NSA's boot camp for cyberdefense

 

 

NSA's boot camp for cyberdefense

http://news.cnet.com/8301-13772_3-20003203-52.html?tag=mncol;txt

 

Air Force Capt. Mike Henson Henson explains to CNET what the annual Cyber

Defense Exercise is about and what the military hopes to achieve.

Daniel Terdiman

by Daniel Terdiman April 22, 2010 12:57 PM PDT Follow @GreeterDan

 

If you're the kind of person who worries about the security of computer

networks, you should know that the National Security Agency is worrying

about it too.

 

Since Tuesday, the NSA has been conducting its 10th annual Cyber Defense

Exercise, a competition that pits students from a series of military

academies against each other--and against the competition's leaders at

NSA--in a bid to see who has the best cyberdefense skills. The idea? To

"build and defend computer networks against simulated intrusions by the

National Security Agency/Central Security Services Red Team."

 

The competition will last until Friday when that Red team, or "red cell," as

it's known, will cease its attacks on the students' newly-built networks.

The goal is to help the students learn about the topic of Information

Assurance, and how it is used to protect the most vital information systems

in the United States and Canada. As they work, the students must defend

their networks and offer up consistent reports on what they're doing and on

the attacks they're identifying.

 

This year, eight academies are competing: the United States Military Academy

(West Point); the United States Naval Academy; the United States Air Force

Academy; the United States Coast Guard Academy; the United States Merchant

Marine Academy; the Naval Postgraduate School; the Air Force Institute of

Technology; and the Royal Military College of Canada.

 

The exercise is being hosted by Lockheed Martin in Greenbelt, Md., and

during the four days of the competition, NSA and U.S. Department of Defense

personnel are acting as evaluators--even as the NSA's red team challenges

the students with constant network attacks, all of which must be

"publicly-available, well-documented vulnerabilities." The competition takes

place on a closed network that does not access the Internet.

 

At the Air Force Academy, one of the instructors helping the students learn

how to construct cyberdefenses--and prepare for the NSA's exercise, is Air

Force Capt. Michael Henson. He agreed to answer some questions from CNET

about the competition, which has been won by West Point for the last three

years. However, the Air Force Academy won in 2006, and Henson surely

believes that his charges will take the crown in 2010.

 

Q: Explain the major elements of the competition?

Henson: The students must build a network with all of the services required

by the NSA's directive--including e-mail, file sharing, network printing, a

Web server, and a bulletin board system. Their mission is to keep those

services running while thwarting attempts to compromise our systems. We

typically start off with a set number of points and lose points for either a

service outage or a successful compromise of our systems. This year, all

teams built their service providing systems from scratch while we received

our workstation virtual machines from the NSA. We have also been directed

not to patch the workstations until we receive approval. It is expected that

the NSA will find their way into some of the systems regardless of how

tightly we attempt to lock them down and this is when our students actually

tend to learn the most. They need to attempt to understand how the attacker

got in and how to mitigate the problem instead of just restoring to a

backup. Hacking back has been forbidden for as long as I've been involved in

the competition, although this year our students will have a few hours on

Friday to go after some flags on a network the NSA has set up.

 

Students at the U.S. Naval Academy participating in the 2008 NSA Cyber

Defense Exercise.

(Credit: U.S. Naval Academy)

 

What are the major threats that students must defend against?

Henson: The threats tend to cover the full rage from downloaded attachments

and links taking our users to malicious Web sites to direct scanning,

enumeration, and attempt at exploitation. We have seen, for instance, that

some of our servers have been targeted with buffer overflow attempts,

cross-site scripting on our Web server, and so on. Much of what the NSA uses

against us is also happening out in the commercial Internet today. This

year, we have a new twist in that the NSA has provided us with a gray cell

member to simulate an uneducated user. This has caused us considerable

difficulty since that user is clicking on every link that comes along and

downloading and executing e-mail attachments.

 

What are the most challenging aspects of the competition?

Henson: Unlike many of the cyberdefense competitions running today, our

students have to design, build, secure, and defend their network against

attackers from the NSA. In many of the other competitions I've seen, people

are given access to a network that has already been designed and told to

secure it the best they can. Those types of competitions certainly provide

value, but adding the design and build components into the competition

requires our students to do a lot more work. It provides them an opportunity

to have to make decisions that aren't that different from some they'll face

when they commission and go on active duty, such as weighing the benefit of

different operating systems with regard to both usability and default

security. The other part of the competition that is really challenging is

that our cadets have never built a network like this from scratch, so they

have to spend plenty of time in trial and error, especially with some of the

more obscure systems they set up.

 

How does the education the students get prepare them for the competition?

