Kainos collaborates with CSIT and NICS to create a Cyber Security Challenge

Kainos are working with NICS on a number of digital transformation projects, and a key part of this transformation is opening up digital services to citizens through the web. These services need to be secure - and the people most conscious of this need for security are the engineers responsible for building and supporting these systems. But with attackers getting smarter all the time, how can engineers learn and practice up-to-date defensive techniques? Kainos wanted to help NICS answer this question, and offered to host an event at their annual IT conference with this challenge in mind. The event was styled as a Cyber Security Challenge (also known as a 'Capture the Flag' competition). Rather than the more traditional Hackathon, this kind of event pits the wits of different teams against each other each team tries to solve a cyber-security question in the hope of discovering a hidden piece of information, called the 'flag'. Kainos worked with the Centre for Secure Information Technologies (CSIT) at Queen's University to design the event. CSIT identified a range of practical digital attack strategies, spanning both well-known and obscure techniques, and from this created a related series of questions and challenges for the teams. Each was rooted in real world problems web forensics, cryptography, reverse engineering, and finding backdoors into websites specially created for the event.

Blue team working to solve cyber-security challenges.

The event was held at the NICS IT conference on 5^th 6^th October in the Slieve Donard Hotel in Newcastle. Six teams of four entered each team had three engineers from across NICS, and the fourth person on the team came from one of a variety of private sector companies, including Kainos. Each team had an opportunity to share their knowledge and experience in a relaxed environment. The team was provided with digital tools to assist in the challenges the primary toolkit available on the day was Kali Linux, which is commonly used for ethical hacking. This gave the teams an insight into how software in production environments is being dissected to find flaws and weaknesses and the collaborative and competitive nature of the event made it a much more active learning opportunity than traditional ways of teaching, such as through classroom or book-based learning. We wanted engineers to return to their workplace with practical skills and a new perspective on security, so they're better able to build secure services learning how to think in the mind-set of someone attacking software improves our ability to defend that software. Also security is a shared responsibility, and needs to be built into software and infrastructure from the start.

The teams starting to wrap up after the first day of challenges.

The event ended in a very close competition whereas one team broke into the lead early, the others caught up quickly and the top position changed hands a few times. At the end of the event, all the teams had completed most of the challenges and finished within 100 points of each other. Everyone gained new skills, had a chance to practically test out their new knowledge, and extended their contact network within NICS. It also provided a great example of how the public, private and research sectors can work together to improve the quality of digital services provided to NI citizens. All this, while having fun as well!During the two-day event, the Information Commissioner's Office visited to speak to the teams also, and emphasised the need to not only focus on encrypting data, but also to consider security from other angles - the Data Protection Principles are good place to learn about this.