User:Dwongbound

Capture the Flag (CTF) in computer security is an exercise in which "flags" are secretly hidden in purposefully-vulnerable programs or websites. It can either be for competitive or educational purposes. Competitors steal flags either from other competitors (attack/defense-style CTFs) or from the organizers (jeopardy-style challenges). Several variations exist, including hiding flags in hardware devices. Competitions exist both online and in-person, and can be advanced or entry-level. The game is based on the traditional outdoor sport of the same name.

History
Capture the Flag (CTF) is a cybersecurity competition that has been used as a test of security skills since its development in 1993 at DEFCON. DEFCON is the largest cybersecurity conference in the United States located in Las Vegas, Nevada. The conference hosts a weekend of cybersecurity competitions including CTF. There are two ways CTF can be played: Jeopardy and Attack-Defense. Both formats test participant’s knowledge in cybersecurity, but differ in objective. In the Jeopardy format, participating teams must complete as many challenges of varying point values from a given category. Some examples of categories are programming, networking, and reverse engineering. In the attack-defense format, competing teams must defend their vulnerable computer systems while attacking the opponents. This is done through attempting to replace the opponents “flag” or data file with their own. Since CTF’s creation at DEFCON, it has spread to many other CTF competitions including CSAW CTF and Plaid CTF.

Applications
CTF is mainly used for cybersecurity education, as studies show students tend to respond better to interactive methods demonstrated through CTF exercises as opposed to a traditional classroom setting. A study conducted by researchers at Adelphi University found using CTF exercises was a highly effective way to instill cybersecurity concepts in an enjoyable manner. They can also be incorporated in a classroom setting, and have been included in undergraduate computer science classes such as Introduction to Security at the University of Southern California.

CTF is also popular in military academies. They are often included as part of the curriculum for cybersecurity courses. For example, a report released by the Cyber Defense Review, a journal from the Army Cyber Institute (ACI) at West Point, highlights CTF exercises pursued by students in the Air Force Academy and the Naval Academy who are members of  cybersecurity clubs. Furthermore, many cybersecurity concepts are taught through CTF exercises in the Advanced Course in Engineering on Cyber Security, an immersive summer program offered to ROTC cadets, active duty members, and undergraduates.

Drawbacks
One drawback of CTF exercises is the presumption of a foundational level of computer operational knowledge. Basic computer operations such as opening multiple tabs are important and cannot be taught through the exercises since the focus of these exercises is to teach cybersecurity concepts. Similarly, those running CTF exercises have encountered difficulty supervising and managing competitions and training exercises, as people need to be trained to understand the workflow of the challenges. CTF competitions have tried giving facilitators early access to the exercise environments to help them understand it in advance, but most facilitators still felt underprepared to supervise CTF events. Another drawback is the generational gap between the exercise developers and the players which lead to impractical and sometimes outdated challenges. Students may have a hard time understanding the importance of a security concept without grasping the severity of consequences from vulnerabilities.

Another hindering factor to CTF effectiveness is cost, which includes hardware and software costs, as well as administrative salaries. Some competitions require user terminals for players, so machines need to be bought for each player. In open source competitions such as PicoCTF where students play on their personal computers, such costs are saved but there are still server costs. CTF events also require hiring experts in cybersecurity, which can be more expensive than non-specialist educators and less experienced engineers.

Company-sponsored Competitions
As a popular form of education in cybersecurity, CTF has been “gamified” by many leading tech companies and organizations as a recruitment device. These competitions are more for fun as a hobby for some but it also provides education for those who want to participate.

CTF aims to include those who wish to learn about cybersecurity but there have been studies that show how CTF serves as a form of recruitment and evaluation for high performers.

Recent Competitions
Computer Science Annual Workshop (CSAW) CTF is one of the largest open-entry competitions for students learning cybersecurity from around the world. In 2021, it hosted over 1200 teams during the qualification round. Another popular competition is DEFCON CTF, one of the first CTF competitions to exist, which aims its competition for those who are already veterans with cybersecurity, introducing more advanced problems.