This section of the toolkit aims to provide you with strategies for implementing professionalism and ethics into your competitions. It includes several competitions that can be easily implemented.
Cybersecurity competitions are frequently seen as solely technical, but this overlooks the professional skills that are also crucial. While adding injects can enhance the technical aspects, there is much more that businesses and corporations require. Our hope is for these ideas, suggestions, and materials to help you create competitions that are as engaging as possible, allowing students to benefit to the fullest extent!
Overview
Cyber competitions offer students more than just an opportunity to learn technical concepts; they allow them to apply their classroom knowledge and practice in an environment that resembles real-world work settings. Competitions can reveal surprising results from students who are given the chance to showcase their skills. However, this toolkit aims to address the limitation of these skills when individuals are unable to effectively explain, lead, or adhere to an organization’s policies.
This section of the toolkit includes four different directories: Out of Box Competitions, CTF Ethics, Team Ethics and Professionalism, and Network Ops Challenge – Level 1 in v0.1 of the toolkit. Each of these directories is designed to incorporate professionalism and ethical challenges into familiar scenarios (coming soon).
Team Ethics & Professionalism
Hardening Competition: This competition is designed to be versatile and useful for anyone using this toolkit, although it may not be as immersive as a Collegiate Cyber Defense Competition (CCDC), it should be treated with similar gravitas. Teams will work to defend their box from unknown threats, documenting their steps along the way. Throughout the competition, teams may receive injects that, at some point, conflict with policy and procedure. Students should raise alarms on this rather than blindly following them, and hold appropriate meetings with their supervisor or boss.
After spending the designated time working within their environment, a script will be run to check for completion of each inject (with malicious ones scoring negatively) and for various hardening points (such as ports, firewall, antivirus, etc.). Teams will not receive their scores immediately; the instructor will have an initial score report based on their actions. Instructors can formulate questions around this report or accept it as is.
During debriefing, students have an opportunity to increase their score by discussing their steps. If it is found that they performed hardening skills outside the script check that improved the defense of the device or network, they shall be awarded additional points. This aspect of the competition rewards students for their professional reporting, as in a real-world scenario, their boss or Chief Information Security Officer (CISO) is unlikely to double-check their work in the working environment.
If you have the means to set up the environment for actual attacks (for example, in an upper-level pen test or operations class), then consider having students attack the environment while others defend it. In this scenario, allow students a few hours beforehand to set up initial defenses. This situation is ideal as it closely simulates other Collegiate Cyber Defense Competitions (CCDC) and even some real-world incidents. If this is applicable to you, include a debrief from the “red team” (attackers), so all students can learn from both sides of the experience.
For all else, ensure students understand the importance of documentation and thoroughly checking their system. If you, as the instructor, are setting up images or devices, intentionally leave security holes for students to fix. Adjust the script accordingly to check for these as well.
While friendly competition can be enjoyable, remind students that the goal of these competitions is to benefit and improve their knowledge and abilities. Encourage them to help and support one another, and consider involving past competitors in competitions with new teams. The aim is to provide you with a foundation or a competition/challenge you can implement with relative ease.
Additionally, there are many more resources in the CAE community related to cybersecurity competitions. Be sure to reach out and check on the CAE community site!