degree in Scotland. ◦ Year 1 and 2 still geared towards “basics”. ◦ Year 3 and 4 much more research and self-learn.
“You should teach us X” Culture of project work as assessments:- ◦ Year 1 Ethical Hacking – Mini project ◦ Year 2 Ethical Hacking – Project ◦ Year 2 Smart Programming – Project ◦ Year 3 Ethical hacking - Web security project ◦ Year 3 Ethical Hacking – Mini-project ◦ Year 3 Ethical Hacking – Exploit development ◦ Year 3 Group Project - Student chosen ◦ Year 4 Network Management – Network Security project ◦ Year 4 Honours project
Student Centred Learning Students encouraged to create their own CVs, mould their own careers. In many cases, students can learn what THEY think is important. Documentation skills (& feedback on this) are more prominent.
E-Hacking modules. General security Internal & External Pen testing - Firstbase techies (2 staff) Penetration testing Web Application testing Exploitlab 5.0 Exploit Development - Saumil Shah & SK Chong 2011 Reverse Engineering Password security CEH (3 members of staff) NCR work Malware analysis “Other” companies Etc. Staff training & company involvement essential.
Students talking @cons BruCon Security Conference 2011 ◦ “Smart Phones – The Weak Link in the Security Chain, Hacking a network through an Android device” by Nick Walker and Werner Nel BruCon Security Conference 2011 ◦ “Script Kiddie Hacking Techniques” by Ellen Moar BSides London Security Conference 2011 ◦ “DNS Tunnelling: Its all in the name!”, Arron "finux" Finnon BSides Berlin Security Conference 2011 ◦ “A Salesmans Guide to Social Engineering” by Gavin Ewan
A question So are there jobs? ◦ We are a vocational University. ◦ Companies are coming to us (e.g. NGS). ◦ Qinetiq interested after 3 summer placements. ◦ PwC stole(!) two of our students this year! ◦ Current grads are out there. ◦ Current hons year are easily getting jobs.
Finally.. Is the sensationalistic title necessary? ◦ Security mindset, culture is VERY important. ◦ All aspects of security are important. ◦ Ethical Hacking is what we are doing. The future? ◦ Graduates are now out there. ◦ Summary – course has been a success.