CERT Division Hosts High School Cybersecurity Competition
August 6, 2015—Recently, the SEI CERT Division partnered with the Pittsburgh Chapter of the International Information Systems Security Certification Consortium—(ISC)2—to host a cybersecurity workshop and competition for high school students in the Pittsburgh, Pa. area. Other sponsors included (ISC)2 member Mike Thompson and Accuvant. The purpose of the three-day event, conducted July 27-29 at the CERT Division's Distributed Learning Center, was to provide high school students an opportunity to interact with cybersecurity experts, learn and practice cybersecurity concepts, and discover potential career options in the field of cybersecurity.
"It is a strategic goal for both (ISC)2 Pittsburgh and the CERT Division's Cyber Workforce Development Directorate to provide outreach to the community and increase awareness and interest in cybersecurity professions among school students," said the CERT Division's Jonathan Frederick, vice president of (ISC)2 Pittsburgh. Frederick, who led this initiative, noted that CERT, members of the Pittsburgh (ISC)2 chapter, and local school districts worked together to identify and recruit the student participants.
The first day and a half of the event was devoted to educational activities, led by experts from the SEI's CERT Division and members of Pittsburgh (ISC)2, that introduced students to a range of cybersecurity topics, including firewalls, intrusion detection, encryption, access control, insider threat, social engineering, denial-of-service attacks, and incident response. The remainder of the program afforded the students the opportunity to apply their knowledge playing the SEI's cybersecurity board game,
"Three Envelopes," and competing in teams in a realistic threat exercise that required the students to prioritize defensive measures.
"'Three Envelopes' is designed to place players in the role of a corporation's CEO," explained the SEI's Rotem Guttman, developer of the game. "The game forces players to make tough decisions about where to invest their company's resources," added Guttman. "Throughout the game, random events will occur, such as attempts to steal credit card information, disloyal employees, attempted break-ins, or even economic sanctions. How these events affect each player's company is determined based on what security choices and investments they made." Guttman designed "Three Envelopes" to be a fun and intuitive way to learn the basics of risk management.
The Prioritizing Defensive Measures competition pitted teams of four students against each other working to defend a typical corporate network under attack by hackers. The realistic network space and attacks were created using the SEI's STEPfwd training platform. "The student teams used various cybersecurity tools to determine what attacks were taking place," said Frederick. "The teams worked to prioritize the attacks based on their severity and secure their network to stop the attacks. The teams scored points based on their ability to maintain key network services necessary to keep their business up and running, and teams lost points when they locked down their networks so much that essential business services were blocked—a realistic scenario that cyber professionals face on a daily basis."
Organizers of the event were pleasantly surprised at the depth of cybersecurity knowledge the students brought to the event. "We initially tailored the material so that students with very little or no experience would receive it well," said Frederick, "but we made it more challenging over the three days because we found the students could handle more advanced cybersecurity lessons and challenges." Frederick noted that the students also exceeded organizers' expectations in the Prioritizing Defensive Measures competition. "The teams ended the day with scores similar to those we typically see with graduate-level university student teams working on the same exercise. In fact, the winning team scored just shy of what the best team in a graduate-level course recently scored," he said.
Members of the winning team split a first-prize award of $300. The second-place team took home $200, while the third-place team won $100. Corporate sponsor Accuvant provided $500 in prize money. John Franolich, President of the Pittsburgh (ISC)2 chapter contributed $100 in prize money. Mike Thompson, chief technical officer and principal architect at A10 Networks contributed lunches for all participants.
Organizers were pleased with the event's success and hope to repeat it each summer. The students noted they learned a great deal over the three days. "The students came out of the event confident in their abilities and interested in cybersecurity career possibilities," said Frederick.
This high school cybersecurity competition is part of the SEI's ongoing commitment to STEM education. In addition to Frederick and Guttman, other SEI participants included Robert Beveridge and Chris Herr, both members of Pittsburgh (ISC)2, Christopher May, Lisa Young, and Nick Winski. All served as instructors during the educational portion of the event.