What do highly skilled IT security professionals do for fun at an international conference? They compete to see who has the fastest hacking skills.
.jpg)
In a bid for global bragging rights, Matt Bing, the incident response coordinator at Information Technology Security Services (ITSS), won the first international Security Challenge Competition in June in Seville, Spain. Security has always been “in my blood,” says Bing, modest in spite of his victory. “It’s just fun for me to find security vulnerabilities. That whole world is fascinating.”
The competition was part of an annual conference led by Forum of Incident Response and Security Teams (FIRST), a professional organization composed of vetted security teams from governments, universities and corporations. “It’s a great chance for social networking,” Bing says. “You can sit down and talk shop with guys from Croatia and Finland, see what they’ve been up to.” The conference promotes worldwide coordination and cooperation among Computer Security Incident Response Teams (CSIRTs).
Similar to a game of capture-the-flag, the competition leads contestants through a perilous environment to uncover a breech to a computer network system. The contest, designed by S21sec, a security company based in Spain, tested participants in four areas: forensic analysis, reverse engineering, network analysis and password cracking.
“Most contests of this nature focus on hacking vulnerable systems,” Bing says. “This challenge was unusual in that it focused on the incident-response side.”
Eighty teams began the challenge; 30 made it to the second phase, four to the third and two finished. Bing beat the second-place team from the CERT Coordination Center, one of the oldest and most well-known incident response teams, by 24 hours.
“I’m really proud of kicking their [butts],” says Bing, who credits the University of Wisconsin for providing a fast machine for the password cracking portion. “The CERT Center team is sort of the rock star of the community.” The team from Cisco Systems, Inc., a major supplier of networking equipment and management for the Internet, placed third. As a prize, Bing received the Gargoyle trophy, known as the “The Goblin with ATTITUDE,” and an invitation to design next year’s competition. “I’ve got some ideas,” he says. “I’ll make it a little more difficult.”
Created in 2004, ITSS works to respond to security incidents effectively and consistently, and to mitigate negative impact. Their responsibilities include combing University systems for vulnerabilities, searching for suspicious activity and responding to IT security incidents.
Examples of IT security incidents include stolen laptops that hold sensitive information, breeches in online systems where information like human subject or financial data is stored, or unauthorized changes to online information, such as compromised Web sites.
Bing says he didn’t have a special strategy going into the competition.
“I just really wanted to win,” he says. “In this industry, you don’t usually get to participate in this kind of thing. It’s global recognition.”
