
SECCDC 2011

Report of the Knowledge Transfer Team (KTT)


Team Members: Courtney Robinson, Fayez Alharb, Kurt Gunther, Laura Parkinson

1 SECCDC 2011: Report of the Knowledge Transfer Team

Table of Contents
Table of Contents ........................................ 2
Competition Summary ...................................... 3
Summarized Post Mortems of Competition Team .............. 7
Complete debriefs Appendices A ........................... 7
Competitor 1 ............................................. 7
Competitor 2 ............................................ 10
Competitor 3 ............................................ 12
Competitor 4 ............................................ 13
Competitor 5 ............................................ 15
Competitor 6 ............................................ 16
Competitor 7 ............................................ 17
Competitor 8 ............................................ 18
Summation ............................................... 19
Artifacts Captured ...................................... 26
Router Security in Four Easy Steps ...................... 26


Competition Summary

Introduction


The SPSU Competition Team participated in the 2011 Southeast Collegiate Cyber Defense Competition (SECCDC) held at Kennesaw State University on March 8-10, 2011. The SPSU team was responsible for managing and protecting an existing networked, client-server information system infrastructure. The competition consisted of (10) academic student teams from the following colleges and universities around the southeast:

1. Fountainhead College of Technology
2. Georgia Southern University
3. Kennesaw State University
4. Mercer University
5. Northern Kentucky University
6. Southern Polytechnic & State University
7. Tuskegee University
8. University of Louisville
9. University of North Carolina, Charlotte
10. University of South Florida

The competition involved four main teams:


1. The Academic teams consisting of (8) SPSU students, which includes a Team Captain, Team Co-Captain, and Team Representative, and (1) staff member.

2. The Red team (the hackers) composed of security professionals from various companies who tried to attack and exploit the computers of the Academic teams.


3. The White team observed Academic Team performance in their competition area and evaluated team performance and rule compliance.

4. The Gold team facilitated the overall management of all of the competitors and tallied the overall score results.


Each student team was scored based on their ability to detect and respond to outside threats, maintain availability of existing services such as DNS, MAIL, WEB, ECOM, Database and the associated servers, while balancing security needs against business needs submitted as memos called business injections.

Official Score (SECCDC 2011)


The final scores for the top 4 teams in 2011 are as follows:

1st place: 4577 - University of Louisville
2nd place: 3761
3rd place: 3147
4th place: 3114

SPSU 4th place score summary:
- 630 points out of 2000 for successful completion of business injections.
- 800 points out of 2000 for successfully defending attacks by the Red Team.
- The Nagios service assessment engine reported an average service uptime of 74.20%, for a score of 1484 out of 2000.

Summary Results for SECCDC 2011:

Scoring Injections (2000 points)


- Scores ranged from -75 points to 1335.
- Includes penalties ranging from -110 to -345 for unsecured systems, poor password management and failure to follow log/journal requirements.
- Last year the best team had 1335 points.
- Bonuses possible (up to +100 points) for PROPERLY FORMATTED INCIDENT REPORTS.
- Does not include red team specific intrusions.

Scoring Services (2000 points)

- Assessed SMTP, POP3, Ecom, WWW, SQL-DB, Primary & Secondary DNS.
- NO point penalties for SLA outages.
- Calculated as percentage of uptime.
- Scores ranged from 409 (21%) to 1822 (91%).
- Last year the best team had 1989 points.

Issues with primary scoring systems from Nat CCDC resulted in use of backup (Nagios).

Scoring Red Team (2000 points)

- Red team attacked 5 servers twice during the competition: WWW, DB, DNS, Email & Perimeter device.
- Penalties for successful root, data theft, DoS and mayhem.


- Scored as penalties against 2000 points. Final scores ranged from 400 to 1680.
- Teams may mitigate penalties by properly formatted IR (Incident Response) reports with evidence.
- Only 1 team submitted properly formatted IR reports.

