ETHICAL HACKING AND PENTESTING - 2024/5
Module code: COM3031
Module Overview
This module introduces students to the techniques and tools to discover known vulnerabilities in systems and applications, and use appropriate techniques to carry out attacks. A practical project-based assessment allows students to demonstrate their ability to successfully exploit vulnerable systems to exfiltrate data and circumvent access controls. The module will introduce students to the legal and ethical considerations of ethical hacking, as well as the processes by which vulnerabilities are reported, classified, documented, and mitigated by security practitioners.
Module provider
Computer Science and Electronic Eng
Module Leader
FRYMANN Nick (CS & EE)
Number of Credits: 15
ECTS Credits: 7.5
Framework: FHEQ Level 6
Module cap (Maximum number of students): N/A
Overall student workload
Independent Learning Hours: 82
Lecture Hours: 24
Laboratory Hours: 22
Guided Learning: 11
Captured Content: 11
Module Availability
Semester 2
Prerequisites / Co-requisites
None
Module content
Indicative content includes:
- an introduction to the terminology used in ethical hacking and pentesting;
- legal and ethical considerations, management and mitigation of vulnerabilities;
- classification, disclosure, and documentation of known vulnerabilities, and the CVE programme;
- common web security exploits, primarily server-side vulnerabilities, such as SQL injection, cross-site request forgery and cross-site scripting, and the OWASP Top 10;
- exploits in software security, such as buffer overflows and format-string flaws;
- malware, flawed cryptography, and human error leading to vulnerable systems; and,
- case studies on real-world attacks, such as Heartbleed and Spectre/Meltdown: their classification, impact, disclosure, and mitigation.
Assessment pattern
Assessment type | Unit of assessment | Weighting |
---|---|---|
Coursework | Individual Coursework | 50 |
Examination | Invigilated Exam (2hrs) | 50 |
Alternative Assessment
N/A
Assessment Strategy
The assessment strategy is designed to provide students with the opportunity to demonstrate all the learning outcomes of this module.
Thus, the summative assessment for this module consists of:
- an individual coursework consisting of a selection of vulnerable applications and systems, which require that students discover and exploit their flaws, gaining access to their unique flag, and documenting their findings, to assess LOs 1 and 2; and,
- an invigilated exam, assessing students' understanding of the broader context of ethical hacking and pentesting, its legal and ethical considerations, as well as the classification, impact, mitigation and disclosure of vulnerabilities, exemplified through case studies, in order to address LOs 3 and 4.
The formative assessment and feedback for this module consists of:
- quizzes to assess the understanding of key concepts and provide immediate feedback;
- PollEverywhere offering formative feedback opportunities during lectures;
- general feedback provided to support student learning;
- verbal feedback given in lab sessions as students attempt the lab exercises; and,
- an online discussion forum for providing feedback to students, to support the module material and coursework project.
Module aims
- Explore various techniques and tools for identifying vulnerabilities and carrying out attacks
- Understand how vulnerabilities are documented, classified and exploited
- Introduce key terminology and understand legal considerations in ethical hacking
- Investigate and analyse systems and networks to discover known vulnerabilities and evaluate the security of these systems
- Gain an appreciation for mitigating vulnerabilities and their impact on real-world systems through the use of case studies
Learning outcomes
Ref | Learning outcome | Attributes Developed |
---|---|---|
001 | Analyse and identify vulnerabilities in systems and applications using suitable tools and methods | CKP |
002 | Demonstrate the ability to systematically carry out attacks against common vulnerabilities by applying appropriate techniques | KPT |
003 | Understand the processes by which vulnerabilities are disclosed, categorised, and mitigated | CKT |
004 | Identify the legal and ethical principles that underpin ethical hacking, penetration testing, and their implications | CK |
Attributes Developed
C - Cognitive/analytical
K - Subject knowledge
T - Transferable skills
P - Professional/Practical skills
Methods of Teaching / Learning
The learning and teaching strategy is designed to encourage a broad understanding of concepts and techniques in ethical hacking and penetration testing. It is designed to:
- help students appreciate the importance of legal and ethical considerations of vulnerability discovery, exploitation, and disclosure;
- explain terminology used in ethical hacking, as well as introduce a range of tools used to systematically undertake penetration testing;
- enable students to identify appropriate techniques to use in carrying out attacks on known vulnerabilities in systems and applications; and,
- demonstrate and exemplify the impact of real-world vulnerabilities and their mitigation through the use of real case studies.
The lectures provide an introduction to the core concepts, which are reinforced through examples and activities. Students will apply their knowledge in the practical lab sessions.
Thus, the learning and teaching methods consist of:
- lectures (including a revision lecture);
- laboratory sessions comprising practical hands-on activities;
- captured content, to complement the laboratories; and,
- guided learning, to complement the taught materials.
Students will also undertake independent study to reinforce understanding of the module content and lab sessions. It will allow for time to read supporting textbooks, work through additional exercises, prepare for the examination, and complete the coursework.
Indicated Lecture Hours (which may also include seminars, tutorials, workshops and other contact time) are approximate and may include in-class tests where one or more of these are an assessment on the module. In-class tests are scheduled/organised separately to taught content and will be published to students' personal timetables, where they apply to taken modules, as soon as they are finalised by central administration. This will usually be after the initial publication of the teaching timetable for the relevant semester.
Reading list
https://readinglists.surrey.ac.uk
Upon accessing the reading list, please search for the module using the module code: COM3031
Other information
Digital Capabilities
Security is a key component of modern networked computer systems. Students will demonstrate the ability to identify and exploit security vulnerabilities using a number of digital techniques and tooling. This provides students with digital capabilities and technical skills that are directly applicable to industry.
Employability
Students will gain valuable skills sought out by employers looking for cyber security experts and security practitioners. In this module, students are equipped with the theoretical understanding and analytical problem-solving skills that allow them to systematically discover security flaws in often-critical computer and networked systems.
Global and Cultural Skills
Computer Science is a global language and the tools and languages used on this module can be used internationally. This module allows students to build skills that will allow them to evaluate the security of computer systems with global reach and collaborate with their peers around the world.
Resourcefulness and Resilience
This module teaches both the theory and practical skills to allow students to identify and exploit vulnerable systems using a range of techniques and approaches, with a view to improving the security of global systems. It provides the tools to reason about the security of software systems and to work towards the resilience of these systems by identifying and patching vulnerabilities.
Programmes this module appears in
Programme | Semester | Classification | Qualifying conditions |
---|---|---|---|
Computing and Information Technology BSc (Hons) | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module |
Cyber Security MSc | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module |
Cyber Security with Professional Postgraduate Year MSc | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module |
Computer Science BSc (Hons) | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module |
Computer Science MEng | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module |
Information Security MSc | 2 | Optional | A weighted aggregate mark of 40% is required to pass the module |
Please note that the information detailed within this record is accurate at the time of publishing and may be subject to change. This record contains information for the most up to date version of the programme / module for the 2024/5 academic year.