The Use of Digital Security Penetration Testing in Information-based Pedagogy

Anthony Austin

Abstract

Security on the Internet relies on privacy, data integrity and data theft prevention. Much of this security was and still is supported using open source software provided and developed by peer groups (hacker collectives) as a method for resource discovery. The ethic of this informal education supposes that security breaches in software and protocol shall be maintained and documented for data protection, although it is now formalized in educational institutions. Studies on the impact of security within education focus primarily on the financial aspect or types of attacks. Few resources investigating security penetration testing in education exist. In the discussion of the different types of study, it is necessary to find a correlation between ethics, education and security. The discussion in this paper attempts to define these contexts to outline the misuse of information resources, and consolidate these three themes. To what degree do we institute digital security penetration testing in information pedagogy without compromising ethics?

Keywords: computer education, network security, internet security, privacy, internet ethics

Introduction

Security on the Internet relies on privacy, data integrity and data theft prevention. In the past, much of this security was and is supported using open source software provided and developed by peer groups (hacker collectives) as a method to innovate. The ethic of this informal education supposes that security breaches in software and protocols shall be maintained and documented for data protection, although now formalized in educational institutions. While the informal education continues, the formalization of the instruments for digital security penetration in course curricula in security programs at higher education institutions continues.

In this formalization of curricula based on information security, a dynamic of three themes must be considered. One, the rationale within the educational context: how security penetration testing is applied within the sphere of the curricula in which it is taught. Two, whether the methodologies and instruments of security being utilized are applied appropriately within the learning outcomes of the curricula in which they are taught. Finally, the scope of ethics being taught in a field in which the technology can be misappropriated to unethical ends.

Within an educational context, the notion of teaching new ideas for further development is definitely not explosive. However, the application of how it should be achieved and stated in theory has been in place and often forgotten. Philipp Melanchthon initiated this, stating “without presenting any radically new research findings, nevertheless summarize the knowledge of time in an encyclopedically-oriented manner that is exemplary as regards both content and method and which would pass that knowledge on to young students and scholars.” (Horst Rupp trans. 1999)

By no means does this proposal suggest the stifling of new ideas based upon possible miscalculations of the effects of potential security tool risks. In fact, Kiril Stoichev suggests the implementation of a set of standards for establishing security levels (Stoichev, 2014). If applied in an educational context, this could be a useful tool in the establishment of curricula programming. By examining the security methodologies currently being taught, achieving these standards becomes a far more effective model for curricula.

Finally, the ethical context of teaching security penetration testing in an educational context must be examined. As misuse of the penetration testing tools could result in the unintended dissemination of sensitive personal data in a networked environment, it is necessary to examine whether the programs in place now have an instrument in place to show the learners the ethical and legal implications in the misuse of security penetration tools.

The primary purpose of the study is to analyze the co-dependency and co-relationship of these three maxims. An educational environment could utilize the findings to develop and incorporate these three, with an effective methodology by which digital security penetration testing could enable curricula development.

Methodology

The study is qualitative in nature. In research on working with Information Systems, Michael D. Myers stated that the qualitative method is the most useful in this field (Myers, 1997, 2015). In further determining the approach, a grounded theory is to be applied, in which data collection and analysis are used symbiotically, in a systematic approach, to produce a result for empirical interpretation (Myers).

The target data collection is to be in higher education at thirty institutions in English speaking countries. The primary data collection would be for analysis of the core curricula of institutions currently teaching security-penetration testing. An analysis of the tools and security protocols taught in the curricula would determine whether the institutions are currently working to a security standard.

A further analysis of ten MOOC programs currently teaching this material will determine whether the same standards are in place. This would determine whether the MOOCs offered on the same curricula taught in primary core programs in security are applicable. This would be applied in a hermeneutic approach.

The secondary data collection is to be gathered through a survey of the curricula developers and professors of the security curricula. In this survey, security and ethics courses would be investigated. The sampling would be 120 of these or a number willing to match that from other institutions. This survey would include core security protocols, security penetration testing tools in use and the prevalence of security ethics courses taught in the curricula.

