Each team was handed a duplicate system with all the same services, service packs, operating systems, and applications. Once they were allowed to start, it was up to each team to figure out what they had and lock it down. Since the "corporate network" was not truly connected to the internet for security reasons, all patches and updates had to be downloaded from a separate part of the CCDC network (Figure 1). While this off-network aspect was not quite realistic, imagine the consequences if one of the unpatched systems had been scanned and infected by an IRC bot during the games.
Figure 1: Isolated Segment
As previously mentioned, each network contained a wide range of operating systems and services. In summary, the core network contained three computers:
- a Windows 2003 computer running an Exchange Server, DNS, and Active Directory
- a Fedora Core 4 server in a DMZ running Apache, PHP, MySQL, and osCommerce
- a Windows XP workstation running syslog and VNC
In addition, two of the teams had a PIX firewall and the other six had a Linux-based system running Smoothwall. Figure 2 provides a schematic of one team's network.
Figure 2: The Network
While this may not seem like a lot, it actually ended up being more than most teams could handle in the short amount of time they were allotted. To put this another way, imagine you were fresh out of a four-year IT program at a state college and were hired as the only IT administrator for a small business with a similar setup. While you might be familiar with the basics of each of these computers, would you be able to lock down and secure each of these systems? Knowing how to secure both Linux and Windows, plus understanding Cisco firewall configurations (or Shorewall/iptables), not to mention having a firm grasp of web application security, is not a realistic expectation of any newly graduated employee, and it is a tall order even for a seasoned veteran.
As we previously hinted, the students had to deal with a few unknowns that weren't included in the packet of information they were handed. As most IT folks know, in the real world it isn't the known computer systems that cause the most problems; it is the unknowns that tend to take down systems. In Figure 2 you can clearly see each of the systems illustrated along with its IP address. However, what you can't see is the rogue access point that was installed behind the firewall in the 10.10.20.x range. You also can't see the pre-installed rootkit/keylogger that resides on the server. These are the types of real-world issues that IT professionals have to deal with, and what better place to learn about these headaches than an event like the CCDC.
Sadly, only one team managed to discover the access point. And as for the rootkit, no one had successfully removed it by the end of the game. Ironically, a couple of the teams installed "illegal" software and detected the presence of something unusual, but once they were forced to remove the software due to an onsite audit, the illicit activity was seemingly forgotten. Finally, only one team managed to locate the keylogger and was able to remove it before the competition ended.