We spoke with Dr. Colin McLean of Abertay University, the man behind one of the world’s first ethical hacking courses. With more than 30 years of experience in the field, Dr. McLean is now training the next generation of penetration testers.
From the personal characteristics that define a hacker’s success to the potential of AI to revolutionise the industry, we discussed the future of penetration testing and the skills it requires.
NordVPN: You developed the first ethical hacking degree back in 2006. What motivated you to start the course?
Dr. Colin McLean: In 2005, I was the academic lead in a government-funded project involving Abertay University and NCR R&D in Dundee. The outcome of the project was the first risk analysis of an NCR ATM. In order to imagine all the possible attacks, my role involved thinking like a hacker and demonstrating practical attacks in the ATM labs. At the end of a demo, I was asked whether I had any graduates who had these offensive skills.
This planted the seed for the Ethical Hacking course and we released it the following year.
N: What do you think makes a good penetration tester?
Dr. McLean: As far as core knowledge for an ethical hacker is concerned, the basics of any computer science degree are required. The basics of programming, system internals, operating systems principles, computer networking and TCPIP are required to be known and understood. As far as practical skills are concerned, I think an ethical hacker should have excellent experimentation and “think outside the box” skills. In order to develop these skills, at Abertay we try to incorporate case study and individual project work in most of our modules.
N: You contributed to research in 2016 suggesting that certain “autistic traits” may be beneficial for hackers. Beyond technical proficiency, what other personal and mental traits do you think are advantageous for ethical hackers and penetration testers?
Dr. McLean: The paper actually illustrated that autistic traits are a feature of many ethical hackers. Many of our students are someplace on the autistic spectrum and also many people I have met at conferences have the same type of traits. Some of the best ethical hackers I know have a gritty determination to solve problems and many would also rate their hobby as hacking. In summary, a deep interest is beneficial.
“Although technology will give us tools to partially mitigate hacking, it wouldn’t be a wild prediction to say that developers, sysadmins, and users will be making mistakes for years to come. These mistakes will obviously lead to security issues and successful attacks.”
N: What do you think employers are looking for when they consider hiring a penetration tester?
Dr. McLean: Several of my graduates have come back to Abertay looking to recruit. The main aspects of what they seem to be looking for are perhaps as expected – technical skills and enthusiasm. However, communication skills are often mentioned as being vital. For example, penetration testing companies make their money when they hand over a report and being able to effectively communicate the results is a very important aspect of an ethical hacker’s role.
N: Where do you think there is the most demand for ethical hacking right now?
Dr. McLean: The demand for our graduates has come from many different areas. Many of our graduates have taken jobs as penetration testers but over the last 5 years or so, there has been an increase in them undertaking defensive roles. Understanding the hacking process is vital to being good defensively.
Generally, someone going into a company at entry-level will be trained in that job. We advise our students to get a general knowledge and skillset but to also specialise in an area that interests them. The premise being that if someone can own a particular subject area then they are capable of learning anything that is presented to them.
N: Will AI and deep-learning systems trained to identify cybersecurity threats and weaknesses ever lower or eliminate demand for human penetration testers?
Dr. McLean: There has been some fantastic work done by researchers to try to eliminate security issues. It is not difficult to conclude that in the future, technological solutions will obviously reduce any security issues. I certainly don’t see the human factor being eliminated for some time. There will still be software bugs and zero days, misconfigurations, and social engineering for the foreseeable future.
Although technology will give us tools to partially mitigate hacking, it wouldn’t be a wild prediction to say that developers, sysadmins, and users will be making mistakes for years to come. These mistakes will obviously lead to security issues and successful attacks.
N: Besides courses like yours, are there other viable entry-points to the industry for an aspiring ethical hacker?
Dr. McLean: There is more than one way of cracking a nut. Some of the biggest names in ethical hacking do not have a degree so it is obviously not compulsory. A degree offers a broad-based and structured learning path into the industry. However, I know several companies who also provide excellent training that achieves the same goal. Although rare in my experience, some people are capable of personal research and development that makes them suitable for the industry.
N: What advice would you give someone who may be considering pursuing a career in ethical hacking and has yet to take the first step?
Dr. McLean: To be successful in the security industry, the ability to problem solve and self-learn are essential. For technical roles, I would recommend researching areas of interest and also improving practical and experimental skills. For those more interested in human factors, psychology is a fascinating area for research. My advice for anyone applying for a job in the areas is to show enthusiasm, knowledge of at least one area, and a willingness to research.
Check out our video on ethical hackers below.
Staying secure with NordVPN
While businesses can hire professional penetration testers to make sure their networks are protected, what can individuals do for their own security? A good first step is personal encryption, available through a VPN, or virtual private network.
If hackers access your router, they can spy on your data. Your passwords and payment information could be stolen by cybercriminals, and if you use any kind of public Wi-fi, the risks are compounded. With NordVPN on your device, you can encrypt your browsing activity and protect yourself from prying eyes.
One NordVPN account will cover up to six devices, ensuring that you always have access to high-quality encryption wherever you go. Take control of your internet security today with the click of a button.
NordVPN also has the Threat Protection feature that helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.
We’re always looking for talented ethical hackers and penetration testers to help make NordVPN even stronger. Check out our bug bounty program on HackerOne.