
Professional ethical hacking body of knowledge

This interdisciplinary ethical hacking body of knowledge foundation framework is a working model for professional ethical hacking training; it comprises several knowledge areas and skillsets.

The underlying study produced a set of implementable policy recommendations to inform effective ethical hacking teaching practices in computer science, computer engineering, and software engineering undergraduate programs. The recommendations span instruction (approach), curricula content (which professional ethical hacking skills should be taught), and S&T innovation/technology governance (a public policy initiative). This post discusses the recommendations for curricula content, presented as a professional ethical hacking body of knowledge (BoK) foundation framework.

The professional ethical hacking body of knowledge foundation framework outlined here was synthesized from literature reviews, in-depth interviews, organizational document reviews, a technology impact assessment using STEI-DMG, and theory (STEI-KW as a knowledge-making epistemology or technology); see The case study methodology. Together, its knowledge areas and skillsets constitute a foundational body of knowledge for ethical hacking education in postsecondary institutions.

The framework can serve as a basis for an introduction course to cybersecurity in undergraduate computer science, computer engineering, software engineering, and business school (Information Systems Management, and Business IT) programs or as a base model for security awareness training in higher education.

  • Cybersecurity threats

  • Social digitization

  • Technical hacking skills

  • What do ethical hackers do?

  • The penetration testing process

  • OSINT analyst competency areas

  • Software security – software design and software security testing

  • Network security – network design and network security testing

  • Types and techniques of network attacks

  • Networking layers and classes of cyberattacks

  • Social hacking skills

  • Social engineering in ethical hacking

  • Cybersecurity risk mitigation skills

Cybersecurity threats

Societal level threats

  • Cyberwarfare/cyberattacks on critical infrastructure

  • Cyberwarfare/cyberattacks on public service institutions – on essential services and sensitive information

Business level threats

  • Businesses face an increasing risk of cybercrime, especially data breaches from commercial espionage, commercial data theft, and social engineering schemes.

Individual level threats

  • Canadians face a rising cyber risk of falling victim to cybercrime, especially identity theft.

  • State and business surveillance

  • Political interference – malicious online influence activity

Social digitization

  • Social digitization

  • Digital transformation in higher education

Technical hacking skills

  • What do ethical hackers do?

  • The penetration testing process

  • Teaching ethical hacking skillset (framework)

  • Key cybersecurity risks/threats to businesses

  • Information security risk governance

Key information security risks/threats to businesses: DoS and other network attack techniques against information confidentiality, integrity, and availability. A combination of social engineering and malware, especially ransomware. Identity theft through social engineering and phishing schemes.

What do ethical hackers do? Practices, responsibilities, and roles

  • Penetration testing

  • Vulnerability assessment vs penetration testing

  • Risk assessment

  • Security assessment vs security audit

  • Responsibilities of ethical hackers

  • Roles of ethical hackers

Various types of penetration tests can be performed, depending on the strategic objectives of the security assessment: social engineering, network penetration testing, Website security testing, physical premises hacking, and cloud-based system hacking.

The penetration testing process

  • Steps of the penetration testing process

  • Penetration testing methodologies and standards

  • The penetration test report

OSINT analyst competency areas

  • What is OSINT?

  • Who uses OSINT technologies and tactics?

  • OSINT analyst cybersecurity role

  • Technical competency areas

  • Social competency areas

Software security – software design and software security testing

Vulnerability discovery and vulnerability assessment and knowledge of exploits, scripts, and viruses and how they work (PPT3, PPT8, PPT14, PPT6, PPT12).

Software coding and programming skills include knowledge of software languages, especially C, C++, and JavaScript (PPT3, PPT14, PPT12).

Network security – network design and network security testing

Skills to protect a future employer’s IT infrastructure or IT network system against unauthorized use or access, including how to test a company’s defences (PPT3, PPT8, PPT14, PPT6, PPT12).

  • Defense in depth (layered security to protect data/mission-critical assets and information management systems).

  • A solid understanding of network protocols – common network protocols, the TCP/IP model, and the OSI model.

  • A solid understanding of network services – IP addressing, Domain Name System (DNS), primary domain email service, Internet access, web content filtering, firewalls, VPN termination, and intrusion prevention systems (IPS).

  • Use of multiple information gathering techniques and technologies to identify and enumerate targets running various operating systems and services.

  • Ability to identify existing vulnerabilities and to execute organized attacks in a controlled manner.

  • Ability to identify and exploit XSS, SQL injection and file inclusion vulnerabilities in web applications.

Table 9: Hacking Skills Coding Table (Network Penetration Testing)

Table 23: High-Level Network Security Risk Management Concepts

Types and techniques of network attacks

Information theft, such as stealing passwords, is a confidentiality attack because it allows someone other than the intended recipient to access data (Graves, 2010; Reynolds, 2012; Stamp, 2001). Information confidentiality network attack techniques include packet capturing (e.g., using Wireshark, a network protocol analyzer), port scanning (where an attacker tries to discover the services running on a target computer by scanning the TCP/UDP ports), and wiretapping (where an attacker hacks the telecommunication devices to listen to phone calls).

Information sabotage via viruses or malware is a data integrity attack that compromises the accuracy and reliability of data. Information integrity network attack techniques include session hijacking (where an attacker exploits a computer session to gain unauthorized access to information or services in a computer system with the goal of modifying data accuracy and reliability), and man-in-the-middle attacks (where an attacker sits between two devices that are communicating to manipulate the data as it moves between the two devices).

In a denial-of-service (DoS) attack, a hacker attacks the availability element of information systems. Ransomware can be used by malicious hackers to lock out users until the user pays a ransom to regain access to their information. Information availability network attack techniques include SYN flood attacks and ICMP flood attacks. In SYN flood attacks, an attacker sends many TCP SYN packets to initiate a TCP connection but never sends a SYN-ACK packet back, causing a TCP connection failure. In ICMP flood attacks, a targeted computer is inundated with false ICMP packets, causing it to become unresponsive to legitimate traffic.
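As an added example (not code from the original page), the following Python snippet shows how a defender can recognize the two availability attacks described above from per-packet summaries: a SYN flood leaves many handshakes half-open (the server's SYN-ACK is never answered by a client ACK), and an ICMP flood shows up as a burst of echo requests against one host. The summary line format and the 10.0.0.x, 198.51.100.x and 203.0.113.x addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (not real captures): "<sec> <src> <dst> <proto> <flags|type>".
# 10.0.0.5 sees one completed handshake and three left half-open; 10.0.0.6 gets an echo burst.
SAMPLE_LOG = """\
0.01 10.0.0.9 10.0.0.5 tcp S
0.02 10.0.0.5 10.0.0.9 tcp SA
0.03 10.0.0.9 10.0.0.5 tcp A
0.10 198.51.100.1 10.0.0.5 tcp S
0.11 10.0.0.5 198.51.100.1 tcp SA
0.12 198.51.100.2 10.0.0.5 tcp S
0.13 10.0.0.5 198.51.100.2 tcp SA
0.14 198.51.100.3 10.0.0.5 tcp S
0.15 10.0.0.5 198.51.100.3 tcp SA
0.20 203.0.113.7 10.0.0.6 icmp echo
0.21 203.0.113.7 10.0.0.6 icmp echo
0.22 203.0.113.7 10.0.0.6 icmp echo
"""

def parse(log):
    """Split each summary line into (time, src, dst, proto, info)."""
    rows = [line.split() for line in log.splitlines()]
    return [(float(r[0]), r[1], r[2], r[3], r[4]) for r in rows if len(r) == 5]

def half_open_ratio(records):
    """Per server: share of handshakes that got a SYN-ACK but never the client's ACK."""
    state = {}  # (client, server) -> "syn" | "synack" | "open"
    for _, src, dst, proto, flags in records:
        if proto == "tcp" and flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"  # server answered; backlog slot now held
        elif flags == "A" and state.get((src, dst)) == "synack":
            state[(src, dst)] = "open"    # handshake completed; slot released
    counts = defaultdict(lambda: [0, 0])  # server -> [half_open, total]
    for (_, server), st in state.items():
        counts[server][1] += 1
        counts[server][0] += st == "synack"
    return {s: half / total for s, (half, total) in counts.items()}

def alerts(log, syn_ratio=0.5, icmp_max=2):
    """Return (kind, host) pairs for hosts whose traffic matches a flood pattern."""
    recs = parse(log)
    echoes = defaultdict(int)  # destination -> ICMP echo requests received
    for _, _, dst, proto, info in recs:
        echoes[dst] += proto == "icmp" and info == "echo"
    found = [("syn_flood", h) for h, r in half_open_ratio(recs).items() if r >= syn_ratio]
    return found + [("icmp_flood", h) for h, n in echoes.items() if n > icmp_max]
```

The ratio and echo-request thresholds are illustrative and would be tuned per host against a traffic baseline; SYN cookies on the server or a SYN-proxying firewall are the usual mitigations once a SYN flood is confirmed.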

Networking layers and classes of cyberattacks

Network security risk mitigation best practices

  • The seven layers of the OSI model

  • The five layers of the TCP/IP model

  • Four classes/types of network attacks/network security layers

Social hacking skills

  • The case for ethics instruction

  • Social hacking skills – What ethics to teach/ethics instruction

  • Social engineering in ethical hacking

  • Karl Weick – sensemaking through organizing

  • Canada’s cybersecurity threat landscape

  • Social digitization

  • Technology impact assessment (using STEI-DMG)

What ethics to teach/ethics instruction

1) Countermeasures component

  • Prevention component: ethical-legal consequences of unlawful/unauthorized hacking

  • Teaching hacking skills as a comprehensive audit/as skills in QA/IA/IT governance (process focused)

2) The ethics of ethical hackers/professionalism/professional practice in society

  • Professional ethics/professional codes of conduct and professional values

  • Social values underlying the behavior of professional ethical hackers/computer scientists and computer engineers – sociopolitical values, scientific values, and normative ethics/values

Social engineering in ethical hacking

  • What is social engineering?

  • Social engineering in penetration testing

  • The four most common types of social engineering attacks

Cybersecurity risk mitigation skills

An information security policy covering:

  • Software development and testing/software security

  • Network design and testing/network security

  • Hardware security policy

  • Standard operating procedures/information command and control policy

  • Ethical code of conduct

  • Security awareness training

  • User responsibility/usage policies (AUP)

  • Information security risk governance (cybersecurity regulations and IT governance compliance frameworks)

Cybersecurity risk mitigation framework

Technical hacking skills

IT governance

  • Cybersecurity regulations/regulatory requirements

  • Security and privacy policies and regulations

  • Regulatory compliance—FERPA

  • Regulatory compliance—PCI DSS

IT security governance

  • Key IT governance/cybersecurity compliance frameworks

  • GRC/IA/QA approaches to IT security governance to help implement regulatory requirements/achieve compliance

SDLC/agile software development/design of security systems and components

  • DevSecOps/security-by-design

Security testing

Security awareness

Defense in depth

Access management

  • Access control

  • Access and authentication

  • IAM

  • User security (passwords, identity, biometry)

Social engineering and critical thinking skills

Application security

  • Cross-site scripting attacks

  • SQL injection attacks

Operating system security

  • Layered security: IDS/IPS, firewalls, software security

Basic cryptography and tools

  • Cryptography, key exchange, security policies; encryption

Network protocols

  • Common network protocols

  • Internet Protocol Suite (the TCP/IP protocol suite)

  • The TCP/IP model and the OSI model

Network enumeration and scanning techniques and technologies

  • Open technologies

  • AI-based intelligence gathering/surveillance technologies

Types of network attacks (passive and active)

Social hacking skills

Risk mitigation component

  • Countermeasures component

  • Ethical-legal consequences/prevention component

  • Security audit/comprehensive approach to hacking/security testing (vulnerability discovery and mitigation)

Interdisciplinary educational lens (a social science content/context)

  • The ethics of ethical hackers (professionalism/professional practice in society)

  • Social hacking values (tacit sociopolitical values made explicit)

  • Philosophy of science/scientific method

  • Science of security content

Table 1: Cybersecurity Threats Facing Individuals, Businesses, and Society (CSE, 2018)
The 15 Layer Cyber Terrain Model (Riley, 2014A)