Hacker training: Fighting fire with fire

Jon Wilcox

Sift

Technology Correspondent

Hacker training: Fighting fire with fire

By Jon Wilcox

Tags: Skills, Technology

As IT security continues to hit the headlines, Jon Wilcox looks at the next generation of hackers set to do battle with the online marauders.

Maintaining IT network security is an issue for small businesses, multi-nationals, and governments alike; the threat from hackers remains very real indeed. British citizen, Gary McKinnon is currently appealing against his extradition to the US for hacking into government agency networks, including NASA, over a 13 month period between 2001 and 2002.

In February this year, claims arose that IT security company Kaspersky had been hacked. Even the US Federal Aviation Authority (FAA) has been hacked into, with a report published this year revealing its IT systems had been compromised several times in recent years. And so it goes on.

Good versus evil

So what are companies doing to protect their systems against illegal hackers (so-called ‘black hats’)? It may come as a surprise, but many are fighting fire with fire, hiring legal hackers to test and enhance the security if their IT infrastructure. As illegal hacking becomes more and more sophisticated, companies will look for evermore robust IT networks.

As such, there’s increasing demand for ethical hackers to prod, poke, and penetrate systems. Events are held across the globe, including one run by Microsoft (BlueHat Conference), and another by security think-tank, Shmoo Group.In fact, some UK universities even offer degrees on the subject! But how do lecturers go about developing the knowledge base required to tackle today’s illegal hackers? How do they ensure students don’t turn to the dark side and wear a black hat? And what’s the top tip for companies looking to check the security and robustness of their IT systems?

“If you look at the knowledge gained in virtually any degree, it could be used for good and bad. Someone with a degree in biology could do one hell of a lot of damage in the world as well." Colin McLean, University of Dundee Abertray

“If you’re trying to secure [a branch of] Marks & Spencer you imagine yourself as a criminal first, and then work out how you’d stop it,” says Colin McLean at the University of Dundee Abertay. “That was really the rationale for the course.” McLean is the programme tutor for BSc (Hons) Ethical Hacking and Counter measures at the university, the UK’s first degree in the subject. The course began three years ago, and has already experienced a high demand in applicants.

So much so, that in 2008 Dundee Abertay began offering a post-graduate diploma in the subject, targeted at people looking to improve IT and network security at their companies. “The original reason for the degree was number one, my work with NCR Dundee [which produces technologies for the business and financial sector],” says McLean. “We were looking at all the possible risks to an ATM, and it occurred to me that we were sitting there not thinking like security specialists, we were actually sitting there thinking like criminals. We were sitting there like hackers.”

Sitting around a table and tackling an IT security issue like hackers is one thing, but teaching students in a four -year course in the subject is quite another. One major issue has to be tackled before the course even begins: How does the university ensure students are likely to remain ‘white hat’ ethical hackers rather than dive into the proverbial ‘dark side’, or are joining for legitimate reasons? It’s a question McLean has heard thousands of times.

“If you look at the knowledge gained in virtually any degree, it could be used for good and bad,” he argues. “Someone with a degree in biology I’m sure could do one hell of a lot of damage in the world as well. We have procedures probably the equivalent to students going into a medical degree; we vet the students beforehand with an advanced Disclosure Scotland check, a government scheme [that] comes up with any crime committed including speeding parking fines. We interview each of the students, we monitor every activity during the course to ensure they’re still legit, and we also have a whistle-blowing policy.”

Hacking within the law

So checks and balances are in situ, but there’s another tool in McLean’s armament – the law. “In the first six weeks we look at the legal issues. These days the sentences given to hackers are quite phenomenal.” He points to the ongoing extradition proceedings against Gary McKinnon, describing it as a good case study for students. “We look at the Computer Misuse Act; we look at various other acts that would affect students, but I think these case studies are a big deterrent.” But what it really boils down to is this: “If someone says to me, ‘Why don’t you hack into a website?’ I would say, ‘Because I don’t want to spend 20 years in prison.’”

"By the time I’ve finished with them, I’d expect them to be very proficient, very technically skilled, and very employable. Already, companies are lookng at the first years for when they go out on work placement."
Christopher Laing, University of Northumbria

Since the start of the Dundee Abertay degree, other universities have begun to offer their own ethical hacking programmes, including the University of Northumbria. Like its Scottish counterpart, covering the legal standpoint plays an important part of the degree through its duration. “When we validated the programme, we made sure each year built on the legal and ethical issues...we’re talking about very general legal, ethical, and professional issues,” says Northumbria’s Christopher Laing. “As they move forward through the years and the degree becomes more demanding, the legal aspects have to match that.”

Aside from the legal issues addressed by the institutions, both sets of degree students have access to their own Ethical Hacking lab. The labs are closed networks, “Obviously because of the nature of the work, we can’t have it on the university network,” says Laing, giving students the freedom and safe environment needed to put their developing knowledge into practice.

Abertay’s McLean explains the structure of the lab at Dundee: “The students can attack these networks very much in safety; we go through each of the procedures. When it comes to the later years, when it comes to project and case study work we’ve been using the university because we’ve got the legal documents in place.” For both course leaders, the importance their students will eventually play out in the field and in the real world of IT security cannot be over-played.

Applying the skills

“Companies really must do something active about their security,” says McLean. “They can no longer say ‘We have a firewall, we have anti-virus, and therefore our systems are secure’. Most companies are being told by their auditors that they should have their systems tested by a third party.” Laing spoke of the interest his students are already attracting: “By the time I’ve finished with them, I’d expect them to be very proficient, very technically skilled, and very employable. Already, companies are looking at the first years for when they go out on work placement.”

The first set of Honours students are due to graduate from Dundee Abertay in 2010, with Northumbria following suit in a few years time. Until then, what would be the top tip for companies concerned with the robustness of their IT infrastructure? McLean answers simply enough: “Go to professionals. It’s very difficult to test your own site because you probably already know the flaws before you start, so you’re not really investigating anything. I think it’s easier for someone outside coming in to go with an open mind.”

Jon Wilcox is technology correspondent for the Sift Media portfolio, which includes TrainingZone.co.uk. You can follow Jon and Sift Media’s technology editor, John Stokdyk, on Twitter.