SAN DIEGO -- Need to boost morale? Find flaws in your systems? Enhance employees' security
skills? Consider Capture the Flag competitions.
At last week's Usenix Security Symposium, experts advocated these hacking contests to improve
security programs by allowing employees or students to attack simulated networks. In the process,
enterprises can become more adept at finding soft spots in their real-life systems while
employees discover weaknesses in their own skills.
"Pretty much any security practitioner will tell you that you need to know how to attack to know
how to defend," noted Marc Dougherty, a recent Northeastern University graduate who came to
enhance his campus's Capture the Flag program after initially exploiting a weakness to win.
The goal of most games is to gain root access to privileged areas and retrieve a token. Then it's
just as important to hold off attackers trying to steal that booty.
"The competition creates teamwork, and that's something most security classes do not focus on,"
said Giovanni Vigna, a University of California, Santa Barbara, computer science professor who
incorporates student competitions into his curriculum.
"One criticism has been that it's not realistic," he continued. Usually defense is a
slow-building process, he explained, "while this is concentrated Campbell's soup. But I think
it's well suited for education because it can really put people in a crisis situation -- and
that's something normally not taught in classrooms."
Nor in the workplace. Capture the Flag contests are used increasingly as a corporate training
tool, according to Tina Bird, a Stanford University network security expert who moderated a panel
on the competitions. Intel, for example, has fielded a team for DefCon. "I know that it's in a
lot of companies now," she said.
The panel also included professor Chris Eagle, whose Naval Postgraduate School team captured the
flag this year at DefCon, and Riley Eller, better known in hacker circles as Caesar. His group,
Ghetto Hackers, has run DefCon's game for several years and will create competitions for private
groups (including companies) upon request.
Though growing in popularity, the competitions are still difficult to orchestrate.
First and foremost, the games must be done on isolated networks. "Never, ever wire a contest to a
real network," Eller warned.
Some contests allow Internet access to retrieve online tools, but this can create liabilities if
the game gets out of hand. Ethics need to be stressed and repercussions for violators well
outlined. "There's an element of trust that they're going to keep it inside the trusted network,"
Eagle said. Dougherty added, "It's in everyone's best interest to behave."
Scoring can be difficult. "It's not like a 40-year dash. It's just difficult to quantify," Bird
remarked. The reward system must be explained and enforced -- and fair to both attackers and
defenders. Be sure to use licensed copies of any commercial software, too.
"And don't try to reverse engineer the scoring system," Vigna advised. "That's lame."