
Hacking Young Minds: How to get Students interested in Infosec

BSides Charleston · 2016 · 59:54 · 246 views · Published 2016-11
Category: Community
Style: Talk
About this talk
Title: "Hacking Young Minds: How to get Students interested in Infosec"
Speaker: Bryan Rhodes (@rho_io)
After graduating from Clemson University with a degree in Computer Science, Bryan Rhodes has spent more than a decade securing networks for the Department of Defense. He's currently a penetration tester and Red Team operator with a passion for anything InfoSec. Bryan is also Red Team co-lead of the Palmetto Cyber Defense Competition and always enjoys a good CTF!
Transcript [en]

Hi, I'm Bryan Rhodes, and I'll talk to you today about getting kids and students interested in infosec. This also goes towards people that are kind of in the industry or have done computer work in the past and want to break into the computer security field, so it's kind of good for everybody. I am Bryan Rhodes again, and I'll probably cover that again on the next slide as well. So I'm going to talk about infosec careers: what they are in general and how to get into them, how you can go from a student level where you're just beginning to gain more experience, what you can do as far as CTFs, and how CTFs can

help you build those skills, and then I'm going to end with some cyber defense competitions that are both at the high school and college level, and the Palmetto Cyber Defense Competition that we host locally here in Charleston. I am a red team operator and pen tester in my day job. I've also been part of the PCDC Gold Team and Red Team, so I've helped build the network as well as tear it down. I've also participated in the southeast regional and national CCDC competitions and was part of the team that won BSides Charleston here last year for the CTF. My co-presenter will be Tilson Galloway, and his team actually just won the 2016 CTF.

So what is infosec? It's this giant conglomeration of all these different diverse fields of expertise, right? So you have system administrators, you have forensic people, you have network analysts, you have legal people, you have policy people. It's kind of everything, right? So how do you go from no experience into learning about these jobs? Hacks4Pancakes put out a great megamix article about how to get started in infosec. She breaks down blue team and red team, or defensive and offensive, job descriptions and what skills you need to be successful in each of those. As you can see here, it's pretty much the spectrum of technologies, right? For the offensive side of things you have the stuff that I do, which is penetration

testing. You also have physical penetration testers, and those are people that actually try to, like, jump the fence or, you know, pick locks and stuff like that to get into buildings; vulnerability researchers; exploit development, people that need a lot of reverse engineering skills. Bug bounties have become popular as they've been better funded over the last couple of years. And a lot of these blue team jobs are ones that have been around for decades, just maybe under different names, right? So sometimes, you know, a decade ago somebody that was a system administrator was responsible for all of these positions to some degree or another. So now they've become slightly more specialized, but the tools and techniques that they use

are all pretty much the same, right? So how do you break into infosec? You have to start somewhere, and then you're in infosec before you know what you've done; you're kind of already there. But you have to start somewhere and build some very basic skills and experience, because even as a penetration tester you first have to know how to administer systems, right? Like, once I'm able to get onto a box, I have to know what to do when I get there. So how do we gain these skills? There's traditional methods like classrooms and conferences, like we're at now, which are great, but a lot of the stuff that you'll be doing you have to learn on your own, and

for that there's the internet. It's not just for porn and Facebook anymore. So there's a wealth of information out there for all of these different jobs and skill sets; you just have to know where to find the resources to use them. So if you're a high schooler looking to learn these new skills, the best option is to practice, practice, practice, practice, right? Practice makes perfect. There's a whole number about 10,000 hours makes you an expert in something, but you can also do the same thing for 10,000 hours and never get any better at it, because you're never challenging yourself to improve, right? So the best thing you can do is find something that's engaging and

entertaining, usually, to keep you on the right path, and something challenging to make it harder so that you're continuously learning new things. So you can do this in a couple of different ways. You can build a lab at home. You can do social engagement, such as finding your favorite people on Twitter and following them. There's some great information about new exploits or new forensic techniques or new threat actors that people are constantly releasing into their Twitter feeds and then generating blog posts and publishing reports, so it's very important to stay up to date with the latest techniques and stuff like that. Other options are conferences. Obviously I'm speaking to the choir here since you're all at a BSides conference, but

