DOD Kicks Up Cybersecurity Efforts
codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the needs for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."
They'll be unplugging the network. NSA probably has a work-around, though.
Username is joshua, and you don't need to enter a password.
It would also be interesting to see which OS allows the "red team" to infiltrate the network.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail.
Isn't this how most corporate networks are taken down? BTW, I can't access the intranet.
They'll probably just install Norton Internet Security.
We get random netbios traffic from the DoD all the time... looks like something is not locked down over there. Either that or they are scanning other government agencies for open windows computers. hmmmm.
Hmmm, I guess he's run out of cheap ways to get attention. Maybe he could quit the AAA or the Subway Sub Club, or something like that.
What I'm listening to now on Pandora...
As the post states, I don't think NSA will reveal all methods.
DOD: could you sec-test our network?
NSA: sure.
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: Doh!
No electrons were harmed sending this message. Wait,
Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive.
Sun Tzu say "try asking them for their passwords, maybe offering a bar of chocolate in return."
---
"I did nothing. I did absolutely nothing and it was everything that I thought it could be."
A sargent is pacing in front of a line of soldiers at attention, bellowing, "I've never seen such a sloppy outfit! Dictionary passwords on the root filesystem - open NetBIOS ports on the security gateway!!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Unfortunately exercises like this show how our conventional approach to warfare (cyber- or human-) is doomed in the world of increasing unconventional war tactics.
With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.
Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.
Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.
_______
2B1ASK1
This has been going on each year for almost 10 years now. Each of the "official" military academies compete, and the best team wins the NSA Information Assurance Directorate Trophy. In the past Army, Navy, and Air Force have all done quite well, while Coast Guard has not.
Contrary to popular belief, the NSA Red Team isn't allowed to use any of the NSA arsenal of dirty tricks. They are only allowed to use software that is freely available off the internet (NMAP, snort, etc.) running on commodity hardware. They can't do anything that violates Federal Law, (other than the intrusion attempts themselves), but social engineering is ok.
Also, break-ins are not an automatic loss, per se. Nor is prevention of break-in an automatic win. The goal of the Red Team is DoS. For every minute a service remains down, the Red Team scores points. The cadet teams win points based on how quickly they detect and respond to the attacks. All judging is done by an NSA White Team.
I'll see if I can find some more info and post it here.
You are attempting to read sigs. Cancel or Allow?
If I had moderator points, you would be at -1 right now instead of 0.
This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.
It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!