[ISN] Security agency war game tries to teach Net defense

From: InfoSec News (alerts@private)
Date: Sun Jul 09 2006 - 23:02:23 PDT


By Anne Broache
Staff Writer, CNET News.com
July 7, 2006

WASHINGTON -- The National Security Agency may be known for its stealthy 
eavesdropping techniques, but it's going public with advice for how to 
train a new generation to defend against computer threats.

Representatives from the usually secretive agency appeared at a SANS 
Institute event here to divulge "lessons learned" from their latest 
cyberdefense exercise. The exercise, which took place over four days in 
April, pitted students from the five U.S. military academies and the Air 
Force's postgraduate technology school against "bad guys" at NSA 

The NSA-sponsored exercise, unlike other governmental attempts at 
bolstering cyberpreparedness, has been regularly taking place for six 
years. Friday's public presentation, however, was described as the first 
of its kind. (The Department of Homeland Security, the agency chiefly 
responsible for safeguarding federal agencies' cybersafety, wrapped up its 
first large-scale mock attack earlier this year, with an analysis of its 
results expected this summer.)

NSA representatives said they hoped the informal briefing would provide a 
wake-up call to all network managers, both inside and outside the 

"Even in four days, a network can be had," said Major Thomas Augustine, 
the event's coordinator. "Imagine, if you will, those individuals who have 
a year or two to spare and are waiting to get into your networks."

During the exercise, each team received network software that had been 
tainted by a group of NSA representatives, and each had two weeks to find 
as many misconfigurations and vulnerabilities as they could. Separate 
groups of NSA representatives, who were unaware of the existing 
vulnerabilities, then went to work over the four days attempting to hack 
into networks. The networks were designed and built by each military team 
and employed the NSA-supplied software.

In hopes of simulating a real-world situation, the attackers made a point 
of using the most publicly known exploits during the competition. They 
also took advantage of common mistakes like the use of weak passwords or 
the same passwords on multiple systems, and targeted security holes in 
Microsoft Windows that have readily available patches.

In one case, for instance, NSA hackers gained control of a router in a 
complex network architecture built by the West Point team because the team 
neglected to change the default password on the Cisco Systems device. Team 
members sensed something was awry when they saw that their Telnet prompt 
message had been changed to read, "GO_NAVY_BEAT_ARMY."

The winning team, which came from the Air Force Academy, turned out to be 
arguably the most inexperienced and employed one of the simplest network 
designs. Michael Tanner, an Air Force cadet, said the team's nine members, 
mostly computer science and engineering majors, had only basic knowledge 
of information assurance practices.

"We know there's a tendency for students to think they have to build some 
sort of whizbang network with bells and whistles," said Rigo MacTaggart, 
who participated on the NSA's end. "What has been shown to work best in 
previous (exercises) is a 'simpler works better' approach."

Aside from a streamlined network architecture, MacTaggart and his NSA 
colleagues offered three other rules of thumb:

* Follow a "deny by default" policy--that is, allow network users to 
  access only the ports and services they truly need. "If you don't know 
  that you need it, turn it off," said Pablo Breuer, who led the NSA's 
  "red team" of hackers. "If someone comes screaming to you, ask them to 
  prove they need the service."

* Remove all services, software and user accounts that aren't necessary to 
  run a particular server. They "can be disabled, but it's better to go an 
  extra step and have (them) completely removed," MacTaggart said.

* Plan for disasters. "No matter how well-designed the network is,"  
  MacTaggart said, "there's going to be some sort of security incident, an 
  outage, a hard-drive failure."