The best top score in competition history was in 2010, with a top score of 4497, as reported by the SECCDC Final Presentation (PowerPoint).

For an explanation of the final scores see the final reports in Appendix A and B:
- Appendix B - SECCDC 2011 Complete Score Report
- Appendix B - SECCDC 2011 Final Presentation (PowerPoint)


Summarized Post Mortems of Competition Team


Complete debriefs: Appendices A

Competitor 1
Charles Ellington
Role: Captain

ATTACKS/CHALLENGES FACED
- The Room Judge did not have the White copy of the business injections, just the Gold copy, at the start of the competition on Day 1.
- The pre-submitted white-list of necessary web site URLs was not implemented on the Proxy Server; thus, neither the Windows nor the Linux servers or workstations could be hardened on Day 1.
- Getting organized quickly on Day 1 of the competition was a challenge.
- Sticking to the game plan developed prior to the competition was a challenge.
- Ensuring each team member was working on their assigned tasks in their area of expertise was a challenge.
- Quickly assessing the infrastructure network and operating systems for malfunctions was a challenge because it was difficult to discern between what was intentional and unintentional.
- Getting all required services up and keeping them up throughout the competition was a challenge.
- Getting all business injections completed in a timely and accurate manner was a challenge.
- Identifying, documenting, and reporting intrusion detections accurately was a challenge.
- Knowing whether or not the Gold Team was role-playing was a challenge.


- The conduct of the Gold Team while investigating an issue with the Proxy Server was deemed a bit unprofessional, and no apology was issued to the Team for the disruption.
- Receiving business injections and any associated equipment from the Gold, White, and Black teams in a timely manner was a challenge.
- Due to white-list sites not being implemented in the Proxy Server, the Red team was able to exploit known vulnerabilities to leverage the assigned infrastructure to attack other teams.
- Swapping out the firewall appliance during the middle of Day 2 and replacing it with another was a challenge.

LESSONS LEARNED

Prior to attending the competition, complete the following tasks:
1. Develop a game plan based on multiple what-if scenarios, i.e. how to search for and remove rootkits, malware, etc.
2. Document the game plan thoroughly based on the different what-if scenarios, bring a printout to the competition, and utilize it during the competition, especially on Day 1.
3. Conduct a skills inventory of each team member identifying both strengths and weaknesses.
4. Ensure that every member of the team is assigned a task and knows what that assigned task is once the competition starts.
5. Study the NIST, NSA, STIG, and other guides for securing and hardening the infrastructure; bring them to and utilize them throughout the competition.
6. Practice setting up a Firewall appliance, a network or host-based IPS/IDS system, and configuring host-based firewall/IDS on servers and workstations.
7. Practice monitoring network traffic, reviewing system logs, etc.
8. Practice identifying, documenting and reporting detected intrusions appropriately.
9. Practice hardening the infrastructure using several network/security tools, e.g. NMAP.

- Be flexible; make adjustments to the game plan and assigned tasks as needed.
- Review all network and computer equipment to ensure that they are all connected properly and that there are no unusual physical devices attached to them, especially at or prior to the start of Day 2 of the competition.
- Closely monitor all network traffic, computer logs, etc. for any intrusions. Document the intrusions thoroughly and submit them with the incident reports.
- Time Management is essential in completing business injections, as is quickly assessing if the business injection should be completed or not.
- State the business case for rejecting a business injection clearly and concisely, quoting any and all policy and procedure manuals or statements.
- Ensure that the team is well versed, as best as possible, on the different technologies (hardware and software) that have been outlined in the Team Packet.
- If additional equipment - network, computer or printer, etc. - is needed or required, submit a request with a business case for doing so quickly on Day 1.
- Verify that the pre-submitted Proxy Server white-list has been implemented; if it has not been implemented, submit a request with a business case for doing so quickly on Day 1.
- Proofread all communications outbound to the Gold Team.
- Document firewall configurations thoroughly.
- Work hard! Have fun! Be respectful of one another and everyone else involved in the competition!

