William Seymour MBCS, PhD Student at the University of Oxford, discusses the opportunities that Capture the Flag events hold for both students and employers.

In the past year a number of technology firms I’ve talked to have mentioned facing problems when trying to hire security staff. The Financial Times reports a similar story - on average cyber security jobs are harder to fill than other roles, something which is only going to get worse as demand for experts grows faster than supply.

According to industry association (ISC)2, two thirds of UK companies do not have enough information security personnel to meet their needs, with the global shortfall in cyber security experts predicted to rise to over 1.8 million by 2022. As events like the recent WannaCry attack continue to raise the profile of cyber security in the public consciousness, an increasing number of businesses are going to find themselves facing a problem without a solution.

It’s true that cyber security related courses and certifications are becoming more popular. But it will take a long time to build and develop a workforce of the size that is needed, both globally and in the UK. For less experienced employers the broadness of the field and lack of universal certifications can make it difficult to get what they want. That these certifications are practical in nature undoubtedly increases their appeal to organisations, but very few of them reflect the adversarial nature of the security game in reality.

Static questions, like those you’ll find on the CIISP exam, won’t adapt and fight back. A real attacker will. So with a number of years before the industry slows its growth and begins to mature, and a disconnect between the nature of certifications and reality, what’s the best way for employers to fill the security related positions they have now?

Introducing Capture the Flag

While terms like Penetration testing, offensive security, ethical hacking might be familiar, Capture the Flag (CTF) may not be. CTF takes the above and moves away from a production setting while adding a competitive spin. The CTF scene has taken off in the UK over the past few years: across the country hundreds of students regularly get together to take part in cyber security themed competitions, with Cyber Security Challenge UK (CSCUK) coordinating the majority of the nation’s events.

The online community is even larger; international events take place every week, open to both teams and individuals. Perhaps better thought of as competitive security, challenges require a combination of problem solving and technical prowess to solve. Competitions vary from groups attacking and defending infrastructure to individuals solving small puzzles. Any topic is fair game: cryptography, forensics and reverse engineering are favourites, but it’s not unusual to see participants tackling phishing emails or physical locks.

Knowing how to use the industry standard tools required to solve these problems is a valuable skill. Hands-on experience cements good practice - you can be told WEP secured networks are bad, but breaking one in 5 minutes with Aircrack really drives it home. CTFs thrive because they focus on the thrill of solving problems, which means that there’s plenty of discussion about solutions.

This environment fosters learning and collaboration, with newcomers being encouraged to grow rather than being put off due to inexperience. And it’s easy to forget that while these skills are obviously applicable to a career in cyber security, knowing how the bad guys get in is beneficial for developers, managers, and other IT roles as well.

The new InfoSec interview

CTFs represent a unique opportunity for employers to directly connect with the best and the brightest when it comes to cyber security skills. As the introduction to this article suggests, the benefits of competitive security are not limited to those competing.

Many companies are already waking up to the opportunity; CSCUK alone has 35 sponsors and 41 affiliates. Because participants attend events out of a passion for computer security, many are actively looking for jobs or internships and are only too happy to be approached by employers looking for talent.

In this way, the downtime between competition rounds acts like an informal interview process - sponsors are able to see how candidates work and highlight their own offerings, while students are given the opportunity to ask questions about life in the industry. It represents a lowcost, high-impact way to engage with students who may miss schemes buried in the usual deluge of marketing material given to soon-to-be graduates.

Beyond technical skills

One would be forgiven for thinking that CTFs are focused solely on technical knowledge. While there are rewards for the most technically adept, competition organisers are looking for more than just hard skills. Students advancing to the CSCUK Face to Face (F2F) events must show maturity and leadership. These events have a dress code and the atmosphere is more of professionals at work than hooded teenagers staring at screens in their bedrooms.

On the international stage, the Atlantic Council runs a yearly cyber security policy competition - Cyber 9/12. Taking place in Geneva, Washington, and Sydney, it simulates the day after a cyber crisis. Participants are given a briefing from which they must develop policy options that are judged by a panel of diplomats, industry practitioners, and military personnel.

The realworld application is clear - this year’s scenario depicted ransomware attacks on hospitals and public transport a month before the NHS and Deutsche Bahn fell victim to the Wannacry attack.

Summary

All indications point to the continued growth of the competitive security scene. Students are seeing cyber security as an increasingly accessible and fulfilling career path. Changes to the national curriculum also promise to engage upcoming generations with computing.

For companies, being part of CTF events (either alone or in collaboration) presents a golden opportunity for recruitment, PR, and outreach. Active involvement in hands-on cyber security events can also sharpen your own technicians’ skills, drawing on their experiences to craft devious challenges. And for students? It’s certainly more exciting than the traditional interview process.

Further information

Financial Times information sourced from https://www.ft.com
(ISC)2 information sourced from https://www.isc2.org/pressreleasedetails.aspx?id=14570