Ethical Hacking
10/03/2011
Colleges Training Students to be “Ethical Hackers”
Did you know college courses and degree programs are sprouting up on the subject matter of “Ethical Hacking”? Ethical hacking can be defined as the methodology adopted by [ethical] hackers to discover the vulnerabilities existing in information systems’ operating environments with the intent of protecting the security of the target/client. According to the EC-Council, ethical hacking is one of the fastest growing areas in network security, and certainly an area that generates much discussion about whether such practice is right or wrong; warranted or unwarranted; an invasion of privacy or a necessary security step in this age of cyber-attacks.
Computer hacking skills should be taught to cyber-security students to "know the enemy" and ensure they will be equipped to effectively prevent and defend against attacks in the real world. Both academia and security experts add that schools must emphasize law and ethics so students "don't cross the line" and misuse their hacking abilities.
Society's growing dependence on information technology, and the importance it has taken on, increasingly demands that professionals find more effective solutions to security concerns. Individuals with unethical behaviors are finding a variety of ways to conduct activities that cause businesses and consumers much grief and vast amounts in damages annually. As information security continues to be foremost on the minds of information technology professionals, improvements in this area are critically important. One area that is very promising is penetration testing, a key aspect of Ethical Hacking.
Penetration testing activities focus on the identification and exploitation of vulnerable areas of security and subsequent implementation of corrective measures. According to those within the security field, more information technology professionals are going back to class to learn the "latest hacking techniques." In fact, many consider the three- to five-day seminars to be less expensive than hiring consultants. The average cost is $2,000 to $8,000 per person, while consulting services range from $10,000 to $100,000.
According to a Computer Crime and Security Survey, virus attacks continue as the source of greatest financial loss. Unauthorized use increased slightly over the previous year, while unauthorized access to information and theft of proprietary information significantly increased in average dollar loss per respondent.
A wide range of educational opportunities exists for individuals interested in pursuing information security. Many of these are being offered in the public sector within community colleges and universities. It is interesting to note that while many schools offer such education and training, a number of professionals express concern about teaching hacking techniques. This apprehension stems from a fear that students may use the information unethically. In other words, they may use the information against the very company hiring them to protect its security.
To help government and businesses minimize security risk, colleges and universities are increasingly offering courses and security training programs. Syracuse University offers a Cyber Security Boot Camp to prepare future technology security professionals. Topics include cyber-security, cryptography, steganography, digital forensics, network security, and wireless security. There are stringent rules for entry into the program, and the Boot Camp ends with "Hackfest," a hands-on event that puts into practice the theoretical concepts covered within the course.
Rochester Institute of Technology offers courses in security education that have been added to the curriculum. Students are divided into two teams; they set up networks and try to hack each other. As security flaws are found, they patch their systems and continue to secure the networks more and more as the semester progresses.
Northern Virginia Community College offers a network security certificate program. Leaders at the college interviewed their community and found that people were being educated at “too high of a level,” and programs were needed to help day-to-day security professionals. There are 7 courses: 3 theory and concept, 3 labs, and a capstone course. The capstone is a free vulnerability analysis of a local non-profit organization or small business. The capstone is important in that it provides a hands-on opportunity to put into practice everything learned in the classroom.
George Mason University also offers a course in information warfare. Students divide into different country teams, and attempt to hack into each other’s network. The course motto is that “anyone can hack but defending a system is the real mark.”
In the United Kingdom, a hands-on ethical hacking course called The Training Company is being offered. A variety of topics are included such as social engineering techniques, wireless security, internal hacking, denial of service attacks, and penetration testing.
A group of individuals called the Ghettohackers are trying to change the way society views hackers. They enable people who are curious about information security to get hands-on experience without any harm to others. Their mission is to change culture from within and to better educate the public at large concerning hacking. In addition, their main focus is to stress the importance of teaching ethics as well as general hacking concepts. Let’s hope they are successful because ethical hackers may be drawn to the “dark side” and wind up hacking the hackers.
Blog posted by Steven Mintz, aka Ethics Sage, on October 3, 2011