Ethical Hacking Degrees – the good, the bad, the ugly


I often get emails (yes, people actually email me) around September time from young students who have come across this blog wanting to know more about doing Ethical Hacking at university level. I am writing this blog post in part to prevent myself from asking these young people for money for my time in replying to all of their questions. Also there seems to be a lot of misinformation about doing degrees related to computer/information security within the community.

Now, you may be thinking… Ryan has invested countless thousands of pounds and four years of his life to his Ethical Hacking degree so he is bound to be biased. Well, I guess if I wasn’t a little biased then I wouldn’t be human, but I am going to try to be as honest as possible.

Ethical Hacking or Information Security or Computer Security or Network Security… are all included within titles of university level undergraduate degrees within the UK. What they title their courses, and whether or not you agree with the use of certain terms within their titles, is irrelevant, as they are all attempting to teach the same things.

Often the question I get from prospective students is, should I do a degree in Ethical Hacking?

I cannot answer this question. The answer is completely individual. I can only answer for myself. For me, at least, it was the right decision. I did not finish secondary school for various reasons; from the age of 15 I had worked in undesirable jobs with little career prospects. I had always been interested in computers and especially the security aspect of them. After being declined for lack of qualifications, further pestering got me a seat on the course at the age of 21.

For me, university was a chance to gain an education in a subject I was passionate about and related to the career path I wanted to take. I doubt I would have gone to university if it was not for the specialised degree in information security. I did not know that a career in this field was even viable until I had seen the course advertised.

If I could turn back time, knowing what I know now, would I still enroll on the Ethical Hacking for Computer Security degree from Northumbria University? Yes, I would.

Sure, I have had my doubts over the four year sandwich course, but don’t all students have these doubts now and then?!

OK, so now moving away from personal reasons to actual content.

If you are leaving college at 17, choosing the Ethical Hacking degree because you think ‘it sounded cool’ and expect to be a 1337 h@x0r within four years, then, I am sorry, this course is not for you. Go and waste 4 years doing a degree in [INSERT_UNDESIRABLE_DEGREE_HERE].

If you are interested in computing and security and expect to learn everything there is to know about computer security within 4 years, you will soon be moaning you are not learning enough! [insert baby cry here]

You make your degree. You can’t expect to be spoon fed. Take responsibility for your own learning.

I agree, the content of the course is far from perfect, can be disorganised, can be a little ‘n00bish’ at times. Going over Nmap, Metasploit and ‘famous’ hackers’ exploits over and over again is shitty, boring and useless. But, from my experience as these degrees are new, they are *very* flexible at taking on student feedback. Tell them what you want to be taught! They won’t teach it?! Teach yourself!

People have the misconception that Ethical Hacking degree modules are all security related; this is untrue. On my degree at least, we have networking, programming, business consulting, relational databases, computer system fundamentals, modern communication systems, forensics and others. These are all modules which are shared with other students on other degrees such as Networking or Computer Science. In essence my Ethical Hacking degree is like a Computer Science degree with security tacked on the side. (some will disagree)

If your career path is to be a security professional then I would do an Ethical Hacking degree over a Computer Science degree if the option is available to you. Like any security professional, do not expect to sit in a class room from 1pm till 3pm 4 days a week and expect to be writing custom exploits within 2-3 years. Security is a passion, not a job.

Admittedly it’s not for everyone, but I can say with my hand on my heart, that it was the right decision for me.

My degree: http://www.northumbria.ac.uk/?view=CourseDetail&code=UUSETH1

My modules: http://www.northumbria.ac.uk/?view=CourseDetail&code=UUSETH1&page=modules

18 thoughts on “Ethical Hacking Degrees – the good, the bad, the ugly”

  1. Dale Pearson

    A great post and well thought out.
    Like you say, people need to make their own choice in life, and don't expect to be spoon fed.
    Any degree is what you make it. The one advantage of Infosec is the community is mostly helpful, except for some of the elite who think everyone is below them; however, it is still important to fact check and make your own opinion.
    From the InfoSec courses I have reviewed and made recommendations on, I do worry that there is the expectation some of these people will walk into a top notch security role. These things take time, progression, exposure, and a reality check.

  2. Christian G

    Hi,
    nice article, enjoyed reading it. “Tell them what you want to be taught! They won’t teach it?! Teach yourself!” << this is such a pretty good point.
    I figured out for myself, learning something for yourself is, most of the time, more effective than just being 'passive' like in school/lectures :-)
    Regards
    Chriss

  3. Gillis

    Great article, wish I could articulate this point on a regular basis with those around me. If you don’t love security, you will quickly grow tired of it.

  4. RobertM

    re:”you will soon be moaning you are not learning enough”

    Ain’t that the truth! Security involves knowing something about everything because the attack vectors are so vast.

