Capture The Flag for Cybersecurity Education

Gamification as an educational Cybersecurity solution

Nowadays, more and more companies have their products and resources exposed to the Internet to facilitate ease of access and faster adoption rates.  As the number of components that are exposed publicly continues the grow, companies expand the attack surface that can be targeted by an attacker causing harm to the organization.

Educating the majority of employees on cybersecurity

With the fast-paced technological evolution, the rules of the game have changed. The hide and seek game, mainly played by the white hats and the black hats, has moved to a new level of sophistication, and it keeps evolving. When it comes to knowledge and tooling, both parties are at the same level, but the white hats are at a great disadvantage because of the unaware and uneducated human factor. This is basically everybody who is not involved with or intrigued by security matters.

The unaware and uneducated group of employees is one of the greatest vulnerabilities within an organization. Unintentionally they can cause a huge amount of harm unless properly educated, trained, and made aware of the potential risks and threats that surround them. And, with well-invested effort and efficient measures, these employees could be turned into the greatest asset that a company has. But you need to present them the right educational tools whereby you create a mentality shift that could make a difference in an attack scenario.

“It is my judgment that the Internet itself is for the most part secure, though there are steps we know can be taken to improve security and resilience. Most of the vulnerabilities arise from those who use the Internet – companies, governments, academic institutions, and individuals alike – but who do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.”
by Vinton Cerf, United States Congress Joint Economic Committee on 23 February 2000

Gamification 

In the past years, the Yonder Tech board held many presentations and workshops on security-related topics. We started with less technical subjects like security hygiene, best practices, common cyber threats, known vulnerabilities, and went all the way to real-world threats’ analysis or reverse engineering. 

But in time, they discovered that more and more colleagues aren’t interested in advanced topics, or they have gaps in the required security knowledge. Yonder created a new team internally to design more engaging resources and to avoid a lack of security principles in the future.

After some research, the team concluded that one of the most effective approaches would be to apply gamification. So, that meant they would prepare an interesting game script for cybersecurity-related quests.  

“Games are the only force in the known universe that can get people to take actions against their self-interest, in a predictable way, without using force.”

by Gabe Zichermann   

Yonder Capture the Flag Competition 

The team designed an interactive event with all the security topics that should be discussed during periodical security meetings and presented them as puzzles, technical challenges, and quests. 

The whole idea behind this type of event was to see what would be the benefit of introducing gamification within the cybersecurity context to the general public (individuals from the organization. We offered everybody within the organization the setup to experiment with security in a controlled environment, under the guidance of people and at their pace.

Until now, there were three editions of security competitions within Yonder, each of them using a slightly different approach. At the start of this initiative, we invited the infrastructure teams because of their background and security related day to day tasks. Based on their feedback, the organizers then recommended teams with colleagues from different departments to extend the team’s expertise. The events used the Capture the Flag competition format and included challenges from the following categories:  

• Security Hygiene – all the recommendations, actions and the best practices that should be applied on the day to day online activities used to avoid common cyber threats; 
• Puzzle – various pieces of information, following the breadcrumbs and a lot of dead ends for the people that enjoy a good riddle; 
• Automation and Programming – nowadays the automation of common jobs is encouraged, and we would like to promote that idea designing challenges that are very hard or even impossible to solve by manual work; 
• Best Practices in Software Development – from our experience most of the problems that are hard to fix or mitigate were introduced into the project when the team tried to cut some corners or ignored the best practices or recommendations; some of the effects of those decisions can be seen in the applications from this topic; 
• Known Vulnerabilities – To keep your applications safe is critical to learn from other people’s mistakes, and to keep an eye on what the bad guys are doing; 
• OWASP Top 10 – OWASP refers to the Top 10 as an ‘awareness document,’ and they recommend that all companies incorporate the report into their processes to minimize and/or mitigate security risks; 
• Exploits – during the competition the participants will discover various environments with applications vulnerable to some of the most impressive or interesting 0-days published in the last couple of months; in this way, they will have the change to say what the impact on not patching in time can be; 
• Networking – today all the devices are tied together and interact one which each other more and more; because of that knowledge of common communication protocols and basic troubleshooting skill start to become a must; 
• Cryptography – we all like privacy, and when it comes to client data, we would do whatever it takes to keep it as secure as possible; this topic will bring to light some of the challenges or common mistakes that we encountered in attempting of keep data safe; 
• Social Engineering – the perfect way of seeing how easy it is for some people to divulge confidential information; 

We believe that practice and lessons learned are the key when it comes to security. After each competition, we gathered feedback from the participants to create a better simulation and a better user experience in the future. Furthermore, using the challenges that weren’t solved, we can prepare more relevant training and workshops to improve the security skills of our colleagues. 

For this article we asked the team with the most impressive evolution between events (from the bottom of the rank to the winners of the latest competition) to summarize the CTF experience to share those thoughts with you: 

I think the best part about this particular CTF was the level of involvement and different challenges that were up for ‘capturing.’ Those sudden rush moments when another team has overtaken you, are also part of the ‘CTF’ magic, trying to get back to your previous place by social engineering or by resorting to other ‘dirty tricks.’ 

One thing that could’ve been better would have been to have more competition and have it last a bit longer. All in all, I’d recommend participating in CTFs to anyone if they have the opportunity, the things you get to learn and experience with your peers, surely feel rewarding and fun. 

Interested in a Capture The Flag for your company?

The Yonder Cyber Threat Aware solutions also include games to increase security awareness within your company. Security is always important, but now that most companies have moved to working from home and completely in the cloud, security is even more imperative. Your employees can no longer walk to the IT department to check suspicious communications they receive. They now have to be more vigilant by themselves, especially as cybercriminals are ramping up their activity and the sophistication of their attacks.

So reach out to our [email protected], and we can see if a security game or any of the other solutions we offer can be of benefit to keep your company and its data safe. Please click here for our Cyber Threat Aware solution page.

Be Cyber Threat Aware; we’re here to help!
By Alex Coman and Remy Toma.