Cybersecurity Challenge tests software and hardware skills

The latest round of the Cybersecurity Challenge took place last weekend at the Blue Fin Building in London. The goal is to find those with the talent and skills to fill some of the demand for cybersecurity skills in the industry. Entrance to the grand final is by winning one of the regular competitions. BAE Systems and HMGCC sponsored this latest round.

There were 9 teams taking part with all bar one team having three members. Assessments looked at both technical and soft skills, including teamwork. This is important. Cybersecurity is no longer the province of the lone-wolf, anti-social individual. Today’s cybersecurity researchers have to be as comfortable with social engineering as they are with digging through code dumps. This is a skill that is sadly lacking in many security teams. It is something that companies need to address when they are building their security response team.

It was interesting to see a wide spread of ages involved. The youngest competitor was just 17 while the oldest was 56. All those we spoke to saw the competition as their route into a job in cybersecurity.

What do the contestants have to do?

The competition is scenario based with some interesting stretch goals. An unnamed country has invested heavily in a national 4G network. The country has also deployed a mobile banking app on a website which runs on the network. Hackers have compromised the app and replaced it with a malicious version which is being downloaded by users.

Teams begin by downloading the app with the goal of discovering the Command and Control (C&C) server. This means identifying the port over which it is communicating and the IP address it is using. This is a good practical test and an early opportunity to discover the limits of the technical skills and teamwork of the candidates. Once they have identified the data they have to make a presentation as part of their incident response. At this stage they do not do a security assessment of the app. That comes later as one of the stretch goals.

Another challenge involved a tablet computer with a compromised chip on board. Teams had to identify this issue and then write an app to discover more information about what the compromised chip allows. This is a very interesting challenge. The majority of chip design companies today are software companies. They design the chips but send them out to be manufactured. This means that there are many opportunities for hackers to insert modified code that would end up in the production chip.

Tapping the network was a real challenge

One of the interesting stretch challenges was the network tap challenge. This involved the need to intercept traffic between two network devices. The cables must not be disconnected from the devices or cut. To carry out the task teams have wire cutters, wire strippers, a network tap and an RJ45 cable. Once the network is tapped the teams were able to recover a passphrase being sent between the two devices. All of this had to happen inside 20 minutes.

The response of the teams was surprising. There was no Googling of the product details on the network tap. Teams even had to be reminded that there was more than one generation of RJ45 cable with different wiring options. For some teams this even meant pointing to what was written on the cable. The ‘guided’ walkthrough didn’t end there. Some teams struggled to work together. The fastest time was around 12 minutes with 2 teams failing to complete.

As an observer the task was simple to understand. A search for network tapping on Google brought up instructions and the correct wires for different RJ45 cables. There are obviously several network sniffers available on the market. A quick Google search turned up several walkthroughs. Installing a network sniffer on my laptop took just over a minute. Observer status meant not actually playing with the wires, but my best guess, including factoring in making a cup of tea, was that this should have taken no more than 5 minutes.

The need for people with hardware and software skills

Why have a hardware hacking test, especially as the teams struggled with it? The assessors wanted to see if people could think outside of a software challenge. The art of cable hacking and creating a hardware solution is apparently getting rare. This is creating a skills gap. Hackers are investing time in understanding the hardware especially as IoT continues to take off.

It also turns out that the teams didn’t perform as badly as it might appear. Despite running this as a directed test only two of nine teams failed the 20 minute limit. This is lower than normal and the assessors were broadly happy with this. It will be interesting to see if this opens the door for older IT staff to join cybersecurity teams.

Conclusion

The winning team and the top ten contestants as scored by the assessors have all progressed to the Masterclass in November. Interestingly the winning team, the Red team, contained just one of the top three contestants. Those progressing also include the oldest at 56 years of age and the youngest at 17 years of age. This is just what cybersecurity candidates need to realise. There is no ideal age group or generation.