they're great ways to interact with other people in your field and meet new colleagues and meet new friends and perhaps find a mentor, right? If you can find somebody that is doing interesting work in your field, follow their work and do some of your own, and maybe see if they can help you as well. Once you become more knowledgeable in that field, you're in a position to take other new people under your wing to help them as they're learning, right? So let's talk about this deliberate practice. The first thing you want to do is set very clear goals for yourself. What are you trying to accomplish? You can say I want to be a

great pen tester or I want to be a great forensics guy, but that's very generic and very general. So you need to set clear goals for yourself and break it down into sub-skills, such as: I want to know how to do memory analysis, I want to be able to recover files from a file system, I want to know about the specific policies or techniques to ensure that I'm getting clean images of a recovered drive, right? Pretty much everything can be broken down into smaller and smaller pieces that are a lot easier to master individually than trying to accomplish a generic goal as a whole. It's very important to track your progress to see where you're going and what

you're... both what you have done and what you have left to do, right? And feedback loops, to make sure that you're on the right track, to make sure you're doing the correct things. And accountability is where other people hold you accountable for the work that you are doing, so maybe you come and present at a BSides conference and, you know, let people mock you. So Codecademy and Codewars are good examples of deliberate practice. You can say I want to become a better Python programmer; it's a very generic topic, right? So how do you do that? You go to somewhere like Codecademy, and it has step-by-step lessons that teach you how to do Python programming.

This helps build sub-skills such as mastery of, you know, sockets, reading and writing files, manipulating data and structures. It lets you track progress to see what you have done and what you have left to do. Then you start getting into feedback loops with websites like Codewars, where they present challenges to you, and then you complete the challenge and you get to see how other programmers tackle the same problems. So you get to compare your code to theirs, and your solution gets posted online as well so other people can comment on your code. So this forces you into a habit of both learning new skills and reinforcing the skills as you're learning them.

For building a lab, this is kind of an old image from a Rapid7 document, but it kind of speaks to the point that I want to get at: it's very easy to build labs these days. There's equipment that you can get that's very cheap, or you can do pretty much everything virtually these days. This is just one example. This is more of a penetration test example, because it has Metasploitable, which is a vulnerable VM, has a LAMP stack, which is a Linux server running various servers and applications, has an old version of Windows XP, has an old version of Windows 2003 Server, and a couple of versions of Linux. Again, this is kind of for penetration

testing, but it could be expanded to do anything you want. So you can download Windows VMs from modern.IE that allow you 30 days or 60 days of a Windows 7 box with a specific version of Internet Explorer for testing things out on. There's a lot of versions of TurnKey Linux, which is a Linux distribution with specific servers that are enabled by default, so if you want to, you can grab a web server distribution that already has MySQL and PHP admin and stuff like that on there, or you can get like an ELK stack or a couple of other things. For firewalls and networking, there's open source stuff like pfSense, or free stuff like pfSense, that you can practice

your firewall too, and monitor your traffic with Snort or Suricata or a lot of programs like that. It's very easy, easy enough that you can set it up at home and monitor your own traffic as it's going out to the Internet, and then you can generate traffic to see how it looks on the wire. If you're interested in web application stuff, there's a project from OWASP called WebGoat. It's built as a web penetration testing VM, but there is also a developer version that allows you to go in and fix the vulnerabilities as you find them, so you have both the knowledge of how to break it and the knowledge of how to patch it,

so it's a little bit of both. As I mentioned, there's also cheap hardware. You can go to Goodwill and pick up, you know, an old 2900 Cisco router and learn to play on IOS, right? Or there's wireless APs, if you want to get into wireless technologies, for twenty bucks, thirty bucks. So the barrier to entry into infosec has really dropped in recent years. So once we start to have these skills, how do we reinforce them more and build upon them? It's by challenging ourselves, particularly with capture the flag competitions. There are several types, and we'll kind of go through these a little bit more in detail. Jeopardy is broken out into categories and point values; it's what

