Wireless networks, remote-controlled flying drones, revolutionary educational cheap PCs and 25 hackers. This is the story of a weekend hackathon, but first let me tell you why you should care. Technology has become a supporting pillar of the economy and our everyday lives. As we adopt it more and more, security too becomes a critical pillar.
There have been a large number of reports covering the shortage of talent in security both in the US and the UK (though the issue certainly seems to be international) and I have seen the issue first-hand. This blog, however, is not about the skills gap, so I will summarise the situation simply by stating that many businesses don’t know how to hire for security roles, that there aren’t enough internships for people to gain experience (which is always a pre-requisite on posted roles) and that, despite the importance of this area, not enough people are growing up wanting to get into security, or with the right skills to do it.
Whilst fundamental changes are required in education and awareness to rectify this issue, this blog is about a group of people with the needed skills in abundance and an interesting approach to hiring and talent identification.
This Saturday challengers gathered at Sophos HQ for the latest face-to-face competition in the UK Cyber Security Challenge.
The UK Cyber Security Challenge is a body consisting of all manner of public and private sector organisations trying to develop the security talent pool.
The 25 attendees were identified by their participation in online competitions designed to find those with aptitude and talent for a career in security. The challengers varied significantly in age, background and education but all shared a common interest in technology and how to break it and fix it. The challengers worked in teams of 5, testing their ability to work as a team and demonstrating that they could make the most of the strengths and weaknesses of each in the group. They were faced with 4 wireless networks running a variety of different security configurations (with classic security configuration errors just like you see in businesses today) and told an attacker was still hanging around aiming to confuse them as they worked through the scenarios.
The teams had to organise themselves and the kit they were given, demonstrating their penetration testing and forensic skills whilst combatting all manner of subterfuge from the adversary (me in this instance). I may have gone too far when I created over 500 fake networks with similar lyrics to the Carly Rae Jepsen song Call Me Maybe (sorry about that chaps). After they filtered the noise and managed to work through each of the networks they had to configure their Raspberry Pi (a brilliant single board computer that costs as little as $25 and is being used in all kinds of interesting education projects in schools and at home) to bypass a variety of security controls and connect to the wireless drone. The first team to successfully take it over and do a lap of victory won the game. The challenge was designed to identify people with an aptitude for problem solving and a knack for security but also taught how actions in digital systems can have real world kinetic impact – a connection becoming significantly stronger every day.
Skilled security practitioners are very valuable assets indeed and are becoming all the more important as technology evolves. Challenges such as these demonstrate that there is noteworthy talent waiting to be identified for those prepared to go beyond conventional hiring procedures. It also shows that recruitment and talent identification can be fun and that games can be a powerful talent identification tool for employers. As much as these challenges are about identifying talent they also serve the purpose of building confidence and interest.
One of the most interesting things I heard from a challenger (who had just demonstrated extreme talent many businesses could use immediately) was that he “nearly didn’t enter the competition because he thought he wasn’t good enough”. Every business and every nation should be thinking about how they develop these skills to support the security sector of tomorrow. If you are interested in participating in the UK Cyber Security Challenge you can find more details on their website. This competition is only open to those in the UK, but there are many challenges like this in countries all over the world. I for one want to see more of these hackathons and more initiatives to bring new people and ideas into security – I would love to hear about your ideas and experiences. If you know someone who is interested in technology, maybe a friend or even your own child, why not encourage them to get involved and see if they are a future security pro?
P.S. I will shortly be releasing a specification for the competition including the software developed to make everything work for those that would like to modify it or enhance it. I would like to thank everyone involved in putting together this challenge and those working on other initiatives to develop the industry. My personal thanks to Roger Neal and Mike Yates who tirelessly set up equipment to make the game on the day such fun.