Henson: The education we provide gives our students a broad foundation from

which to make critical decisions whether they are commanding troops or

defending a network. Additionally, many of our cadets are also pursuing the

cyberwarfare track within the computer science degree, which requires that

they take a cryptography, information warfare, and a network security

course. To enable some of the training that's also required for a

competition like this, we have a Cadet Cyber Warfare Club that provides a

sandboxed network where cadets can learn the craft of network defense.

 

What tends to make one academy's team better than another?

Henson: This is a tough question but I think the answer is the right mixture

of highly motivated students and plenty of faculty support to help when they

get stuck on a particular problem. Our cadets spend many hours and some late

nights in the lab preparing for the competition. There's also a lot to be

said for experience. This is the first year that we have made a concerted

effort to have multi-year participation from cadets.

 

Can you think of any defense innovations that have come out of the

competition in the past?

Henson: Most of the innovations that have come from great "out of the box"

thinking during the competition are too much of a violation of the

psychological acceptability design principle to really be feasible. For

example, one school decided to run its Web pages off of CD so that they

couldn't be changed. While that worked to stop changes to the Web site, it

probably isn't very practical for most companies that need a more dynamic

option. One thing I would mention here is that there is a capture the flag

event scheduled for Friday, which will be testing out some of the security

guidance provided by an office at the NSA. If our students are successful at

getting in to that network, it may result in some changes to security

guidance.

 

Talk about how the competition has evolved over the last few years?

Henson: The competition has evolved in several ways since 2001. One of the

most obvious ways is the amount of support and the number of players. The

competition started out between a few of the schools and now we're up to

eight competitors. Also, the number and sophistication of required services

has grown over the years. Scoring for the exercise has also seen some

dramatic improvements from the early days. Currently, there is a Web site

which gives initial indications of the status of all of the important

services. We also have a white cell liaison at each of the locations to help

adjudicate the points. Another positive evolution has been the move toward a

"fighting through" policy instead of that of the "fortress mentality" of

past years. Which means that some of the techniques used to lock systems

down in the past have resulted in minimal if any successful compromises by

the red cell. While this helps a school to win the competition, it's fairly

unrealistic in practice and could lead to students getting the wrong idea

about security. Instead, all of the faculty have agreed that it is important

for the students to be exposed to situations where they can't guarantee a

system is 100 percent locked down and have to react when that system is

inevitably compromised.

 

How much more sophisticated are the students today than they were a few

years ago?

Henson: This is interesting, since we are often told that the younger

generations are much more capable with computers and being connected in

general. What I tend to find is that many of our students are very adept at

sending e-mail, and using social-networking sites and so on, but don't tend

to have a grasp on what's happening "under the hood."

 

Can you think of any great anecdotes from the last few competitions?

Henson: We take pride in the fact that our cadets are able to think on their

feet about networks and security. For example, there are exercise "injects"

whereby the students are faced with a brand new task or challenge. Last

year, one of those challenges was an unruly Web crawler that was causing

problems and gathering information on our Web site. NSA commended Air Force

Academy cadets for their quickness in researching and implementing a

solution. It's that type of critical thinking that will be of paramount

importance for these future officers.

 

==========================================

(F)AIR USE NOTICE: All original content and/or articles and graphics in this

message are copyrighted, unless specifically noted otherwise. All rights to

these copyrighted items are reserved. Articles and graphics have been placed

within for educational and discussion purposes only, in compliance with

"Fair Use" criteria established in Section 107 of the Copyright Act of 1976.

The principle of "Fair Use" was established as law by Section 107 of The

Copyright Act of 1976. "Fair Use" legally eliminates the need to obtain

permission or pay royalties for the use of previously copyrighted materials

if the purposes of display include "criticism, comment, news reporting,

teaching, scholarship, and research." Section 107 establishes four criteria

for determining whether the use of a work in any particular case qualifies

as a "fair use". A work used does not necessarily have to satisfy all four

criteria to qualify as an instance of "fair use". Rather, "fair use" is

determined by the overall extent to which the cited work does or does not

substantially satisfy the criteria in their totality. If you wish to use

copyrighted material for purposes of your own that go beyond 'fair use,' you

must obtain permission from the copyright owner. For more information go to:

http://www.law.cornell.edu/uscode/17/107.shtml

 

THIS DOCUMENT MAY CONTAIN COPYRIGHTED MATERIAL. COPYING AND DISSEMINATION IS

PROHIBITED WITHOUT PERMISSION OF THE COPYRIGHT OWNERS.

 

 

 

 

 

 

--
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum
 
* Visit our other community at http://www.PoliticalForum.com/
* It's active and moderated. Register and vote in our polls.
* Read the latest breaking news, and more.