you see a lot of times for online CTFs. There are king of the hill competitions, like we had here at BSides Charleston, where you attack a box and you try to maintain control of that while other teams attack the box as well. There are attack and defend CTFs, kind of like DEF CON, where you are attacking other teams and defending your services from other teams. Those tend to be, at least DEF CON is, very binary and reverse engineering specific, because you're trying to watch for other people's exploits as they attack your services while you're reverse engineering your services to develop exploits to attack their servers with. Boot-to-root is normally a VM or a CD

that's given out that you can put in, with specific flags or vulnerable services on that disk. They did this at SkyDogCon this year, and I believe last year, where they just give everybody a disk. It avoids a lot of the network congestion problems with some of the other CTFs. You'll find a lot of these on VulnHub, which I'll mention again in a minute. And finally there's cyber defense competitions, where you act as a defender or a protector of the network and you're trying to harden your system as opposed to trying to exploit other ones. There's also hybrids of these. Like, SANS NetWars starts out, has five levels, and the first two levels are a boot-to-root; they

give you a CD with challenge questions and kind of Jeopardy-style challenges, and then levels three and four of that are kind of an attack and defend or a king of the hill, where you're actually trying to exploit other servers on the network, and then level five is an attack and defend scenario where you're trying to protect your castle against attackers while you're trying to attack their servers. So, lots of different varieties of these. This is a quick example of Jeopardy. You can see how there are lots of different disciplines and areas. Each one is a little different, but they normally have some similar main topics like web exploitation, reversing, and crypto challenges. This

goes back to the disciplines needed for infosec, right? So each of these speaks specifically to different jobs and different skill sets, and it also helps students identify what their passions are, right? You might be very interested in doing web stuff, or you might be very interested in doing network stuff or forensic challenges, and doing the CTFs helps you identify the things you really like to do and gives you a little bit more focus as to what career opportunities you might want later. Facebook just released a framework for doing CTF challenges. This is basically the same thing as that last slide, except much fancier. This is also a Jeopardy-style challenge, just broken up into more of a Risk

format, where they have countries instead of categories. There's a couple of other frameworks that have been set up so that you can actually build your own CTF and host it yourself.

That was... no, not really. That was the intention of it: they provide the framework and you provide the challenges and fill it in, so you can run your own CTF. This is kind of an old slide, but it still holds true. A lot of the tools that are used in these CTF challenges are the same tools that are being used by people in the industry today, right? You still have networking people using Wireshark and tcpdump and nmap and telnet. You still have reverse engineers using IDA Pro and GDB and radare. Same for forensics, crypto tools. Not as much steganography in the real world as in CTF challenges, but that's

still in there. So by doing the CTFs, not only do you know more about the individual fields, but you become comfortable with the tools that you would then use working in these professions. There's a couple of really good starter capture the flag competitions. picoCTF and EasyCTF are designed for high school level challenges. They're also up year-round; there's a 2013 and a 2014 version of picoCTF, I believe, that's available now. MITRE STEM CTF just ended. It's an annual event, and it's also aimed at high schoolers, but it's open to anybody that wants to play. VulnHub is good for the boot-to-root challenges that I mentioned a couple of slides ago, where they have a vulnerable

VM that you can download, such as WebGoat, and I think the SkyDog boot-to-root con's CTF is also up there, and you've got to kind of go through and find flags and try to escalate on that image. Each year SANS also does a holiday hacking challenge that they put lots and lots of time and effort into. I believe this year it starts on December 9, and they also leave old versions up on the internet so you can continue to play them from their website. Finally, the link at the bottom, to CTFtime, is a website that tracks and monitors CTF events. There's a giant calendar. If you are super interested in CTFs, there's one happening every couple

of weekends in random parts of the world, and there's always something going on. Next we're going to focus on cyber defense competitions, right? So these are where you are protecting your network and your computers from attackers. CyberPatriot was created by the Air Force Association. On their website they give you training materials and practice images that are focused at a high school level, but they are very good foundational material for anybody that's interested in hardening boxes. So they have Windows and Linux hardening, they have some router documents on there, some policy documents on there. It's a great place to start for pretty much anybody interested in getting in infosec.

