NSA's boot camp for cyberdefense
http://news.cnet.com/8301-13772_3-20003203-52.html?tag=mncol;txt
Air Force Capt. Mike Henson explains to CNET what the annual Cyber
Defense Exercise is about and what the military hopes to achieve.
by Daniel Terdiman, April 22, 2010 12:57 PM PDT
If you're the kind of person who worries about the security of computer
networks, you should know that the National Security Agency is worrying
about it too.
Since Tuesday, the NSA has been conducting its 10th annual Cyber Defense
Exercise, a competition that pits students from a series of military
academies against each other--and against the competition's leaders at
NSA--in a bid to see who has the best cyberdefense skills. The idea? To
"build and defend computer networks against simulated intrusions by the
National Security Agency/Central Security Services Red Team."
The competition will last until Friday when that Red team, or "red cell," as
it's known, will cease its attacks on the students' newly-built networks.
The goal is to help the students learn about the topic of Information
Assurance, and how it is used to protect the most vital information systems
in the United States and Canada. As they work, the students must defend
their networks and offer up consistent reports on what they're doing and on
the attacks they're identifying.
This year, eight academies are competing: the United States Military Academy
(West Point); the United States Naval Academy; the United States Air Force
Academy; the United States Coast Guard Academy; the United States Merchant
Marine Academy; the Naval Postgraduate School; the Air Force Institute of
Technology; and the Royal Military College of Canada.
The exercise is being hosted by Lockheed Martin in Greenbelt, Md., and
during the four days of the competition, NSA and U.S. Department of Defense
personnel are acting as evaluators--even as the NSA's red team challenges
the students with constant network attacks, all of which must be
"publicly-available, well-documented vulnerabilities." The competition takes
place on a closed network that does not access the Internet.
At the Air Force Academy, one of the instructors helping the students learn
how to construct cyberdefenses--and prepare for the NSA's exercise--is Air
Force Capt. Michael Henson. He agreed to answer some questions from CNET
about the competition, which has been won by West Point for the last three
years. However, the Air Force Academy won in 2006, and Henson surely
believes that his charges will take the crown in 2010.
Q: Explain the major elements of the competition?
Henson: The students must build a network with all of the services required
by the NSA's directive--including e-mail, file sharing, network printing, a
Web server, and a bulletin board system. Their mission is to keep those
services running while thwarting attempts to compromise our systems. We
typically start off with a set number of points and lose points for either a
service outage or a successful compromise of our systems. This year, all
teams built their service providing systems from scratch while we received
our workstation virtual machines from the NSA. We have also been directed
not to patch the workstations until we receive approval. It is expected that
the NSA will find their way into some of the systems regardless of how
tightly we attempt to lock them down and this is when our students actually
tend to learn the most. They need to attempt to understand how the attacker
got in and how to mitigate the problem instead of just restoring to a
backup. Hacking back has been forbidden for as long as I've been involved in
the competition, although this year our students will have a few hours on
Friday to go after some flags on a network the NSA has set up.
Students at the U.S. Naval Academy participating in the 2008 NSA Cyber
Defense Exercise.
(Credit: U.S. Naval Academy)
What are the major threats that students must defend against?
Henson: The threats tend to cover the full range from downloaded attachments
and links taking our users to malicious Web sites to direct scanning,
enumeration, and attempts at exploitation. We have seen, for instance, that
some of our servers have been targeted with buffer overflow attempts,
cross-site scripting on our Web server, and so on. Much of what the NSA uses
against us is also happening out in the commercial Internet today. This
year, we have a new twist in that the NSA has provided us with a gray cell
member to simulate an uneducated user. This has caused us considerable
difficulty since that user is clicking on every link that comes along and
downloading and executing e-mail attachments.
What are the most challenging aspects of the competition?
Henson: Unlike many of the cyberdefense competitions running today, our
students have to design, build, secure, and defend their network against
attackers from the NSA. In many of the other competitions I've seen, people
are given access to a network that has already been designed and told to
secure it the best they can. Those types of competitions certainly provide
value, but adding the design and build components into the competition
requires our students to do a lot more work. It provides them an opportunity
to have to make decisions that aren't that different from some they'll face
when they commission and go on active duty, such as weighing the benefit of
different operating systems with regard to both usability and default
security. The other part of the competition that is really challenging is
that our cadets have never built a network like this from scratch, so they
have to spend plenty of time in trial and error, especially with some of the
more obscure systems they set up.
How does the education the students get prepare them for the competition?
Henson: The education we provide gives our students a broad foundation from
which to make critical decisions whether they are commanding troops or
defending a network. Additionally, many of our cadets are also pursuing the
cyberwarfare track within the computer science degree, which requires that
they take a cryptography, information warfare, and a network security
course. To enable some of the training that's also required for a
competition like this, we have a Cadet Cyber Warfare Club that provides a
sandboxed network where cadets can learn the craft of network defense.
What tends to make one academy's team better than another?
Henson: This is a tough question but I think the answer is the right mixture
of highly motivated students and plenty of faculty support to help when they
get stuck on a particular problem. Our cadets spend many hours and some late
nights in the lab preparing for the competition. There's also a lot to be
said for experience. This is the first year that we have made a concerted
effort to have multi-year participation from cadets.
Can you think of any defense innovations that have come out of the
competition in the past?
Henson: Most of the innovations that have come from great "out of the box"
thinking during the competition are too much of a violation of the
psychological acceptability design principle to really be feasible. For
example, one school decided to run its Web pages off of CD so that they
couldn't be changed. While that worked to stop changes to the Web site, it
probably isn't very practical for most companies that need a more dynamic
option. One thing I would mention here is that there is a capture the flag
event scheduled for Friday, which will be testing out some of the security
guidance provided by an office at the NSA. If our students are successful at
getting into that network, it may result in some changes to security
guidance.
Talk about how the competition has evolved over the last few years?
Henson: The competition has evolved in several ways since 2001. One of the
most obvious ways is the amount of support and the number of players. The
competition started out between a few of the schools and now we're up to
eight competitors. Also, the number and sophistication of required services
has grown over the years. Scoring for the exercise has also seen some
dramatic improvements from the early days. Currently, there is a Web site
which gives initial indications of the status of all of the important
services. We also have a white cell liaison at each of the locations to help
adjudicate the points. Another positive evolution has been the move toward a
"fighting through" policy instead of that of the "fortress mentality" of
past years, which means that some of the techniques used to lock systems
down in the past have resulted in minimal if any successful compromises by
the red cell. While this helps a school to win the competition, it's fairly
unrealistic in practice and could lead to students getting the wrong idea
about security. Instead, all of the faculty have agreed that it is important
for the students to be exposed to situations where they can't guarantee a
system is 100 percent locked down and have to react when that system is
inevitably compromised.
How much more sophisticated are the students today than they were a few
years ago?
Henson: This is interesting, since we are often told that the younger
generations are much more capable with computers and being connected in
general. What I tend to find is that many of our students are very adept at
sending e-mail, and using social-networking sites and so on, but don't tend
to have a grasp on what's happening "under the hood."
Can you think of any great anecdotes from the last few competitions?
Henson: We take pride in the fact that our cadets are able to think on their
feet about networks and security. For example, there are exercise "injects"
whereby the students are faced with a brand new task or challenge. Last
year, one of those challenges was an unruly Web crawler that was causing
problems and gathering information on our Web site. NSA commended Air Force
Academy cadets for their quickness in researching and implementing a
solution. It's that type of critical thinking that will be of paramount
importance for these future officers.