Pratum Blog

2018 Secure Iowa Capture the Flag Competition

Earlier this month Pratum sponsored the ISSA Secure Iowa Conference, and we are proud to announce that Team Pratum (AKA Pratumeers) placed 2nd in the Capture the Flag (CTF) competition hosted by SecDSM!

What is a CTF?

Capture the Flag is an information security competition designed to increase the knowledge and speed of penetration testing workflows. Each “flag” (challenge) is obtained by exploiting vulnerabilities, reconstructing encrypted messages, or by solving cryptographic puzzles. Team members submit flags on a Jeopardy-style board that tracks each team’s overall point count. The goal is simple: solve as many challenges as possible in one day.

Our Experience at Secure Iowa 2018

Following the conference keynote, the teams filed into the CTF conference room and eagerly began solving challenges. The first flag was solved within minutes after the keynote, and Team Pratum promptly responded with 2 flags submitted. Everyone started to get into a rhythm, and the solved challenges began flooding into the scoreboard with Team Pratum in the lead.

Not surprisingly, we were first to pick one of the challenge locks, and shortly after picked another MasterLock. Only two locks were left unpicked, as we began strategizing our time for higher-value flags.

Pratum participating in 2018 Secure Iowa CTF
Team Pratum (Pratumeers) competing in 2018 Secure Iowa - Capture the Flag (CTF)

A total of 6 flags were in the Packet Capture (PCAP) category, which we scored 300 points from. We learned a few new Wireshark tricks, specifically carving image files out of HTTP frames. Our brilliant challenge writers hid some cat memes, which brought some much-needed laughter.

After lunch, Pratumeers were able to divide into respective roles and almost complete the entire Misc category. Some Docker images were broken, rebuilt, and then broken again to compromise accounts containing the flags. Pratum’s CTO Steve Healey dove into some PCAP files while our Security Consultant Jason Moulder started to brute force the vulnerable web applications.

2nd Place finish at CTF 2018 Secure Iowa
From Left: Chad Porter, Steve Healey, and Tanner Klinge

As the conference came to a close, the race was tight and Team Pratum decided to try out some SDR (Software Defined Radio) tools. Pratum’s Security Analyst Tanner Klinge tuned into an unlicensed pager channel to intercept an encrypted Morse Code message, while the rest of the team chased after a mini-bug bounty challenge.

The Pratumeers placed 2nd overall and were awarded some prizes sponsored by SecDSM. We certainly learned a lot, enjoyed the opportunity to compete and look forward to new challenges next year.

Capture the Flag Key Takeaways

  1. Constant CTF team communication is vital, leveraging something like Microsoft Teams.
  2. Test and become comfortable with all tools prior to competing.
  3. Time management based on point value of the target.
  4. Debrief with your team afterwards and have them show other people how a particular challenge was solved so everyone can learn new tactics.
  5. Contact Pratum
Why companies should consider implementing Identity and Access Management in their information security strategy.

Why companies should consider implementing IAM as a part of their defense-in-depth strategy

We’ve all seen this scenario. Bob hires on as an ERM System Administrator, performs well and is promoted to Senior IT Administrator. He excels and is promoted to managing 15 IT employees. Eventually he discovers his love for project management and transfers to become a Project Manager. Yes, Bobs are talented individuals!

Often employees move from job to job, department to department, all the while accumulating access to systems, applications, and data they need to perform their job. But how often do managers remember to remove access from their previous position? Answer ... not as often as they should. Their employees aren't going to complain as they enjoy having their previous access. Little do managers know how much additional risk they adding to the business.

Climbing the corporate ladder while accumulating access to systems, applications, and data.
As employees climb the proverbial corporate ladder, they gain access to different systems, applications, and data. Proper Identity and Access Management should remove access to systems, applications, and data no longer part of the employee's responsibilities.

Identity Access Management solutions help enable proper provisioning to reduce the risk associated with an account becoming compromised. Eddy-the-hacker should not be able to access the ERM Application or IT Support Share using Bob’s credentials, if his access had been properly removed during his move up the career ladder. All too often during breach investigations we discover how much access individuals truly have as security consultants comb through the labyrinth of accumulated access. This can easily manifest itself into breach notifications as the number of compromised records and data elements continues to grow. In our example above, Bob would have had administrator level rights to key applications, personally identifiable information for all his employees, and in-depth knowledge of projects within the company.

