Collegiate Cyberdefense Competition Injects Part 1: Introduction to Business Injects

Collegiate cyberdefense competitions evaluate teams through several different metrics. While technical skills and concepts like incident response take center stage, soft skills and business knowledge are also tested. Business injects in particular tend to test general knowledge, understanding of business policy, the ability to communicate with and influence non-technical superiors without technobabble, and so on.

In keeping with the business scenario the team operates within, business injects often require creating policies, plans for implementing them, and giving professional recommendations to your CEO who… doesn’t speak computer geek.

For example:

  • CEO requests a report covering what GDPR is, whether the company can become compliant within 12 months, whether they can afford to do it, whether they can afford not to do it, and a justified recommendation about how to move forward.
  • Log and report all known breaches and countermeasures taken against them.

Some injects are purely technical or purely business, but others require competency in both areas, such as:

  • Report on the effectiveness of the implemented SIEM using specific examples
  • Create an incident response policy and plan for implementing it

Because the technical injects cover a range of operating systems and types of tasks, this post will focus on aspects of technical writing and business documents.

There are some critical things that you need to remember when writing these reports:

1. More likely than not, you will not have enough time, but you must still be comprehensive.

If you’ve been asked for A, B and C, and have 30 minutes left before submission, you need to make some tough calls about where to cut your losses. If you have no understanding of how to address part C, then pour your heart and soul into the rest of B. But chances are, you’re best off at least briefly addressing all parts of the request.

2. Save a substantial chunk of your allotted time for delivering injects.

Arbitrarily, you might want to save 30% for nonsense, interruptions, stopping to put out a fire, or delivery mishaps. You can’t rely on the USB drives remaining pure and uncorrupted, you might lose email at any time, and who knows if the printer is still functional.

3. Your team captain is your best asset for data collection, task management and time management.

My team captain was invaluable, because he was always able to help me find out who was dealing with the systems I needed information on. He also helped me track time, which was super important at the National competition level.

4. This is a role you need to study for!

If you have enough work experience in a corporate setting, then you may have a feel for what privacy policies, acceptable use policies and the like contain. But if you have to think about it too long, you’ll get bogged down and lose time. Ideally, you shouldn’t have to google anything but new laws or specific products. Therefore, make sure you familiarize yourself with the basics of GDPR, HIPAA, memos and policy documents.

If you can outline a 10-page thesis paper reasonably well, or outline a 3-10 minute speech, then you should have little trouble organizing the reports logically.

There are a lot of resources online about technical writing. I’d recommend starting with SANS templates. Print them out, mark them up, and make sure that you understand the content and structure. I will be following this post up with a part two focused on resources for technical and policy writing, and other resources for collegiate cyberdefense competitions.