During the actual competition (I was able to see one yesterday, actually; I went out to one of the high schools that was going through their first round of the competition) they're given VMs to download, and at the time allowed to start they're given a key to unlock those VMs and unencrypt them. They were given one Windows 7 box and one Ubuntu workstation. They also had a Cisco Packet Tracer challenge where they had to build out a networking infrastructure and submit it for scoring. There was a networking quiz they had to complete that was, I think, 10 to 15 questions of network questions, multiple choice for the most part, a couple of fill in the blanks. And on the workstations they also had

forensic challenges. So they were given a scenario email that basically said: you are now the IT person for this company, we want you to harden these workstations. There were a couple of tasks included, such as adding user accounts, or they were given a list of authorized users that should have accounts on the system, and then the students were required to try to lock down those boxes. The nice thing about this is they got immediate feedback. So if it says Harry needs a user account and his username needs to be, you know, Harry, as soon as the kids go into the box and add Harry, it plays a little noise and it shows up that says, like, you added Harry's user account, you

get five points. Or if you find somebody in the user account list that is not on the authorized users from the email and you delete the user account, it plays another noise and gives you five more points. So the students know exactly what they're doing right or wrong as the scenario progresses. Beyond that it's somewhat open. It's scored out of 100 for each of the two boxes. Other than doing user accounts it's fairly generic, other than it says things like there should be no unauthorized software or media on the machines. So then the kids have to go look through and find out that user Bob downloaded some MP3s, and you delete the MP3s out of Bob's

folder and you get more points for that. And then they have to do policy enforcement and things like that in order to continuously lock down the boxes until you get 100 points. So there's a couple of rounds of this, and then it goes into, like, three tiers, like Silver, Gold and Platinum, I guess, and students work their way up. This is also available for middle school students now, I believe, so getting kids started at a very early age, right? For the college level, there is the Collegiate Cyber Defense Competition, or CCDC, where students are given a small business scenario and there are active red teams on the system attacking them while they are trying to defend the

network. There are automated scoring engines, but unlike the ones for CyberPatriot that are on the host, these are external and are polling their services and checking them at specific intervals to make sure that they're still up and running. There is usually simulated network traffic on the competition network. Sometimes you even have what's known as an orange team that actually plays user roles, that goes and tries to buy things off the website or sends email using the email server in the competition network, to verify that things are still functioning as they should in case the scoring server isn't intelligent enough to detect certain misconfigurations. The volunteer red team is made up of people from industry or from academia

that will provide external threat, to give the kids a little bit of a challenge, keep it interesting for them. So the students have to maintain availability of services. So if you have a commercial web server where you're selling a product, you have to try to keep that online. Sometimes you have a database or a mail server or Active Directory server that are constantly being polled to make sure that they're still up and running. The students were also given business injects. It depends per competition, but usually these are like every hour, so they'll be given certain challenges to do that are supposed to fit whatever business scenario they're currently playing out. It depends on where you are,

but some of these can be more policy related or more hardening related, or they can be more technically challenging. For example, I've seen in the past where students were expected to, like, write a disaster recovery policy, which they may or may not just copy from somewhere off the internet and submit, or they could be given something like: here's a new firewall, I want you to evaluate it and tell me if it's good or bad. I've also seen ones where it was much more IT focused, like I want you to add a printer, or I want you to add a specific user or remove a user from the network. Students are also expected to detect and

respond to outside threats. So you have these red team guys that are attacking the network, and the students have to figure out where they're coming from and how to lock down their services enough to prevent attacks. They get bonus points for writing reports for successful detection, like an incident responder would. So if you saw an attack come from a specific IP address using a certain method to get in ("hey, I found a web shell on the web server, I think they used a SQL injection in this form to get in, it's been patched"), then the students get bonus points for submitting reports like that. The goal of this is to balance security needs against business needs. This is a

little bit different than the other CTFs that are strictly challenge focused. This is supposed to help prepare them for real-world scenarios as well as get them to a point where they can talk intelligently and professionally about the security of their network, right? So a lot of times you will have someone acting as a CTO or a CEO that will come in and talk to the students and ask them how they're doing and get updates from them. It's broken up into ten regions. Each region does it slightly differently, which can be a bit of a challenge when you go to a national competition, because maybe one region's red team isn't as strong as another region's

