Our goal for this event is to model a real life penetration test as closely as possible in a competition environment.
A penetration testing event (PT) is cooperative, whether it’s a black box test (when very little information is shared) or a crystal box test (when a lot of insider information is shared).
Cyber security events, such as a CTF, vulnerability assessment, auditing, or Pen testing, share many characteristics. All of them exercise a competitor’s understanding of how things work, knowledge of why systems function the way they do, and their skill in manipulating a systems function. They test and assess a contestant’s proficiency in the field of computing and cyber security.
Two characteristics discriminate a PT from other tests:
- A PT picks up where a vulnerability assessment of an exploit ends. The goal is to see how far and to what extent the vulnerability threatens the company and what resources are exposed. A vulnerability assessment might discover that a cheap, easily pick-able lockset is used on your home, pick the lock to verify, and stop there. A PT would continue on a demonstrate that your TV, stereo, and jewelry box could be taken. Alternatively, the lockset could be less of a concern because the door only leads to the back porch and the next door to the house has a very good lock, minimizing the threat of the weak exterior door lock.
- Unlike the CTF, the goal of a PT is to protect and improve the security of the company. The PT should do no harm. The system should not be damaged. The company’s operation or reputation should not be negatively impacted. Any and all vulnerabilities found need to be clearly documented with a mitigation plan provided to the customer for their benefit. While a CTF needs only to find a single successful exploit to gain the flag, a PT strives to find ALL (or at least as many as possible) weaknesses, vulnerabilities, and leaks in a system. This makes a PT a much more demanding exercise. A PT should not stop at the first successful breach, but continue searching for any known vulnerabilities possible in the target system.