Australia's infosec students prepare for cyber battle

Around 250 of Australia's information security university students will soon battle it out for the chance to win entry into three of the world's biggest information security conferences, alongside the prestige associated with taking out Australia's fourth annual Cyber Security Challenge.

The challenge's sponsors have upped their game this year, offering - among other things - flights for the winning team to the upcoming Kiwicon, Defcon and Ruxcon infosec conferences.

The national cyber security event is run out of the Department of Prime Minister and Cabinet with the help of the Australian Signals Directorate and sponsors, which this year include Telstra, CBA, PwC, HackLabs and Facebook.

The main objective of the challenge is to uncover Australia's top information security talent and get students excited about a career in information security. 

The challenge has grown each year it has run, from 40 students in 2012 to around 250 expected this year.

On September 30, up to 60 teams of students from the country's universities and TAFEs will compete over 24 hours to solve a series of challenges and problem-solving tests.

In the 'capture the flag' competition, players work to solve puzzles to win a 'flag'. The flag is then submitted to the game's judges to earn points, and the team with the highest number of points wins.

While teams will be asked to demonstrate the ability to break into networks, systems and web applications; perform forensic and network traffic analysis; and prove cryptography, programming and password cracking skills, it's not only technical skills that will earn teams points. The challenge's judges consider soft skills just as important.

Students will need to provide written explanations - for a non-technical audience - of the steps they took to capture a flag. It's intended to show students what a career in cyber security within a business will look like.

Each year teams are given a main challenge and a series of linked and extra tasks to test their infosec skills.

The main challenge

This year, students will be working on the fictional Enterprise Cloud Wellness Initiative (ECWI).

The scenario: a number of influential CEOs watched several movies on hacking and mistook them for documentaries, deciding they needed to establish a new initiative that would advise and assist enterprises suffering from infosec problems.

But the ECWI was unlikely to be successul because, according to a third-party review, its decision to give staff job titles like 'Innovation Sherpa' and 'Chief Visionary Officer' meant no-one really understood what anyone else was doing.

The institute therefore needs help, and contracts a team (the students) to provide technical skills and assistance.

The students will be tasked with thoroughly assessing the enterprise's systems by pentesting its web-based intranet and corporate network, undertaking forensic analysis of potential malicious network and system activity, and analysing network traffic for real-time threats.

Players will need to be familiar with tools such as Kali Linux 1.1, Metasploit, SQL map, Wireshark, Dubugger, Burp Suite and Volatility, among others. Players will use OpenVPN to connect their system to their team’s sandboxed network.

The prizes

The winning team will be awarded four flights to Defcon 2016, Ruxcon 2015 and Kiwicon 2015, as well as four Samsung Gear VR with Oculus headsets and four Samsung Galaxy S6 phones.

The second placed team will get four flights each to Ruxcon and Kiwicon, as well as four Cisco Meraki MX64 network security appliances, and the choice of four phones or tablets.

The runners-up will receive four flights each to Ruxcon and Kiwicon, as well as the choice of four phones or tablets.

A number of other individual and lucky-door prizes are also on offer.

The challenge is open to full-time Australian university undergraduates and undergraduate-equivalent TAFE students. Each university/TAFE can register up to four teams, and the deadline for entry is Friday September 4.

Past winners have gone on to careers with the challenge's sponsors - HackLabs employee Petr Novak won in 2013, and PwC cyber security manager John Cramb took out the challenge last year.

"It's an intellectual challenge that allows you to see how good you are and how you stack up against your friends and other universities," Novak told iTnews.

Its HackLabs' first year of being involved commercially with the awards, partly motivated by self-interest - the security firm is hoping to be able to make some new recruits.

"There's a lot of talent in Australia but it's untapped," Novak said.

"There should also be more, [infosec] should be encouraged. It's a very interesting field and not very many people are trained in it. That's why we're all so interested in the challenge, it gives people a motivation to get into security."