AIA

Courses train 'good guys' to tackle hackers

13th Oct 2009

As IT security continues to hit the headlines, Jon Wilcox hears about how the next generation of hackers is being trained to do battle with the online marauders. 
 
Maintaining IT network security is an issue for small businesses, multi-nationals, and governments alike; the threat from hackers remains very real indeed. In February this year, rumours circulated that IT security company Kaspersky had been hacked and US government agencies are regularly the subject of unauthorised intrusions.

While British hacker Gary McKinnon waits to hear whether he will be extradited to the US to stand trial for this kind of activity back in 2000-01, many companies are now fighting fire with fire by hiring “good guy” consultants to test and enhance their IT security. UK universities including Dundee Abertay and Northumbria now offer degrees in the subject.

“If you’re trying to secure [a branch of] Marks & Spencer, you imagine yourself as a criminal first, and then work out how you’d stop it,” says Colin McLean, programme tutor for the BSc degree in ethical hacking and counter measures at Dundee Abertay. “That was really the rationale for [our] course.” The Dundee course began three years ago and is the first of its type in the UK. Places are very popular.

In 2008 Dundee Abertay began offering a post-graduate diploma in the subject aimed at people who wanted to improve IT and network security at their companies. When he conceived the course, McLean realised that rather than training people to think like security specialists, they should be thinking like hackers.

The risk of this approach is that students might be tempted to cross into the “dark side” of hacking, as McLean has heard many times before.

“If you look at the knowledge gained in virtually any degree, it could be used for good and bad,” he argues. “Someone with a degree in biology I’m sure could do one hell of a lot of damage in the world as well. We have procedures probably the equivalent to students going into a medical degree; we vet the students beforehand with an advanced Disclosure Scotland check, [that] comes up with any crime committed including speeding parking fines. We interview each of the students, we monitor every activity during the course to ensure they’re still legit, and we also have a whistle-blowing policy.”

As celebrity hackers such as Gary McKinnon have found, the sentences meted out to hackers are punitive. “I think these case studies are a big deterrent,” says McLean. “If someone says to me, ‘Why don’t you hack into a website?’ I would say, ‘Because I don’t want to spend 20 years in prison.’”

Other universities have followed Dundee Abertay’s example. The University of Northumbria offers a similar course that stresses the legal repercussions of unethical behaviour. Students on both courses have access to their own ethical hacking labs that are separated from the main university networks.

The first set of Honours students are due to graduate from Dundee Abertay in 2010, with Northumbria following suit in a few years’ time to bring a new defence force into play.

“Companies really must do something active about their security. They can no longer say ‘We have a firewall, we have anti-virus, and therefore our systems are secure’. Most companies are being told by their auditors that they should have their systems tested by a third party,” says McLean.

“It’s very difficult to test your own site because you probably already know the flaws before you start, so you’re not really investigating anything. I think it’s easier for someone outside coming in to go with an open mind.”
 
For a longer version of this article, see TrainingZone.co.uk, where the piece first appeared.