  5. Sh3llc0d3

    I’ve accepted an offer onto this course (at Northumbria) and it’s nice to hear (being an older student) that people with a mature attitude towards these degrees such as yourself are on these courses and not just people thinking it sounds cool. Ironically I know people who are doing it for those reasons (which annoys me).

    It’s taken me a lot of ‘self-study’ to get to the point I am now, legitimate pen-testing career here I come!

    Great post and great site mate

  6. DjSatansfur3h

    I’m very grateful for you taking out the time to respond to my email a few months ago. It was most informative, as is this post.

  7. ForHacSec.com

    This article is all too familiar. I’m currently studying Digital Forensics and Ethical hacking elsewhere in the North East and often come into contact with people who are needing/wanting to be spoon fed with very little effort or interest of their own.

    People have to realise, you have to buy the books, attend the seminars and conferences and read the news as opposed to just expect to get all the answers during the few days you're on campus and simply forget you're at Uni at all the rest of the time and then switch back on again.

    You're right, security is a passion.

  8. thiefcraft

    While I am not heavily critical of the courses themselves, I feel that computer security is a field that maybe does not lend itself well to the way in which the ‘Education System’ works, they like to teach courses based on materials, for a lot of industries these real ‘basics’ do not often change, but with computers their trends and uses are subject to more rapid change due to trends, real industry is based on the trade of ‘physical’ objects, computing is more like a trade of ideas and logical constructs, and these are not subject to the same kind of physical limitations as real products. Of course there is a hardware aspect, but as a computer is really just a maths sandbox where you can do the calculations that you want, then running things through different processes can vastly change how and when they are implemented.
    For example, the rapid increase of people using web-apps based on SQL databases has caused SQL injection to rise to one of the most well known attacks today.
    The truth is that these courses should never really try to teach you any live hacks, they can show you them so you can get your hands dirty (I think experience in the field helps solidify theoretical understanding better than any amount of reading), but what they should really be allowing you to understand is exactly what these vulnerabilities are, they are loopholes in logic. Instead of teaching us how to buffer overflow, or XSS, the real key knowledge is understanding *why* they work as this is more valuable than just how to patch this instance and/or what pre-built exploit module to run against it.

    In before tl;dr. Peace out.

    - thiefcraft

  9. Pingback: Ethical Hacking Degrees – the good, the bad, the ugly | National Cyber Security

  10. harikishore

    I want to do an ethical hacking degree. I completed SSLC and diploma was discontinued… please contact me by mobile number-9449880948;9916416947

  11. bob

    Interesting post. I know this is quite subjective, but if you had the chance of either doing this degree again, or doing security focused certs, CISSP, CEH, SANS etc to the same level financially which do you think (gut feeling if you haven’t done any of the other certs, and excluding the UNI ladies) is better?

  12. Ryan

    @bob

    Personally, I don’t know if I would have done many certs if I didn’t need to do them, i.e. be in a class room and have a schedule. Again, personally before uni I wouldn’t have been able to afford a CISSP or a SANS, my uni degree was completely funded by a government loan. (side note: CEH is a complete shambles which I got offered to do for free but it’s so crap I declined)

    From a purely learning point of view, would you learn more at uni or through certs? I’d say that you probably would learn more about security through certs but I think uni is useful for non-security knowledge as well as it starts with the basics of programming, networking, computing, communication systems, business consulting, etc.

    Most of my time at university I was employed (in a security job I managed to land after starting uni) but only worked 1 or 2 days per week which left me a lot of time to pursue a lot of self learning and work on large personal projects which contributed to my learning.

    It’s a very difficult question to answer and depends on your own situation. I was young, no kids and in very low paying work with little career prospects. If I was already employed in IT, was older and already had an established career I might have gone the cert route.

  13. bob

    Thanks for taking the time Ryan. It’s not for myself but have been speaking to a number of young people who are interested in infosec and not sure what path to take, your response will be very relevant. Appreciate CEH is not the best, (hold it having done it cheaply) it’s a starting block none the less, and SANS stuff is anything but cheap if you go via the commercial route. Thanks once again.

  14. Chris

    This is a very nicely written article. I am just starting out with Information Security / Ethical Hacking. I love the security aspect of computing. I just recently earned my certification as an Ethical Hacker through EC-Council, along with Computer Hacking Forensic Investigator, and Certified Security Analyst. I had thought that once I had gotten these certifications I would be able to walk into a job no problem doing Infosec. I was, however, completely wrong. I have knowledge of how things are done and some of the tools that are used for pen testing, but I am in no way a hacker. I wish anyone luck that is passionate about this field. Those that are not will not get very far.

