ETHICAL HACKING AND PENTESTING - 2024/5

Module code: COM3031

Module Overview

This module introduces students to the techniques and tools to discover known vulnerabilities in systems and applications, and use appropriate techniques to carry out attacks. A practical project-based assessment allows students to demonstrate their ability to successfully exploit vulnerable systems to exfiltrate data and circumvent access controls. The module will introduce students to the legal and ethical considerations of ethical hacking, as well as the processes by which vulnerabilities are reported, classified, documented, and mitigated by security practitioners.

Module provider

Computer Science and Electronic Eng

Module Leader

FRYMANN Nick (CS & EE)

Number of Credits: 15

ECTS Credits: 7.5

Framework: FHEQ Level 6

Module cap (Maximum number of students): N/A

Overall student workload

Independent Learning Hours: 82

Lecture Hours: 24

Laboratory Hours: 22

Guided Learning: 11

Captured Content: 11

Module Availability

Semester 2

Prerequisites / Co-requisites

None

Module content

Indicative content includes:


  • an introduction to the terminology used in ethical hacking and pentesting;

  • legal and ethical considerations, management and mitigation of vulnerabilities;

  • classification, disclosure, and documentation of known vulnerabilities, and the CVE programme;

  • common web security exploits, primarily server-side vulnerabilities, such as SQL injection, cross-site request forgery and cross-site scripting, and the OWASP Top 10;

  • exploits in software security, such as buffer overflows and format-string flaws;

  • malware, flawed cryptography, and human error leading to vulnerable systems; and,

  • case studies on real-world attacks, such as Heartbleed, Spectre/Meltdown: their classification, impact, disclosure, and mitigation.


Assessment pattern

Assessment type | Unit of assessment | Weighting
Coursework | Individual Coursework | 50
Examination | Invigilated Exam (2hrs) | 50

Alternative Assessment

N/A

Assessment Strategy


The assessment strategy is designed to provide students with the opportunity to demonstrate all the learning outcomes of this module.

Thus, the summative assessment for this module consists of:


  • an individual coursework consisting of a selection of vulnerable applications and systems, which require that students discover and exploit their flaws, gaining access to their unique flag, and documenting their findings, to assess LOs 1 and 2; and,

  • an invigilated 2-hour exam, assessing students' understanding of the broader context of ethical hacking and pentesting, its legal and ethical considerations, as well as the classification, impact, mitigation and disclosure of vulnerabilities, exemplified through case studies, in order to address LOs 3 and 4.



The formative assessment and feedback for this module consists of:


  • quizzes to assess the understanding of key concepts and provide immediate feedback;

  • PollEverywhere offering formative feedback opportunities during lectures;

  • general feedback provided to support student learning;

  • verbal feedback given in lab sessions as students attempt the lab exercises; and,

  • an online discussion forum for providing feedback to students, to support the module material and coursework project.



Module aims

  • Explore various techniques and tools for identifying vulnerabilities and carrying out attacks
  • Understand how vulnerabilities are documented, classified and exploited
  • Introduce key terminology and understand legal considerations in ethical hacking
  • Investigate and analyse systems and networks to discover known vulnerabilities and evaluate the security of these systems
  • Gain an appreciation for mitigating vulnerabilities and their impact on real-world systems through the use of case studies

Learning outcomes

Ref | Learning outcome | Attributes Developed
001 | Analyse and identify vulnerabilities in systems and applications using suitable tools and methods | CKP
002 | Demonstrate the ability to systematically carry out attacks against common vulnerabilities by applying appropriate techniques | KPT
003 | Understand the processes by which vulnerabilities are disclosed, categorised, and mitigated | CKT
004 | Identify the legal and ethical principles that underpin ethical hacking, penetration testing, and their implications | CK

Attributes Developed

C - Cognitive/analytical

K - Subject knowledge

T - Transferable skills

P - Professional/Practical skills

Methods of Teaching / Learning

The learning and teaching strategy is designed to encourage a broad understanding of concepts and techniques in ethical hacking and penetration testing. It is designed to: 


  • help students appreciate the importance of legal and ethical considerations of vulnerability discovery, exploitation, and disclosure;

  • explain terminology used in ethical hacking, as well as introduce a range of tools used to systematically undertake penetration testing;

  • enable students to identify appropriate techniques to use in carrying out attacks on known vulnerabilities in systems and applications; and,

  • demonstrate and exemplify the impact of real-world vulnerabilities and their mitigation through the use of real case studies.



The lectures provide an introduction to the core concepts, which are reinforced through examples and activities. Students will apply their knowledge in the practical lab sessions.

Thus, the learning and teaching methods consist of:


  • 24 hours of lectures, two hours per week (including revision lecture);

  • 22 hours of laboratory sessions comprising practical hands-on activities, two hours per week;

  • 11 hours of captured content, one hour per week to complement the laboratories; and,

  • 11 hours of guided learning, one hour per week to complement the taught materials.



Students will also undertake independent study (82 hours) to reinforce understanding of the module content and lab sessions. It will allow for time to read supporting textbooks, work through additional exercises, prepare for the examination, and complete the coursework.

Indicated Lecture Hours (which may also include seminars, tutorials, workshops and other contact time) are approximate and may include in-class tests where one or more of these are an assessment on the module. In-class tests are scheduled/organised separately to taught content and will be published on to student personal timetables, where they apply to taken modules, as soon as they are finalised by central administration. This will usually be after the initial publication of the teaching timetable for the relevant semester.

Reading list

https://readinglists.surrey.ac.uk
Upon accessing the reading list, please search for the module using the module code: COM3031

Other information

Digital Capabilities

Security is a key component of modern networked computer systems. Students will demonstrate the ability to identify and exploit security vulnerabilities using a number of digital techniques and tooling. This provides students with digital capabilities and technical skills that are directly applicable to industry.

Employability

Students will gain valuable skills sought out by employers looking for cyber security experts and security practitioners. In this module, students are equipped with the theoretical understanding and analytical problem-solving skills that allow them to systematically discover security flaws in often-critical computer and networked systems.

Global and Cultural Skills

Computer Science is a global language and the tools and languages used on this module can be used internationally. This module allows students to build skills that will allow them to evaluate the security of computer systems with global reach and collaborate with their peers around the world.

Resourcefulness and Resilience

This module teaches both the theory and practical skills to allow students to identify and exploit vulnerable systems using a range of techniques and approaches, with a view to improving the security of global systems. It provides the tools to reason about the security of software systems and to work towards the resilience of these systems by identifying and patching vulnerabilities.

Programmes this module appears in

Programme | Semester | Classification | Qualifying conditions
Cyber Security MSc | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module
Cyber Security with Professional Postgraduate Year MSc | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module

Please note that the information detailed within this record is accurate at the time of publishing and may be subject to change. This record contains information for the most up to date version of the programme / module for the 2024/5 academic year.