CPTC is unique among other security competitions in that it focuses on both technical and business skills. Teams that do well not only excel technically, but they are able to be effective consultants.
In this case, they were able to help their client, DinoBank, understand the issues in their environment and ultimately collaborate to fix them. Teams that approach this event like any other hacking competition or CTF won’t do as well as they might hope. To be successful, teams must display solid professional communication skills.
Throughout the event, we–the other CPTC organizers and I–interacted with the students as though we were actual employees at the organization, performing the before-mentioned roles. Students are given an RFP and scope as if they were bidding for the pentest contract, and they are then asked to communicate with their new client in a professional manner via email.
While constructing and maintaining these characters significantly increases the overhead for my team of email-responders during the event (college students can write a ton of email), we feel that this approach most accurately represents the experience that students will encounter when they enter the workforce.
Additionally, throughout the day, teams will be given a number of requests. These could be in the form of in-person questions, requests to give a presentation to a group of management, or a quick email. All of these interactions are scored and make up part of the team’s overall performance in the event.
Adventures in Ethics
One of the professional challenges of pentesting involves the application of ethics. Some pentesters believe they are above the law and can take any actions necessary to be successful. This not only isn’t in the best interest of the client, but it can also result in a negative portrayal for the entire industry.
App and Process Validation
Additionally, pentesters are tasked with validating the security of critical business processes or applications prior to these becoming available for customers or after a security incident. There can be immense business pressure to produce a result that does not jeopardize a release date–but this pressure should never compromise the pentest team’s ability to deliver an honest and accurate assessment. Furthermore, clients may encourage pentesters to minimize the severity of an issue or even remove it entirely from a report.
In the CPTC event, we attempt to expose students to these ethical dilemmas so they will be aware of their existence and be better prepared to handle them professionally when they occur. We understand there’s sometimes a gray area when faced with these types of issues, while other times there are lines that cannot be crossed.
A Lesson in Flexibility
When evaluating team responses, we rely on our professional experiences to assess how reasonably a team handled each issue. This allows for some degree of flexibility, and it encourages the understanding that these types of situations don’t have just one correct (or even a best) answer.
Some of these ethical challenges are planned parts of the event, whereas others come up organically as the competition progresses. One completely unplanned issue that came up this year involved the mishandling of client information by a number of teams.
In the next post in this series, we’ll explore this issue in more detail.