COMPETITION ENVIRONMENT
- Facilities were adequate and conducive to performing all required tasks.


- Networking equipment was appropriately placed so as to not interfere with the Team's ability to complete assigned business injections.
- All network and computer equipment performed adequately throughout the competition, i.e. did not experience any failed components.
- Some required equipment, e.g. a console cable for the firewall device, was not present at the beginning of the competition.
- Meals, snacks, and drinks provided were adequate and relatively nutritional.
- Break area was set up sufficiently to allow participants to sit, eat, drink, and be merry.

Competitor 2
Mark McLauchlin
Role: Co-Captain

- Need a process to determine if a system has been secured. Day 1 was chaotic with people bouncing from workstation to workstation, and some of the systems never got secured or issues found until day 2. Using netstat on the Ubuntu workstation would have found the open port on it (at least I think that was the issue with it). Maybe just something as simple as Post-It notes stuck on the system with a basic checklist.
- Updates may take a long time. If you can swing it, make sure systems are downloading what they need between day 1 and day 2.
- A lot of the injections require changes that should be entered in the change management log. This should be part of the injection process.
- Adding injections to the white board worked really well. Need to track injection, time received, allowed turn time, time injection was completed and memo sent to CIO, who is working the injection, and if a change-log is required/done.


- Print out a change log form (several pages). No "official" change log was provided. Need several copies. There was a NIST guide (800-128 ???) that may have a change log form in it.
- Develop a good password policy. I'd suggest no lower case "L"'s and 1's. Make sure 2's and Z's are differentiated w/ a horizontal line through the Z, as well as 5's and S's. Use 1 person who has neat handwriting to enter the passwords. Use the same big block lettering you used in grade school when you learned to write, and make the log easy to read. We had issues where other members of our team could not read the passwords other team members entered.
- Copy all of the memo templates to all of the systems.
- Get the printer set up and networked ASAP!!!!
- Practice setting up a wiki site (mediawiki). Not hard to do under normal circumstances but difficult in the competition. It requires a database server and web server. Easiest solution may be to add it to the e-com server. Most secure solution may be to spin up a new VM and add it to that. This would also allow you to use an OS you have practiced on.
- Check OS ISO's and start pinging the CIO if you don't have one you need.
- Easiest way to secure is to reload the OS's. Considering we had XP SP-0, it's not like you're starting from scratch.
- Determine some critical sites (OS updates, wireshark, OpenOffice, etc.) for your proxy and check them early. If they are not there send a request. Follow up on the request if no reply.
- Incident reports must have evidence (screenshots, logs, USB dongle, etc.). No evidence = no credit.
- If a device doesn't seem to work make sure you try it on all systems. Our USB drive that had the ISO's (supposed to have the ISO's) would only work on the Win7 box.
- Check the web pages for defacement at regular intervals.


Thoughts and comments from day 3
- Yum command opened a relay.
- Restoring a snapshot is no good if the snapshot is compromised.
- Don't come in with preconceived notions.
- Check webpages often.
- Mail system was an open relay.
- Admin on AD server ????
- Firewall config is a key area.
- The more complicated the IDS, the more vulnerable to simple attacks (packet crafting).
- Proofread memos.
- Port 0 firewall attacks.
- Rogue windows processes (like keylogger).
- Better password policy (no l's and 1's, 0 and O's, etc.). Should be documented or don't use these at all.
- Report offensive materials (like the desktops).
- Incident Response forms have to have proof (screenshots or logs).
- Pay attention to memos. If it says FTP do not install SFTP but reply w/ SFTP being a better option. Await reply.
- Reload all OS's from scratch.
- Don't install wireless routers.
- Need security assessment.
- Detailed procedures/checklists for locking down all systems.
- Tools used by hackers include nmap, Nessus, metasploit, nikto, dirbuster.
- Create *nix script to check/verify commands?