red team, or the injects of one region are different from the injects of another region. So they all do things a little bit differently, but that could still keep things interesting. The last two years have been won by University of Central Florida from the southeast region, so congratulations to them. Usually at a CCDC you also have a lot of job offers for the students that are winning these competitions, so it makes for a great resume builder to say that you have participated in these types of events, and also an opportunity to get internships or to get jobs once they graduate. Here's a quick slide just showing you the registration schedule. It's coming up

for Southeast, so if you're involved, and if you have students that are in the colleges, or if you know somebody that's interested, this is the website to go and register. Speaking more locally, we do one here called the Palmetto Cyber Defense Competition. We've been doing it for a couple of years now, and it's based off of the CCDC model. CCDC is a two-day competition where it's the same team over a weekend, usually. We do it a little differently. We have a three-day competition, but one day is for high school students, one day is for college students, and one team is for pro teams that work in the industry. We've also had some military teams come in to

also compete on that day as well. Student teams, in the same fashion, are responsible for a small business while they are being attacked by a red team, and teams are scored for maintaining access while responding to these threats, so in that case it's very similar. The Palmetto Digital Forensic Competition was a new addition last year, where we had one of SPAWAR's forensics guys come out and do a kind of Jeopardy-style challenge specific to forensics. So there were some data recovery challenges, some malware analysis, some network pcap traffic analysis to get flags that you could then submit for points. This happens at the same time as PCDC, so anybody that's not actually competing in

the PCDC event can show up and try their hand at this. There has been some criticism of the cyber defense competitions by people that prefer the other types of CTFs. Some say it's not real with regard to some of the business injects, some of the challenges, some of the reporting requirements, and some of the red team attacks that are set up. A lot of times in some of the other competitions they'll have very old workstations or servers that haven't been patched in many, many years, and people say that's unrealistic, until you actually work in the industry and you see that people still have that one XP box running that one service that they're not allowed to patch

because that would break the custom applications that they have installed on there. Some people complain about the lack of offense by the students. They either want the students to be able to hack the red team back or to attack the other students. Obviously, from a running-the-competition standpoint, lots of things could potentially go wrong, so for the sake of this we don't allow the students to do that. It also gets into a very gray area with regard to legal stuff, of businesses in the real world doing active countermeasures against people that are attacking them, so we try not to encourage that. We also try not to teach the students anything that they would then go back to their schools and

attack their schools with, because we've been questioned about that in the past, where they said, hey, somebody got in the grading system, is this something that they learned at PCDC? And we said absolutely not, we would never do that. There's a question about the hosts being previously compromised. Again, this is one of the things for CCDC that is a little different by region. Some regions pre-install malware on the hosts, others do not, so at the beginning of the competition it becomes a race against the students to see who can get access to the boxes first, whereas other ones install backdoors, install keyloggers, install malware that will beacon, they plant devices inside of the network so

then gain access later. Some people complain about this and say it's not very fair. Other people that have worked in incident response, that are coming into an unknown network, say it's very common that you don't know what the last sysadmin did or how secure he made the network, or maybe he made backdoors for himself so that he could, you know, connect from home so that he didn't have to come into work one day. There are some complaints about the boring injects, such as the policy paper drills. A lot of IT stuff the kids don't really like to do; sometimes they're repetitive. At PCDC we have tried to adjust our injects so they are a little

more technical, to put the kids in a little bit more of an incident responder role and kind of give them similar forensics challenges as the ones that they're seeing in these other CTF competitions, to help keep things a little bit interesting. OK, with scoring: with normal CTFs you do a challenge, you get a flag, you submit the flag, and you get to watch your score go up, so you get immediate feedback about what you're doing right or what you're doing wrong. With CCDC and PCDC you don't get to see that. There is a scoreboard, but it shows teams ranked without scores, because a lot of different things go into that score, as

opposed to these normal CTFs where it's binary: you either get it right or you get it wrong. With this it's some combination of your service uptime combined with the points that you're getting for incident response reports and the reports that you do as part of injects, or the challenges you get as part of injects. So it's a little bit more complicated when it comes down to this. All right, so let's talk a little bit more about the teams for PCDC and CCDC. So you have your white team down in front. Those are your judges. Those are the people that will score and decide, read the reports, and give points back to the teams.

