Ethical Hacking: Educating Future Cybersecurity Professionals


2017 Proceedings of the EDSIG Conference, Austin, Texas USA. ISSN: 2473-3857, v3 n4341
2017 ISCAP (Information Systems & Computing Academic Professionals), http://iscap.info

Regina Hartley, hartleyrd@appstate.edu
Dawn Medlin, medlinbd@appstate.edu
Zach Houlik, houlikzj@appstate.edu
Appalachian State University, Computer Information Systems and Supply Chain, Boone, NC 28608

Abstract

Businesses, governments, and individuals are all aware of how important information security is today, and unfortunately that awareness may be due in part to financial losses, damage to brand, loss of customer trust, and the personal consequences of fraudulent activity. Given the severity of these consequences, students interested in information security need an education that allows them to communicate with the entire user community. Ethical hacking education can provide future professionals with the knowledge and skills to combat current and future cybersecurity issues. This research defines ethical hacking, reviews current information security trends, offers pedagogical methods and an overview of information security instruction, and lastly examines best practices in the field.

Keywords: Ethical hacking education, information security instruction, ethical hacking pedagogy.

1. INTRODUCTION

The prominence of information technologies continues to infiltrate all of society. It may be argued that some concern stems from the apparent lack of security inherent in information technologies and systems. Of particular importance is our growing reliance on the Internet and networking capabilities. The Internet has provided vast opportunities in a wide array of areas not possible in prior years, as well as the need to educate individuals on topics related to this expansive growth.

Along with the positive capabilities provided by the Internet and the networking of global computing devices, unpleasant aspects have also produced unexpected results such as ransomware and the Dyn DDoS attack, as well as other highly politicized and publicized hacks. While various crimes have existed for many years, the Internet and information technology have brought computer crime into our societies in unthinkable ways. Criminals have a new platform for conducting their activities, and many individuals are so bewildered by the subsequent onslaught that in many cases only reactive measures can be implemented.

The purpose of this paper is to analyze the use of an ethical hacking pedagogical approach to improve information security instruction. A hacking methodology appears to be a more offensive and proactive approach to information security instruction, and may be effective in better preparing future information security professionals to combat unethical hacker intrusions associated with the Internet and computer networks. Future information security professionals would be better equipped to combat intrusions if equipped with the knowledge and skill sets currently used by attackers, and with those that can so far only be imagined by security professionals. In order to equip security/cyber professionals, students must be prepared to fight the ever-growing challenges associated with effectively securing computer networks.

Following a brief review of the history of hacking, this research examines more recent trends and concerns related to cybersecurity. By examining current events, it becomes very apparent that incidents and breaches are occurring more rapidly. As attackers create new methods of attack, future information security professionals will need to be better prepared and better equipped to handle the increasing and ever-present number of attacks and intrusions.

Among the increasing number of cybersecurity events, several prominent attacks in the headlines of the past year required advanced technical knowledge. As an example, the Democratic National Committee hack of 2016 (the DNC hack) caused tremendous upheaval concerning the possibility of Russian-sponsored hackers trying to influence the 2016 Presidential election. The hack appeared to be the work of two Russian groups known as Cozy Bear and Fancy Bear, based on their methods and tactics (Greene, 2016; van Der Walt, 2017). Many have suggested that the alleged intrusion into the system is not the important issue at hand; rather, the outcome of the hack by alleged Russian hackers caused many Americans to lose trust in the political system within the United States (van Der Walt, 2017).

A second significant attack, the Dyn DDoS attack of October 2016, was carried out by a botnet of thousands of compromised Internet of Things (IoT) devices (the Mirai botnet) directed at Dyn's DNS infrastructure. As more and more devices are connected to the Internet, an attack of this type no longer requires ordinary computers, as was the case in the past.

2. LITERATURE REVIEW

To better understand the need for proactive measures relating to the education of future security professionals, attention will briefly focus on the history of hacking. Hacking began for the most part in the 1960s and originated on the campuses of the Massachusetts Institute of Technology (MIT) and Stanford University. At that time, the word “hack” referred to programming shortcuts and was considered a better way to complete a task more efficiently. These original “old school hackers” had no malicious intent, but rather simply enjoyed technology (Slatalla, 2005).

With the passage of time, hackers have lost their romantic appeal to the public as the Internet has evolved and become more widely utilized (Slatalla, 2005). Though newer groups are emerging under the title of “suicide hackers,” older categories and titles such as “script kiddies” and “coders” have remained. Suicide hackers are individuals who attack to prove a point, but unlike “hacktivists” they do not cover their tracks and are not concerned whether they get caught (Oriyano, 2014).

