FOR - Prof. Ken Bahn, James Madison University
At first sight, teaching security professionals how to hack into a computer system in an academic lab environment looks like good practice. But when you consider exactly what is being taught and to whom, it becomes harder to justify.
Security professionals already possess ample knowledge about computer networks and most likely have the skills to cause havoc for their organization. Therefore, the costs and the benefits of teaching hacking skills should be present in the minds of people developing this specialized curriculum.
Consider this: teaching hacking skills to security professionals should never be done in isolation, and needs to be done within a moral framework.
Placing unethical skills in the hands of security professionals could have a devastating effect to all organizations in which those professionals do business. Therefore, the caveat for those institutions teaching hacking skills is that a strong dose of ethics must accompany these courses.
AGAINST - Ralph Echemendia, Intense School
Ethical hacking, or penetration testing, is a crucial aspect of risk assessment and mitigation for every corporate IT system. Organizations must test and implement security solutions with the mindset of an attacker in order to understand the strengths and weaknesses of the IT system.
Ethical hacking courses pay off on a regular basis, for CTOs who use the information to make better security decisions, to system and network administrators who use the techniques learned to test the configuration of network applications and devices.
Corporations can make significant savings by utilizing security testers internally, rather than outsourcing to a large auditing firm. Automated testing tools are an important part of a security tester's arsenal, but there is no replacement for a trained, skilled person who can correlate data, identify false positives and perform analysis and determine the correct countermeasures.
The future of information security is a kind of arms race, and we in the training business are arming organizations to consistently and vigilantly protect themselves.