You have your Gold team in the back. Those are the people that are building and designing this lab network, which sometimes takes months to do; a lot goes into building these networks and these challenges. The Black team is usually the same people as the Gold team, but not always. These are the people that maintain the network during the competition, so a lot of good network folks are part of the Black team to make sure everything runs smoothly the day, or days, of. On the far right you have your blue team. Those are your students that are there to defend your team. They're also the mentors that go out to the schools to help educate the kids on the competition.

SPAWAR has mentors for both CyberPatriot that go out to the schools and volunteer, as well as the high school for PCDC, to go out and help train them on some of these defensive tools and defensive techniques to prepare them for this competition. In the back we have the red team. Those are the attackers. These are the ones that will hopefully keep things interesting for the students by providing a little adversarial action and a little network traffic for them to help detect and respond to. Pink team: there really is no pink team, but we're going to call these, like, red team lite, so its favor we have some

people that don't get to red team during their normal day job, but they like the idea of it, and they are kind of like red teamers in training, so we're gonna call those guys red team lite. This might be, like, the one day or the one weekend out of the year where they get to come and participate in this stuff, right? Not pictured is the orange team, who is the users, because apparently he didn't show up in the Power Rangers very often, as I found out the Google's cartridge exactly. So this is kind of the breakdown of the different teams, but by the end of the day the students kind of feel like

it was just, like, the judges and red team against them for the entire day. So this is the end-of-day scenario, right? So how do we overcome that? How do we overcome all those red team guys, right? Some very simple practices can help the team be victorious. Number one: keep calm and change your password. A lot of the time red teams are not using secret tools or zero-day exploits to gain access to your network. They found your admin login that's still set to admin/admin for the password, right? This is how it is in the real world too. For the most part it's a lot of default credentials. If you look at all

the Internet of Things botnet denial of service attacks, those botnets just scan the network for devices with default credentials; that's how they got access into those devices. So this is part of what we as the mentors teach the students and try to get the students to do. This is also what SANS lists as critical security controls for all businesses to do, right? These are things everyone should be doing to ensure the safety of their network. They should be taking a hardware and software inventory. You should know what's on your network. You should know if maybe there's a Raspberry Pi that somebody taped under your table, right, that's beaconing out to the world. Maybe it's just a DNS server that

somebody locked in a closet and completely forgot about for years and years and years, all right? Secure configurations: going back to default credentials, the FTP server. Does your FTP server allow anonymous access? Does it allow read access outside of directories that you intended? Admin privileges: who has admin rights? Does everybody on the network, or is it only specific users? Defenses, host-based and network-based; application whitelisting and firewall privileges. These are things that we have worked to get into our PCDC competition to give the students some control of their boundary defenses. You're also seeing this in a lot of the CCDC competitions as well, and they are starting to get into the CyberPatriot competitions with the

Cisco Packet Tracer stuff also at the end you start getting into data recovery making sure you have backups what happens if the red team wipes your database at the end of the day what happens if you're running an e-commerce server and suddenly you no longer have track of any of your sales or your inventory or your customers right so that speaks specifically to the business needs of these competitions a couple other things in there incident response trying to detect people doing bad stuff on your network trying to block it all of these things are obviously important they have to be prioritized by the team and they have to be learned by the team muaks is an individual that has played a

large part in both regional CCDC competitions and national CCDC competitions I got to be on his team this year at Nationals he has actually created a document How to Win CCDC where he goes in depth as to what teams should be doing to win these competitions specifically with team roles so if you have you should know who is the leader and who is responsible for reporting and talking to those CEOs or CTOs you should know who is going to be your Linux guy who's gonna be your Windows guy who's gonna be your networking guy your forensics guy or lady and to know who to talk to if it's something happens right if you get an inject to go

do something on the Linux box you need to know who to give it to or who is available as the leader they can accomplish that quickly create playbooks this is the same thing in real-world scenarios in real-world businesses if something happens you need to know how to respond to it you need to have a solid list of people to contact when certain things happen you need to know like what to do in specific scenarios like how to how to recover your database if it should go down right you need password sheets this is somewhat competition specific obviously all the teams should change their passwords so they they're not allowed to bring electronic media in but they are allowed

