Organised by BCS and sponsored by BT, the Cyber Crime Cup saw a world first: a cyber security competition held live and as a spectator sport. All the action, learning and sharing of cyber skills took place at the Etihad Stadium in Manchester.
Cyber ranges - virtual training grounds where attackers and defender teams can hone their skills - are, of course, nothing new; many events and organisations host capture the flag style cyber challenges. By contrast, The Cyber Cup borrowed its format from esports: competitive and live computer gaming that turned red teaming into a spectacle that was enjoyed, understood and applauded by a live audience.
Along with being exciting to watch, the Cyber Crime Cup was an invaluable learning experience for competitors and the audience.
In all, over 200 students from 65 teams at 35 universities entered the Cyber Crime Cup challenge. Through elimination, these were whittled down to 10 teams of five, who battled and hacked through elimination phases at the Etihad.
Two teams emerged on top to secure places in the live final: Royal Holloway University of London and The University of Manchester.
The live final was fought out in front of an audience and saw the teams compete for the impressive 150cm tall trophy and a £1,000 prize.
The hacking wargame involved attacking a fictitious online bank, with the winning team being the one that stole most the most money.
During the half hour challenge, teams exploited logic flaws in the site, uncovered errors made by developers, outflanked defences and leveraged components that shouldn’t have been visible to the web.
Victory went to Royal Holloway University, who stole £27,000 of virtual currency from the besieged bank, despite two factor authentication with mobile one time passcode (OTP)!
Dubbed SegFault Squad, the Royal Holloway team said: ‘We entered mostly because we wanted to have fun. We’re friends and we’re looking at info security. It was a surprising experience - a good opportunity to learn, and it was very relevant to computing and the future. It’s nice that we can showcase our university’s excellence in cyber security, too.’
In second place were The University of Manchester, who won £750 and said: ‘It was a surreal experience - really interesting, exciting and full of surprises.’
Adrian Thompson facilitated the day and commentated on the live final, along with Katerina Tasiopoulou, Business Development, EU at IBM X-Force IRIS. Summing up the experience, Thompson said: ‘I was amazed by the teams’ ingenuity. It was an inspiring event and we’re really pleased with how it all turned out. Up until now, cyber security has never been considered an eSport, but this event changed that.’
Along with the live hacking competition, the Manchester event also saw a host of live talks, keynote speeches, presentations, an exhibition, networking opportunities and a conference. A varied and valuable day, here are some of the key themes, messages and concepts that dominated the event:
1. Gaming and cyber security are cousins
Tris Morgan, Director at BT Security sees strong links between eSports and cyber security. Morgan, in his conference keynote, explored how the two disciplines both demand traits such as teamwork, problem-solving skills, pace and the need for commonality of purpose among colleagues. Cyber security and eSports both also require that their practitioners dedicate themselves to life-long learning and constant self-improvement.
2. The need for speed
When it comes to surviving and recovering from a cyber attack, software engineer and event organiser Adrian Thompson explained that having adept defenders and recovery specialists isn’t enough. Your response needs to be planned, practised and deployed quickly. Addressing the audience, he said: ‘The first thing you need ask is “how do the attackers do their work?” We need to be aware of how they operate.
We gave students this opportunity and it shows that speed is important. When you think of an attack on your network, your servers, or your personal devices, it’s all about speed. How quickly can you react when a data breach is happening? If you don’t react immediately, the loss is far greater. The impact is far greater. It’s not enough to understand how an attack happened; you need to be quick, you need to be fast. And that’s what this sporting element - this eSports element - is all about. You have speed and you have knowledge.’
3. Get the basics right
The day ended with a two hour conference. Speakers included Katerina Tasiopoulou, Business Development, EU at IBM X-Force IRIS; Holly Grace Williams, Technical Director, Secarma; Helen Williams, Cyber Protect Officer, Police; LU Hack (Lancaster University); and Dr Heather Taylor, Behavioural Psychologist, Frazer-Nash Consultancy. Across the broad spectrum of techniques, insights and assessments that were offered, one unifying thread tied the evening together: get the basics right.
Exotic malware, crypto fraud and advanced persistent threats might steal the headlines, but all of these - and more - can be tempered if businesses follow basic cyber security processes. These, we learned, were prosaic processes such as observing solid password hygiene, limiting network and application privileges, taking regular back-ups and storing them offline, staff awareness training and patching.
Across the event, speakers also explored the need for physical security, imploring attendees to think beyond just logical security.
4. The need for pathways and professionalism
Rob Partridge, Head of Commercial Development for Offensive Security at BT, explored how cyber security needs to consider, codify and communicate career pathways. ‘Traditional professions like doctors, vets and electricians - if I want to become one of those, there’s a really nice pathway.’
By contrast, he noted that in cyber security there are no pathways. ‘Cyber security is like the London Tube map: there are over two hundred places to get on and two hundred to get off. There are an infinite number of routes and paths you can take through a career journey. And the problem is, when people think about cyber security, they think about penetration testing. They don’t think about the other ninety roles that exist.
Some of those roles don’t even need technical skills.’ The challenge for the industry, he believes, is getting the right people to start their career journey at the right time and place.
Brian Higgins, Project Manager for the Cyber Foundry at The University of Manchester said: ‘We’ve been rubbish at filling the skills gap over the last decade; there aren’t any defined career pathways. Nobody has a clue. People just think they need to study maths and computer science and with a bit of luck they’ll find a job. We need to get the word out there and support people from different backgrounds.’
5. Diversity matters
When addressing the need for more diversity in cyber security, Tris Morgan said: ‘It brings new ways of thinking into the company and gives greater organisational flexibility. [This is important] as the industry and types of jobs required continue to evolve. Evidence shows that having a great level of diversity in the workplace positively increases business performance and profitability.’
Morgan mentioned the importance of diversity when recruiting for candidates. ‘More must be done to clarify what cyber security is and to explain the role that these professionals play in keeping individuals safe in their daily lives. This includes looking at what the barriers and the enablers of someone’s careers are. For example, using language that more people can identify with - such as focusing on using terminology like ‘problem solving’, ‘making a difference’ and ‘improving people’s lives’ - can help a more diverse range of candidates see how a career in cyber security can directly benefit society.’
6. Fill the skills gap early
Lastly, Tris Morgan addressed cyber security’s need to make itself interesting and relevant - to people of all ages. ‘Showcasing cyber security through eSports is a way of talking about it in a whole new way,’ Morgan said. ‘Cyber security isn’t just about writing software, defence and remediation; it runs right through from strategy to analysis. We’ve got to really work hard to publicise the range of roles that exist.’
This drive to engage even the very youngest people from their earliest years finds its most tangible manifestation in the Barefoot Computing project. Barefoot is a national BT and Computing at School (CAS) partnership that supports primary educators as they teach and explore computer science with their pupils. Barefoot was created by BCS and the Department of Education in 2014.
Winners: Royal Holloway, University of London team
Runners up: The University of Manchester team