I volunteered for the Rocky Mountain Collegiate Cyber Defense Competition yesterday. The RMCCDC is a regional competition for college students that specifically focuses on the operational aspect of managing and protecting an existing “commercial” network infrastructure. This winners of this event, along with its 9 sister events around the country, go to the National CCDC held in San Antonio, TX. This year will be the 9th annual competition at the National level.
Schools in each region form teams of 8 to 12 students, and the students don’t quite know what to expect it seems. They are told they will be defending a network and given some guidelines. They probably don’t really understand that during the competition they will experience problem solving in the midst of a stressful, real world simulation. They will be dealing with attackers, malware, user support issues, and priority requests for “status updates” and “security questions” from the CEO. The teams are not given too much info, they are given some rules of conduct and instructed that they are entrusted to defend the network and keep services up and available, and that they will receive support calls and email from the CEO as if they were in the employ of a company and protecting it during an incident.
It’s actually a lot of fun. The Red Team is not bound by the same degree of restrictions that the Blue Teams are (again, realistic simulation.) Social Engineering was off the playlist this time, but mostly because of the layout and space and difficulty conducting the event safely. Some of the questions from the CEO are very much “WTF” types of queries. For example, “I would like to know how we can leverage Social Media to improve business. Please provide an executive report.” Of course, that sort of non sequitur request isn’t at all realistic…
The competitors are scored on systems uptime, services availability, and their response to customer requests and CEO queries; all support calls and queries have a specific time limit, and if not addressed by the deadline provide no points. It’s not always obvious to the team that ignoring or blowing off the CEO temporarily might be a legitimate tactic, if they can earn more points with the time they would spend on answering Social Media questions by instead hardening that web server that was DoS’d again!
Vendors, employers, and even the professionals that volunteer to staff the event pay attention to the competitors, making these events an excellent opportunity for students to network within the industry for a career come graduation time. If you are a college student pursuing a CS or Technology degree or simply interested in network security I suggest you look into the NCCDC website. If there isn’t a team at your school, form one! If you are like me, you are a professional and want to help teach the next generation and network with colleagues it’s a great opportunity to do so.