Syllabus

Ethical hacking and pentesting

Etisk hackning och penetrationstestning

Course
DIT989
Second cycle
7.5 credits (ECTS)
Disciplinary domain
TE Technology 100%

About the Syllabus

Registration number
GU 2025/4475
Date of entry into force
2026-03-15
Decision date
2026-01-30
Valid from semester
Autumn term 2026
Decision maker
Department of Computer Science and Engineering

Grading scale

Four-grade scale, digits

Course modules

Project, 7.5 credits

Position

The course can be part of the following programmes:

  1. Computer Science, Master's programme (N2COS)
  2. Software Engineering and Management, Master's programme (N2SOF)
  3. Game Design and Technology, Master's programme (N2GDT)

The course is also a single-subject course at Gothenburg University.

Main field of study with advanced study

ITDVA Computer Science - A1F Second cycle, has second-cycle course/s as entry requirements

Entry requirements

  • Completed at least 7.5 hec in programming.
  • Completed one of the courses Computer Security (7.5 hec) or Cyber Security (7.5 hec), or equivalent.
  • Completed at least 7.5 hec in computer networks.
  • Completed, in addition to the above, 7.5 hec in the second cycle within cybersecurity or equivalent, for example, Network Security or Cryptography.

Applicants must prove knowledge of English: English 6/English level 2 or the equivalent level of an internationally recognized test, for example TOEFL, IELTS.

Content

As computer systems become increasingly critical for society, understanding how attackers think and work when attacking them is crucial to being able to protect such a critical asset.

Consequently, this course aims to provide the necessary foundations for students to be able to perform offensive security analysis in an ethical and legal way and successfully report their findings so they can be fixed.

To do so, the course will teach students how to perform the different stages of a common vulnerability assessment assignment, including a final report.

Furthermore, to ensure students make appropriate use of the acquired knowledge, the course also focuses on making students understand the legal, societal and ethical implications of their cybersecurity operations.

Finally, to ensure the knowledge acquired by the students remains relevant, the course aims to teach students how to expand their knowledge to approach offensive cybersecurity assignments in areas in which they lack experience and expertise.

Objectives

After completion of the course the student should be able to:

Knowledge and Understanding

  • Independently locate adequate resources to further develop their own knowledge of ethical hacking, penetration testing, and offensive security.
  • Explain based on current practices the importance of risk, impact, and likelihood when communicating and modeling cybersecurity issues.
  • Describe in detail the different stages of a penetration test and which tools and procedures can be useful on each of them.
  • Present overall the laws, regulations, policies and ethical implications related to ethical hacking and cybersecurity.
  • Distinguish and describe in outline the different principles and techniques used by cybercriminals to gain access to IT systems.

Skills and Abilities

  • Perform professional security assessments in an ethical and legal way.
  • Identify, find, and use adequately the appropriate tools for offensive security tasks.
  • Report comprehensively the results of a security engagement, both in writing and orally, in an understandable way using a risk-based approach.

Judgement Ability and Approach

  • Assess critically the ethical and societal implications of cybersecurity operations, including the implications from the perspective of the United Nations’ Sustainable Development Goals.
  • Prioritize methodically vulnerability assessment tasks in time-constrained settings utilizing risk, impact and likelihood.
  • Evaluate systematically vulnerability impact using industry standards.
  • Recommend, with clear support from current best practices, the most appropriate course of action to strengthen IT security in IT systems.

Sustainability labelling

The course is sustainability-related, which means that at least one of the learning outcomes clearly shows that the course content meets at least one of the University of Gothenburg's confirmed sustainability criteria.

Form of teaching

The course consists of a series of pre-recorded lectures, guest lectures, seminars, laboratory exercises, and a final report.

  • The pre-recorded lectures serve as an aid for students lacking certain knowledge to perform their tasks.
  • The guest lectures aim at providing an external perspective into the procedures and realities of ethical hacking. After the lecture, optional assignments may be provided.
  • The seminars are compulsory and delve deeper into ethics, legal context, and other areas for which the project might not be appropriate. Some may also include compulsory assignments.
  • The project makes the students perform the different stages of a normal security engagement.
  • A compulsory final report may be required at the end of the course.

The course is given in English; Swedish will be used sparingly with agreement from all the students participating in the activity.

Examination formats

The course will be assessed through the following components:

  • Completion of assignments after the guest lectures and seminars related to their contents.
  • Participation in the mandatory seminars. This may be replaced by an alternative assignment if deemed adequate by the examiner.
  • Completion of the project stages by the pre-established deadlines and presentation of results at the mandatory seminars established to that end.
  • Contents and insights from the final report and the prior peer review process.
  • Extra credit can be achieved from additional course-related tasks deemed appropriate by the examiner.


If a student who has been failed twice for the same examination element wishes to change examiner before the next examination session, such a request is to be granted unless there are specific reasons to the contrary (Chapter 6 Section 22 HF).

If a student has received a certificate of disability study support from the University of Gothenburg with a recommendation of adapted examination and/or adapted forms of assessment, an examiner may decide, if this is consistent with the course’s intended learning outcomes and provided that no unreasonable resources would be needed, to grant the student adapted examination and/or adapted forms of assessment.

If a course has been discontinued or undergone major changes, the student must be offered at least two examination sessions in addition to ordinary examination sessions. These sessions are to be spread over a period of at least one year but no more than two years after the course has been discontinued/changed. The same applies to placement and internship (VFU) except that this is restricted to only one further examination session.

If a student has been notified that they fulfil the requirements for being a student at Riksidrottsuniversitetet (RIU student), to combine elite sports activities with studies, the examiner is entitled to decide on adaptation of examinations if this is done in accordance with the Local rules regarding RIU students at the University of Gothenburg.

Grades

Sub-courses

  1. Project, 7.5 credits
    Grading scale: Pass with distinction (5), Pass with credit (4), Pass (3) and Fail (U)

The grade for the entire course will be determined by the project.

Course evaluation

The course is evaluated through meetings both during and after the course between teachers and student representatives. Further, an anonymous questionnaire is used to ensure written information. The outcome of the evaluations serves to improve the course by indicating which parts could be added, improved, changed or removed.

Other regulations

The course is a joint course together with Chalmers.

Students need access to a PC with Internet access to perform some of the mandatory assignments.

Students may be required to sign an NDA and MoU establishing rules of engagement before being allowed to perform the project.

To succeed in this course, students should have prior knowledge of the inner workings of the protocols TCP, UDP, IP and HTTP. They should also have some knowledge of ethics applied to computer science or cybersecurity, computer security, network security and cryptography, security metrics, risk analysis, operating system security and common attacks.

Ethical hackers need a good base of knowledge to be able to succeed in their tasks. Consequently, and although not mandatory for entry, prior knowledge of various areas significantly increases the chances of succeeding in the course. These areas are: computer architectures (assembly, and the programmer’s model of a processor), networks (various protocols, and knowledge navigating RFCs), operating systems (how to use the operating system shell, how processes are executed and run and how the OS system call interface works), network security (TLS, IDS, port scanning, and firewalls), cryptography (different primitives and their usage to guarantee security properties), and language-based security (how compiler hardening techniques work).