Cyberwar!

by Quinn Shamblin

On March 19th, as part of the final exam for the Information Security and Privacy course taught at the UC College of Applied Science, UC Information Security staff joined the class to host the first cyber war games at UC.

For weeks, students had been learning about Information Security, and now they were able to put those concepts into action. Half of the students, led by Information Security Officer (ISO) Karl Hart, were the “Black Hat” hacker team. It was their job to use hacker tools and techniques to try to break into machines defended by the “White Hat” team, led by ISO Quinn Shamblin, and steal information.

The rules were simple:  “You may not risk person or property. No physical confrontations are allowed. Other than that, get the data by any means.” Throughout the morning the two teams worked in their separate locations to set up and test their systems. The defenders worked through a detailed security checklist to ensure that their systems were as protected as they could make them. The hackers set up and tested their attack tools and made their plans. 

The games were to commence at 1 pm, but the Black Hats launched their first salvo over lunch. (Hackers can attack at any time!) When the White Hats returned to their room after lunch, they found their computers were gone. As Black Hat leader Karl Hart put it, “Physical access trumps logical protections (passwords, file permissions, etc.) every time.” One of Microsoft’s ten immutable laws of security is:  “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.”

White Hat leader Quinn Shamblin agrees. “Absolutely. If I have physical access to your computer, typically I can be into it and reviewing your files in less than five minutes.”

However, the game was not over quite yet. Per Shamblin, “We expected them to try something over lunch. I would have. However, this was a curve. I expected them to sneak in and install a virus, key logger, or some other malware. I didn’t expect outright theft. It was a good move on their part. However, that theft did not gain them what they wanted. We expected something, so we chose not to put the target data on any of the machines until it was time for the games to officially begin. What they stole was just hardware. A company would just write that off and go on with business. They did not get the important stuff, the data.”

UC's Director of Information Security, Kevin McLaughlin, refereed the game. His ruling was “If the data had been on the systems, it would have been game over with the Black Hats the winners.” The Black Hats were allowed to keep one of the computers as a penalty to the White Hats for not providing adequate physical protection. “After all, a hacker may easily choose to steal a computer if he can get one. It would provide valuable information on how to attack a company.”

So the White Hats were back in business, albeit with one less computer. They made a few final tweaks, placed the target files on the computers and it was game on!

Throughout the afternoon the hackers hammered the cyber war network, but the security configuration created by the defending team held up. Monitoring tools showed attack activity, but the attacks failed to penetrate the systems. The level of excitement in the rooms was high. Students who had other commitments said, “I have to go, but I really don’t want to.”

At the end of the day, the Black Hats had not gotten through. The two teams were brought together to discuss the event and learn from each other. The prevailing attitude was that it had been a great time and very informative. This competitive form of learning really clicked with many of the participants.

Says McLaughlin:  “We consider this event to be a great success. We learned a lot from it and will make it even better next time. Today’s participants will be welcome to join a future event so that they can learn the other side if they wish. Local law enforcement has even expressed an interest in taking part in these events in the future.”

If you are interested in securing your PC, laptop, or home network, the instruction document is available from infosec@uc.edu (and will soon be on http://www.uc.edu/infosec, as well). Step-by-step instructions — including screen shots — walk you through exactly what to do and how. 

For more information on a wide variety of information security topics, please visit http://www.uc.edu/infosec.
 


Return to the Spring 2008 index.




Office of Information Technologies
University of Cincinnati
400 University Hall
University of Cincinnati
P.O. Box 210658
Cincinnati, OH 45221-0658
Phone: 513-556-HELP(4357); Fax 513-556-1006
E-mail: helpdesk@uc.edu 

Copyright Information © University of Cincinnati