My uOttawa PhD thesis exploring ethical hacking teaching practices in Canadian higher education, completed in 2020 at uOttawa engineering (the PhD in DTI uOttawa Program), contributed a set of implementable policy recommendations to inform effective ethical hacking teaching practices in computer science, computer engineering, and software engineering undergraduate programs – spanning instruction (approach), curricula content (what professional ethical hacking skills taught should be), and S&T innovation/technology governance (a public policy initiative). This post is a discussion of the recommendations for the curricula content – these recommendations are presented as a professional ethical hacking body of knowledge (BoK) foundation framework.
The professional ethical hacking body of knowledge foundation framework outlined here was synthesized from literature reviews, in-depth interviews, organizational document reviews, a technology impact assessment using STEI-DMG, and theory (STEI-KW as a knowledge-making epistemology or technology). See The case study methodology. The professional ethical hacking body of knowledge foundation framework represents a working model of ethical hacking professional training and is comprised of several knowledge areas and skillsets that together constitute a body of knowledge foundational framework for ethical hacking education in postsecondary education.
The framework can serve as a basis for an introductory course in cybersecurity in undergraduate computer science, computer engineering, software engineering, and business school (Information Systems Management, and Business IT) programs or as a base model for security awareness training in higher education.
- Cybersecurity threats
- Social digitization
- Technical hacking skills
- What do ethical hackers do?
- The penetration testing process
- OSINT analyst competency areas
- Software security – software design and software security testing
- Network security – network design and network security testing
- Types and techniques of network attacks
- Networking layers and classes of cyberattacks
- Social hacking skills
- Social engineering in ethical hacking
- Cybersecurity risk mitigation skills
You may also be interested in The ethical teaching of ethical hacking.
Cybersecurity threats
Societal level threats
Cyberwarfare/cyberattacks on critical infrastructure
Cyberwarfare/cyberattacks on public service institutions – on essential services and sensitive information
Business level threats
Businesses face an increasing risk of cybercrime, especially data breaches from commercial espionage, commercial data theft, and social engineering schemes.
Individual level threats
Canadians face a rising cyber risk of falling victim to cybercrime, especially identity theft.
State and business surveillance
Political interference – malicious online influence activity
Table 1: Cybersecurity Threats Facing Individuals, Businesses, and Society (CSE, 2018)
Social digitization
- Social digitization
- Digital transformation in higher education
Technical hacking skills
- What do ethical hackers do?
- The penetration testing process
- Teaching ethical hacking skillset (framework)
- Key cybersecurity risks/threats to businesses
- Information security risk governance
Key information security risks/threats to businesses:
DoS and other network attack techniques against information confidentiality, integrity, and availability.
A combination of social engineering and malware, especially ransomware.
Identity theft through social engineering and phishing schemes.
What do ethical hackers do? Practices, responsibilities, and roles
- Penetration testing
- Vulnerability assessment vs penetration testing
- Risk assessment
- Security assessment vs security audit
- Responsibilities of ethical hackers
- Roles of ethical hackers
Various types of penetration tests can be performed, depending on the strategic objectives of the security assessment: social engineering, network penetration testing, website security testing, physical premises hacking, and cloud-based system hacking.
The penetration testing process
- Steps of the penetration testing process
- Penetration testing methodologies and standards
- The penetration test report
OSINT analyst competency areas
- What is OSINT?
- Who uses OSINT technologies and tactics?
- OSINT analyst cybersecurity role
- Technical competency areas
- Social competency areas
Software security – software design and software security testing
Vulnerability discovery and vulnerability assessment and knowledge of exploits, scripts, and viruses and how they work (PPT3, PPT8, PPT14, PPT6, PPT12).
Software coding and programming skills include knowledge of software languages, especially C, C++, and JavaScript (PPT3, PPT14, PPT12).
Network security – network design and network security testing
Skills to protect a future employer’s IT infrastructure or IT network system against unauthorized use or access, including how to test a company’s defences (PPT3, PPT8, PPT14, PPT6, PPT12).
Defense in depth (layered security to protect data/mission critical assets and information management systems).
A solid understanding of network protocols – common network protocols, the TCP/IP model, and the OSI model.
A solid understanding of network services – IP addressing, Domain Name System (DNS), primary domain email service, Internet access, web content filtering, firewalls, VPN termination, and intrusion prevention systems (IPS).
Use of multiple information gathering techniques and technologies to identify and enumerate targets running various operating systems and services.
Ability to identify existing vulnerabilities and to execute organized attacks in a controlled manner.
Ability to identify and exploit XSS, SQL injection and file inclusion vulnerabilities in web applications.
Table 9: Hacking Skills Coding Table (Network Penetration Testing)
Table 23: High-Level Network Security Risk Management Concepts
Types and techniques of network attacks
Information theft, such as stealing passwords, is a confidentiality attack because it allows someone other than the intended recipient to access data (Graves, 2010; Reynolds, 2012; Stamp, 2001). Information confidentiality network attack techniques include packet capturing (e.g., using Wireshark, a network protocol analyzer), port scanning (where an attacker tries to discover the services running on a target computer by scanning the TCP/UDP ports), and wiretapping (where an attacker hacks the telecommunication devices to listen to phone calls).
Information sabotage via viruses or malware is a data integrity attack that compromises the accuracy and reliability of data. Information integrity network attack techniques include session hijacking (where an attacker exploits a computer session to gain unauthorized access to information or services in a computer system with the goal of modifying data accuracy and reliability), and man-in-the-middle attacks (where an attacker sits between two devices that are communicating to manipulate the data as it moves between the two devices).
In a denial-of-service (DoS) attack, a hacker attacks the availability element of information systems. Ransomware can be used by malicious hackers to lock out users until the user pays a ransom to regain access to their information. Information availability network attack techniques include SYN flood attacks and ICMP flood attacks. In SYN flood attacks, an attacker sends many TCP SYN packets to initiate a TCP connection but never sends a SYN-ACK packet back, causing a TCP connection failure. In ICMP flood attacks, a targeted computer is inundated with false ICMP packets, causing it to become unresponsive to legitimate traffic.
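As an added illustration (not part of the thesis or the original post), the Python example below shows how a defender might recognise three of the techniques named in this section from packet summaries: port scanning, SYN floods, and ICMP floods. The record format, the thresholds, and the sample traffic are assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample for one observation window: (source IP, destination port,
# packet type) summaries as a sensor might log them. Addresses are from the
# RFC 5737 documentation ranges; none of this is real traffic.
PACKETS = (
    [("192.0.2.10", 443, "SYN"), ("192.0.2.10", 443, "ACK")]     # normal client
    + [("198.51.100.7", p, "SYN") for p in range(20, 45)]        # 25 ports probed
    + [(f"203.0.113.{i}", 80, "SYN") for i in range(1, 61)]      # 60 SYNs, no ACK
    + [("192.0.2.99", 0, "ICMP-ECHO")] * 300                     # echo request burst
)

def analyse(packets, scan_ports=20, half_open_limit=50, icmp_limit=200):
    """Classify one window of packet summaries. Thresholds are assumed values."""
    ports_by_src = defaultdict(set)   # source -> distinct ports it sent a SYN to
    half_open = defaultdict(set)      # port -> sources whose SYN has no ACK yet
    icmp_by_src = Counter()           # source -> ICMP echo requests seen
    for src, dport, kind in packets:
        if kind == "SYN":
            ports_by_src[src].add(dport)
            half_open[dport].add(src)
        elif kind == "ACK":
            half_open[dport].discard(src)   # handshake completed by the client
        elif kind == "ICMP-ECHO":
            icmp_by_src[src] += 1
    return {
        # Confidentiality: reconnaissance of which services are listening.
        "port_scan_sources": sorted(
            s for s, ports in ports_by_src.items() if len(ports) >= scan_ports),
        # Availability: a port piling up connections that were never completed.
        "syn_flood_ports": sorted(
            p for p, srcs in half_open.items() if len(srcs) >= half_open_limit),
        # Availability: one source sending an abnormal volume of echo requests.
        "icmp_flood_sources": sorted(
            s for s, n in icmp_by_src.items() if n >= icmp_limit),
    }

if __name__ == "__main__":
    print(analyse(PACKETS))
```

A production detector would also bound each counter by time, since the example treats its whole input as a single window.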
Networking layers and classes of cyberattacks
Network security risk mitigation best practices
The seven layers of the OSI model
The five layers of the TCP/IP model
Four classes/types of network attacks
The 15 Layer Cyber Terrain Model (Riley, 2014A)
Social hacking skills
- The case for ethics instruction
- Social hacking skills – What ethics to teach/ethics instruction
- Social engineering in ethical hacking
- Karl Weick – sensemaking through organizing
- Canada’s cybersecurity threat landscape
- Social digitization
- Technology impact assessment (using STEI-DMG)
What ethics to teach/ethics instruction
1) Countermeasures component:
Prevention component: ethical-legal consequences of unlawful/unauthorized hacking
Teaching hacking skills as a comprehensive audit/as skills in QA/IA/IT governance (process focused)
2) The ethics of ethical hackers/professionalism/professional practice in society:
Professional ethics/professional codes of conduct and professional values
Social values underlying the behavior of professional ethical hackers/computer scientists and computer engineers – sociopolitical values, scientific values, and normative ethics/values
Social engineering in ethical hacking
- What is social engineering?
- Social engineering in penetration testing
- The four most common types of social engineering attacks
Cybersecurity risk mitigation skills
An information security policy covering:
- Software development and testing/software security
- Network design and testing/network security
- Hardware security policy
- Standard operating procedures/information command and control policy
- Ethical code of conduct
- Security awareness training
- User responsibility/usage policies (AUP)
- Information security risk governance (cybersecurity regulations and IT governance compliance frameworks)
Cybersecurity risk mitigation framework
| Technical hacking skills | | |
| IT governance | Cybersecurity regulations/regulatory requirements; Security and privacy policies and regulations; Regulatory compliance – FERPA; Regulatory compliance – PCI DSS | |
| IT security governance | Key IT governance/cybersecurity compliance frameworks; GRC/IA/QA approaches to IT security governance to help implement regulatory requirements/achieve compliance | SDLC/agile software development/Design of security system and components; DevSecOps/security-by-design |
| Security testing | | |
| Security awareness | | |
| Defense in depth | Access management | Access control; Access and authentication; IAM; User security (passwords, identity, biometry) |
| Social engineering and critical thinking skills | | |
| Application security | Cross site scripting attacks; SQL injection attacks | |
| Operating system security | | |
| Layered security: IDS/IPS, firewalls, software security | | |
| Basic Cryptography and Tools | Cryptography, Key exchange, Security Policies; Encryption | |
| Network protocols | Common network protocols; Internet Protocol Suite (the TCP/IP protocol suite); The TCP/IP model and the OSI model | |
| Network enumeration and scanning techniques and technologies | Open technologies; AI based intelligence gathering/surveillance technologies | |
| Types of network attacks (passive and active) | | |
| Social hacking skills | | |
| Risk mitigation component; Countermeasures component | Ethical-legal consequences/prevention component; Security audit/comprehensive approach to hacking/security testing (vulnerability discovery and mitigation) | |
| Interdisciplinary educational lens (a social science content/context); The ethics of ethical hackers (professionalism/professional practice in society) | Social hacking values (tacit sociopolitical values made explicit); Philosophy of science/scientific method; Science of security content | |