research-article

Open access

Control Effectiveness: a Capture-the-Flag Study

Authors:

Alastair Janse van Rensburg,

Ioannis Agrafiotis,

Michael Goldsmith,

Sadie CreeseAuthors Info & Claims

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Article No.: 87, Pages 1 - 10

https://doi.org/10.1145/3465481.3470095

Published: 17 August 2021 Publication History

All formats PDF

Abstract

As cybersecurity breaches continue to increase in number and cost, and the demand for cyber-insurance rises, the ability to reason accurately about an organisation’s residual risk is of paramount importance. Security controls are integral to risk practice and decision-making: organisations deploy controls in order to reduce their risk exposure, and cyber-insurance companies provide coverage to these organisations based on their cybersecurity posture. Therefore, in order to reason about an organisation’s residual risk, it is critical to possess an accurate understanding of the controls organisations have in place and of the influence that these controls have on the likelihood that organisations will be harmed by a cyber-incident. Supporting evidence, however, for the effectiveness of controls is often lacking. With the aim of enriching internal threat data, in this article we explore a practical exercise in the form of a capture-the-flag (CTF) study. We experimented with a set of security controls and invited four professional penetration testers to solve the challenges. The results indicate that CTFs are a viable path for enriching threat intelligence and examining security controls, enabling us to begin to theorise about the relative effectiveness of certain risk controls on the face of threats, and to provide some recommendations for strengthening the cybersecurity posture.

References

[1]

2013. ISO/IEC 27002 Code of practice for information security controls. https://www.iso27001security.com/html/27002.html [accessed on 25/05/2021].

[2]

Ioannis Agrafiotis, Sadie Creese, Michael Goldsmith, Jason RC Nurse, and David Upton. 2016. The Relative Effectiveness of widely used Risk Controls and the Real Value of Compliance. (2016).

[3]

Ioannis Agrafiotis, Jason RC Nurse, Michael Goldsmith, Sadie Creese, and David Upton. 2018. A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity 4, 1 (2018), tyy006.

[4]

AuditScripts. 2018. AuditScripts Critical Security Controls. URL: https://www.auditscripts.com/ [accessed on 25/05/2021].

[5]

Louise Axon, Arnau Erola, Ioannis Agrafiotis, Michael Goldsmith, and Sadie Creese. 2019. Analysing cyber-insurance claims to design harm-propagation trees. In 2019 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). IEEE.

[6]

Francesco Buccafurri, Lidia Fotia, Angelo Furfaro, Alfredo Garro, Matteo Giacalone, and Andrea Tundis. 2015. An Analytical Processing Approach to Supporting Cyber Security Compliance Assessment. In Proceedings of the 8th International Conference on Security of Information and Networks. ACM, 46–53.

Digital Library

[7]

National Cyber Security Centre. 2014. Cyber Essentials. https://www.cyberessentials.ncsc.gov.uk/ [accessed on 25/05/2021].

[8]

National Cyber Security Centre. 2021. 10 Steps to Cyber Security. https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security[accessed on 25/05/2021].

[9]

Constanze Dietrich, Katharina Krombholz, Kevin Borgolte, and Tobias Fiebig. 2018. Investigating System Operators’ Perspective on Security Misconfigurations. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1272–1289.

Digital Library

[10]

Center for Internet Security. 2015. A Measurement Companion to the CIS Critical Security Controls. URL: https://www.cisecurity.org/white-papers/a-measurement-companion-to-the-cis-critical-controls/[accessed 25/05/2021].

[11]

SANS/Center for Internet Security. 2021. 20 Critical security controls. https://www.cisecurity.org/controls/ [accessed on 25/05/2021].

[12]

ISACA. 2021. COBIT 5. https://www.isaca.org/cobit/ [accessed on 25/05/2021].

[13]

Dorene L Kewley and Julie F Bouchard. 2001. DARPA information assurance program dynamic defense experiment summary. IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans 31, 4 (2001), 331–336.

Digital Library

[14]

Dorene L Kewley and John Lowry. 2001. Observations on the effects of defense in depth on adversary behavior in cyber warfare. In Proceedings of the IEEE SMC Information Assurance Workshop. Citeseer, 1–8.

[15]

Nigel King. 1998. Template analysis. Qualitative Methods and Analysis in Organisational Research: A Practical Guide (1998).

