Editor's Note: For additional information about the CCDC, please see our previous articles written by Seth Fogie: A Student-Hacker Showdown at the Collegiate Cyber Defense Competition and his follow-up A Student-Hacker Rematch at the Second Annual Collegiate Cyber Defense Competition.
Kyle is anxious to get started at the 2010 Mid-Atlantic Collegiate Cyber Defense Competition (CCDC). With his technical notes, software tools, and years of college experience, he feels ready to defend his team's network. Kyle considers himself technically savvy and well prepared to handle and protect his environment against the barrage of attacks that will ensue over the next 48 hours. What Kyle doesn't know is that a member of the Red Cell Hacker Team is already in the room with him, talking to Kyle's teammates, listening intently, and watching Kyle's every move.
When the Enemy Is Inside the Gates
Kyle's story is an example of how many companies approach information security every day. Some call this the "enemy at the gates" strategy, in which layers of security and policy are implemented to mitigate threats waged against Internet-facing services. The goal of this strategy is to protect the organization from what is perceived as the most significant threat to the businessexternal attackers attempting to gain access to internal systems. This method can be effective for perimeter security, but it misses a potentially more significant threat that may already be inside the organizationa risk that may already have access to the organization's systems, and has an in-depth understand of the environment: the human element. With this threat in mind, the Red Cell Hacker Team created a new exercise for the CCDC event.
CCDC is an annual security challenge and training event in which college students face off against seasoned security professionals. The fifth annual CCDC in 2010 introduced a new element to the exercise, with the goal of providing students with a real-world example of the importance and potential impact of insider threats. The exercise is designed to see how well college teams made up of the next generation of cyber warriors would respond to an insider threat that collected information and provided it to the opposing team. Would students recognize an individual attempting to "social engineer" information from them? Would they divulge sensitive information about the team?
This exercise is not portraying a new risk to information security. Company insiders really have walked out the front doors of their employers with extremely sensitive datain some cases, from facilities perceived as being highly secure. For example, in February 2008 a Pentagon analyst, Gregg Bergersen, copied and sold to a Chinese spy secret documents detailing U.S. weapons sales. In 2009, a Boeing engineer, Dongfan Chung, was convicted of economic espionage for selling U.S. space program trade secretsending what was most likely a 35-year run of selling insider information to the Chinese. These examples are not unique; the number of trade secret infringements and corporate espionage incidents increases every year.