This weekend, Protection Group International (PGI) and Cyber Security Challenge UK, pitted 30 cyber-security amateurs against each other in a simulated cyber-attack on an automotive company, in a bid to find the country's best cyber-talent.
In a red teaming exercise, candidates were tasked with infiltrating Internet-connected GPS tracking devices to find critical vulnerabilities that hackers could exploit, and protect the Internet of Things (IoT) device from future attack. The trackers were installed on a range of prestige vehicles offered by the fictional company, dubbed ‘Premiere Vehicles Limited'.
Candidates took advantage of some of the vulnerabilities that led to that attack (exploiting hard-coded credentials) in the IoT-based tracking devices. Candidates were tested on their ability to break into devices, and use these as entry points into the company's network.
The scenario tasked the contestants to think like attackers to successfully defend the organisation from future attacks. It is important to know how your enemy operates so that you can block their attacks; but at every stage the candidates were asked to justify their actions against ethical guidelines to ensure safe and legal practice.
Successful candidates were able to use the GPS devices as an entry point to subvert the internal systems of Premiere Vehicles Limited and gate-crash a VIP launch event in which PVL unveiled its new fleet of cars. The winners were rewarded with a test drive in Audi's new RS Q3, which was supplied for the event by Audi Tetbury.
The competition was the first face-to-face semi-final round of the UK Cabinet Office-backed Cyber Security Challenge UK's 2017 programme of competitions. Its mission is to find and deliver more cyber-security talent into the sector and work towards plugging the industry's skills gap.
The competition was designed to reflect scenarios and vulnerabilities that professionals face in real-life and mirrored 2016's most notorious DDoS attack, in which thousands of IoT devices were hijacked and used as a botnet army to bring down the servers behind popular websites such as Reddit and Twitter.
As they progressed through the competition, their skills in network analysis, digital forensics and brute force attacks were assessed by industry experts; proficiencies that are in great demand by the cyber-security industry today.
The winning team was team ‘Turing' who displayed the best overall technical ability according to PGI's assessors. The team consisted of 17-year-old James Nock, Michael Senior, Dennis Jackson, Andrew Walsh and Kieran Amrane-Rendall.
The ten that will go through to Masterclass in November are Edward Godfrey, Thomas Spoor, James Nock, Oliver O'Brien, Dennis Jackson, William Seymour, William Hutcheson, Steven Woodhall, William Ashton and George.
Stephanie Daman, CEO at Cyber Security Challenge UK said: “The pace of technological change that our society is undergoing creates an even greater demand for a wide range of cyber-security skills. PGI's Face-to-Face competition reflects this change and illustrates the latest skills that professional organisations require such as knowledge of connected devices and ethical hacking abilities. Five of today's 30 candidates are under 18, showing that there is some great talent at the younger ages. These competitions are crucial for providing an outlet for their skills and demonstrating that cyber-security is a great career for them.”
Ian Lyte, senior security consultant at Protection Group International said: “The competition reflects the breakneck pace of technological progression in our society and how it has created new and unpredictable vectors of attack, which cyber-criminals are quickly taking advantage of. We specialise in protecting organisations from online attacks and we need highly-skilled people who can face the latest threats. These competitions allow us to unearth, recruit and train the UK's most talented individuals in a way that would not otherwise be possible.”