Using this data and comparing it to studies in each of the three themes to be applied in this study should give a clearer indication of gaps in educational delivery in the field of digital security. This can be applied to models of curricula development or curricula revision in existing programs at educational institutions.

Discussion of Education, Security and Learning

There are a variety of approaches to handling security in an institutional environment. Primarily, these can form two disparate methodologies in approaching security: exclusive or proactive. In analyzing the risk factor, Universities UK proposes the latter. The purpose of using a proactive approach is an effort to manage the risk factor based upon an institution’s reputation for delivering the content of the curricula and maintaining the integrity of the delivery model (Universities UK, 2013). An exclusive approach in delivery limits the ability of the learner to explore themes in the curricula in their interests of enquiry.

Similar to this, Frederico Waitoller et al. (2013) examined the educational aspect outside of a security theme, and investigated it from a cultural and environmental basis. Inclusive education, they state, is “an ongoing and systematic process of changing school culture and stressed ability differences went beyond the technicalities of including students with diverse abilities in the general education classroom.”

Prior to formalized education, hacker collectives formed the basis of education in security in networked environments. It was done so with a high level of integrity in order to maintain an ethical context (Himanen, 2001). However, since the advent of the World Wide Web, which has become ubiquitous to the degree that we can use it in our telephone systems through cellphones, its misuse has been invading our privacy. For instance, one of the most alarming abuses of these tools occurred when an untrained hacker used the tools to supplement newspaper articles through listening to victims’ phone conversations (News of the World Scandal, http://www.bbc.com/news/uk-11195407).

The exclusive approach to security does not involve potential learners of broader techniques in a responsible fashion. It has been pointed out that “security through obscurity”, where the exclusive approach does not allow learning of the tools, is not a deterrent to misuse (Garfinkel and Spafford, 2002). In fact, the human nature of curiosity promotes misuse. The example above demonstrates this, and the use of known security vulnerabilities by those known as “script kiddies”, or those without knowledge, is on the rise (Clemente, 2007).

Although the inclusive and proactive approaches stress openness in education within the context of a monitored, moderated environment, if taken out of this context the potential for misuse of security penetration becomes greater.

The hacker collective model used a peer and self-monitoring system to maintain ethical standards, while maintaining the integrity of security penetration (Himanen). With the advent of mass communication on the internet, this model can no longer be relied upon.

The recent push for Massive Open Online Courses (MOOCs) and Open Education Resources (OER) in security penetration may not be ready for public consumption. Adopted by many educational institutions across Canada, the United States and Europe, the movement pushes the openness of education and is seen as a model for future learning (deLaat et al., 2014). The learning model of Social Learning Analytics they suggest encourages the social networking and open access that leads to a better model of education.

The second argument made for MOOCs etc. is that educational institutions do not have instructional pedagogy to teach some disciplines and the teachers are not qualified from a pedagogical preparation standpoint (Valla, 2014). The study furthers this by asserting that teaching methodologies will not progress, and that the use of experts worldwide educating the learners is the future of education.

However, within education of learners in security penetration testing, the courses in MOOCs have little to no standard for requisites to acquire the knowledge. Individual courses can be taken one at a time, regardless of the background of the learner. This introduces the learner to security penetration tools without any of the necessary theoretical knowledge. As an example, I registered at a security course offered by the Stanford University MOOC without any regard for my prior education.

In this, MOOCs are offering this freely to any individual wishing to educate themselves, and course enrolments number in the thousands without any background in security or ethics. This opens up the opportunity for abuse and misuse of the technology which, as demonstrated earlier, causes concern for privacy with no ethical considerations.

Little study has been done on MOOCs, ethics and security. The approach of necessity will have to be hermeneutic in this matter of the proposed study. My predisposition will be to demonstrate that in the development of MOOCs educating in security there is little regard to the ethical standard of teaching security penetration tools.

