Capture the Flag competitions are a feature of many conferences, where teams compete to score the most points by combining attack and defense skills.
One such competition was held by Cyber@UC, the official student-led Information Security OWASP Organization for the University of Cincinnati. A division of an OWASP chapter, it has enabled members to learn new skills, attend conferences and visit companies in the Cincinnati area.
President and Founder AJ Cardarelli said “the main goal is to educate our members and the community on cybersecurity” and he talked to Infosecurity about the group’s aims and where its members come from.
Is it important to develop offensive security tactics as well as defensive ones? Can events such as hackathons teach you both sides?
I believe that to have a good understanding of the defensive side of cybersecurity you really need to know what attacks you are defending against.
There are two tactics that go into creating a secure digital environment. On one side, you have intrusion detection systems that play the role of looking for indicators of compromise (IOCs). Suricata is a popular one for network intrusion detection. Yara can be used to detect malicious files; Cuckoo can be used to tie these tools together to sandbox files to get a big picture.
The other half is active security auditing. This is where having a working knowledge of offensive tactics comes into play. Actively pen testing your network and devices to find the vulnerabilities before the hackers do is critical. Defense focuses on reactive security, which can only be updated with knowledge from active pen testing work. OpenVAS or Nessus are some great vulnerability scanners that will tell you what known vulnerabilities are present for all devices on your network.
Sadly, these tools and methods will not protect you from zero-days, which are vulnerabilities that have never been reported before and need to be found by white hat security researchers before black hat hackers. A good defense needs a great offense working with it in order to predict what could be coming.
Hackathons are great, but some seem to be focused more on solving a problem specifically for the sponsor of the event. It seems there’s a nice split between hackathons like this and others that encourage attendees to work on any project. Still, I have yet to attend a hackathon that focused on or had any judges for cybersecurity-related projects.
I highly recommend anyone to attend a hackathon and work on a project of their choice, something they are really passionate about. So, long answer short, I do not think hackathons really teach you offensive or defensive security tactics. In my opinion, they are great to just force you and some pals to sit down for 24 hours and just work on something. It is all self-taught.
Cyber@UC is part of OWASP, how valuable is the training via that network?
The Open Web Application Security Project is a great source of information and training material. We have used their Buggy Web Application a number of times to teach about different forms of Cross-Site Scripting (XSS). Their wiki is chock-full of helpful information. I think one of the most valuable features of OWASP is their network of professional members. We have partnered up with Cincinnati OWASP and plan to collaborate much more in the future.
I think it is important to view OWASP as a great technical contributor in addition to Mitre, Offensive Security, and the large crowdsourced network of infosec knowledge. At the end of the day, the more organizations like OWASP that exist to spread knowledge of cybersecurity the better. We need to recognize that cybersecurity is a cultural problem that needs to be solved by educating students who are the future of information security.
How do people get involved with your events, and how can others set up events?
We promote all our events on Facebook, email, Slack, and our website. You can follow or contact us, and we encourage all our peers to take action by joining or founding their own student cybersecurity organization.