At the end of last year, Edinburgh Napier University student Charlie Hosier was named the 2018 winner of the Cyber Security Challenge. Infosecurity caught up with him after the event awards evening to talk about being involved in the Challenge, and his career aspirations for the future.
How did you get involved in the Cyber Security Challenge in the first place?
I first got involved with the Cyber Security Challenge when the previous president of ENUSEC (Edinburgh Napier’s cybersecurity society) – which I am now vice-president of – wanted to send a team of first-year students to the Cyber Security Challenge Scottish Universities competition. As I previously had an interest and a little bit of experience, me and three others were chosen to go to Glasgow and compete on behalf of the university.
This was the first onsite competition I had been to and we actually surprised ourselves and came third. This was when I really wanted to continue competing at the Cyber Challenge events. It was such a good atmosphere and I learned a lot from other people. I also felt that there wasn't a sense of elitism which you find at other competitions. Here everyone seemed to speak to each other and it didn't matter if you were a first-year student or doing your PhD, no one judged anyone else which I feel is a reflection of the industry.
Do you feel the challenge, and your university course, are preparing you with the skills to take on a job?
Yes, absolutely. In the time that I have spent competing in challenge events, I have had exposure to lots of different scenarios that I would not have been able to experience otherwise. The challenge has given me the opportunity to experience what a blue team scenario is like, improve on my knowledge regarding infrastructure and experiment with tools and equipment that I would not have had the opportunity to experiment with elsewhere.
The competitions often place you in situations which you are not expecting, and you have to come up with a solution immediately and think on your feet, which I feel really reflects what it is like in a job, and has given me some exposure to an actual job in cybersecurity. Currently, my course has not specialized in any security yet – we looked a little into secure coding, but so far my course has given me a really strong foundation which I feel is important in this industry.
If you don't understand the fundamentals and how the technology works, to progress and do anything with the technology is extremely difficult. Previously before my course, I had never looked at languages such as C and C++. After doing a module on these I feel I understand memory management a lot more, therefore exploit development has become a lot easier. By having a strong foundation and understanding of how things work I am gaining what I need to build my knowledge and skills set so that when I go into the industry I will have a strong foundation to expand on.
Have you done any work experience in cybersecurity? If so, where?
So far I haven't done any work experience in cybersecurity. I am a hobbyist Bug Bounty hunter and slowly finding more vulnerabilities and following organizations’ responsible disclosure policies. This is giving me some experience in security research and writing reports. However, it can be quite difficult to fit this in around university.
I have done casual work for my university and earlier this year I helped one of my friends with part of their internship and we went to London to deliver a workshop on cybersecurity to a secondary school. I am, however, really looking forward to next year when I will be participating in a year-long placement at NCC Group, as this will give me lots of experience in the industry and allow me to learn lots about security and industry.
At university, you're part of the Hacking Society - was this important to you in getting experience of working in a team and sharing knowledge and ideas?
I feel my experience in the cybersecurity society has been really helpful in giving me insight into how to work in a team. I have now been part of the committee for around four months where we organize events and run workshops.
It has been really important to communicate with the members as well as the other people in the committee in order to retain the success of the society. I feel being part of a community is really important: it gives you the opportunity to share ideas and learn from others.
By sharing ideas, this improves on your ability to communicate to people and make sure that they understand what you are saying. I think because of this, and also my other experiences in teaching, it has helped a lot. Particularly in the Cyber Challenge Masterclass, where I made it my role to ensure everyone in the team knew what they and everyone else in the team were doing.
Have you been involved with local DEFCON groups, or any ‘professional’ meet-ups?
I regularly attend meetups. Living in Edinburgh is brilliant as there is always meet-ups and events happening. I regularly attend Edinburgh 2600, Security Scotland and also the Edinburgh OWASP chapter meet. These are great events where I can speak to professionals and the talks are also really good.
My plan is to one day talk at one of these meetups. Other than meetups I try and attend as many security conferences as possible. I have been to a few BSides events and also attended Black Hat EU multiple times which is a phenomenal conference. One day I wish to go to DEFCON in Las Vegas.
Do you know what kind of career you are looking for at this stage?
At this point, I am unsure of the kind of career I want to go into. Obviously, it will be in cybersecurity, but I don't feel I have enough experience to decide between red team or blue team. The small amount of forensics I have done I have found really interesting, however I don't feel I have done enough of it.
The same goes for malware analysis and reverse engineering. In theory, it sounds really exciting and interesting, however I don't have the experience to say that's what I want to do in the future. I probably have more experience at pen testing and the offensive side of security due to it being a lot more accessible.
There are many online resources which allow you to practice these skills. I think for now the best thing for me is to keep my options open and just try and get involved with as much as possible. This way I will meet different people and be able to learn more about different career paths and what is possible.
Finally, how did it feel to win the Cyber Security Challenge in 2018, and what did you get as a prize(s)?
It was amazing. I was lost for words and so grateful for the opportunity. When they announced me as the winner it was really overwhelming, I had people coming up and congratulating me and I was able to meet all sorts of people from lots of different companies and professions.
The whole competition was so rewarding. For the past year, I had worked really hard and spent so much time researching security techniques and completing projects. It was really nice to feel like the hard work had paid off. The prizes I won were also amazing, tickets to BlackHat EU 2018, Crestcon, I even won a SANS course of my choice which is going to be extremely beneficial and I am really grateful for. These were only a few of a number of prizes I won, which are all brilliant!
Charlie Hosier is Vice President of the Cyber Security Society ENUSEC where he runs workshops, competes on behalf of the society and also helps organize events. He has competed for the UK in the European Cyber Security Challenge 2018 where the UK came third. More recently he became the Cyber Security Masterclass Champion. Charlie often takes part in bug bounty programs and frequently engages in his own research. If he is not hacking computers you will find him climbing up walls as he is an avid climber.