Capture the flag (cybersecurity)

From Wikipedia, the free encyclopedia
A team competing in the CTF competition at DEF CON 17

Capture the Flag (CTF) in computer security is an exercise in which "flags" are secretly hidden in purposefully-vulnerable programs or websites. Competitors steal flags either from other competitors (attack/defense-style CTFs) or from the organizers (jeopardy-style challenges).[1][2] Several variations exist, including hiding flags in hardware devices. Competitions exist both online and in-person, and can be advanced or entry-level.[3] The game is based on the traditional outdoor sport of the same name.

Summary[]

Security CTFs are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world (i.e., bug bounty programs in professional settings). Prominent attack/defense CTFs include DEF CON's, often considered the "finals" of the competition circuit and held since 1996[4] at the largest hacker conference, and the NYU-CSAW (Cyber Security Awareness Week), the largest student cyber-security contest.[5][6][7][8]

Classic CTF activities include reverse-engineering, packet sniffing, protocol analysis, system administration, programming, cryptoanalysis, and writing exploits, among others.[9] In an attack/defense style competition, each team is given a machine (or a small network) to defend—typically on an isolated competition network. Teams are scored on both their success in defending their assigned machine(s) and on their success in attacking the other team's machines.[10] A variation from classic flag-stealing is to "plant" own flags on opponent's machines.

Hardware challenges usually involve getting an unknown piece of hardware and having to figure out how to bypass part of the security measures, e.g. using debugging ports or using a side-channel attack.[citation needed] Jeopardy-style competitions are closer to programming competitions: teams do not directly attack each other, but rather solve challenges posed by the organizers. Time is generally not a factor in scoring these competitions, but "first blood" bonus points are often given to the first solver.[citation needed] In King of the Hill–style challenges, players gain points by relative ranking. Classically, only the top team gains points. When another team bests the current champion (e.g., by gaining access to the shared "target" machine that the champion was defending), they become the new champions and shift to defending their own position against others.[citation needed]

See also[]

References[]

  1. ^ Dubey, Siddhant (2019-12-01). "An Introduction to Cybersecurity, Capture the Flag Contests, and Basic Security Concepts". Medium. Retrieved 2020-05-21.
  2. ^ Švábenský, Valdemar; Čeleda, Pavel; Vykopal, Jan; Brišáková, Silvia (March 2021). "Cybersecurity knowledge and skills taught in capture the flag challenges". Computers & Security. 102 (102154): 102154. arXiv:2101.01421. doi:10.1016/j.cose.2020.102154. S2CID 230523819.
  3. ^ "What is a Cybersecurity Capture the Flag? – StartaCyberCareer.com". Retrieved 9 November 2021.
  4. ^ "DEF CON® Hacking Conference - CTF History". www.defcon.org. Retrieved 2020-06-23.
  5. ^ "CSAW CTF Qual 2014 – csaw2013reversing2.exe Writeup". infamoussyn.com. 22 September 2014. Archived from the original on 6 July 2017. Retrieved 1 April 2018.
  6. ^ http://www.usf.edu/engineering/documents/01132015-csaw-finals.pdf[bare URL PDF]
  7. ^ "Cyber Security Awareness Week :: About". csaw.engineering.nyu.edu. Archived from the original on 26 January 2018. Retrieved 1 April 2018.
  8. ^ Polytechnic Institute of New York University. "NYU-Poly Cyber Security Awareness Week Announces Winners of World's Biggest Student Contests" (Press release). PR Newswire. Retrieved 1 April 2018.
  9. ^ "CTF Hacking: What is Capture the Flag for a Newbie?". cybersecurity.att.com. Retrieved 9 November 2021.
  10. ^ "Introduction To 'Capture The Flags' in CyberSecurity - MeuSec". 10 June 2020. Retrieved 9 November 2021.
Retrieved from ""