It was a case of gamekeepers turned poachers, as students from the University of Worcester learning about cyber security turned their hand to ‘hacking’ for a special event.
Designed to give them extra skills and a new perspective, the Worcester Hackathon saw Cyber Security and Computing students working in teams to ‘hack’ into a fake web application in a simulation exercise. The idea was that instead of defending a network or application, or designing an application to withstand cyber attacks, as they would if employed as cyber security experts, they got to see the other side of the coin.
Richard Wilkinson, Head of the University’s Department of Computing, said: “These students are learning on their course about defending against attackers and about how to create things that are secure by design. The way to learn how to make things secure by design in the first place is to learn what hackers will use or exploit as vulnerabilities that make things insecure and learn how to create things without those vulnerabilities. That’s the best way to defend against a cyber security event.”
The day was run in conjunction with the British Computer Society (BCS) and Malvern-based cyber security company IASME. IASME assisted throughout the day, even providing a web application, which the students tried to hack into and do a range of tasks on during the six-hour challenge. For each successful attack they earned ‘flags’ as they are called in the industry. The team with the most flags won the tournament. Experts from Tewkesbury-based cyber security firm Cyberis also gave students the benefit of their expertise on the day, helping them learn a whole new set of skills.
“We have got lots of experts with us from local businesses that are supporting the students,” said Mr Wilkinson. “They’re showing them what to do and helping them identify things so they can flag vulnerabilities they’re finding in the software they’re using and learning in future how to create the things that they need in the first place.”
The winning team took home a £100 prize and second and third won £50, funded by BCS. Organisers hope in future years to invite other universities and local colleges to send teams to compete.
Jess Burden, cyber security engineer at IASME, who organised the Hackathon technical environment, said: “I think to get a taste of the industry the best way to do it is attacking because you cover a lot of ground very quickly, so the students are experiencing lots of different ways to attack web applications without having to build one first.”
She also highlighted the usefulness of the University’s Cyber Security course and newly opened Cyber Lab, which provides a closed network allowing students to test out their skills in a safe environment. “We wouldn’t be able to have a Hackathon without the Cyber Lab,” she said. “Clearly the way these attacks work would be dangerous in a non-segregated network. It allows us to have no boundaries to what they can explore, what attacks they can do. They would never get that opportunity to try it and explore it without these resources. We’re near a hot spot for cyber security, which is the Malvern area. There’s a great skills gap in cyber security especially. Events like this gives them [students] information about what roles they want to try in cyber security.”
Kai Smith, a first year Cyber Security student, said: “It’s been good. It’s just interesting the stuff we’re learning to do. It definitely helps to see it from the other side - to know vulnerabilities you have got to find them. You are learning about tools that can be used in attacks if you work for a business.”
For Grace Ashmore, also in the first year of the Cyber Security degree, the experience sparked an interest in a role in network forensics going forward. “I think it’s educational but it’s also fun,” she added. “It’s been a really good medium to discover the tools that are actually used in the industry, but in an engaging way.”