Security penetration testing relies on certain educational parameters. A thorough knowledge of networking protocols within standards is required (Souppaya et al., 2013). In order to use educational institutions as an effective delivery tool for security education, the standards for networking protocols must be in place. The use of mobile devices in a classroom should adhere to the standards Souppaya et al. set for the NIST.

The delivery model of BYOD (Bring Your Own Device) now reaching into classrooms is becoming more adaptable, and educators are using it as another teaching tool (Bradford, 2013 and 2015). When examined through a security penetration testing context in a classroom, the core internet protocols must be delivered to the learner. As wireless technologies such as cellphone or tablet hacking are introduced in a security education, a high degree of ethical standards must also be present. Khokhar et al. demonstrated wireless network attacks available to “script-kiddies”. This topic in security education is highly valued but must also be examined in the context of educational delivery.

Clemente points this out in his study on System Hardening (2012). In his findings on the appropriate security penetration tools that should be used within a network, a learner must have an ethical standard in the use of such tools. An “in the wild” security attack is generally launched by those with any educational knowledge of the security protocols that govern network communication. From an ethical perspective, this can pose a problem when using such tools, and education from an ethical perspective is imperative.

The ethical implications of teaching security penetration testing in information pedagogy are problematic. From an ethical perspective, Slade et al., in their study on Learning Analytics, state that many primary considerations must be considered. Slade states the aim to “provide an ethical framework for higher education institutions to offer context-appropriate solutions and strategies to increase the quality and effectiveness of teaching and learning” (Slade, 2013). This aspect of Learning Analytics, taken from an ethical perspective, rather than Waitoller’s environmental and cultural perspective of SLA, adds the ethical context.

From an ethical perspective, the importance of ethics in security as it pertains to information pedagogy is a necessity for a better delivery model. Of pre-eminence is using the security penetration testing tools, while maintaining a level of ethical standard in the classroom environment.

Conclusion

As demonstrated in the discussion, there is a symbiotic relationship between education, security and ethics, with each interspersed with the others if looked at within the proper context. In reviewing past studies on these three themes, little research has been done attempting to show how the three are co-dependent within information pedagogy. The study attempts to propose a framework which will not only demonstrate this relationship, but also provide theoretical and empirical data. The study can examine this relationship, and give a context for the development of security education, and in particular, the ethical basis for the inclusion of security penetration testing in information pedagogy, and considerations for said curricula.

Glossary

Hacker Ethic: 1. The belief that information-sharing is a powerful positive good, and that it is an ethical duty of hackers to share their expertise by writing open-source code and facilitating access to information and to computing resources wherever possible. 2. The belief that system-cracking for fun and exploration is ethically OK as long as the cracker commits no theft, vandalism, or breach of confidentiality (Raymond, 2004).

Cracker: A malicious meddler who tries to discover sensitive information by poking around (Raymond).

MOOC: a new online medium for course delivery and learning. It enables thousands of learners to participate in the same course with high quality content and interactive tools for learning (http://mooconmooc.org).

OER: the simple and powerful idea that the world’s knowledge is a public good and that technology in general and the Worldwide Web in particular provide an extraordinary opportunity for everyone to share, use, and reuse knowledge (https://wiki.creativecommons.org/).

Script Kiddie: The lowest form of cracker; script kiddies do mischief with scripts and rootkits written by others, often without understanding the exploit they are using. Used of people with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well-known by the security community, the adverse impact of such actions is usually minimal (Raymond).

In the wild: refers to viruses or other malware that are actively circulating or actively infecting users' computers - as opposed to malware that exists in a laboratory testing environment only (About Tech http://ivirus.about.com/od/antivirusglossary/g/inthewild.htm).

References

Cyber Security and Universities: Managing the Risk (2013). Universities UK, Cyber Security Information Sharing Partnership. Retrieved from http://www.universitiesuk.ac.uk/highereducation/Documents/2013/CyberSecurityAndUniversities.pdf

The Impact of BYOD in Education (2013 and 2015). Retrieved from http://www.bradfordnetworks.com and interview with Jonathan Randall, Bradford Networks.

