[Infowarrior] - Cybersecurity contests go national

Richard Forno rforno at infowarrior.org
Thu Jun 1 10:18:17 EDT 2006


 Cybersecurity contests go national
Robert Lemos, SecurityFocus 2006-06-01
http://www.securityfocus.com/print/news/11394

It has all the makings of a B-movie plot: A corporate network targeted by
hackers and a half dozen high-school students as the company's only defense.

Yet, teams of students from ten different Iowa high schools faced exactly
that scenario during a single night in late May in the High School Cyber
Defense Competition. The contest tasked the teenagers with building a
network in the three weeks leading up to the competition with only their
teachers, and mentoring volunteers from local technology firms, as their
guides.

On Friday night, May 19, and into Saturday morning, the students defended
the network against a team of Iowa State University students acting as the
attackers.

"As the hackers came in, you could see (the students') reactions: They were
frustrated when they saw the attackers breach their systems and excited when
they stopped the attack," said John Carr, a mentor for the team fielded by
Valley High School of West Des Moines and senior solutions consultant with
Iowa-based technology consulting firm QCI.

The contest between high schools followed the first national Collegiate
Cyber Defense Competition that took place earlier this year at the
University of Texas at San Antonio, pitting four regional college champions
and an all-star team from five U.S. military academies against each other.

The two tournaments mark a turning point for cybersecurity competitions from
the mostly amateur affairs of the past to exercises throwing student,
government and corporate competitors into the arena against each other. The
competitions give students and professionals the opportunity to get hands-on
experience responding to attacks, without serious consequences.

"At the end of the day, no data has been compromised and no one is going to
get fired," said Timothy Rosenberg, CEO of White Wolf Security, a start-up
company that has made a business out of running such competitions. "You can
make an argument that this is not only good sport, but an excellent
corporate security training exercise."

The U.S. government agrees. Since 2001, the U.S. military academies for the
five branches of service have run an annual Cyber Defense Exercise pitting
teams from each school against a Red Team consisting of members of the
National Security Agency and attack specialists from the Army and Air Force.

"Exercises are an important way to improve our cyber security preparedness
and having competitions like these are excellent ways to practice for the
real thing," Andy Purdy, acting director of the National Cyber Security
Division (NCSD) at the Department of Homeland Security, said in a statement
marking the completion of the first national Collegiate Cyber Defense
Competition (CCDC).

The interest comes as companies increasingly face a variety of threats posed
by online attackers. In May, antispam firm Blue Security got chased off the
Internet by an irate spammer that attacked the company's Web site, service
network, affiliates and clients. Several security groups warned companies
that a previously unknown flaw in Microsoft Word was being actively
exploited to attack specific companies. These attacks build on a
particularly bad year for privacy in 2005, when more than 52 million
consumer accounts were placed at risk.

While academics, security experts and government officials have discussed
turning the once ad-hoc hacking contests into a more formal competition, the
seed for the idea failed to take root until a workshop held at University of
Texas in San Antonio in the spring of 2004.

Called together by Lance Hoffman, a computer science professor at George
Washington University, and Ronald Dodge, a Lt. Colonel and professor at the
U.S. Military Academy at West Point, a group of computer-security professors
and graduate students discussed the future of such exercises.

Everyone agreed that the competitions should be formalized, but one
participant--Greg B. White, director of the Center for Infrastructure
Assurance and Security (CIAS) at the University of Texas at San
Antonio--feared that the process would stall.

"The first thing that happens when you get a bunch of academics together is
they want to form a committee," White said. "We--three schools in
Texas--decided to jump start the process and have a regional competition."

Along with Texas A&M and UT Austin, White created a regional Texas
competition pitting five schools against each other in a three-day
competition in April 2005. Taking lessons from the military's CDX
competitions, the annual Capture the Flag tournament at DEFCON, and a few
smaller academic exercises across the country, the universities decided to
create a defense-focused contest, and called it the Collegiate Cyber Defense
Competition.

The college and high-school contests focus on locking down an insecure
business network in the face of an attack.

"When students come in, they are given a network that is up and running, but
we don't guarantee that it is secure," White said. "When a student graduates
and joins the commercial sector, that is what they are going to face most
likely--an insecure network."

Both the college and high-school competitions use a neutral team of
attackers, known as a Red Team, to represent online criminals that might
infiltrate a company's network. An automated scoring system keeps track of
the reliability of any services required by the current scenario, the
success in detecting and mitigating an attack, and special bonuses for
meeting seemingly random business goals from the fictitious company's
management.

Random events also spice up the competition, said Doug Jacobson, associate
professor of electrical and computer engineering for Iowa State, who ran the
High School Cyber Defense Competition.

"We threw in anomalies," Jacobson said. "In a moment's notice, the CEO says
that they want seven new users. Or a cable breaks. Saturday morning, we had
a fire alarm, and the pseudo fireman did a few things, and the students had
to come in and figure out what was done. We had those types of events going
on throughout the exercise."

The contests are not about creating the ultimate secure network--such a
beast just does not exist, stressed QCI's Carr, who mentored the Valley High
School team.

Each team had to deal with requirements that gave an advantage to the
attackers, such as running an old version of Red Hat Linux and having a Mac
Mini as part of their network in addition to the seven other computers required
by the rules. The Valley High School team, which won the Iowa high-school
competition, used Windows 2003 running Active Directory, FreeBSD, Windows XP,
ALinux, and Mac OS X.

"Coming from a larger environment, we (the mentors) know there is no such
thing as a 100 percent Windows or Linux environment," Carr said.

In the end, the contests are about dealing with the messy real world, said
White Wolf Security's Rosenberg.

"Is it stacked in the hackers' favor? Of course it is," Rosenberg said. "We
want the students to take a beating. Far beyond teaching students how to
lock things down, we teach them how to get through an attack."

The commercial sector has already started looking at the events as a good
training exercise. Corporate security professionals are already a staple at
the annual Capture the Flag event at the DEF CON hacking conference, which
brings together eight teams to find vulnerabilities, attack each other's
networks and defend against their opponents' attacks.

The SANS Institute completed a trial run of a competition that will take
place during the training group's conferences, said Rosenberg.

Both the high-school and college competitions expect to expand in 2007,
given the overwhelming interest in the programs. Iowa State's Jacobson
expects the number of Iowa high schools that enter the competition next year
to double, while UT San Antonio's White hopes to hold 8 to 10 regional
competitions in 2007. By 2008, he expects the CCDC to have a governing body
in place to create standards for the regional competitions and to manage the
national tournament.

In the end, the competition is about training the next generation of network
administrators and security engineers, UT San Antonio's White said. He hoped
that companies would look at the contests as a fertile place to fill out
their ranks.

"It will also be a great recruiting tool," White said. "We have some of the
brightest security geeks on the planet at these events."




