- Related Stories
-
DHS scores F on cybersecurity report card
March 16, 2006 -
Homeland Security wraps up first mock cyberattack
February 10, 2006 -
U.S. cybersecurity due for FEMA-like calamity?
October 10, 2005 -
Tax breaks for cybersecurity firms?
September 27, 2005 -
Homeland Security flunks cybersecurity prep test
May 26, 2005 -
Feds urged to tighten cybersecurity
February 17, 2005 -
U.S. cybersecurity chief resigns
October 1, 2004
Representatives from the usually secretive agency appeared at a SANS Institute event here to divulge "lessons learned" from their latest cyberdefense exercise. The exercise, which took place over four days in April, pitted students from the five U.S. military academies and the Air Force's postgraduate technology school against "bad guys" at NSA headquarters.
The NSA-sponsored exercise, unlike other governmental attempts at bolstering cyberpreparedness, has been regularly taking place for six years. Friday's public presentation, however, was described as the first of its kind. (The Department of Homeland Security, the agency chiefly responsible for safeguarding federal agencies' cybersafety, wrapped up its first large-scale mock attack earlier this year, with an analysis of its results expected this summer.)
NSA representatives said they hoped the informal briefing would provide a wake-up call to all network managers, both inside and outside the government.
"Even in four days, a network can be had," said Major Thomas Augustine, the event's coordinator. "Imagine, if you will, those individuals who have a year or two to spare and are waiting to get into your networks."
During the exercise, each team received network software that had been tainted by a group of NSA representatives, and each had two weeks to find as many misconfigurations and vulnerabilities as they could. Separate groups of NSA representatives, who were unaware of the existing vulnerabilities, then went to work over the four days attempting to hack into networks. The networks were designed and built by each military team and employed the NSA-supplied software.
In hopes of simulating a real-world situation, the attackers made a point of using the most publicly known exploits during the competition. They also took advantage of common mistakes like the use of weak passwords or the same passwords on multiple systems, and targeted security holes in Microsoft Windows that have readily available patches.
In one case, for instance, NSA hackers gained control of a router in a complex network architecture built by the West Point team because the team neglected to change the default password on the Cisco Systems device. Team members sensed something was awry when they saw that their Telnet prompt message had been changed to read, "GO_NAVY_BEAT_ARMY."
The winning team, which came from the Air Force Academy, turned out to be arguably the most inexperienced and employed one of the simplest network designs. Michael Tanner, an Air Force cadet, said the team's nine members, mostly computer science and engineering majors, had only basic knowledge of information assurance practices.
"We know there's a tendency for students to think they have to build some sort of whizbang network with bells and whistles," said Rigo MacTaggart, who participated on the NSA's end. "What has been shown to work best in previous (exercises) is a simpler works better" approach.
Aside from a streamlined network architecture, MacTaggart and his NSA colleagues offered three other rules of thumb:
• Follow a "deny by default" policy--that is, allow network users to access only the ports and services they truly need. "If you don't know that you need it, turn it off," said Pablo Breuer, who led the NSA's "red team" of hackers. "If someone comes screaming to you, ask them to prove they need the service."
• Remove all services, software and user accounts that aren't necessary to run a particular server. They "can be disabled, but it's better to go an extra step and have (them) completely removed," MacTaggart said.
• Plan for disasters. "No matter how well-designed the network is," MacTaggart said, "there's going to be some sort of security incident, an outage, a hard-drive failure."
See more CNET content tagged:
NSA,
network architecture,
exercise,
agency,
representative
If the government can secure its servers, how about deploying solutions for the average government worker who may need to VPN from home to use his or her laptop? RLS tools are measures that smaller non military departments can incorporate as part of their security policies
http://www.essentialsecurity.com/howitworks_laptop.htm
If the government can secure its servers, how about deploying solutions for the average government worker who may need to VPN from home to use his or her laptop? RLS tools are measures that smaller non military departments can incorporate as part of their security policies
http://www.essentialsecurity.com/howitworks_laptop.htm
- Over-rated
-
by The Cryptowizard
July 12, 2006 7:48 PM PDT
- The NSA's Red Team is severly over-rated. These nub-cakes have mastered only "the art of textbook reading". I know, I've 'been there done that'. Network security goes deeper than the response-control approach that they use. This nation will not get any more secure until red teams such as this start to focus more on the enemy they're up against, and start to recruit quality personnel. "I'll probably see him on the news" - well here I am. rofl @ owned!
-
Reply to this comment
-
(8 Comments)