Representatives from the usually secretive agency appeared at a SANS Institute event here to divulge "lessons learned" from their latest cyberdefense exercise. The exercise, which took place over four days in April, pitted students from the five U.S. military academies and the Air Force's postgraduate technology school against "bad guys" at NSA headquarters.
The NSA-sponsored exercise, unlike other governmental attempts at bolstering cyberpreparedness, has been regularly taking place for six years. Friday's public presentation, however, was described as the first of its kind. (The Department of Homeland Security, the agency chiefly responsible for safeguarding federal agencies' cybersafety, wrapped up its first large-scaleearlier this year, with an analysis of its results expected this summer.)
NSA representatives said they hoped the informal briefing would provide a wake-up call to all network managers, both inside and outside the government.
"Even in four days, a network can be had," said Major Thomas Augustine, the event's coordinator. "Imagine, if you will, those individuals who have a year or two to spare and are waiting to get into your networks."
During the exercise, each team received network software that had been tainted by a group of NSA representatives, and each had two weeks to find as many misconfigurations and vulnerabilities as they could. Separate groups of NSA representatives, who were unaware of the existing vulnerabilities, then went to work over the four days attempting to hack into networks. The networks were designed and built by each military team and employed the NSA-supplied software.
In hopes of simulating a real-world situation, the attackers made a point of using the most publicly known exploits during the competition. They also took advantage of common mistakes like the use of weak passwords or the same passwords on multiple systems, and targeted security holes in Microsoft Windows that have readily available patches.
In one case, for instance, NSA hackers gained control of a router in a complex network architecture built by the West Point team because the team neglected to change the default password on the Cisco Systems device. Team members sensed something was awry when they saw that their Telnet prompt message had been changed to read, "GO_NAVY_BEAT_ARMY."
The winning team, which came from the Air Force Academy, turned out to be arguably the most inexperienced and employed one of the simplest network designs. Michael Tanner, an Air Force cadet, said the team's nine members, mostly computer science and engineering majors, had only basic knowledge of information assurance practices.
"We know there's a tendency for students to think they have to build some sort of whizbang network with bells and whistles," said Rigo MacTaggart, who participated on the NSA's end. "What has been shown to work best in previous (exercises) is a simpler works better" approach.
Aside from a streamlined network architecture, MacTaggart and his NSA colleagues offered three other rules of thumb:
Follow a "deny by default" policy--that is, allow network users to access only the ports and services they truly need. "If you don't know that you need it, turn it off," said Pablo Breuer, who led the NSA's "red team" of hackers. "If someone comes screaming to you, ask them to prove they need the service."
Remove all services, software and user accounts that aren't necessary to run a particular server. They "can be disabled, but it's better to go an extra step and have (them) completely removed," MacTaggart said.
Plan for disasters. "No matter how well-designed the network is," MacTaggart said, "there's going to be some sort of security incident, an outage, a hard-drive failure."