Hacker wargames are nothing new: from the epic Pull The Plug to a number of off-shoot sites still in existence, simulated hacking environments are used to help train individuals to develop sound computer security problem solving skills. A few of these sites such as hackthissite.org and OverTheWire teach practical software exploitation and network penetration skills through game-like hands-on challenges. While organizations like Offensive Security and the SANS Institute feature full fledged certification paths involving penetration challenges (see SANS NetWars).
Now the United States Air Force has established one of their newest Cyber Ranges, CyberCity. The new simulation trains both military and government personnel in the proper way to safeguard systems from penetration in real world scenarios. The simulation contains bank-type systems, public wifi networks as in the sort that coffee houses and internet cafes have, social networking site-simulations and more. Even more interesting? The man behind SANS NetWars, Ed Skoudis (noteworthy SANS Metasploit teacher), designed Cyber City himself!
Although some (including myself) have been critical of Director Panetta’s use of “Pearl Harbor” as a metaphor for “cyber war” (see “Cyber Terrorism and the Election” @ Neuralhub), I can’t deny the importance of adopting sound IT security solutions to prevent against new emergent threats both domestic and abroad. I’m glad to see my government adopting them. Penetration testing and defending simulations are ideal learning opportunities. If you haven’t had the opportunity to attend a con where CTF was being played, I highly recommend attending one of the conventions in New York or Vegas (my first was HOPE 2K!).
Safeguarding such systems in light of specific exploits, malware and viruses such as Stuxnet and Flame is of great importance of to government officials. Whereas some in the news have criticized the U.S. as being behind on cyber defense (especially so with the Chinese attack against White House computer network), the public and private sector have been trying to step up their game and continue to work together to train our future front-line defenders.
From all the articles I’m reading in regards to CyberCity, I’m most impressed with the idea of real world consequences the simulation portrays. If someone botches up, it’ll have “real world” ramifications illustrated in physical models of U.S. cities (sounds a bit like War Hammer+Uplink). The simulations are even complete with statistical information regarding people affected by events occurring in game.
A similar but more expensive project is DARPA’s National Cyber Range (Lockheed won the $30m contract to help design it with DARPA back in 2010). For more information on the NCR, click here. Although my opinion is strictly that of an enthusiast/lay person, from everything that I’m reading, CyberCity looks even more promising!
Lastly, I apologize my infrequent posts as of late. I’ve been taking a DFIR class that’s been taking up much of my time. So be sure to subscribe to fork() to keep up-to-date with all the latest blog postings delivered right to your email!
Sources
O’Harrow, Robert, Jr. “CyberCity allows government hackers to train for attacks.” Washington Post, 11/26/2012. Note: If you’re interested in learning more about the CyberCity simulation, Robert O’Harrow Jr.’s coverage of it is full of great details and covers CyberCity much more detail.
For some free computer security training videos be sure to check out Security Tube or the fork() post entitled “Computer Security Resources” for more interesting sites.