CANVAS: Security Competition Challenging Learning Experience
Posted on 30 May 2009 by
A few weeks ago, I wrote about getting ready to attend a security competition called CANVAS: Computer and Network Vulnerability and Assessment Simulation. I was among five students in the field of Advanced Networking and Information Assurance who participated from my University, Fort Hays State University. Here’s the lowdown on what we learned at the competition.
Lessons Learned
- Just how easy an SQL Injection can be
- SQL Injections can lead to much more serious problems
- Why attack a router/firewall when the systems behind it are not secure?
- Emergency Incident Response can be stressful, but very rewarding
- Team building among geeks in time-critical environments can be interesting
Overview of Our Day
Essentially the five students from FHSU were each assigned to one of 13 teams of four students. It was a unique experience because, in my case, I was paired with two Senior Cadets from the United States Air Force Academy and a student from another Colorado university (not exactly sure which one). We were given the opportunity to work together as a team, even though we had never met before that day. We quickly met and introduced ourselves, identified our particular skillsets, and decided how we could best use those skillsets to accomplish the goals of the competition.
Our teams were asked to attack a simulated “Real-Time Air Traffic Control System,” as well as other teams that happened to get in our way, and then to provide a report of the vulnerabilities we found to both the CEO and CIO of the Federal Aviation Administration. What made this challenging was that the report needed to be tailored to two different markets, since the CEO would not care about the technical aspects of what we attacked or how we did it, but would care more about what we could have done as a result of the vulnerabilities we found. The CIO, on the other hand, would be more interested in operational recommendations that could be implemented to secure the network after receiving our report.
Our team had a wide variety of skills and knowledge available to use when planning and carrying out the attacks. The two Academy students had a working knowledge of Information Warfare and the tools used, the student from (unknown university) was a Computer Science major with experience with Linux and programming, and I had a strong background in networking (thanks to Garry Hoffman and Jon Thulstrup) and web development. We focused our attacks early in the simulation on the networking equipment itself, because we thought we could do the most damage if we gained access to it first. After about an hour of attacking the core router/firewall, we started targeting the web platform they were running.
One of the stated goals of the competition was to insert our team number into a flight tracking database. Since the simulated FAA provided a web portal to query the system, we started to attack this system, where our first break occurred. We were able to perform what is called a SQL Injection, break through the system’s defenses, and accomplish the goal. It was neat to see our team name appear in the database along with a few other teams that successfully completed this attack.
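The portal described above takes a user-supplied search value and builds a database query from it. As an added example (not code from the post or from the competition systems, whose schema is unknown), the following contrasts a lookup that splices the input into the SQL text with one that binds it as a parameter, plus an allowlist check as a second layer. The table name, columns and flight numbers are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample flight-tracking data (hypothetical schema, not the FAA simulation's).
SAMPLE_FLIGHTS = [
    ("UA100", "DEN", "ORD"),
    ("DL200", "ATL", "LAX"),
    ("AA300", "DFW", "JFK"),
]

# Allowlist for flight numbers: two letters followed by one to four digits (assumed format).
FLIGHT_NO_RE = re.compile(r"^[A-Z]{2}[0-9]{1,4}$")


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flights (flight_no TEXT, origin TEXT, dest TEXT)")
    conn.executemany("INSERT INTO flights VALUES (?, ?, ?)", SAMPLE_FLIGHTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, flight_no):
    """Untrusted input concatenated into the statement text.

    Whatever the caller supplies becomes part of the SQL syntax, so a value
    containing a quote can change the WHERE clause instead of matching a row.
    """
    sql = "SELECT flight_no, origin, dest FROM flights WHERE flight_no = '" + flight_no + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, flight_no):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT flight_no, origin, dest FROM flights WHERE flight_no = ?"
    return conn.execute(sql, (flight_no,)).fetchall()


def is_valid_flight_no(flight_no):
    """Defense in depth: reject anything that does not look like a flight number
    before it reaches the database layer at all."""
    return FLIGHT_NO_RE.match(flight_no) is not None


def demo():
    """Run both lookups against a normal value and a quote-containing value
    and return the row counts each produced."""
    conn = make_db()
    normal = "UA100"
    tampered = "x' OR '1'='1"  # constructed: closes the literal and appends an always-true clause
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_tampered": len(lookup_vulnerable(conn, tampered)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tampered": len(lookup_safe(conn, tampered)),
        "allowlist_normal": is_valid_flight_no(normal),
        "allowlist_tampered": is_valid_flight_no(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns every row for the tampered value because the WHERE clause has been rewritten, while the parameterized lookup returns nothing, since it searches for the literal string. The allowlist check stops the same input even earlier, which is the kind of layered fix a CIO-facing recommendation would list alongside parameterized queries.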
I have to give credit to Jason Zeller, a fellow INT (Information, Networking, and Telecommunications) major, for intentionally restarting our team’s computer from across the room. While exploring vulnerabilities in the systems, we accidentally opened a hole in our own system which allowed Jason to get in and restart us. We got lucky that all he did was restart us, because the damage could have been much worse. This is one of the lessons my team learned as a result: if you are going to start attacking systems offensively, you had better be ready to play defense.
Throughout the day, as we found vulnerabilities and exploited them, I would take down notes on what we had found and our recommendations on how to fix those holes that were present in the systems. I started to form a report for the CEO and CIO and divided it into three sections: Executive Summary, Critical Actionable Recommendations, and Moderate Actionable Recommendations. The first section was geared toward the CEO, with a quick overview of what we were able to do and what damage we could have caused. The last two sections were for the CIO, who needed more specific details on the vulnerabilities and how to patch them.
At the end of the day, we submitted our report for judging. While the judging was taking place, the Colorado State University graduate students, who set up the event for us, gave a presentation on what vulnerabilities were present in the system, how we could have attacked them, and what to look for in the future as we do this in the real world. Their presentation taught us to think from a security standpoint to identify problems with systems that could make huge problems for the organization behind them.
Our team’s report was given first place in the competition, which I have heard was because of the way the information was presented. Too often, technical people cannot break down the technicalities of hacking into terms that everyday people can understand, or relate them to how they affect the business. Instead of saying, “We hacked this, this and this and caused this damage,” we provided “This is what we found and this is how your organization can improve your security posture in the future.”
I have attached the report for your reference. Remember these were real systems on an isolated network: while it was a controlled environment, the recommendations provided apply to every environment!