Computer science students recently competed in a high-tech version of the classic playground game Capture the Flag – an exercise designed to help prepare them for careers in cybersecurity.
“Cyberwar, like an ethical hacking contest, is one of the most highly respected and effective educational practices to assess the learning outcomes of a cybersecurity educational program,” said Xiang Fu, associate professor of computer science at the Fred DeMatteis School of Engineering and Applied Science. “Of course, the contest itself is also challenging and a lot of fun for students and we plan to make it an annual event.”
The competition was held in the school’s Big Data Lab near the end of the fall 2016 semester. Students were each assigned a server and instructed to ethically attack their adversaries’ servers by applying the principles and skills they learned in their Secure System and Ethical Hacking classes. A total of 24 students participated.
At the start of the competition, students were told to survey and assess vulnerabilities in the source code of a set of web applications that were installed on a dedicated virtual server, patch them, and reconfigure the hosting operating system so that the service would run reliably. Most students chose to carry out their attacks using techniques such as command injection, cookie replay, and denial of service, or by using a modern exploit tool called Metasploit. Student performance was evaluated by a grading server, which sent periodic heartbeat messages to measure the running state of each server.
Undergraduate student Mazharul Onim and graduate students Michael Cheng and Nicholas Kumia were the overall winners, while undergraduate Zachary Vampola received the Creative Hacker Award.
“We always learn through experience whether it’s through our work or the work of another. The Capture the Flag Competition provided an opportunity to gain from both,” Kumia said. “This has broadened my understanding of what’s possible and more importantly, what needs to be done to get to the next level. Being able to apply this knowledge in a real-time, hands-on challenge granted me lessons that will carry me forward in my cyber-security career.”
Cheng also said he got a lot out of the experience. “The difficulty of the competition far exceeded that of a weekend project or paper,” he said. “Many questions and difficulties arose due to the multi-disciplined nature of cyber security. Everyone in the competition faced a different set of problems because of their unique background. By researching and asking questions of the problems that I had, I have been able to not only learn what I myself lacked in understanding, but develop my own problem-solving methodology that can be taken out of class and used in my future career.”