Overview
Last Updated: 2/11/2017
The security assessment will allow individual competitors to utilize their cyber security skills to prove their knowledge through the completion of a qualifying exam, and then a final Capture-The-Flag (CTF) challenge.
The Security Challenge is an individual event (“Teams” are limited to one student).
The qualifying exam will take place promptly at 9 am on Saturday, April 8, 2017, and will end promptly at 10 am, with the CTF immediately following the qualifying exam for the competitors with the top 10 scores. Every effort will be made to start the CTF Challenge promptly after the qualifying exam, although it will take a few minutes to add the finalists’ names to the CTF system. The CTF Challenge will end at 1 pm.
The qualifying round will consist of 50-70 multiple-choice questions similar to those found on the CompTIA Security+ and Certified Ethical Hacker (CEH) exams, as well as questions that relate to the CTF Finals Competition.
In addition to CompTIA Security+ topics, students should be knowledgeable about topics and tools such as those listed below. Please note that this list is not exhaustive, and that not all of the following topics will necessarily be included in the qualifying exam or the CTF finals.
- IP configuration and testing
- Database Security Vulnerabilities
- Web Server Vulnerabilities
- Web Application Vulnerabilities
- Social Engineering
- Password Crackers
- Penetration Testing Tools
- Open Source Intelligence
- Log Analysis
- Network Traffic Analysis
- Reconnaissance Techniques
- Vulnerability Identification and Exploitation
- High-level understanding of security regulations
- Physical security/access control
- Policy implementation in a Windows environment
- Current business security regulations, U.S.A. laws involved with trans-border data flow (PCI, PATRIOT Act, etc.)
Competitors should have a laptop with security tools installed. These security tools should be openly available tools, and not commercial products. The suite of tools found in security distributions such as Kali Linux (http://tools.kali.org/tools-listing) is a good place to start looking.
An excellent reference to help practice for this final can be found at https://wraysec.com/2015/11/02/how-to-win-the-ncl/
Each contestant will take a web-based exam. As with all AITP NCC® contests, to take the exam you must bring your own computer (BYOC).
The top 10 scores (displayed on the leaderboard outside the contest lab) will move on to the final capture the flag (CTF) challenge round.
The CTF Challenge
The final CTF round will challenge competitors with questions, puzzles, and tasks that may be covered in Security+ and CEH curricula, and may also be beyond those objectives. Be prepared for anything!
Free and open source tools, as well as homegrown scripts, are allowed; however, no commercial or paid software can be used for the analysis or remediation of security issues — i.e., the playing field must be level, and you cannot “buy” success in the contest!
During both the qualifying exam and the CTF Finals, you are not allowed to communicate with other people regarding the competition, or launch any disruptive communications against fellow competitors or the scoring engine.
CTF Challenge Theme
Industrial Control Systems are a fundamental component of modern infrastructure, automating and improving the efficiency of almost EVERY aspect of process control. At the same time, all sorts of vulnerabilities in Industrial Control Systems and SCADA may introduce real threats to national infrastructures. Consider the STUXNET malware – Windows XP machines infected with very sophisticated malware that targeted a very specific type of control system. What about the power grid in Ukraine in December of 2015?
The 2017 CTF challenges will revolve around topics related to the protection and defense of industrial control systems.
WraySec, LLC (WraySec) will be sponsoring the 2017 AITP CTF Challenge. WraySec is a cyber security startup dedicated to leveraging cyber exercises to help train cyber security students and professionals alike. WraySec’s cyber exercises provide hands-on, practical, team-based training to help organizations prepare for today’s cyber threats. Additionally, WraySec provides traditional cyber security related services ranging from patch management to penetration testing.
The qualifying round will be scored as 1 point for each correct answer. In the case of a tie, the contestant with the fastest time will be ranked higher.
The top ten participants from the qualifying exam will proceed to the final hands-on round, which will include several objectives of varying difficulty and point values, allocated as follows:
Individual challenges (Flags) within this CTF will be rated in difficulty as “Easy,” “Medium,” and “Hard.” The Hard flags will have a higher score associated with them. In the event of a tie, the fastest time wins.
General Tips for CTF
- Time management is very important. Start with the basics and do not overthink puzzles. Be prepared with a strategy of either completing the easiest puzzles first or focusing on the more difficult puzzles that are worth the most points. If you get stuck, move on to another puzzle.
- Be familiar with the following puzzle areas: Cryptography, Network Traffic Analysis, Web Application Exploitation, Reverse Engineering, Steganography, …
- Practice ahead of time with various open-source tools using a platform such as Kali.
- Focus on your strengths. Puzzles will exist in various cyber categories. If you excel in Reverse Engineering, focus on those puzzles first.
- Clear your head. If you are becoming frustrated with a puzzle, take a break and work on another puzzle or collect your thoughts. This can help give you a fresh perspective and think about the puzzle differently.