Overview
Discuss ways to develop information security skills. Behind the scenes of Capture the Flag games and other challenges. Tips on what makes a good security challenge. Point out places with security challenges.
Notes
Use gamification to measure skill, identify talent, train, and provide motivation. When confronting a problem, assume that it can be solved.
Types of challenges
- Offense - attack targets, pen test
- Defense - stock attackers
- Offense and Defense - exciting, but more work to implement. Need to enforce minimal attack surfaces - i.e. a scorebot.
- Analysis - packets, files, malware
- Other - bot-net control, cloud resources, etc.
- flat - all challenges accessible from anywhere
- depth - need to solve earlier challenges to get to the later ones
Free Challenges
Damn Vulnerable Web App
http://www.dvwa.co.uk
Iron Geek’s Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Metasploitable
https://community.rapid7.com/community/metasploit/blog/2010/05/19/introducing-metasploitable
Damn Vulnerable Linux: Currently being rebuilt, but you can find older versions
http://www.damnvulnerablelinux.org/
Huge archive of challenges from 2009 to 2012 here:
http://capture.thefl.ag
Multi-leveled exploit development environment
http://exploit-exercises.com
www.counterhack.net