SQLServerCentral Editorial

Building CyberSecurity Skills with an Advent Challenge


I've been working on the Advent of Cyber challenge this December. It's more of a walkthrough of some puzzles than it is solving them yourself, but it has given me a brush up on some skills and helped me learn some basics of how people in charge of (or looking to break) security look at the world. Plus it's been a little fun with a silly storyline each day.

The first challenge starts with a chatbot and trying to social engineer answers out of it. This was interesting to me, even though it was likely (hopefully) not a representative example of how AIs would work in most systems. However, it got me to think more about how I pose questions to an AI and how I can grow my prompts. The neat thing about AI is that you don't have to ask the perfect question and then re-ask the same question with more info to get an answer. The AI keeps context in a conversation, which is way more powerful than previous Q&A search systems.

The second day was Python and Jupyter Notebook basics, which were a nice refresher for me on a couple of concepts, but not that interesting. However, the third day introduced some password-cracking tools, the fourth day added other ones, and a few subsequent days showed some software that is devious in how it can be used to penetrate security. Other challenges gave me the chance to brush up on Linux and network skills I hadn't used in a long time.

The SQL Injection module (day 10) is well done, and I might recommend most developers go through that to see why their easy, convenient build-a-sql-string-to-execute code is an incredibly bad idea. It's also why they can't use stored procedures as built-up batch commands either. Use the stored procedure objects to execute with named parameters.
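To make the build-a-string problem concrete, here is an added example (not from this editorial or from the Advent of Cyber module) that runs the same lookup twice, once with the value concatenated into the SQL text and once bound as a named parameter. It uses an in-memory SQLite database so it runs offline; SQLite has no stored procedures, so it covers only the string-versus-named-parameter half of the point, and the table, columns and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data; the table and column names are hypothetical.
ROWS = [
    (1, "alice", "a@example.com"),
    (2, "bob", "b@example.com"),
    (3, "O'Brien", "ob@example.com"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn

def find_by_name_concat(conn, name):
    """The 'before': the input becomes part of the SQL text itself."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_param(conn, name):
    """The fix: the SQL text is constant and the value travels as a named parameter."""
    sql = "SELECT id, name FROM users WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()

def compare(conn, name):
    """Run both versions on the same input and return (concat_result, param_result)."""
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.Error as exc:
        # A quote in ordinary data is enough to break the built-up statement.
        concat = "error: " + type(exc).__name__
    return concat, find_by_name_param(conn, name)

if __name__ == "__main__":
    db = make_db()
    # An ordinary name, a legitimate name containing a quote, and a quote-bearing
    # input that changes the meaning of the concatenated WHERE clause.
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(value), compare(db, value))
```

The concatenated version fails on a legitimate surname and returns every row for the third input, while the parameterized version treats all three inputs as plain data.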

The idea of using a little plot and story, with a simple challenge to teach some skills is a good one. I've been lucky in my career to be exposed to a lot of different technologies and ways of working with systems. I've set up bridges, routers, and firewalls. I've had to get network links and cables to work and talk with different protocols, including configuring T1 connections. I've built machines, dealt with different types of local and remote storage, and had to program and administer systems at all levels of the OSI model. Does anyone remember that?

This was a fun break from work, doing a module or two every other day, remembering there are a lot of complexities to our systems outside the database, or outside the application software. It's also reminded me of all the different ways that security can be breached.

Take the challenge and learn some new skills. I think many of you will learn something and you might enjoy yourself along the journey.
