Network penetration competition as part of security training

Published 16 June 2008

In recent years the goals of computer hackers have changed: the intent of many hackers used to be the thrill of breaking into a network; now the goal is often money. Companies and other organizations had better take network security more seriously.

To the uninitiated, the computer commands projected onto a screen at Norwich University are meaningless numbers and symbols, but to eight graduate students the commands are the digital equivalent of smart bombs used to blast open a wall. The walls the students are trying to breach are computer networks, all using different operating systems. They are looking for vulnerabilities the same way an Army commando would seek an unguarded window or an open door. The treasure hidden deep within the network is a series of target files that will earn them points. AP’s Wilson Ring writes that a three-hour competition last Thursday between students in the masters of science in computer assurance program was their last act before graduation. The winner and runner-up received a 30-day license to use a state-of-the-art software tool used to probe computer networks when they return to their regular jobs.

Charles Gibson, 51, who said he runs a small technical services business in Parkersburg, West Virginia, won the Thursday afternoon competition. He said that when he signed on to the system he started probing the network for weaknesses with a special piece of software (it was a closed network set up for the exercise that was not accessible via the Internet). “I’ve done it before,” Gibson said of the techniques he used to win. “It’s a service I provide to my customers. I use other tools, but the techniques are the same.”

The competition was just a game. It did not have any bearing on the students’ Friday graduation from the program. In the wrong hands, what the students were doing could be considered “hacking,” breaking into a computer system, but the digital combat exercise is designed to let students test networks for vulnerabilities. In this context it is called “penetration testing.” “We are not creating hackers,” said Peter Stephenson, the associate director of Norwich’s Master of Science in Information Assurance program. “There’s a big difference between penetration testing and hacking, a big difference,” Stephenson said. “Penetration testing is rigorous, it’s planned, it has explicit objectives and there are broad-based objectives, whereas a hacking objective is get in.”

Computer security experts probe networks for weaknesses in order to find them before hackers intent on mischief or malice do. In recent years the goals of computer hackers have changed, Stephenson said. The intent of many hackers used to be the thrill of breaking into a network. Now the goal is often money.

The skills being taught at Norwich could, in the wrong hands, be used to hack. Stephenson said it was the rough equivalent of military training that teaches people, in the right context, to kill; those skills are left behind when the vast majority of people leave the military. Still, not just anyone is taught the skills. “No. 1 and foremost, we have to be very careful on who we allow into the program,” Stephenson said. “We do some vetting on our students. Not every (information assurance) student is allowed to get into these programs.”

Norwich is one of the schools the National Security Agency (NSA) and DHS have designated as a Center for Academic Excellence in Information Assurance Education. Norwich’s information assurance program regularly sends students who have graduated with bachelor’s degrees into industry or government service. Most of the graduate students are interrupting their careers to advance them. Gibson, the winner of the Thursday competition, said Norwich offered the caseload he wanted and the ability to do it online. He’d been on the Northfield campus for a week finishing up. “This credential is going to allow me to expand my portfolio,” Gibson said after winning the competition. “This is just a little feather in my war bonnet here.”