This weekend, Protection Group International (PGI) and Cyber Security Challenge UK, pitted 30 of the UK’s best cyber security amateurs against each other in an ultra-realistic simulated cyber-attack on an automotive company, all in a bid to find the country’s best cyber talent. In a role known as ‘red teaming’, candidates were tasked to infiltrate Internet-connected GPS tracking devices to find critical vulnerabilities that hackers could exploit, and protect the Internet of Things (IoT) based system from future attack. The trackers were to be installed on a range of prestige vehicles offered by the fictional company, dubbed ‘Premiere Vehicles Limited’.
The competition was the first face-to-face semi-final round of the UK Cabinet Office-backed Cyber Security Challenge UK’s 2017 programme of competitions. Its mission is to find and deliver more cyber security talent into the sector and work towards plugging the industry’s skills gap. With a recent report by (ISC)2 predicting the shortfall of skilled cyber workers to reach 1.8 million globally by 2022, it’s critical to act now.
The competition was designed to reflect scenarios and vulnerabilities that professionals face in real-life and mirrored 2016’s most notorious DDoS cyber-attack, in which thousands of IoT devices were hijacked and used as a botnet army to bring down the servers behind popular websites such as Reddit and Twitter. Candidates took advantage of some of the vulnerabilities that led to that attack (exploiting hard-coded credentials) in the IoT-based tracking devices.
Candidates were tested on their ability to ethically break into devices, and use these as entry points into the company’s network. As they progressed through the competition, their skills in network analysis, digital forensics and brute force attacks were assessed by industry experts; proficiencies that are in great demand by the cyber security industry today. The scenario tasked the contestants to think like attackers in order to successfully defend the organisation from future attacks. It is important to know how your enemy operates so that you can block their attacks; but at every stage the candidates were asked to justify their actions against ethical guidelines to ensure safe and legal practice.
Defending an organisation involves digital skills, but also requires innovative thinking, coordination and teamwork so candidates were also tasked with lock-picking challenges, combining clandestine techniques in both physical and digital environments, to break into an organisation’s networks. Successful candidates were able to use the GPS devices as entry point to subvert the internal systems of Premiere Vehicles Limited and gate-crash a VIP launch event in which PVL unveiled its new fleet of cars. The winners were rewarded with a test drive in Audi’s new RS Q3, which was supplied for the event by Audi Tetbury.
The winning team was team ‘Turing’ who displayed the best overall technical ability according to PGI’s assessors. The team consisted of 17-year-old James Nock, Michael Senior, Dennis Jackson, Andrew Walsh and Kieran Amrane-Rendall.
The ten that will go through to Masterclass in November are Edward Godfrey, Thomas Spoor, James Nock, Oliver O’Brien, Dennis Jackson, William Seymour, William Hutcheson, Steven Woodhall, William Ashton and George.
The competition was closely monitored by PGI’s security team and a host of industry specialists, who judged the candidates on how well they performed tasks in-line with industry best practice. This allowed candidates to show off their abilities in front of prospective employers and qualify for the Challenge’s grand finale Masterclass competition which will see the best candidates compete to be the UK’s 2017 cyber security grand champion.
Since the Cyber Security Challenge UK launched its competitions in 2010, over half the candidates from the Face-to-Face and Masterclass competitions have been hired directly into cyber security roles, demonstrating the effectiveness of these competitions. By comprehensively testing candidates’ abilities across a number of disciplines that are highly sought after by employers today, the Challenge’s sponsors have access to talent that would otherwise remain hidden.
Stephanie Daman, CEO at Cyber Security Challenge UK said: “The pace of technological change that our society is undergoing creates an even greater demand for a wide range of cyber security skills. PGI’s Face-to-Face competition reflects this change and illustrates the latest skills that professional organisations require such as knowledge of connected devices and ethical hacking abilities. These competitions can only take place with the support of our sponsor community, all of which are looking to hire the most outstanding talent. Five of today’s 30 candidates are under 18, showing that there is some great talent at the younger ages. These competitions are crucial for providing an outlet for their skills and demonstrating that cyber security is a great career for them.”
Ian Lyte, Senior Security Consultant at Protection Group International said: “The competition reflects the breakneck pace of technological progression in our society and how it has created new and unpredictable vectors of attack, which cyber criminals are quickly taking advantage of. We specialise in protecting organisations from online attacks and as such, we need highly-skilled people who can face the latest threats. These competitions allow us to unearth, recruit and train the UK’s most talented individuals in a way that would not otherwise be possible.”