to bring a binder with written notes so a lot of times he suggests printing out a list of password sheets that you can rotate throughout the day cheat sheets for specific commands and networking to move through quickly and and make changes or specific websites that you know you need to go download software from you also need to know what services and users are supposed to be on that network is that FTP server on your network was that added by you or was that added by the red team to exfiltrate files from your network right so that's one of the things you have to know is that SSH server was that there before I got there

does it say in the notes that needs to be running on this system are all questions the students kind of have to ask themselves is that wheel user was he there before is that part of the Linux system right in the end it's it's really about having fun and learning so this is one example of a blog that we stood up on one of the team's servers for them just to let them know that we cared about them and to see if they were watching to notice that their Active Directory box now was running web services we also this was part of last year's scenario where they had delivery trucks we thoughtfully changed to pop tart debt

named cat there to try to you know add a little levity we know there's a lot of stress for all the student teams so we try to supply them with solid memes throughout the day to kind of keep them moving and keep them entertained we also installed keystroke loggers a to make sure that we knew how to get back into the system but also to kind of keep track on the students and make sure that we could give them advice afterwards so you can kind of see the bottom they want to know how to get rid of the red team and that's something that the red team gets to go after the competition to speak

with each of the teams and provide feedback so we if we are on the box and monitoring what they are doing that allows us to provide better feedback to the teams if we're locked out from the start of the competition and we don't see anything that the teams do they say oh like you know did I did I do well did I you know you know was that successful did I didn't detecting your events and all you can say is you did a great job locking down the firewall but that's all we saw right sometimes you are monitoring the box as they're running search queries and you can watch what defensive actions they're trying to do to remove you from the

network all right and that's something you could provide the students like hey I saw you trying to remove me here but I had persistence mechanisms that would add it back later right so you have to look for those backup services just a few slides one year we also replaced the boot loader on the laptops with Nyan Cat that was a big hit with all the kids in the end I think for the most part they can they learn a lot during the process it is kind of a stressful day but every time we do this competition we have kind of an outbrief with the students and they give presentations and talk about all the things they liked and

didn't like and the things they learned during the competition what's very critical is motivation critical thinking and self-study this is true for CTFs as it is true in life these skills that they are learning also roll into those careers so as these students are doing these competitions whether it's CTFs or the cyber defense challenges these are things that they can talk to future employers about and have something to show for it right so you can say you know hey I worked at a fast-food restaurant you know all summer or you can say like hey I did fast food restaurants all summer but I also learned how to do pfSense firewalls and I learned web exploitation and web development and I

did this competition and it's much more impressive as an employer to see that someone is willing to go that extra distance to learn new things especially in this field right so next up I have a couple resources these are just general practice CTFs there are hundreds of them out on the internet the first one I'll show you in one second but they're all a little bit different the CTFtime is just a giant list some of them like FLARE-On are kind of reverse engineering challenges some are more Linux operating system based some are web-based but they're all a little bit different that first link actually goes to this website so all of these are individual VMs or individual

websites for specific technologies so there's specific there's reverse engineering ones there is web ones there's networking labs there's online websites there's mobile applications for pretty much anything that you want to start practicing all right

so so any questions no all right so next up real quick we're gonna have Tilson Galloway yes come up and he's one of the high school students that has competed in PCDC and can give you a little more feedback about what they're doing at his school so to start off a little bit about the Porter-Gaud cybersecurity team we were founded in 2015 to last school year by Max Harley who actually presented earlier today on shellcode in that room over there in our first year we were third place at the BSides Charleston CTF we got first place at the CarolinaCon CTF against profession we were the only high school team there and we placed first in

