Comments on: Cyber Defense Red, White, and Blue?

By: Rachel

Rachel — Tue, 05 Jan 2010 20:21:08 +0000

I really did call Georgia in a panic as soon as I left the Cyber Defense meeting in which we found out the major changes to Cyber Defense Qualifiers. Granted I understand the reasoning for making these changes to allow more schools to participate in the challenge, but is it really worth the cost? There will always be some schools that do not make it past the qualifying round, but by structuring that competition as a 1 day version of the regionals, it gives those schools a taste of the experience they were hoping to get and thus gives them the incentive to come back and try again the next year. Not all of the schools are going to be able to get this experience now that it’s being taken away, so will they keep coming back?
We have all come to look forward to the excitement/stress of being attacked in real time while frantically trying to harden our systems and tell the tales of our experiences to recruit new members to our team. How are we going to instill our excitement to potential members if all we have to tell them about is sitting at a computer for 3 hours to lock it down and then maybe, just maybe we secured it well enough to move on to the next round where the real excitement is. It’s hard work preparing for a Cyber Defense Competition where the only reward is getting the experience of competing and of course meeting real live hackers (aka security professionals). If, by chance, we do not make it to the CCDC Regionals, where is our reward?

By: Scott Hazel

Scott Hazel — Mon, 04 Jan 2010 17:54:45 +0000

I appreciate the options this approach will provide for smaller teams and really all the teams that may not have the funding for travel costs, etc. It also helps to increase the scale of how many teams can compete. However, a valuable component that you can’t produce over a VPN is Incident Response. I’ve always been impressed with how heavily IR was stressed at the Quals as well as Regionals. It’s an area that doesn’t get enough attention in normal IT security as it is. The fact that upcoming professionals will have been exposed to IR in a live fire training exercise adds significant value to the CCDC experience as well as makes the students more valuable in the job market. Hands on experience is hard enough to come by in a collegiate environment. The more realistic (also read not outlandishly farfetched) we can make the experience for the student teams the better off they will be when they enter the workforce. They will at least have been through an IR process and can ramp up more quickly within an IT Security team.

I’ll admit some selfishness here too. It’s a great opportunity for the red team members to experiment with fully authorized, live hacking of systems and we want as many chances to do this as we can get. Selfishness aside though, the missing components of live attackers, having to deal with a situation on the fly, managing team organization under stress, and having to fix problems are a great loss to the student teams in my opinion.

Hardening and patching systems, then having them attacked once at the end is more akin to a cooking competition where you spend 3 hours creating the meal then wait to see what the judges think.

By: Michael LaSalvia

Michael LaSalvia — Mon, 04 Jan 2010 14:36:51 +0000

Wow beat me to it. Though good perspective from the student side. I will be writing up my thoughts on this at my blog from the red cell side. My fear is that it is no longer a cyber security exercise it is who ever did not patch all systems in 3 hours with all the needed patches that automated attack systems like core impact, immunity, metasploit know of looses. Were is the social engineering, where is the web attacks, where is the tormenting? It is is just a patch race I feel.