Can CTFs Help Close The Cybersecurity Skills Gap? by Corey Nachreiner, forbes.com, DEF CON 27


    Title: Can CTFs Help Close The Cybersecurity Skills Gap?
    By: Corey Nachreiner
    Forbes.com
    November 22, 2019

    URL1=https://www.forbes.com/sites/forbest...ty-skills-gap/

    Originally posted by URL1
    In 2018, almost 3 million cybersecurity jobs were left unfilled globally, according to (ISC)2’s 2018 Cybersecurity Workforce Study. This isn’t the first we’ve heard of the cybersecurity skills gap. Five years of ESG surveys have shown that the lack of qualified candidates has left organizations with a cybersecurity skills shortage since at least 2015. Most recently, 74% of ESG respondents (via Security Boulevard) said that this shortage has affected their organizations.

    This problem doesn’t have a simple solution, but surely education, training and recruiting play key roles. Until recently, many universities didn't offer an extensive cybersecurity curriculum. Even now, the information security (infosec) programs at colleges are often just a few basic classes. Those wanting broader cybersecurity training generally learn through independent research or by pursuing third-party industry certifications. Even though the volume of cybersecurity graduates has grown significantly since 2013, open positions are still growing more than twice as fast. Why aren’t more students interested in cybersecurity?

    I think the answer might have to do with fun — or lack thereof.

    Cybersecurity has an image problem. From the outside, it probably doesn’t seem like the most enticing career path. It has a reputation for requiring deep technical knowledge that many consider academic and nerdy, for involving arduous rules and guidelines, and for laying some pretty heavy responsibility on its practitioners, with hefty consequences for failure.



    Based on these assumptions, it’s clear why students might choose a different path. In reality, the field has a wide range of roles that require much more creativity and imagination than people think. We need a way to help convince newbies how cool cybersecurity can be. That’s where capture the flag (CTF) and badge competitions come in.

    Like the childhood game, CTF competitions involve two or more teams battling it out to catch their adversary’s flag. But in cybersecurity, the battlefield consists of attacking and defending IT infrastructure, and the flag is a data file you protect on your server. These kinds of CTF competitions provide a fun and engaging way to learn and practice cybersecurity skills. More importantly, I believe the gamification of hacking and cyber defense can attract the younger generation, which enjoys these sorts of entertaining multiplayer competitions.




    Over the past decade, CTFs have evolved into many categories, all of which attract different types of talent. For example, we still have the original attacker/defender competitions mentioned above, but now you also see:
    • Hardware hacking CTFs: Participants focus on hacking a specific device.
    • Jeopardy-style CTFs: Teams compete by properly answering various cybersecurity questions.
    • Badge CTF challenges: Groups or individuals solve puzzles to unlock cool digital badges.
    • King of the hill challenges: An individual attacker/defender challenge where the person who survives the longest wins.

    If a young student has interest in IT security but isn’t sure it’s for them, a few minutes at one of these events will help them realize how fun and interesting the profession and its members can be.

    Whether you’re trying to crack an encryption scheme, find a tiny hole into a network or figure out how to exploit an obscure software vulnerability, hacking is about solving puzzles. Likewise, guessing and preventing what hackers will do next and forensically investigating breaches are also forms of puzzle solving. Cybersecurity is a great field for those who like solving puzzles, and CTF challenges can help us as an industry spark that passion in a new generation.

    Badge challenges specifically were born at DEF CON 14 in 2006, when the conference switched from a typical conference lanyard badge to a digital one. From that point on, the creators of DEF CON’s digital badge hid secrets in the badge’s hardware and design for attendees to uncover. Eventually, this whole thing evolved into a badge challenge, where the first person to unlock the mysteries in the badge would win a coveted black badge, also known as the Uber Badge. This badge wins you free entry into DEF CON conferences for life.

    The DEF CON Badge CTF has become so popular it has spawned many new ones, including popular challenges like DC Darknet and AND!XOR. Entering these badge competitions is simply a matter of buying a badge and trying to solve its many hidden puzzles. Meanwhile, the entrants have fun solving puzzles while subtly learning about various aspects of cybersecurity.

    The WatchGuard Threat Lab and I believe so strongly that CTFs attract cybersecurity talent and can help grow the industry that we’ve hosted a free digital badge CTF challenge at the annual Black Hat and DEF CON security conferences for the past three years.

    All you needed to do to get our digital badge was solve our first 12 “basic to intermediate” puzzles online. Solving these puzzles gave participants primers on various ciphers and hopefully got them excited about cybersecurity. By the second day of DEF CON, we’d given out all of the 500-plus digital badges we had. Everyone from teenagers who were new to the show to industry veterans joined the competition. We even had cybersecurity teachers participate and ask us if we could help them create their own badge competitions for students.

    It’s clear that these types of challenges are a good way to engage and inspire a new generation of cybersecurity pros. It’s also important to note that cybersecurity skills go stale fast when not maintained. In addition to attracting new talent to the industry, putting on your own CTF challenge can help you train and reinvigorate the security teams you already have.

    Although many think education is the answer to the cybersecurity skills gap, we know that education is pointless unless a topic is interesting and fun enough that someone wants to learn about it. CTF challenges could be one highly effective way to bridge the gap. If you want to learn more about how we started our own badge CTF, read this blog post, and make sure to join us at Black Hat and DEF CON next year.