[16]

Marsh. 2019. Global Cyber Risk Perception Survey Report. https://www.marsh.com/uk/insights/research/marsh-microsoft-cyber-survey-report-2019.html[accessed on 25/05/2021].

[17]

Jelena Mirkovic, Peter Reiher, Christos Papadopoulos, Alefiya Hussain, Marla Shepard, Michael Berg, and Robert Jung. 2008. Testing a collaborative DDoS defense in a red team/blue team exercise. IEEE Trans. Comput. 57, 8 (2008), 1098–1112.

Digital Library

[18]

National Institute of Standards and Technology. 2018. Cybersecurity Framework. https://www.nist.gov/cyberframework [accessed on 25/05/2021].

[19]

Jane Ritchie, Jane Lewis, Carol McNaughton Nicholls, Rachel Ormston, 2013. Qualitative research practice: A guide for social science students and researchers. sage.

[20]

Accenture Security. 2019. The Cost of Cybercrime. https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf[accessed on 25/05/2021].

[21]

Teodor Sommestad and Jonas Hallberg. 2012. Cyber security exercises and competitions as a platform for cyber security experiments. In Nordic Conference on Secure IT Systems. Springer, 47–60.

Digital Library

[22]

Teodor Sommestad and Fredrik Sandström. 2015. An empirical test of the accuracy of an attack graph analysis tool. Information & Computer Security 23, 5 (2015), 516–531.

[23]

Jose M Such, John Vidler, Timothy Seabrook, and Awais Rashid. 2015. Cyber security controls effectiveness: a qualitative assessment of cyber essentials. Lancaster University.

[24]

Daniel Woods, Ioannis Agrafiotis, Jason RC Nurse, and Sadie Creese. 2017. Mapping the coverage of security controls in cyber insurance proposal forms. Journal of Internet Services and Applications 8, 1(2017), 8.

[25]

Daniel Woods and Andrew Simpson. 2017. Policy measures and cyber insurance: a framework. Journal of Cyber Policy 2, 2 (2017), 209–226.

Cited By

Chindrus CCaruntu C(2022)Development and Testing of a Core System for Red and Blue Scenario in Cyber Security Incidents2022 15th International Conference on Security of Information and Networks (SIN)10.1109/SIN56466.2022.9970546(1-7)Online publication date: 11-Nov-2022
https://doi.org/10.1109/SIN56466.2022.9970546

Index Terms

Control Effectiveness: a Capture-the-Flag Study
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Index terms have been assigned to the content through auto-classification.

Recommendations

Practitioners’ Views on Cybersecurity Control Adoption and Effectiveness
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Cybersecurity practitioners working in organisations implement risk controls aiming to improve the security of their systems. Determining prioritisation of the deployment of controls and understanding their likely impact on overall cybersecurity posture ...
Capture the Flag Unplugged: an Offline Cyber Competition
SIGCSE '17: Proceedings of the 2017 ACM SIGCSE Technical Symposium on Computer Science Education

In order to meet the cybersecurity workforce demand, it is important to raise cybersecurity interest among the youth. Just like ACM programming competitions, Capture the Flag (CTF) competitions allow students to learn cybersecurity skills in a fun and ...
Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education
SIGITE '17: Proceedings of the 18th Annual Conference on Information Technology Education

Incorporating gamified simulations of cybersecurity breach scenarios in the form of Capture-The-Flag (CTF) sessions increases student engagement and leads to more well-developed skills. Furthermore, it enhances the confidence of students in their own ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

August 2021

1447 pages

ISBN:9781450390514

DOI:10.1145/3465481

Copyright © 2021 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 August 2021

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ARES 2021

ARES 2021: The 16th International Conference on Availability, Reliability and Security

August 17 - 20, 2021

Vienna, Austria

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
743
Total Downloads

Downloads (Last 12 months)295
Downloads (Last 6 weeks)41

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chindrus CCaruntu C(2022)Development and Testing of a Core System for Red and Blue Scenario in Cyber Security Incidents2022 15th International Conference on Security of Information and Networks (SIN)10.1109/SIN56466.2022.9970546(1-7)Online publication date: 11-Nov-2022
https://doi.org/10.1109/SIN56466.2022.9970546

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents