CCDC and the Tale of the Insider Threat

Date: May 24, 2010 By Brad Bowers.
Lately the Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) has begun testing students' defense against a serious threat that is too often ignored: the danger of insider attacks. Brad Bowers discusses the value of including this challenge in CCDC events.

Kyle is anxious to get started at the 2010 Mid-Atlantic Collegiate Cyber Defense Competition (CCDC). With his technical notes, software tools, and years of college experience, he feels ready to defend his team's network. Kyle considers himself technically savvy and well prepared to handle and protect his environment against the barrage of attacks that will ensue over the next 48 hours. What Kyle doesn't know is that a member of the Red Cell Hacker Team is already in the room with him, talking to Kyle's teammates, listening intently, and watching Kyle's every move.

When the Enemy Is Inside the Gates

Kyle's story is an example of how many companies approach information security every day. Some call this the "enemy at the gates" strategy, in which layers of security and policy are implemented to mitigate threats waged against Internet-facing services. The goal of this strategy is to protect the organization from what is perceived as the most significant threat to the business: external attackers attempting to gain access to internal systems. This method can be effective for perimeter security, but it misses a potentially more significant threat that may already be inside the organization, one that may already have access to the organization's systems and an in-depth understanding of the environment: the human element. With this threat in mind, the Red Cell Hacker Team created a new exercise for the CCDC event.

CCDC is an annual security challenge and training event in which college students face off against seasoned security professionals. The fifth annual CCDC in 2010 introduced a new element to the exercise, with the goal of providing students with a real-world example of the importance and potential impact of insider threats. The exercise was designed to see how well college teams made up of the next generation of cyber warriors would respond to an insider who collected information and passed it to the opposing team. Would students recognize an individual attempting to "social engineer" information from them? Would they divulge sensitive information about the team?

This exercise does not portray a new risk to information security. Company insiders really have walked out the front doors of their employers with extremely sensitive data, in some cases from facilities perceived as being highly secure. For example, in February 2008 a Pentagon analyst, Gregg Bergersen, copied and sold to a Chinese spy secret documents detailing U.S. weapons sales. In 2009, a Boeing engineer, Dongfan Chung, was convicted of economic espionage for selling U.S. space program trade secrets, ending what was most likely a 35-year run of selling insider information to the Chinese. These examples are not unique; the number of trade secret infringements and corporate espionage incidents increases every year.

Invisible Intruder

To set up the training exercise for the CCDC event, a member of the Red Cell Hacker Team posed as a college student working on a research project. The idea was for this hacker to take on the persona of someone with whom college students could empathize, to avoid raising suspicion. Dressed as a student, the hacker was able to enter the defending team's room by simply shadowing other students as they walked in. At no time was the hacker challenged to display a blue badge, the identification mechanism used to indicate a person's authorization to be in the room. Once in the room, the hacker was able to blend into the background, perceived as just another student on one of the teams, or perhaps a faculty member wandering around the event.

After spending some time observing the students and learning who the team leaders were for each defending team, the hacker proceeded to the next stage of the ploy. In this stage, the hacker asked members of the defending teams if he could interview them and take some pictures. He stated that the interviews would assist him with a research paper, a topic that resonated with the students. None of the students who were asked to be interviewed refused, and none objected to their pictures being taken. The hacker proceeded to ask questions that, on the surface, seemed benign in nature: "What school are you from?" and "What year of college are you in?" The questions were delivered with a smile, meant to be disarming and to help build a rapport with each student. As the conversations continued, more revealing questions were injected into the mix: "Have you identified any compromised systems on your network? What attacking IP addresses have you caught on your network? What is your team's strategy for defending your network?" As the hacker interviewed various team members, he altered the questions, using them to build on the information that he had already gathered from other interviews. A total of 13 students were interviewed from the five defending teams.

The interviews were a success! The amount and sensitivity of the information disclosed was shocking; in a real organization, it could have been devastating to the security of the business. Students provided details about their strategy for defending their systems, including the types of defensive tools they were using and their successes and failures with those tools. They described areas of their networks where security was lacking, or where no logical security was configured at all. They disclosed detailed information about the attacker IP addresses that they had been able to identify. The students considered these IP addresses a coveted trophy, since they could use that information to create an incident report and block the attacker from their network. No individual divulged a significant amount of information, but the aggregate details from the interviews gave the hacker critical data about how the Red Cell Hacker Team could alter its attack strategy to avoid being caught by the defending teams.

Although the students were all bright, tenacious, and ready to combat the technical aspects of the competition, they didn't have a comprehensive security strategy. They didn't consider the importance of protecting their informational assets, or the possibility that an insider might be sitting next to them, siphoning details.

Sealing the Gap Between Physical and Logical Security

The exercise turned out to be an excellent learning opportunity for all involved, demonstrating weaknesses that plague the CCDC defending teams as well as many organizations, the most notable being the gap between physical and logical security. In most organizations, the lines between physical and logical security are distinct and clear:

  • Physical security watches the gates and ensures that employees and outsiders are not walking out the front doors with company assets.
  • Logical security ensures that external entities and employees are not accessing information that exceeds their authorization.

But who watches the gray area between physical and logical security? No one! Even with the implementation of tools such as data loss prevention (DLP) and host-based intrusion detection systems (HIDS), most organizations lack strong policies and procedures that would enable them to identify and mitigate attacks by insiders. Neither tool would have flagged what happened in this exercise: the data left the room in conversation, not over the network.

Another lesson learned from the CCDC event was the need for schools to provide more education and awareness to their students. At the end of the exercise, the students were asked if any of their classes had provided training or awareness of the risks associated with social engineering or insider threats. All the students indicated that they had not received any information on this issue. Schools need to ingrain in students the importance of looking at information security from all angles—not just the bits and bytes.

Events like the annual Collegiate Cyber Defense Competition continue to be a fantastically fun learning exercise for students and security professionals alike. The event provides a fast-paced and technically challenging environment where the next generation of security professionals can learn the complexities of their craft. During the exercise, the students may have been naïve about the risks of insider threats and social engineering, but it's a good bet that they'll be wiser for the experience, and will take that wisdom with them as they move into the workforce.