DinoBank definitely had its issues: in the final environment, there ended up being over 170 known vulnerabilities, ranging from insecure passwords available on Twitter to fundamental logical flaws in the banking core application and implementation of business processes.
Findings are scored on a matrix of severity and difficulty, with the most difficult to locate and the most significant vulnerabilities scoring the most points.
Tech + Business FTW!
Historically, we’ve found that teams with an understanding of their client’s business processes as well as a solid technical footing perform the best.
This means a team that finds a large number of vulnerabilities, and thus has a higher number of scored findings, can actually be outclassed by a team that locates only a few vulnerabilities, provided those vulnerabilities have a defined business impact.
In other words, chaining technical and business process issues together often results in the findings that score the most points. In the context of DinoBank, this means that findings such as “the ATM will accept any PIN as valid” or “the notary service allows for remote code execution” are worth more points than “the domain admin password is easily derived based on information disclosed on Twitter.”
2018 vs. 2019
The 2019 event brought a number of new additions to the competition. For the first time, we expanded to an international footprint; we are excited to include a region in Dubai, which was hosted at RIT’s campus.
The winning team from RIT Dubai joined the other top 9 teams from around the United States in Rochester for the International CPTC finals on November 22-24.
Different Series of Events
Teams were given 2.5 hours to access the environment on Friday night. This time allowed them the opportunity to validate remediation on previous findings, set up scans, and prepare for overnight work on reporting.
After the participants completed their work on Saturday, we ended the finals with our first-ever DinoBanquet. This “client” dinner, which was held on Saturday night, permitted competitors to interact with sponsors, including myself and Meredith Kasper from Hurricane Labs!
The weekend’s event culminated with team presentations, an in-depth session with the competition organizers reviewing the work involved in environment creation, and the awards presentation on Sunday.
Congratulations and Thank You’s