Recent cybersecurity events are quite disturbing and offer evidence that security professionals require a more proactive approach. Another major attack occurred in 2016, when the Shadow Brokers hacked into the Equation Group, stole its tools for exploiting software vulnerabilities, and then essentially offered them online for free (van Der Walt, 2017). It is believed that the Shadow Brokers have connections to Russia, and that the Equation Group has connections to the NSA (National Security Agency). Some have theorized that Russia wanted to expose NSA tools to embarrass the agency and weaken the U.S. response to the alleged hack of the DNC (Greene, 2016). As a result of the Shadow Brokers leak, attackers were able to use the tools to target vulnerabilities in computer systems worldwide. In May 2017 almost 100 countries were hit by the largest ransomware attack in history, WannaCry. “Cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users to unlock the devices” (Scott & Wingfield, 2017). This attack was significant because it is believed to be the first use of “a cyberweapon developed by the NSA” by attackers on a global scale (Scott & Wingfield, 2017). The attack was particularly successful because cybercriminals could target “large institutions with a track record of not keeping their technology systems up-to-date” (Scott & Wingfield, 2017). The point bears emphasis for educators: WannaCry spread through the leaked EternalBlue exploit against Windows SMBv1, a flaw Microsoft had patched (MS17-010) two months before the outbreak, so unpatched systems rather than a novel zero-day made the attack possible.

3. ETHICAL HACKING

This research examines ethical hacking by defining what it is, along with the effectiveness of using an ethical hacking pedagogical approach to instruct future information security professionals. Based on a review of the literature, there appear to be two primary approaches to computer security instruction. One focuses on the instruction of theoretical concepts alone, and the other includes a hands-on laboratory component to reinforce the theoretical concepts. One approach that appears to be effective in computer security instruction is that of ethical hacking.

McMaster University’s Department of Computing and Software defines ethical hacking as “the controversial act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers” (Jaskolka, 2009). Ethical hacking is also commonly referred to as red teaming, intrusion testing, and penetration testing (Jaskolka, 2009), although practitioners distinguish a scoped penetration test, which enumerates vulnerabilities in an agreed target, from a red team engagement, which emulates a specific adversary against the organization's detection and response.

Ethical hacking may be thought of as a methodology for assisting computer professionals and administrators in their efforts to secure networks. As such, this topic will be reviewed in light of its effectiveness for instructing students in proactive offensive measures in information security courses.

The basic assumption behind ethical hacking is merely that of a different approach to security. Ethical hacking is primarily penetration testing and includes penetrating the “system like a hacker but for benign purposes” (Oriyano, 2014). Many researchers feel that students need to experience first-hand what the attacker will be doing and what tools will be used (Ethical Hacking: Student courseware, 2005). Ethical hacking may be further defined as the “methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems’ operating environments” (Ethical Hacking: Student courseware, 2005). Finally, an ethical hacker may be defined as someone with the same skill sets as an attacker, who differs in that permission has been granted by the owner to test the security of the target system (Oriyano, 2014).

There are a number of classes of hackers. Black Hats are highly skilled but have malicious and destructive intent; their actions fall outside what is considered legal. White Hats, in contrast, are hackers who use their expertise for defensive security analyses and who have permission to perform the tasks. Gray Hats hack for different reasons, ethically or unethically depending on the situation, and may operate offensively as well as defensively (Ethical Hacking: Student courseware, 2005; Oriyano, 2014).

A hacker may be defined as a “person who enjoys learning the details of computer systems and how to stretch their capabilities” (Ethical Hacking: Student courseware, 2005). Originally hackers, or enthusiasts, were people who were merely curious and passionate about whatever technology was new at the time (Oriyano, 2014). Greene (2004) suggests, “Ethical hackers and malicious hackers both attack computers, only their intent differs.” Pashel (2006) further elaborates that “Ethical hacking can be defined as the practice of hacking without malicious intent.” Floyd, Harrington, and Hivale (2007) believe it is important to determine how a hacker started and for what reasons. They suggest there are two types of hackers: those who hack out of curiosity and the “autotelic” thrill, who would make good ethical hackers; and, in contrast, individuals who were already prone to unethical or illegal actions and later turned to computers to assist with the crime.

Ethical hacking, or penetration testing, is similar in concept to hiring external auditors. Organizations are increasingly using this methodology to evaluate the effectiveness of their information security. These activities identify and exploit security vulnerabilities, thereby providing the organization with the information necessary to implement corrective measures (Sheoran & Singh, 2014).

Logan and Clarkson (2005) propose that information security is a type of “audit” for computer systems. As such, hacking skills may be viewed as similar to auditing skills, as both attempt to uncover issues. They go on to suggest, “Just as auditors test systems for security or operational flaws, hackers ‘test’ systems through attack” (Logan & Clarkson, 2005). Greene (2004) offers that testing a computer system is similar to crash-testing cars. In both examples, audit or crash test, the objective is to make something better by identifying the weaknesses within a system. As touted by many researchers, humans are the weakest link in computer security.

Ideas and definitions of information security have varied over the last few decades; however, a contemporary definition was proposed by Lundin in 2013: “Information security, or InfoSec, is [the practice of protecting information from unauthorized] use, disclosure, access, modification, or destruction. This term is applied to all information regardless of the form it takes and is comprised of two major categories: information assurance, which is the ability to ensure data is not lost to a breakdown in system security, due to theft, natural disasters, or technological malfunction; and IT (information technology) security, which is the security applied to computer networks.”

Yurcik and Doss (2001) offer that the “security of the Internet is broken and ‘ethical hacking’ has evolved as part of the potential solution.” They go on to suggest that ethical hacking may be “one of the most effective ways to proactively plug rampant security holes” (Yurcik & Doss, 2001). An increasing number of security professionals are advising companies to enlist the assistance of white hat or ethical hackers for testing and consulting purposes (Sheoran & Singh, 2014).

As noted earlier, there appear to be two basic approaches to information security instruction. One focuses on theoretical concepts only, while the other reinforces the concepts with a hands-on component. Trabelsi and McCoey (2016) feel strongly that covering only “theoretical aspects of information security may not prepare students for overcoming the difficulties associated with the efficient protection of complex computer systems and information assets.” They further maintain that students must have an opportunity to engage with security technologies in order to acquire the knowledge and skill set needed to be successful in the field of computer security.

4. ETHICAL HACKING EDUCATION

Having defined ethical hacking, the discussion now offers an overview of ethical hacking education for training future security professionals. Teaching students how to hack ethically may be seen as a worthy endeavor, and most researchers agree that it is critical for security professionals. Pashel (2006) proposes that the ability to determine weaknesses in computer systems can assist security professionals in preventing attacks, and goes on to offer that ethical hacking may be deemed a crucial element of a security program (Pashel, 2006).

An increasing number of researchers feel it is important that computer administrators have knowledge and skills comparable to those of attackers. It is important to determine what skill sets are needed by security professionals in order to educate students appropriately (Logan & Clarkson, 2005). Another researcher suggests, “As quickly as the field of Information Security is changing, the ‘good guys’ need all of the information and help that they can get” (Greene, 2004).

Many of the skills used in ethical hacking may be viewed as proactive rather than reactive in nature. Security educators feel that teaching “offensive methods” produces better prepared security professionals than teaching “defensive techniques” alone (Trabelsi, 2011).

A number of researchers and educators agree that practicing ethical hacking skills is crucial to developing the skill sets computer security professionals need. Trabelsi (2011) states that students should receive instruction that prepares them for robust research and development in their careers, and proposes, “One cannot perfectly design or build defenses for attacks that one has not truly experienced, first-hand” (Trabelsi, 2011).

In another study, Trabelsi (2012) argues that by withholding the information and knowledge gleaned from hacking, programs fail to prepare computer security professionals adequately for their careers, and that teaching attacks should be considered a necessary element of security education. A 2013 book, Hands-On Ethical Hacking and Network Defense, outlines an ethical hacking curriculum. The authors reason that the specific role of penetration testers should be defined; they propose different models for penetration testing, examine what can be done legally and illegally, distinguish federal and state laws through case study analysis, and review different ethical hacking certifications (Simpson et al., 2013). Finally, Trabelsi and Alketbi (2013) state that ethical hacking techniques should be included in the curriculum to better prepare security professionals.

5. ETHICAL AND LEGAL CONCERNS REGARDING ETHICAL HACKING EDUCATION

After the review of ethical hacking education, the ethical and legal implications of this approach to preparing security professionals must be addressed in light of the concerns of educators and researchers within the field. Our discussion will address the use of a computer ethics policy as a means of reducing or preventing inappropriate behavior resulting from ethical hacking instruction.

Teaching ethical hacking may be viewed with skepticism concerning the ethics of providing students with knowledge that may lead them to behave like the cybercriminals they are attempting to catch. Additionally, others contend that teaching hacking techniques could leave institutions facing ethical and legal dilemmas.

It is interesting to note that while many colleges and universities offer such education and training, a number of security professionals express concern about teaching hands-on hacking techniques. This apprehension may stem from a fear that students may use the “how to” knowledge unethically. Educational institutions address this concern by presenting the concepts within an ethical framework (Sanders, 2003).

A large number of those in favor of ethical hacking for teaching computer security also strongly favor ethical and legal instruction. Pashel (2006) suggests that while some students may use their newly acquired skills for unethical activities, all should receive the same instruction in the ethical and legal implications that may result. Security instruction should assist students in developing ethics and an understanding of what is expected of security professionals (Greene, 2004).

The majority of researchers studied were emphatic that legal and ethical instruction must accompany ethical hacking. It appears that some educators have felt that a hands-on course in ethical hacking is unethical and that there is a potential for students to use “tools and techniques in an irresponsible manner” (Trabelsi, 2011).

Most researchers recognize the necessity of offering ethical and legal information and training along with teaching hacking techniques to students. Logan and Clarkson (2005) feel there is a lack of ethical and legal instruction relating to computing and networking. They go on to suggest, “Training students to attack systems without the ethical or legal constructs to understand their actions carries the risk of training future security professionals and hackers side-by-side” (Logan & Clarkson, 2005). Others offer legitimate concerns regarding what students will do with their newly acquired computer hacking skill sets. One researcher poses the possibility of educating ethical hackers as well as “malicious hackers” at the same time (Greene, 2004). Still another argues that some question the “legality of teaching students to hack, in order to improve th