2600: The Hacker Quarterly. New York, www.2600.org

Academia EDU, San Francisco, www.academia.edu.

The Software Engineering Institute (CERT). Pittsburgh: Carnegie-Mellon University. www.cert.org.

The Internet Engineering Task Force (IETF). Fremont: Internet Society. www.ietf.org.

Scholars Portal. Toronto: Ontario Council of University Libraries. http://scholarsportal.info/

Basham, Matt (2007). Why Computer Security Courses Are Failing in Community Colleges and the Pitfalls to Avoid: A Retrospect of Seven Years of Being a Computer Security Educator. Journal of Security Education 2(4).

Burke, James (1999). The Knowledge Web. New York: Simon & Schuster.

Cardwell, Kevin. BackTrack - Testing Wireless Network Security. Birmingham: Packt Publishing, 2013.

Clemente, Nick (2007). System Hardening: The Process of Defending and Securing Today’s Information Systems. Journal of Security Education, 2 (4), 89-118.

DeLaat, Maarten and Fleur R. Prinsen (2014). Social Learning Analytics: Navigating the Changing Settings of Higher Education. Research and Practice in Assessment 9(1), 51-60.

Garfinkel, Simson with Gene Spafford (2002). Web Security, Privacy and Commerce. Sebastopol: O'Reilly & Associates.

Hall, Eric A. Internet Core Protocols. Sebastopol: O'Reilly & Associates, 2000.

Harris, Shon, Allen Harper, Chris Eagle, Jonathan Ness, and Michael Lesser. Gray Hat Hacking: The Ethical Hacker's Handbook. New York: McGraw-Hill/Osborne, 2005.

Himanen, Pekka. The Hacker Ethic. New York: Random House, 2001.

Kokhar, Rashid Hafeez, Md. Asri Ngadi and Safir Mandalat (2012). A Review of Current Routing Attacks in Mobile Ad Hoc Networks. International Journal of Computer Science and Security, 2 (3) 18-28.

Markham, Annette and Elizabeth Buchanan (2012). Ethical Decision-Making and Internet Research. Association Of Internet Researchers. Retrieved from http://www.aoir.org/reports/ethics2.pdf

Myers, M. D. “Qualitative Research in Information Systems,” MIS Quarterly (21:2), June 1997, pp. 241-242. MISQ Discovery, archival version, June 1997, http://www.misq.org/supplements/. Association for Information Systems (AISWorld) Section on Qualitative Research in Information Systems, updated version, last modified: February 3, 2015 www.qual.auckland.ac.nz

Pope, Julian (2015). “What are MOOC's Good For?” MIT Technical Review, Vol. 118 No. 1, 69.

Rasmussen, Rod (2011). The College Cyber Security Tightrope: Higher Education Institutions Face Greater Risks. Retrieved from http://www.securityweek.com.

Raymond, Eric. The Jargon File 2004. Retrieved from https://www.catb.org/jargon

Slade, Sharon and Prinsloo, Paul (2013). Learning analytics: ethical issues and dilemmas. American Behavioral Scientist (In press). Retrieved from The Open University http://oro.open.ac.uk

Souppaya, Muruguah and Karen Scarfone (2013). Guidelines for Managing the Security of Mobile Devices in the Enterprise. United States Department of Commerce, National Institute of Standardized Technology. NIST Special Publication 800-124.

Stoichev, Kiril (2014). Selection of an Alternative Method for Establishing Security Levels. Journal of Applied Security Research, 10, 48-59.

Waitoller, Fredrico R. and Alfredo J. Artiles (2013). A Decade of Professional Development for Inclusive Education: A Critical Review and Notes for a Research Program. Review of Educational Research, 83 (3), 319-356.

Valla, Sara (2014). A readiness gap for Opening Up education by OER and MOOC’s at the University? UniPR Co-Lab, Universitia di Parma. Retrieved from http://www.academia.edu.
