It’s 3am. A company you’ve been engaged by is concerned of an imminent hack attack. You’ve got 9 hours to find its vulnerabilities and and explain them to the CEO in layman's terms.
The company is a security vendor called Synergistic Cloud Computing. It fears the popularity of its Very Secure Transfer Protocol product will attract hackers to either attempt to steal intellectual property or deface its public systems.
This is a fictional situation, but for 24 hours, it is very real for 43 university and TAFE teams of four students.
Telstra’s second annual Cyber Security Challenge wrapped up at lunchtime today, with teams from the University of NSW taking out the first three places. The university also had the winning team in last year's competition.
The day-long Cyber Security Challenge was initiated by the Department of Prime Minister and Cabinet. It brings together the Defence Signals Directorate (DSD), CERT Australia and Telstra staff in one main hub in Telstra’s experience centre in Sydney, to test the abilities of the next generation of Australian security professionals.
Telstra and DSD approach the activity as a recruitment drive.
Telstra’s newly appointed chief information security officer (CISO) Mike Burgess, the former long-running cyber security deputy director of the DSD, said the telco hadn’t picked up any new employees as a result of the competition last year, but given the Telstra’s recent inking of a billion-dollar contract with Defence, would now take on as many suitable infosec recruits as could be found.
"We’re trying to encourage bright young minds to take up a career in cyber security. DSD, CERT Australia and Telstra would love to recruit [such people], especially the good ones, because there’s a big market for that, and these skills are in short supply," he said.
"It’s really about raising awareness on the issue and encouraging people to take up the career, and ultimately we’d like to hire them.”
DSD employed most of last year’s winning team as work experience staff last summer, and expected the students to apply and gain jobs with the agency upon graduation, Burgess said.
Challenge participants are required to undergo a range of security consultancy functions including penetration tests on a web application and network, analysing the company’s product source code and checking for vulnerabilities.
This year's 24-hour challenge began at noon yesterday at Telstra's Sydney hub, and involved four DSD staff, two CERT Australia workers and 10 Telstra employees.
DSD built the game's infrastructure, which is hosted by Telstra. The uni students connect via VPN to have a crack on the purpose-built virtual machines.
Telstra will take the winning team to the July Black Hat conference in Las Vegas. Second and third place teams will be offered a choice of the latest smartphones and tablets.
Burgess said this year’s competition was a lot harder than last year’s, and DSD had been constantly surprised by the ability of some teams to get the answer sooner than expected.
“The winning team will truly be good at this business. The range of tests and the complexity of tasks, the source code - it’s going to be hard to find the vulnerabilities,” he said.
Telstra's cybersecurity needs
Across the entire company, Telstra has around 200 people dedicated to security, both of its own networks and that of its customers. It runs a security operations centre out of Canberra, and also has security capabilities in its Melbourne-based global operations centre.
Burgess said Telstra fends off between 50 and 100 attacks each day.
“We get a whole range of activities coming from individuals, criminals, protest groups, up to high-end espionage. Most are pretty easy to bat off, but some are quite complicated. But we’ve got their mark and can stop them.”
He said how often hackers got through was unknown.
“If you have a really good hacker, you don’t know the techniques they are using. So we do all the basic and we’re there detecting the unknown. The security industry is good at saying ‘here are all the vulnerabilities and here are the techniques’, so we cover the known,” Burgess said.
“Then we also have capabilities that look at discovery, looking for the unknown hacking technique, for anomalous behaviour on our network.
"We have some really bright people whose job it is to look through that large and very complicated amount of data and check if it’s legit or strange, and we get to that very quickly if it is strange and deal with it as quickly as we can.”
Telstra currently does not have a bug bounty program in place to reward white hats who go to Telstra with discovered vulnerabilities. Burgess said the telco welcomed such actions and would “certainly not give any grief” to those that did.
Telstra is looking at whether to extend the cyber security challenge out to high school students, but Burgess said he would not recommend inviting members of the wider community to join the competition.
“We wouldn’t recommend testing in a real environment. Because as much as you can trust the university teams, if you opened it to the world, you’d likely get all sorts of people having a go, and also real environments need to stay up," he said.
"Even if you say ‘come in and steal a document’, someone else might decide to take it off the air.”