CRC was originally designed by Symantec for in-house training, but later evolved into a global open competition. It started from a specially developed infrastructure that could be used for attack training and monitoring, and is now the centerpoint of a global competition. Prizes, according to the CRC rules, “are awarded based on completing each IT security task and are accumulative during the Challenge. The top three (3) participants with the highest number of total points at the end of the Challenge are eligible to win the following prizes:” $2500 Visa gift card (1st), $750 (2nd) and $500 (3rd).
“We’ve built an infrastructure that allows competitors to act like hackers and try to break in,” Symantec's Sian Jones explained to Infosecurity Magazine. “Competitors connect into the infrastructure and have to perform various tasks to capture various flags. There are hints or clues that can be taken in the process, but each hint used will reduce the competitor’s final score.Basically, whoever captures the most flags on the day will win this stage of the competition,” and be invited to the next stage and on to the final competition against the world’s elite.
The competition is open to anyone attending Infosecurity Europe, whether professionals in the security industry or just interested parties. Headphones are available with a running commentary for those who aren’t competing, and an electronic scoreboard will show how the competition is progressing. “There are some rules,” said Sian, “for example, hacking the scoreboard will lead to praise and instant disqualification – and we’ve had that happen internally although not yet externally. Nor can you attack the infrastructure itself,” she added; “the challenge is to hack within the infrastructure.” That aside, competitors can pretty well do what they want – just like genuine hacking. They can bring their own tools or employ anything – like Metasploit and BackTrack – that they can find on the internet. “In fact,” said Sian, “we encourage it. The tools will get you so far, but you need to know how to use them.”
CRC differs from the Cyber Security Challenge UK competitions. The latter aims to seek out and attract talent into the industry. CRC, however, aims to raise awareness of attack techniques for those that are likely already security professionals. “What we’re trying to do is raise the awareness of people involved in security on how hacking and pen testing actually works,” Sian told Infosecurity. “If you’re a techie, you can sit down and have a go; if you’re not, we’ve got head phones at the back where you can receive a running commentary on the progress of the competition. People can listen in and get talked through some of the processes being used by the competitors.”