Information security is a serious and complex topic. Perhaps that is exactly why it is more effective to teach it with simple techniques and in a playful way?
Hi, my name is Alexey Babenko, and in the Mir Plat.Form team I am responsible for security testing of the software products we develop. Our systems are payment services used by tens of millions of customers, so, alongside stability and reliability, security is one of their key characteristics.
I will share our experience of running information security games inside the company, but first a few words about how we arrived at this idea in the first place.
Ensuring the security of systems is a process that spans many stages: from the moment the software is written, through the security of the components on which it will run, to the reliability of the processes and of the employees involved in its operation.
My area of responsibility is application-level security. When it comes to product security, the first thing that comes to mind is testing: reliably catch the bugs before the rollout to production, and there will be no problems. Unfortunately, reality makes its own adjustments. The later a flaw in the software is found, the harder it is to fix, and that slows down the release to production.
So our task is not only to find shortcomings during testing, but to make them appear less often in the products we create. That is why one of the vectors of product security work is training and raising the culture of secure development in the product teams.
The classic approach to teaching, a lecture plus a practical task, is good but not always optimal. We use various options: thematic seminars, best-practice materials for self-study, newsletters. Last year we decided to add gamification to our training and ran a task-based CTF.
Speaking of CTFs in general, there are two main formats:
classic CTF, where each team receives an image with pre-installed vulnerable services that it must protect while attacking the same services of its rivals;
task-based CTF, a set of independent tasks on various security-related topics.
A classic CTF is more dynamic and time-limited, but unfortunately it imposes a minimum entry threshold: an outsider will not understand what needs to be done, and interest in the game quickly fades. For our first game we chose the more measured and easier-to-learn format of a task-based game.
An additional advantage of this format was the opportunity to stretch the game over two weeks, which meant that everyone could find time to participate without it hurting their main work.
Before planning any activity, we ask ourselves what we want to get out of it in the end. For the CTF we set the following goals:
increase interest in the topic of security among developers,
show the real risk that a vulnerability which does not look critical at first may carry,
gather a community of enthusiastic developers who want to grow in the security field and bring this culture to their teams.
We were aware that any non-project activity is time taken away from work, and more often from free time. Since this was our first experience of launching a security game, it was important that its difficult subject matter did not scare people off, and that the game was both engaging and useful.
From the very beginning we came up with a story: we were not just launching another quest, we were launching a mini-universe. The theme, fascinating and versatile, came at once: “Star Wars”! All the tasks fit easily into a common storyline, even the prizes matched the theme and were to the taste of all the winners. And so Star Wars became StarMir.
A beautiful picture and a “legend” are a great way to attract participants, but the main thing is still the content. All tasks were divided into fairly classic CTF categories:
Starting from simple hardcoded passwords in HTML and JS scripts, and ending with furious tasks on exploiting SSRF and race conditions.
Crypto & stegano
Cases of crookedly implemented encryption algorithms and weak input parameters. Here we also added a couple of steganography tasks to acquaint participants with that direction.
Examples of various popular data transfer protocols that do not provide adequate protection.
Tasks on studying the data provided: document secrets stored in metadata, intricate encodings, password-protected archives.
A “starred” category of tasks on reverse engineering compiled applications.
A set of tasks with no single direction, which do not look complicated at first glance: simple tasks involving data search, ingenuity, and sometimes luck.
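The race condition tasks mentioned in the web category rest on a pattern that is easy to reproduce: a balance check and a deduction are two separate steps, and two concurrent requests can both pass the check before either deducts. The following Python example is added here and is not code from the original article or from StarMir; the account classes, the amounts, and the barrier used to force the unlucky interleaving are all constructed assumptions.

```python
import threading


class VulnerableAccount:
    """Check-then-deduct with nothing tying the two steps together.

    The per-step lock mirrors a database where a single UPDATE is atomic
    but the preceding SELECT is not part of the same transaction.
    """

    def __init__(self, balance, barrier=None):
        self.balance = balance
        self._update_lock = threading.Lock()
        # Constructed test hook: makes every request wait after the check so
        # the bad interleaving happens every time instead of by chance.
        self._barrier = barrier

    def withdraw(self, amount):
        if self.balance < amount:          # step 1: read and check (SELECT)
            return False
        if self._barrier is not None:
            self._barrier.wait()           # all requests have now passed the check
        with self._update_lock:            # step 2: deduct (UPDATE), atomic on its own
            self.balance -= amount         # but based on a check that is already stale
        return True


class SafeAccount:
    """Check and deduct inside one critical section.

    In a real service this is a transaction with SELECT ... FOR UPDATE, or a
    conditional UPDATE ... WHERE balance >= :amount whose row count is checked.
    """

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def run_concurrent_withdrawals(account, amount, n=2):
    """Fire n withdrawals at once; return (final balance, per-request results)."""
    results = [None] * n

    def worker(i):
        results[i] = account.withdraw(amount)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, results


def demo_vulnerable():
    # Two requests of 80 against a balance of 100: both pass the check,
    # both deduct, and the account goes to -60.
    account = VulnerableAccount(100, barrier=threading.Barrier(2))
    return run_concurrent_withdrawals(account, 80)


def demo_safe():
    # Same two requests: exactly one succeeds and the balance ends at 20.
    account = SafeAccount(100)
    return run_concurrent_withdrawals(account, 80)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
```

The barrier only makes the timing reproducible; without it the same overdraft happens whenever two requests land close enough together, which is exactly what a “harmless-looking” check-then-act flaw means in a payment service. The fix is not a faster check but making the check and the deduction one atomic unit, whether by a lock, a transaction with row locking, or a conditional update.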
When choosing the tasks, it was important for us to keep a balance: the tasks should reflect our “pain points”, but the game should not turn into yet another course in which we dissect the classic shortcomings.
The difficulty was chosen so that the first tasks in each category could be solved either almost immediately or after a short search on the Internet, so that any participant could solve at least something regardless of their initial knowledge. This kept the threshold for entering the game quite low and attracted specialists with any level of prior knowledge of security.
For those who feel confident in security, more complex tasks were prepared, and several tasks were deliberately made hard to solve, so that the whole game could not be completed in one sitting and the participants' interest was maintained for the entire duration.
While developing the game, we understood that our target audience was all IT specialists of Mir Plat.Form, which meant that attempts to step outside the boundaries set by the game were unavoidable, and it would be useful to think about detecting alternative “solution” methods.
Just in case, we made one of the tasks with a deliberately incorrect answer and loaded into the jury (checker) system an answer that could not be obtained by solving the task. And indeed, a few days after the start, the excitement grew and attempts to get in went exactly the ways we had anticipated (the difficulty being that some potential participants have administrative access to the servers where the solution was deployed).
As a result, one of the participants submitted that ill-fated answer. For some time we monitored his activity, and when we were finally convinced of the cheating, we presented the evidence and, with a clear conscience, moved him down the standings.
Support for the participants turned out to be an important factor during StarMir. For this, a group was set up in the messenger with organizers on duty almost around the clock. It helped to lower the entry threshold, to solve problems as they arose, and sometimes to realize that the wording of a task was not entirely obvious and to correct it.
One of the group's functions was to keep up general interest in the game throughout its duration: publishing interim results, a selection of funny wrong answers, bonus tasks for group members.
Results of the game
A pleasant fact for us as organizers was that throughout the game there was no clear leader: the guys competed actively with each other and got so carried away that at some point the unsolved tasks began to run out, and we decided to add a few more “Furious” tasks for the leaders of the race.
Until the last days of the game the intrigue remained: who would take first place?
In the end the winner solved every task provided, but did so literally on the last day: the tasks lasted exactly as long as the game.
The final part was the awarding of the winner and the top 20 of the final rating. The guys got cool Lego Star Wars sets, and the organizers once again regretted that they could not take part in the game themselves.
At the end of the activity we collected feedback from the players. Everyone liked it: the participants noted that they had learned a lot of new things, and wrote in private messages that they had not even known how easy it is to exploit flaws that look harmless at first glance.
We also collected and analyzed all the shortcomings that came up and listened to the participants' wishes. For this year a similar game is planned, taking past experience into account and, most importantly, split into two categories: for IT professionals and for business users. The goal is for employees who are far from IT to learn the basics of information hygiene and security in a playful way. I think we will devote a separate article to that event.