Time Management
Pressure to perform against the clock
Infosec Skills
Practical application of knowledge in live fire scenarios
Teamwork
Working well with others is the only sound strategy
 


A word of advice to CCDC teams across the country – it’s easy to get overwhelmed and wrapped up in the details of a CCDC competition, so don’t forget the basics of information security. Sure, it is tempting to get neck-deep in that FreeBSD web server you’re building or to try and catch every little probe a Red Team sends at you. I’m not saying don’t do those things, I’m saying don’t worry about those things if you haven’t taken care of the basics first. Every CCDC event is different (that’s one of the great things about the program), so while there’s no magic set of procedures and processes that will win you any CCDC event, there are some tried and true security basics that will dramatically increase your chances of winning any CCDC event your team walks into.

  1. Change passwords.  On everything.  Seriously.  If it has an account and a login, you will probably want to change the password.  After years of running CCDC events, we still see teams going into the second or third day of an event with a default password on a router or an admin password that hasn’t been changed.  A weak or default password is like a giant blinking bull’s eye to a Red Team.  So when you take over a network, make changing passwords one of your first priorities.
  2. Secure the perimeter. If your network is an open door, the Red Team will walk right into it. Use network firewalls to block incoming connections and limit the services that can be reached from outside your network to the bare minimum. There’s no reason TCP port 135 should be open to the entire world, so lock it down. Don’t have a network firewall? Then each host just became its own little island with its own perimeter. Use host-based firewalls to do the same thing – limit access to services wherever you can. It’s not a bad idea to limit access at both the network and the host level either. You’re not being paranoid in this case – there really ARE people out to get you (well, your systems anyway).
  3. Remove/restrict unnecessary services.  If your server does not need a TFTP service running then turn it off.  Take note of what is required and then turn off any service you don’t absolutely need to address the competition scenarios.  Every service you can turn off or get rid of is one less service to worry about securing and one less target for the Red Team.
  4. Be prepared for contingencies.  Systems get wiped out at CCDC events.  Systems get taken away due to “hardware failures” or “natural disasters”.  So be prepared to restore content quickly if needed.  Make your own copies of critical content where you can – just make sure you store them in a secure manner.
  5. Read injects carefully.  Most injects will tell you what the judges expect to see in your answer.  If they suggest or specify a format, make sure you use it.  If the inject says list the patches applied to each system, be sure to list every system in your report.  Format and content are important as well so don’t ignore them, but if your inject response does not address the questions being asked of you then you will lose points no matter how pretty or well written your response is.

This is by no means a complete list – and it’s not meant to be.  It’s just a reminder that when the buzzer sounds and the keys start clicking, don’t forget to take care of the basics.
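Items 2 and 3 above come down to knowing what is listening and whether it needs to be. The following added example (not from the original post) parses constructed `ss -tulnH` output from a Linux host and sorts each listener into keep, restrict, or disable; the required-service lists are assumptions standing in for whatever your scenario actually scores.

```python
import re

# Constructed sample of `ss -tulnH` output (Linux); not captured from a real host.
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:69         0.0.0.0:*
udp   UNCONN 0 0      127.0.0.1:323      0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 511    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:135        0.0.0.0:*
tcp   LISTEN 0 80     127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0 128    [::]:22            [::]:*
"""

# Assumptions (hypothetical): scored services, and admin access kept internal.
REQUIRED = {("tcp", 80)}
INTERNAL_ONLY = {("tcp", 22)}
LOOPBACK = re.compile(r"^(127\.|\[::1\])")

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each listening socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def review(ss_output, required=REQUIRED, internal_only=INTERNAL_ONLY):
    """Classify each listener: keep, restrict (firewall), or disable."""
    findings = {}
    for proto, addr, port in parse_listeners(ss_output):
        key = (proto, port)
        if LOOPBACK.match(addr):
            action = "keep (loopback only)"
        elif key in required:
            action = "keep (required service)"
        elif key in internal_only:
            action = "restrict (firewall to internal sources)"
        else:
            action = "disable (not required, externally reachable)"
        # An exposed binding outranks a loopback one on the same port.
        if key not in findings or findings[key].startswith("keep (loopback"):
            findings[key] = action
    return findings

if __name__ == "__main__":
    for (proto, port), action in sorted(review(SAMPLE_SS).items()):
        print(f"{proto}/{port:<5} {action}")
```

On the sample, the TFTP listener (UDP 69) and TCP 135 come back as "disable", which is the call the list makes for both.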

 

As a coach, organizer, and collaborator of CCDC events, I have spent a lot of time strategizing about my team’s structure. Before you can put forth a practice, you have to have a goal. Like with any project, you have to have a plan that will need to be both structured and flexible. All of that said, it is best to put together an outline similar to a project or work flow for that practice.

Create themes for your team. Structure your practice around a certain organization such as medical, financial, defense, aerospace, small business etc. Having a firm understanding of the applicable laws, regulations, technologies, and applications of those industries will give you a leg up if you come across them in a competition. From a technical perspective, look at the dynamic of applications used in that space. This will dictate the logical data flow from the top down.

It is good to have a “base structure” for your team. For example, do you have team members that are dedicated to Microsoft operating systems? The same can be said for Linux, Juniper, Cisco, etc. Have a lead for each of these technological areas. This lead should be one of the senior people on the team; typically either a junior or senior. On the management end of the spectrum, does your team captain (assuming you have a captain, and I hope you do…) have an organizational plan to handle the business injects? Is he/she handling them alone? Do you have a structured business model for your team?

Finally, practice, practice, practice. Most competitions I have participated in are not won or lost in the first hour or two, much less the first day. Last year at nationals (2011), The University of Washington was not leading going into the final day of the competition. Same at the Western Regional (2011) and West Coast Winter Invitational, where Cal Poly Pomona squeaked out a victory over Cal State San Bernardino in the last hour of those competitions! The moral of this story is, never give up, don’t quit, and my favorite saying:

Keep Moving!

- Motto of the 2nd Marine Regiment, Tarawa Atoll, November 1943. Nearly 1/3 of the regiment was lost in this battle which was the bloodiest in U.S. Marine Corps history.

 Written by: Brandon R. Brown MSBA, PMP, CISSP, CCNP

Mr. Brown is a lecturer in the Computer Information Systems department, College of Business, California Polytechnic University at Pomona. He is also the Director of Managed Services for NIC Partners Inc. in So. CA that specializes in K-12 network and system management / security. Mr. Brown has helped to organize several CCDC events through the Western Regional Cyber Defense Competition organization and has run several simulation events at the college level. Mr. Brown is currently progressing toward his PhD in Information Technology with a specialty in Information Assurance and cohort in Cyber Defense Simulation from Capella University.

 The Battle of Waterloo, as the saying goes, was truly won “on the playing fields of Eton.” In our current digital age, our best and brightest young defenders are testing their mettle on the virtual playing fields of cyber sport. Cyber competitions are the warrior games of the networked era — but instead of throwing javelins, racing chariots, or wrestling to the death, today’s competitors exercise modern combat skills like firewall configuration, malware detection, file restoration, and strong user authentication. Success and failure for these high-tech warriors has direct parallels to the experiences of soldiers on historical battlefields – hold the line or lose your country.

 In fact, as a country we are coming to understand how important it is that we train real-world and high-tech warriors.  With Congress currently debating the best approach to cyber security, it is clearly urgent that we quickly learn how to safeguard our virtual information.  Anyone who has suffered identity theft can attest:  as a nation, as individuals, we need protection from crime and espionage online.

 And who will provide this protection?  Today’s youth — the very warriors who are engaged in learning through cyber sport.  You’ll find these warriors doing battle on such playing fields as  National Collegiate Cyber Defense Competition, the United States’ Air Force Association’s CyberPatriot, the U.S. Cyber Challenge, and the Global CyberLympics.  Such landmark events are raising national awareness about the need for increased education and ethical understanding within the field of information security.  And these events also offer the perfect environment for students to put the theories and skills they have learned in their coursework to practical use.

 As a professor at DeVry University and its Keller Graduate School of Management, I have experienced firsthand the important impact of cyber security competitions — as a training ground for future warriors and as a training ground for a career field.  Our government, military, and business employers desperately need an elite band of digital defenders.  DeVry University’s Cyber Defense Club can give any who might be called a taste of this action, and preparation for jobs to come.

A word of warning, though.  I’ve seen it time and again:  students who feel the thrill of victory and the agony of defeat in cyber competitions cannot wait to climb back into the ring.  Being pounded by hackers over the course of a non-stop weekend, all the while being harassed by a fictional “boss” who demands impossible budget rewrites under ridiculous deadlines may not sound particularly fun. Our Cyber Defense Club trains relentlessly all year, however, just to have this opportunity. We wear team khakis, create a business, get overwhelmed by piles of work, see our systems destroyed, rebuild our systems for a better future, and generally have the time of our lives.

You may wonder – why would anyone spend a weekend like this without receiving any overtime compensation? Well, the career compensation to come is reward enough. I’ve witnessed corporate sponsors lurking at the edges of every contest, and Human Resources staff working the lunchroom. Ultimately, the Collegiate Cyber Defense Competition had to pass a rule: no contract offers allowed until after the competition is over. Student-athletes were getting too distracted by recruiters. And still, we have trouble keeping DeVry University seniors on our team because they lose amateur status for their professional IT work prior to graduation.

This is a nice problem to have of course.  And as an added benefit, the cyber security playing field is widening.  In addition to my work with DeVry University’s Cyber Defense Club, I’m now mentoring local high school teams in CyberPatriot. But whether I’m coaching high school students getting ready for college, or college students getting ready for careers to come, I find myself often extending this reminder:  the skills we practice are not just a game.  In many ways, we play for our nation’s future.

Written by: Bob Bunge, Associate Professor
College of Engineering and Information Sciences, DeVry University

Robert (Bob) Bunge is an associate professor in the College of Engineering and Information Sciences at DeVry University. He has nearly ten years of teaching experience in computer information systems, network security and simulation development. As a cyber security and cloud computing expert, Bunge has presented on various subjects at numerous events, including the NWSec Conference and the Washington Association for Skilled and Technical Sciences Conference. He has 5 years’ experience coaching and organizing PRCCDC.

Devry Know-How

http://youtu.be/lfbN-j7BEVE

 