It surely doesn’t take much imagination to realize the treasure trove of data Eddy-the-hacker just stumbled upon (Darn those Eddys).

Flash forward a couple of years. Bob leaves the company, and his manager hires a worthy replacement, Alice. During the onboarding process his managers submits an IT request for the new employee's access, modeled after Bob's account. Wait, did you catch that? If this were a magic show, you just missed the trick. Now Alice has all the access Bob had, including ERM admin rights, access to personnel files, project file information, etc. Imagine if part of Bob's career path had been in payroll!!!

IAM - Too much access.

A proper IAM solution associates one main role to each individual, based on duties associated with their job function. This requires time, analysis of what their employees do, and implementation of Roles associated with those job duties. Managers need to periodically review access their users have, and last but not least, Information Technology (IT) has to collect and correlate data from all the critical applications across the company and present it in way that makes sense to even the most newbie of managers.

Is IAM worth it? The resounding answer is YES. In the long term, your company will:

  • Have a clear understand of the security associated with each job function.
  • Increase the efficiency AND reduce costs for your security department through faster provisioning with increased accuracy.
  • Be better prepared for audits as your roles will already be defined and documented.
  • Improve user experience with fewer approvals and one-off provisioning.
  • Reduce inaccuracies within application security. A fun side effect is during the IAM process, you'll have the opportunity to tune and clean the accounts and roles within each application.
Contact Pratum
Pratum Celebrates 10 Year Anniversary as Iowa's Cybersecurity Leader

We are celebrating Pratum’s 10-year anniversary

In 2008, in the middle of a national financial crisis, I set out to establish an information security consulting company. I wasn’t sure how quickly we would grow or how large we would become, but I knew we could serve our clients well and help them solve information security challenges based on risk, not fear.

As I reflect on the past 10 years, one thing is certain, Pratum’s strength and vibrancy is not due to my shear will and determination. Our success is directly linked to our employees, the team of consummate professionals who serve our clients day in and day out. Whose tireless efforts ensure our clients achieve the right balance of information security.

From our beginnings, we have strived to bring together the best people who enjoy working together to solve problems. This teamwork and cohesive working environment is seen and felt by the clients we serve. I’m humbled by and thankful for the people who make up this amazing team.

Dave Nelson, CEO and President at Pratum
Dave Nelson, CISSP - CEO and President

Pratum also owes its success to you, our clients. You entrust us with your most sensitive information. You rely on us to help grow your business. Our teams work side by side to implement creative solutions to improve information security, without breaking the bank or strangling your business operations. I’m thankful for the trust you place in us and love watching your accomplishments.

As we celebrate this 10-year anniversary, it is only fitting we do so as we dedicate our new headquarters in Ankeny, IA. This new facility enables us to continue to grow our team here in Iowa and offers a great place for people to work and raise their families. It provides us the opportunity to serve our existing clients and a place where we can meet our future customers.

Pratum Building Interior and Exterior
Pratum headquarters at 1551 SW Prairie Trail Pkwy, Ankeny IA

My family and I thank all of you for this amazing journey. We were confident Pratum would succeed, but this level of success only comes from surrounding yourself with great people. So, we say thank you to the great people both on our staff and those on staff with our clients.

I’ll leave you with one final quote from Winston Churchill, which I think captures Pratum’s future perfectly.

Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.

Winston Churchill

We at Pratum are just getting started and the future is exciting!

Thank you,

Dave Nelson, CISSP
President and CEO

You Are Invited!

Open House Ribbon Cutting Celebration

We are celebrating our new headquarters and 10-year anniversary!

Date: September 13, 2018

Time: 4:00pm - 6:30pm (Ribbon Cutting at 4:30pm)

Location: 1551 SW Prairie Trail Pkwy, Ankeny, Iowa 50023

Join us as we celebrate our 10 years of information security services and our brand new headquarters. Enjoy hors d'oeuvres and a beverage as you talk with our staff, network with local professional, or relax on the second floor patio overlooking The District.

Contact Us

Get our blog posts delivered to your inbox: