[ISN] ONE BREACH IS ONE TOO MANY IN CYBER WARFARE

From: InfoSec News (alerts@private)
Date: Fri May 02 2008 - 01:11:26 PDT


http://www.montereyherald.com/business/ci_9092292

By KEVIN HOWE
Herald Staff Writer
04/29/2008

Cyberspace is a battleground that the U.S. military should learn to 
dominate, just as it has land, sea and air, says an expert with the 
Naval Postgraduate School's computer science department.

"Destroying a computer infrastructure is like denying somebody air," 
said Scott Cote, senior lecturer in the school's Center for Information 
Security Studies and Research.

Students at NPS waged a four-day battle in cyberspace that pitted them 
and each of the service academies - Army, Navy, Air Force, Coast Guard, 
Merchant Marine, and the Air Force Institute of Technology - against a 
team of computer hackers fielded by the National Security Agency last 
week.

The schools could only defend, said Navy Lt. Mateo Robertaccio, a 
student in NPS' information systems technology and management course, 
who took part in the cyberbattle.

"We would have liked to do offense, it's easier," he said. A defender 
must protect every vulnerable point of a computer system. An attacker 
only has to find one chink in the firewall's armor. "You can't make one 
mistake. It has to be perfect."

Now in its eighth year, the annual cyberwar exercise is meant to give 
students who volunteer a chance to "get their hands dirty" while 
learning about the vulnerability of computer systems, Cote said.

The students and instructors were required to use a variety of systems - 
Windows, Linux and Mac - some of which had compromising programs 
implanted in them that needed to be ferreted out.

As the exercise progressed, the Navy school's e-mails and other systems 
had to remain open.

"It's like having a business," Cote said. "A customer could be a burglar 
casing the store, or a customer. You have to be able to be open for 
business."

They also had a budget limit for hardware and firewall software to add 
realism to the exercise. "You couldn't buy your way out of trouble," 
Cote said.

He postulated a situation in which a U.S. technology team was sent to 
help a NATO ally that might have older equipment, legacy systems. "You 
couldn't just say, 'throw out all this stuff and buy new.'"

"They forced us to use things that have weaknesses," Robertaccio said, 
"older systems."

Every Navy ship, he said, has a different computer operating system, and 
the Navy can't replace them all.

This year's cyberwar exercise drew 30 students, about half of them 
civilians, he said. "There's a big human element to this. A lot of it 
was based on making sure we had the right teams in the right subgroups."

A terrorist cell doesn't have to use bombs to cause damage, Cote said.

"You can attack the Pentagon and physically destroy the building, or you 
can attack it so its network doesn't function."

Only one cyber attack from NSA got through the NPS firewall during the 
four days, Cote said. "We were 99.4 percent perfect, but that didn't 
matter. One compromise - once they get into the system - they can wreck 
it."

The Air Force Institute appeared to be the top scorer, he said, and the 
undergraduate service academies didn't do as well, because their students 
didn't have as much background in computer science as the graduate 
schools.

The penetration of a computer system would register on a graph in red, 
Cote said. "We'd call that 'bleeding.' The Naval Academy bled for days."

Cote and Robertaccio compared the computer exercise to a live-fire 
exercise with planes, tanks or ships firing real bullets, shells and 
missiles.

Planning for each year's event begins in October and continues through 
May with an after-action analysis following the actual cyberspace battle 
in late April.

Funding the exercises is "a hard sell" in Washington, Robertaccio said, 
but it teaches a lot of lessons. "I hope we can do an attack next year."

Meanwhile, students who took part can carry away a sense of how systems 
can be attacked, the damage that can be done, and the ways to guard 
against it.

The idea is to stave off a catastrophic event resulting from a massive 
attack on a critical computer network.

"A lot of people are waiting," Cote said, "for a cyber Pearl Harbor."