Raleigh North Carolina and then we also placed second at PCDC on the high school day so this year the team is made up of 11 students most of which have no prior experience with security and generally are just taking the standard computer science classes they range from freshmen to seniors and it's actually really interesting how a lot of the time in the security team it's actually the freshmen not the seniors and the juniors who are the most motivated and therefore do the best in the club so we compete in CyberPatriot various CTFs throughout the year and then PCDC to end our year which Bryan did a great job of talking about

so this was most this was mostly all covered but CyberPatriot gives Windows Windows Server and Ubuntu images and it tries to gamify something that's really not so fun to high schoolers securing and hardening machines and makes it more fun by playing sounds and giving points based on changing passwords and setting up local security policy so it makes people feel like that so at PCDC I'll just skip over the first two since Bryan covered it but what students tend to find really fun about PCDC is just the the feeling of being being attacked by the red team all day and just seeing like thinking everything's going fine and then just

seeing Nyan Cats or Minecraft servers popping up on your web on your website and then also what was fun in past years at PCDC is there would be social engineering there wasn't much of this last year but from what I've heard there would be the red team like coming in with crayon-made badges and just bring it in a camera on just filming the password sheets and what was happening on every computer so I found this on Twitter a couple days ago and it brought me some flashbacks so by the end of the day at PCDC the red team won and not that it matters but this was our team so so another thing that I found when

running the cyber security team is that people find hacking really fun and that's really what motivates people to join the club so obviously that nick start training have to have a big emphasis on ethics you know knowing that you can probably go learn something and then go ten minutes later after our break go exploit that on the Porter-Gaud servers which we don't do and then CTFs also serve as a great hands-on learning experience because even if you don't know you'll end up spending enough time on the CTF problems where when you go read a write-up it'll all just make sense to you so um so on the twenty-eighth of January we're going to have a there's a completely

student-run CTF being run at Porter-Gaud it's being run by charles to your lack cameron hey Charles over there and myself and it's free for completely free for all high schoolers to compete it's going to be an all day event there will be prizes and lunch and it's all of its well it's open to all skill levels so you don't have to have gone and competed in PCDC are going you go do CTFs every weekend you can have no experience in security and we'll make sure to help you accomplish what you came to do that day yes that's open to so that's open to it's aimed at high schools in the Lowcountry but really any high schools are

like anywhere are welcome to come and compete in it maybe yeah I will have to if you can email me I'll talk to you after this so training is something that we take seriously but we also make sure to keep it fun like we don't just sit there and have a classroom environment all day and talk about networking and TCP/IP all day so we meet every Saturday and we cover ethics obviously Windows security Active Directory networking and then Red Team basics and penetration testing and we generally do penetration testing second semester and just to ensure that everyone is aware of the moral implications of using the things that you learn and at the end of the

year this year we're going to all get Security+ certified so all of the knowledge you learned so you have something written for all of the knowledge that you hopefully learned throughout the year so in the future obviously after we run the CTF we'd like to make it an annual event that possibly we get sponsors from and then we'd like to start competing in more high-level CTFs that aren't necessarily aimed at high schoolers and then next year hopefully we're going to have a cyber security class at school and so I got [Applause]

a lot of them are internationally and rock what's distributed that you fit so a lot of CTFs are held internationally they open it up during a weekend and allow anybody to sign up and compete for the most part it really depends on each individual CTF competition like a lot of them especially the high school and college ones are set up to award prizes to those teams but often allow other teams to register in a non-competition capacity so they can still get flags they just won't get into the prize monies or rewards that they go to the schools thanks any other questions yes this goalkeeper thought about maybe t1

so the problem with so the question was asking if each team should have its own separate environment which is 1 through 16 wonders Yeah right so that would be great if we didn't have one day to attack these networks right it's a very it's a limitation of the gold team's time because then they would have to build out different scenarios for each team and it's a lot harder for the red team that has to basically do a penetration test on 8 networks as opposed to one network that you can then share right so it's kind of a time constraint when you're doing these types of competitions

so there are competitions like that it's just not the focus of like PCDC and CCDC again there are some ethical constraints when you're talking about teaching kids to attack networks that have to be taken into consideration but like these guys if they want to stand up their own private lab server or network and attack each other to learn different techniques and then defend against them which is one of the best ways to do it there's plenty of resources on the internet and for VMs like that Thanks and that's also in private labs like that are something that known SC which is a non-profit for cyber security in high schools and colleges out of Charleston is working to create more of

all right thanks guys