The offensive and defensive nature of information security makes it an excellent field for competitions. Cyber competitions called ‘Capture The Flag’ (CTF) take on a variety of formats, in most cases individuals and teams race against each other to solve programming, forensics, and networking challenges in an attempt to gain access to systems, applications, files, or other resources. These are not real-world systems, but rather virtual machines that have been designed solely for the sake of of practice. By breaking into (‘exploiting’) these practice systems, players inevitably begin to understand their weaknesses (‘vulnerabilities’), as well as how they can be secured.
Many of these events take place entirely online: teams can compete from the comfort of their own home or anywhere else with a reliable internet connection. There is an additional class of challenges known as wargames – these are essentially CTFs, however aspiring hackers are able to work at their own pace without the pressure of competition.
When I suggest to aspiring security professionals that they take part in these competitions. I’m often met with some variation of the same concern:
‘This sounds really interesting, but I’m not ready to compete’ or ‘I don’t know everything yet’. Both of these are valid concerns, however in response to these humble responses (*we certainly need more humility in infosec*), I point out two things:
- The first is that no security professional knows or will ever know everything. There are far too many areas of specializations and the industry is rapidly changing: New threats are being discovered, and as a result new technologies and best practices are being implemented.
- The second thing is that it doesn’t matter if you are not ready. You’re not there to win: The value of a CTF is simply in the actual experience: You’ll be able to identify gaps in your knowledge and discover what you still need to learn. Additionally, these cyber competitions will reinforce theoretical learning with hands-on activities and help you discover what area or areas of security are most interesting to you. Finally, you’ll also learn about the soft skills that are important in any careers: Effective communication, teamwork, learning how to learn, teaching yourself, working against deadlines and time constraints.
It’s useful to note that many CTFs and wargames have been solved. A quick search online will help you find not only the solution, but in many cases a detailed explanation of the solution. Reverse engineering – or working backwards – is an excellent way to learn these skills and concepts.
Here’s a growing list of CTFs and Wargames: http://captf.com/practice-ctf/