Everyone Can Play - Building CTFs for Non-Security Folks
0 likes297 views
The document discusses building capture the flag (CTF) training programs for non-security employees. It advocates that CTFs are an effective way to teach because they are engaging and apply learning principles like multimedia and direct manipulation. It provides guidance on designing relevant and solvable challenges, as well as measuring the effectiveness of the program over time. The goal is to start with a pilot CTF and develop an ongoing CTF-based training program within six months.
Everyone Can Play - Building CTFs for Non-Security Folks
- 1. Building CTFs for Non-Security Folks Everyone Can Play! Joe Kuemerle / joe@kuemerle.com / @jkuemerle https://upload.wikimedia.org/wikipedia/commons/5/5a/Muggle_Quidditch_Game_in_Vancouver_2.jpg
- 2. Agenda ● Why ○ Learning studies ○ Proven success ● What ○ Building challenges ○ Easy to participate ○ Fun ● How ○ Easy to run ○ Measured @jkuemerle
- 5. 1. Multimedia Principle: Retention is improved through words and pictures rather than through words alone. 2. Spatial Contiguity Principle: Students learn better when corresponding words and pictures are presented near each other rather than far from each other on the page or screen. 3. Temporal Contiguity Principle: Students learn better when corresponding words and pictures are presented simultaneously rather than successively. 4. Coherence Principle: Students learn better when extraneous words, pictures, and sounds are excluded rather than included. 5. Modality Principle: Students learn better from animation and narration than from animation and on-screen text. 6. Redundancy Principle: Students learn better when information is not represented in more than one modality – redundancy interferes with learning. 7a. Individual Differences Principle: Design effects are higher for low-knowledge learners than for high-knowledge learners. 7b. Individual Differences Principle: Design effects are higher for high-spatial learners rather than for low-spatial learners. 8. Direct Manipulation Principle: As the complexity of the materials increase, the impact of direct manipulation of the learning materials (animation, pacing) on transfer also increases https://www.cisco.com/c/dam/en_us/solutions/industries/docs/education/Multimodal-Learning-Through-Media.pdf Multimodal Learning Through Media: What the Research Says @jkuemerle
- 9. https://www.flickr.com/photos/37984062@N03/3495248498 1. Multimedia Principle: Retention is improved through words and pictures rather than through words alone. 2. Spatial Contiguity Principle: Students learn better when corresponding words and pictures are presented near each other rather than far from each other on the page or screen. 3. Temporal Contiguity Principle: Students learn better when corresponding words and pictures are presented simultaneously rather than successively. 4. Coherence Principle: Students learn better when extraneous words, pictures, and sounds are excluded rather than included. 5. Modality Principle: Students learn better from animation and narration than from animation and on-screen text. 6. Redundancy Principle: Students learn better when information is not represented in more than one modality – redundancy interferes with learning. 7a. Individual Differences Principle: Design effects are higher for low-knowledge learners than for high-knowledge learners. 7b. Individual Differences Principle: Design effects are higher for high-spatial learners rather than for low-spatial learners. 8. Direct Manipulation Principle: As the complexity of the materials increase, the impact of direct manipulation of the learning materials (animation, pacing) on transfer also increases @jkuemerle
- 11. @jkuemerle
- 12. @jkuemerle
- 13. @jkuemerle
- 14. 14@jkuemerle
- 15. @jkuemerle
- 16. @jkuemerle
- 17. @jkuemerle
- 18. https://engineering.salesforce.com/play-games-learn-better-fc782757c884 @jkuemerle
- 19. https://engineering.salesforce.com/play-games-learn-better-fc782757c884 @jkuemerle
- 20. https://engineering.salesforce.com/play-games-learn-better-fc782757c884 @jkuemerle
- 21. https://engineering.salesforce.com/play-games-learn-better-fc782757c884 @jkuemerle
- 25. ● Relevancy - challenges should use the same technologies and platforms that the participants work in ● Appropriateness - challenges should cover vulnerability categories that are known to exist in the participants codebases ● Interesting/Engaging - challenges should draw the participants attention and encourage them to find solutions ● Solvable - challenges should have a clear and accurate solution ● Reflective - challenges should reinforce targeted concepts @jkuemerle
- 27. Red Flags - Avoid ● Excessive Obscurity - solutions should be discoverable (with a reasonable amount of effort) ● Non-Relevant - work to solve challenges should not be far outside of the participants skill set and work requirements ● Open Ended - challenges should be have enough guidance to allow the participant to find an agreed upon “good” solution @jkuemerle
- 30. ● Relevancy - challenges should use the same technologies and platforms that the participants work in ● Appropriateness - challenges should cover vulnerability categories that are known to exist in the participants codebases ● Interesting/Engaging - challenges should draw the participants attention and encourage them to find solutions ● Solvable - challenges should have a clear and accurate solution ● Reflective - challenges should reinforce targeted concepts Red Flags - Avoid ● Excessive Obscurity - solutions should be discoverable (with a reasonable amount of effort) ● Non-Relevant - work to solve challenges should not be far outside of the participants skill set and work requirements ● Open Ended - challenges should be have enough guidance to allow the participant to find an agreed upon “good” solution
- 39. @jkuemerle
- 46. @jkuemerle
- 52. Conclusion ● Why ● What ● How @jkuemerle
- 53. ● Next week you should: ○ Identify teams that will benefit from CTF style training ○ Identify SMEs to build a pilot CTF ● In the first three months following this presentation you should: ○ Have run a CTF and iterated on the design, challenges and goals ○ Run retrospectives of both CTF builders and CTF players ○ Gathered usage data into a repository ● Within six months you should: ○ Have an active, ongoing CTF based training program ○ Run regular retrospectives and incorporate feedback ○ Report KPIs and regularly survey program effectiveness @jkuemerle
- 54. Resources ● https://github.com/salesforce/integrated_challenge ● https://github.com/apsdehal/awesome-ctf ● https://www.cisco.com/c/dam/en_us/solutions/industries/docs/education/Multi modal-Learning-Through-Media.pdf ● https://engineering.salesforce.com/capture-the-flag-secure-your-knowledge-3 7b43180e55a ● https://engineering.salesforce.com/play-games-learn-better-fc782757c884 ● https://github.com/CTFd/CTFd ● https://github.com/jkuemerle/RSA-2020-CTF @jkuemerle