July 7, 2006 12:28 PM PDT

Security agency war game tries to teach Net defense

WASHINGTON--The National Security Agency may be known for its stealthy eavesdropping techniques, but it's going public with advice for how to train a new generation to defend against computer threats.

Representatives from the usually secretive agency appeared at a SANS Institute event here to divulge "lessons learned" from their latest cyberdefense exercise. The exercise, which took place over four days in April, pitted students from the five U.S. military academies and the Air Force's postgraduate technology school against "bad guys" at NSA headquarters.

The NSA-sponsored exercise, unlike other governmental attempts at bolstering cyberpreparedness, has been regularly taking place for six years. Friday's public presentation, however, was described as the first of its kind. (The Department of Homeland Security, the agency chiefly responsible for safeguarding federal agencies' cybersafety, wrapped up its first large-scale mock attack earlier this year, with an analysis of its results expected this summer.)

NSA representatives said they hoped the informal briefing would provide a wake-up call to all network managers, both inside and outside the government.

"Even in four days, a network can be had," said Major Thomas Augustine, the event's coordinator. "Imagine, if you will, those individuals who have a year or two to spare and are waiting to get into your networks."

During the exercise, each team received network software that had been tainted by a group of NSA representatives, and each had two weeks to find as many misconfigurations and vulnerabilities as they could. Separate groups of NSA representatives, who were unaware of the existing vulnerabilities, then went to work over the four days attempting to hack into networks. The networks were designed and built by each military team and employed the NSA-supplied software.

In hopes of simulating a real-world situation, the attackers made a point of using the most publicly known exploits during the competition. They also took advantage of common mistakes like the use of weak passwords or the same passwords on multiple systems, and targeted security holes in Microsoft Windows that have readily available patches.

In one case, for instance, NSA hackers gained control of a router in a complex network architecture built by the West Point team because the team neglected to change the default password on the Cisco Systems device. Team members sensed something was awry when they saw that their Telnet prompt message had been changed to read, "GO_NAVY_BEAT_ARMY."

The winning team, which came from the Air Force Academy, turned out to be arguably the most inexperienced and employed one of the simplest network designs. Michael Tanner, an Air Force cadet, said the team's nine members, mostly computer science and engineering majors, had only basic knowledge of information assurance practices.

"We know there's a tendency for students to think they have to build some sort of whizbang network with bells and whistles," said Rigo MacTaggart, who participated on the NSA's end. "What has been shown to work best in previous (exercises) is a simpler works better" approach.

Aside from a streamlined network architecture, MacTaggart and his NSA colleagues offered three other rules of thumb:

• Follow a "deny by default" policy--that is, allow network users to access only the ports and services they truly need. "If you don't know that you need it, turn it off," said Pablo Breuer, who led the NSA's "red team" of hackers. "If someone comes screaming to you, ask them to prove they need the service."

• Remove all services, software and user accounts that aren't necessary to run a particular server. They "can be disabled, but it's better to go an extra step and have (them) completely removed," MacTaggart said.

• Plan for disasters. "No matter how well-designed the network is," MacTaggart said, "there's going to be some sort of security incident, an outage, a hard-drive failure."

9 comments

Not Just Military Computers @ Risk
The exercises showed that US departments are capable of sniffing out Risk Threats, but it's not just military agencies that need to run exercises like this. Smaller applications like email even pose a threat to an organization's data http://www.essentialsecurity.com/Documents/article9.htm

If the government can secure its servers, how about deploying solutions for the average government worker who may need to VPN from home to use his or her laptop? RLS tools are measures that smaller non military departments can incorporate as part of their security policies
http://www.essentialsecurity.com/howitworks_laptop.htm
Posted by marileev (292 comments)
Awww...
It's a kinder gentler invasive domestic spying agency. Maybe these guys don't deserve the scrutiny they're getting... Oh wait, they're involved in systematic warrantless spying on otherwise innocent domestic citizens. Yeah, that's utterly immoral. Hmmm, maybe this PR fluff piece is just a smoke screen. So network security is important?!? Wow, when did these stunted morons wake up... Good thing we have these kindly and trustworthy folks to point out the simplest of obviousnesses.
Posted by scdecade (329 comments)
that's utterly immoral.
http://www.analogstereo.com/lexus_lx_owners_manual.htm
Posted by Ipod Apple (152 comments)
Over-rated
The NSA's Red Team is severely over-rated. These nub-cakes have mastered only "the art of textbook reading". I know, I've 'been there done that'. Network security goes deeper than the response-control approach that they use. This nation will not get any more secure until red teams such as this start to focus more on the enemy they're up against, and start to recruit quality personnel. "I'll probably see him on the news" - well here I am. rofl @ owned!
Posted by The Cryptowizard (2 comments)
I agree with cryptowizard in general, though I think many people claim to be part of an NSA red team that in reality are very loosely affiliated with the NSA. All in all, most that make this claim publicly are generally very non-technical and looking to gain reputation via association. Particular point, I don't think Breuer ever "led" the NSA's "red team" of hackers. I wouldn't even really classify him as a hacker at all.
Posted by hdost (1 comment)