Capture the flag (cybersecurity)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Shuri42 at 14:18, 26 November 2022 (putting back the image, not sure why it was removed).

A team competing in the CTF competition at DEF CON 17

Capture the Flag (CTF) in computer security is an exercise in which "flags" are secretly hidden in purposefully vulnerable programs or websites. It can be for either competitive or educational purposes. Competitors steal flags either from other competitors (attack/defense-style CTFs) or from the organizers (jeopardy-style challenges). Several variations exist. Competitions can include hiding flags in hardware devices, can be held online or in person, and can be advanced or entry-level. The game is based on the traditional outdoor sport of the same name.

History

Capture the Flag (CTF) is a cybersecurity competition that is used as a test of security skills. It was first developed in 1993 at DEFCON, the largest cybersecurity conference in the United States, hosted annually in Las Vegas, Nevada.[1] The conference hosts a weekend of cybersecurity competitions including CTF. There are two ways CTF can be played: Jeopardy and Attack-Defense.[2] Both formats test participants' knowledge of cybersecurity, but differ in objective. In the Jeopardy format, participating teams must complete as many challenges of varying point values from a given category as possible. Some examples of categories are programming, networking, and reverse engineering.[3] In the Attack-Defense format, competing teams must defend their own vulnerable computer systems while attacking those of their opponents.[2] This is done by attempting to replace the opponent's "flag", or data file, with their own. Since CTF's creation at DEFCON, other CTF competitions have been hosted, including CSAW CTF and Plaid CTF.[3]

Applications

CTF is mainly used for cybersecurity education, as studies show students tend to respond better to interactive methods demonstrated through CTF exercises than to a traditional classroom setting.[4] A study conducted by researchers at Adelphi University found that using CTF exercises was a highly effective way to instill cybersecurity concepts in an enjoyable manner.[5] CTF exercises can also be incorporated in a classroom setting, and have been included in undergraduate computer science classes such as Introduction to Security at the University of Southern California.[6]

CTF is also popular in military academies, where exercises are often included as part of the curriculum for cybersecurity courses. For example, a report released by the Cyber Defense Review, a journal from the Army Cyber Institute (ACI) at West Point, highlights CTF exercises pursued by students in the Air Force Academy and the Naval Academy who are members of cybersecurity clubs.[7] Furthermore, many cybersecurity concepts are taught through CTF exercises in the Advanced Course in Engineering on Cyber Security, an immersive summer program offered to ROTC cadets, active duty members, and undergraduates.[8]

Drawbacks

One drawback of CTF exercises is the presumption of a foundational level of computer operational knowledge.[4] Basic computer operations such as opening multiple tabs are important and cannot be taught through the exercises, since the focus of these exercises is to teach cybersecurity concepts. Similarly, those running CTF exercises have encountered difficulty supervising and managing competitions and training exercises, as people need to be trained to understand the workflow of the challenges. CTF competitions have tried giving facilitators early access to the exercise environments to help them understand the environments in advance, but most facilitators still felt underprepared to supervise CTF events.[4] Another drawback is the generational gap between the exercise developers and the players, which leads to impractical and sometimes outdated challenges.[4] Students may have a hard time understanding the importance of a security concept without grasping the severity of consequences from vulnerabilities.[4]

Another hindering factor to CTF effectiveness is cost, which includes hardware and software costs, as well as administrative salaries. Some competitions require user terminals for players, so machines need to be bought for each player.[9] In open source competitions such as PicoCTF where students play on their personal computers, such costs are saved but there are still server costs. CTF events also require hiring experts in cybersecurity, which can be more expensive than hiring non-specialist educators or less experienced engineers.[9]

Competitions

Company-sponsored competitions

While CTF is mainly used for cybersecurity education, some studies show that companies use CTF as a form of recruitment and evaluation for high performers. It can be used to source and screen for potential employees.[5][10]

Recent competitions

Computer Science Annual Workshop (CSAW) CTF is one of the largest open-entry competitions for students learning cybersecurity from around the world.[3] In 2021, it hosted over 1200 teams during the qualification round.[11] Another popular competition is DEFCON CTF, one of the first CTF competitions to exist, which is aimed at those who are already familiar with cybersecurity and introduces more advanced problems.[11]

References

  1. Cowan, C.; Arnold, S.; Beattie, S.; Wright, C.; Viega, J. (April 2003). "Defcon Capture the Flag: defending vulnerable code from intense attack". Proceedings DARPA Information Survivability Conference and Exposition. 1: 120–129. doi:10.1109/DISCEX.2003.1194878.
  2. Says, Etuuxzgknx (2020-06-10). "Introduction To 'Capture The Flags' in CyberSecurity - MeuSec". Retrieved 2022-11-02.
  3. Chung, Kevin; Cohen, Julian (2014). "Learning Obstacles in the Capture The Flag Model".
  4. McDaniel, Lucas; Talvi, Erik; Hay, Brian (January 2016). "Capture the Flag as Cyber Security Introduction". 2016 49th Hawaii International Conference on System Sciences (HICSS): 5479–5486. doi:10.1109/HICSS.2016.677.
  5. Leune, Kees; Petrilli, Salvatore J. (2017-09-27). "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education". Proceedings of the 18th Annual Conference on Information Technology Education. SIGITE '17. New York, NY, USA: Association for Computing Machinery: 47–52. doi:10.1145/3125659.3125686. ISBN 978-1-4503-5100-3.
  6. Vykopal, Jan; Švábenský, Valdemar; Chang, Ee-Chien (2020-02-26). "Benefits and Pitfalls of Using Capture the Flag Games in University Courses". Proceedings of the 51st ACM Technical Symposium on Computer Science Education: 752–758. doi:10.1145/3328778.3366893.
  7. Spidalieri, Francesca; McArdle, Jennifer (2016). "Transforming the Next Generation of Military Leaders into Cyber-Strategic Leaders: The role of cybersecurity education in US service academies". The Cyber Defense Review. 1 (1): 141–164. ISSN 2474-2120.
  8. Argles, Christopher; Zaluska, Ed (2018). "A Conceptual Review of Cyber-Operations for the Royal Navy". The Cyber Defense Review. 3 (3): 43–56. ISSN 2474-2120.
  9. Taylor, Clark; Arias, Pablo; Klopchic, Jim; Matarazzo, Celeste; Dube, Evi (2017). "CTF: State-of-the-Art and Building the Next Generation".
  10. Bashir, Masooda; Lambert, April; Wee, Jian Ming Colin; Guo, Boyi (2015). "An Examination of the Vocational and Psychological Characteristics of Cybersecurity Competition Participants".
  11. "CSAW Capture the Flag". CSAW. Retrieved 2022-11-02.