Second Year of Cybersecurity Contest Twice as Fun
By Mary Lynn Lyke
Like a band of thieves, security professionals roam the Pacific Rim
Collegiate Cyber Defense Competition scouting weaknesses: the unprotected
password file, the print-out of instructions that can be swiped and
swapped with a devious mockument. They eavesdrop on conversations about
network configurations, attach malware to fake Web sites, launch sneak
attacks on system infrastructures.
For these nefarious predators, the only rule in the two-day cyber
battle is to break the rules.
For their prey, teams of university and community college students
trying to secure network systems from attack, the effect can be unnerving
— and instructional.
"In the real world, there are no limits to what attackers can try or
who they can pretend to be, so it is interesting to watch that same
dynamic play out in the competition," says UW Computer Science and
Engineering student Travis McCoy.
McCoy’s team won both the 2008 and 2009 cyber battles, and headed on to
the nationals in Texas April 17-19 to place sixth out of a field of eight
teams. The winning strategy? "It’s a matter of preparing as thoroughly as
you can while staying flexible enough to deal with the unexpected," says
McCoy.
The Pacific Rim competition is co-sponsored by the Microsoft
Corporation and the iSchool’s Center for Information Assurance and
Cybersecurity. Senior Lecturer Barbara Endicott-Popovsky, mastermind of
the regional competition, is director of the five-year-old center at the
iSchool, a research hub for innovation and problem-solving, and a training
center for security professionals who must deal with the increasing
stealth, sophistication and severity of Internet crimes.
The iSchool faculty member uses training exercises developed by West Point
in her teaching. She decided last year to expand the exercises into the
full-on, large-scale digital warfare competition, held on the Microsoft
campus. "The idea is that people learn more intensely when you simulate a
real-world environment," says Endicott-Popovsky.
The competition has proven a boon not only to students, who can put
classroom theory into action as they hone defense skills, but to industry
professionals recruiting new talent for a burgeoning profession. The
logistics of pulling it off, however, are daunting, requiring months of
preparation and more than 50 volunteers from academic and business
communities. Microsoft has provided the venue, the laptops and other
equipment, as well as volunteer personnel. Cisco loaned routing and
switching equipment.
Judges at this year’s competition, March 28 and 29, were from Idaho
State University’s information assurance graduate program, with help from
the McChord Air Force Base cyber unit. The UW, University of Idaho,
Microsoft, Internap and Casaba Security organized the 2009 "Red Team"
of cyber attackers — the Jokers in this digital Gotham City.
They, too, have a steep learning curve. "Nothing exists in a vacuum,
and it is impossible to fully understand the challenges of network
security in the cold confines of a classroom," says Jason Glassberg,
managing partner at Casaba Security, based in Redmond. "It is one thing to
read about malware and Trojan applications; it is another to see them ‘in
the flesh’ actually working in a system in front of you. Nothing is better
than hands-on training."
That hands-on training can work up a virtual sweat inside a room full
of coiled cables, take-out coffee, pop cans, tapping fingers and the
intent stares of Pacific Rim competitors. Adrenaline surges the instant
Endicott-Popovsky announces: "The games begin. Let’s rumble."
For 16 nerve-wracking hours, students must maintain networks for a
fictional business such as a newspaper Web site or utility company. Their
first job is to set up the network system and immediately patch it for
protection. "If you access the Internet without protection, a system can
be compromised in under two minutes," says Endicott-Popovsky.
Judges score students on their ability to defend the network against
attack and keep all systems operational — even as they deal with
demands from bosses to perform a slew of business chores, called
"injects." A student may be producing a business report and, at the same
moment, warding off an attempt to lock down routers.
"It was completely hectic and chaotic on the floor. As soon as we got
one thing done, they’d hand us another task to complete. Between the
injects and the intruders, we had our hands full the first day," says UW
Informatics student Osman Surkatty, from the iSchool team. "We were
hammered left and right."
Members on the Red Team arrive with no knowledge of the students’
networks. These cyber pirates must quickly scan networks, map them out,
determine what ports are open, and figure out diabolical ways to penetrate
the system. While some attackers this year worked on retrieving
administrative passwords and installing malicious software, others were
testing Web sites for exposed functions, client information and other
openings, says Red Team member Mary Jane Kelly, Casaba Security
consultant.
"We didn’t want to jump right in and blast everyone out of the water to
start off with because that wouldn’t make a very good learning
experience," she says. "So we started slowly and escalated our attacks
over the two days."
Students say that this year’s Red Team seemed especially aggressive at
exploiting vulnerabilities, storming fortress walls and putting defenders
in a reactive mode. One attacker hijacked customer list databases and
told students they’d have to give up a password if they wanted them back.
"Luckily our database guy was smart, and had made a back-up ahead of
time," says Surkatty.
The aggressiveness may explain why the 2009 student teams seemed to be
ganging up against their Red Team assailants in the March match. One
organizer observed a student scooting over to a competitor on another team
in the heat of battle and whispering: "Our team figured that out, here’s
what to do…"
At competition’s end, with the UW Computer Science and Engineering team
the declared victor, the Red Team used a wiki to discuss and analyze the
weaknesses they’d found in their prey. "Some teams were great at locking
down their systems, but they left their Web sites wide open," says Kelly.
"Others did a good job of fixing their Web site vulnerabilities, but their
infrastructures were open for intrusion."
Still, scores for all the student teams were up over last year, when
the Red Team penetrated 90 percent of the students’ systems — a
figure industry insiders say compares to the real world, where networks
are only as secure as their weakest link, and that link is being circled
by a thousand ruthless predators.
"There are adversaries out there who are pretty sharp and extremely
determined," says Endicott-Popovsky. "They’re like wolves up on the hill
watching sheep romp around. They’re looking for us."