By Anne Broache
Staff Writer, CNET News.com
July 7, 2006
WASHINGTON -- The National Security Agency may be known for its stealthy
eavesdropping techniques, but it's going public with advice for how to
train a new generation to defend against computer threats.
Representatives from the usually secretive agency appeared at a SANS
Institute event here to divulge "lessons learned" from their latest
cyberdefense exercise. The exercise, which took place over four days in
April, pitted students from the five U.S. military academies and the Air
Force's postgraduate technology school against "bad guys" at NSA
The NSA-sponsored exercise, unlike other governmental attempts at
bolstering cyberpreparedness, has been regularly taking place for six
years. Friday's public presentation, however, was described as the first
of its kind. (The Department of Homeland Security, the agency chiefly
responsible for safeguarding federal agencies' cybersafety, wrapped up its
first large-scale mock attack earlier this year, with an analysis of its
results expected this summer.)
NSA representatives said they hoped the informal briefing would provide a
wake-up call to all network managers, both inside and outside the
"Even in four days, a network can be had," said Major Thomas Augustine,
the event's coordinator. "Imagine, if you will, those individuals who have
a year or two to spare and are waiting to get into your networks."
During the exercise, each team received network software that had been
tainted by a group of NSA representatives, and each had two weeks to find
as many misconfigurations and vulnerabilities as they could. Separate
groups of NSA representatives, who were unaware of the existing
vulnerabilities, then went to work over the four days attempting to hack
into networks. The networks were designed and built by each military team
and employed the NSA-supplied software.
In hopes of simulating a real-world situation, the attackers made a point
of using the most publicly known exploits during the competition. They
also took advantage of common mistakes like the use of weak passwords or
the same passwords on multiple systems, and targeted security holes in
Microsoft Windows that have readily available patches.
In one case, for instance, NSA hackers gained control of a router in a
complex network architecture built by the West Point team because the team
neglected to change the default password on the Cisco Systems device. Team
members sensed something was awry when they saw that their Telnet prompt
message had been changed to read, "GO_NAVY_BEAT_ARMY."
The winning team, which came from the Air Force Academy, turned out to be
arguably the most inexperienced and employed one of the simplest network
designs. Michael Tanner, an Air Force cadet, said the team's nine members,
mostly computer science and engineering majors, had only basic knowledge
of information assurance practices.
"We know there's a tendency for students to think they have to build some
sort of whizbang network with bells and whistles," said Rigo MacTaggart,
who participated on the NSA's end. "What has been shown to work best in
previous (exercises) is a simpler works better" approach.
Aside from a streamlined network architecture, MacTaggart and his NSA
colleagues offered three other rules of thumb:
* Follow a "deny by default" policy--that is, allow network users to
access only the ports and services they truly need. "If you don't know
that you need it, turn it off," said Pablo Breuer, who led the NSA's
"red team" of hackers. "If someone comes screaming to you, ask them to
prove they need the service."
* Remove all services, software and user accounts that aren't necessary to
run a particular server. They "can be disabled, but it's better to go an
extra step and have (them) completely removed," MacTaggart said.
* Plan for disasters. "No matter how well-designed the network is,"
MacTaggart said, "there's going to be some sort of security incident, an
outage, a hard-drive failure."
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.