Capture the Experience

Does your security team need a workout? Here's one way to get them in shape

3:57 PM -- Did you ever play Capture the Flag? When you're a kid, it teaches you something about tactics and teamwork. When you're a security pro, it teaches you something about tactics and technology.

The rules are simple: There are two teams, each with a base and a flag. To win, one team has to capture the other team's flag and transport it back to its base. When I played it at the YMCA as a kid, we ran around in the woods with paintball guns. Now that I'm a security pro, we get to sit in an air-conditioned room in front of laptops, drinking Starbucks and Red Bull.

Capture the Flag (CTF) exercises can be an invaluable IT security training opportunity for both companies and individuals. Unfortunately, very few organizations take advantage of the experience and skills that can be gained by playing. Maybe some security pros are afraid of being shown up by their peers.

CTFs can be as simple as two teams securing their respective Web servers and then trying to hack into the other team's environment to steal the flag. A CTF can also be a complex, multi-day event where teams are given a server, or three, running multiple services that must be enumerated, secured, and maintained while coming up with ways to attack the other team.

Want to put together your own CTF? You can start by getting a free copy of VMware Server -- if you don't already have the Workstation version. Then, download a pre-built VMware appliance -- or install your own operating system and services to test in the CTF.

Make sure that the services are default installs, need patching, or are vulnerable in some way, so that the participants will actually have a challenge. Then give a copy of your VMware image to both teams and let them hack each other.

If you aren't ready to host your own CTF, consider sending some players to one of the security conferences that host them, such as DefCon, Hack in the Box, and even SANS. If you work in an educational institution, there are several CTFs geared toward students, including the UCSB iCTF, USF CTF, and Cipher.

Practice makes perfect.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading