Learn How to Hack: Thoughts on Running a Collegiate Cybersecurity Club
This is the first, and hopefully not last, blog post for CU Cyber. For those not familiar with us, CU Cyber is Clemson University’s student-led cybersecurity club. Because we compete in cybersecurity competitions like CTFs and cyberdefense competitions, we gain experiences that I believe are worth sharing. None of our tactics or techniques may be new, but others will likely find the way we approach these competitions interesting. This blog post is about club operations instead of competitions, but the brave souls involved in collegiate cybersecurity club operations will likely find it helpful.
The greatest resource security clubs have is pop culture’s view of hacking. At TigerProwl, an event in the football stadium where freshmen learn about the clubs on campus, the easiest way to get new members is to yell “learn how to hack” loudly. The club sells itself. We lure potential members in with the tagline, but they stay because they enjoy the club.
How did we make a club that people enjoy? In this blog post, I will outline the features of our club, which I think other schools could find useful.
Set a Goal
Like all organizations, collegiate cybersecurity clubs should be built around achieving a goal. The most straightforward goal to set, especially when starting a club, is to win a cybersecurity competition. There are tons of cybersecurity competitions designed for colleges, which I will be enumerating later in this post. As a club, pick one to enter, focus on the specific skills needed, and work to get good at it. The competitions are all different, so explore their differences.
Participating in as many competitions as possible is a great way to learn. CTFs are perfect for new clubs because they’re typically online and free to access. Cyberdefense competitions tend to be in-person, so purchasing travel, hotels, and food can be a barrier for some clubs. Funding is a hard problem, but what’s nice about being part of a college is that they (sometimes) have funds for student organizations. If funding is not available for student organizations, check with your department, alumni associations, or businesses.
Practicing for competitions has become such an essential part of CU Cyber that we designate practice time outside of regular club meeting times. In fact, we only allow those who are on the team to come to competition meetings so that competitors can spend time in deep focus while they practice.
Weekly meetings are a must. They provide consistency to the organization, which makes members feel like they’re part of a club.
As to the content, CU Cyber is still figuring out the best way to structure weekly meetings. Previously, they were led by the president about whatever topic the president found interesting that week. It was really great, but the quality was utterly dependent on how much time the president spent on preparing the presentation. Next, weekly meetings followed a syllabus, as an actual class would. During the semester, we would cover a topic like web exploitation. The first lesson would be on installing Kali, the second would be about basic SQL injection, the third would be about “advanced” SQL injection, and so forth. We didn’t find this method to be very useful since people who missed a week (especially one of the first weeks) would fall behind.
Starting this semester, we are splitting the weekly meeting time between infosec professionals and student research. For our 1-hour meeting, we allot 40 minutes to the professional speaker and 20 minutes to the student speaker. Because of our successes in SECCDC and PCDC, two cyberdefense competitions, security professionals have asked us if they could speak at our weekly meetings. We are incredibly thankful to the professionals in this industry who are willing to spend time teaching students about their research. While we appreciate the professionals who want to talk with us, we believe it’s important to give students a platform to discuss their own research and sharpen their presentation skills.
Also, once a semester, we host an internal CTF at a weekly meeting. A CTF is excellent for two reasons. First, it gives students a peek at what our competition teams do. There are always a few people who gain an interest in CTF’ing at the meeting. Second, it gives the CTF team leader a chance to see who knows their stuff.
Work with the School
Bureaucracy sucks. The university is large and cares deeply about its brand, so being an official student organization can be a pain at times. Like most hackers, we hate bureaucracy, but as a club, we have to deal with it. In past years, we didn’t read the student organization policies to figure out our rights and responsibilities. When we actually read them, we learned that the university gave us rights and resources we didn’t even realize we had. In short, work with the grain and not against it.
CU Cyber recently started holding club-sponsored social events. With the implementation of social events, we have seen better retention in weekly meetings than in previous years.
The events don’t need to be expensive. For example, we have hosted an ultimate frisbee game, bowling, and a movie night (at someone’s apartment) with about 20 people per event for less than $100 in total. The money to host events was donated by the alumni and club officers.
The technical aspect of the club can be intimidating to new people, so having space to meet other members outside the classroom or training room is a great way to keep new members interested.
List of Competitions
As promised, here is a list of collegiate cybersecurity competitions. If you have other competitions which are not on the list, please let me know so I can add them.
There are three tabs: Defense, Offense, and CTF. CTFs are denoted as offensive competitions with no report writing.
Our methods are not the be-all and end-all for how collegiate cybersecurity clubs should operate, but it is a snapshot of where we are currently. I hope this blog post sparks some ideas for new or struggling clubs.
If you have any questions or comments, please reach out on Twitter or use your OSINT skills to find my email.