Competitor 3
Zeauddin Ahmed



Role: Misc.

- Have a Project manager, whose job is to maintain and distribute injections to the members that are specialized in their tasks.
- Try to submit injections on time. There had been cases in the competition where we already finished the injections on time, but they were submitted late since both the team leader and vice team leader were occupied.
- Divide the groups based on their specialty; therefore we save time trying to figure out who needs to do it.
- Scan all the computers for malicious software etc. If it is not possible just reformat it. It's better to be safe than sorry.
- If the ISOs that you need are not in the repository, send a memo as soon as possible. We wasted almost an hour complaining that we don't have Linux OS etc.
- If they ask for a print server, try not making the computer with one USB port the print server. It was the biggest and most time consuming mistake we made.
- Try to scan through the processes of the systems and check for rogue processes that shouldn't be there and report it.
- If there is an injection that no one in the team can do, just leave it and do the others. Do not waste time dwelling on it.
- Take a screen shot of the preexisting configuration of the firewall that is given to you, before and after you have hardened it. It also comes in handy when you are forced to switch firewalls in the middle of the competition.

Competitor 4
Anthony Dunaway
Role: Firewall

Feedback from Red Team
- SPSU had a team this year. Yay!


- Once owned, our systems were used to exploit other teams (so they stopped trying to take us down).

Problems
- No firewall passwords given.
- Stonegate admin console is frickin complicated. Do anything possible to learn it before competition; don't assume you can figure it out in a few minutes at competition. (Use the downloadable demo and/or virtual environment if no hardware is available.)

Injections remembered
- Firewall licensing expired, must request a new firewall (Cisco or Checkpoint). Regardless of request, they gave Checkpoint. Must set up and move over within a couple hours, then they rip out the old firewall (day 2 early). Initial plan of Gold Team was to come in and exchange firewalls w/ no time for the team to have them both running.
- Set up new VPN for external access. Demonstrate to judge. (1 hour?)
- New WAP given, install *securely* and test. The 100% correct answer was to not install because no available hardware to test, and it violates policy.
- User requests an FTP site. Insecure, so reply with no.
- Corp requests an SFTP site. Ok, set up.
- Disable/delete accounts of people fired.
- Memo: Team captain is sick. (They took him out of the room for 1 hour as part of the competition.)
- Modify Apache http headers to not include sensitive info.
- Get a change log from NIST 800-128 (not sure about that number).


- Status report at beginning of day 2: what you've done, what issues, how are you going to deal with them, and next steps.
- Set up a network printer accessible from all stations.

Other notes
- Checkpoint was relatively easy to set up, but you need the network config (including external interface settings!) from the old firewall, so record them quick.
- Stonegate and Checkpoint firewalls had great monitoring/logging, useful for watching red-team traffic and blocking IPs. Don't block the corp network IPs (duh).
- Wireshark is useful for inspecting captured packets on the firewall for deeper analysis. (Monitoring shows the IP/Port accessed, but wireshark will show in the packet what they were doing, like SQL queries, etc.)
- Disable, don't delete, firewall rules. You might need them later for reference.

Competitor 5
Ruben Hernandez
Role: Servers

Brainstorming:
- Since we were so new to this competition we were all very calm and not pressing with each other. This was kind of a downfall because we were late or missed a good many injections.
- Went in expecting one thing, got the opposite.
- Delegated tasks need to be more evenly spread, such as who is on what systems. Essentially maybe each person has 1 major task and then their workstation as their second task.
- Knowledge needs to be more precise. For example I am pretty good with AD and Group Policies, but I still need A LOT of work on these for this competition.
- Need to have knowledge of attacks so we know what to look for. Know how to launch these attacks so that we can look for patterns.
- Active monitoring on every system: what gets connected, what's running, etc.


- Knowledge of security risks on all types of system. E.g. on the, I think, secondary DNS the cd command was shutting the system down. I learned that typically that is a sign of a rootkit on a system. We missed a lot of trojans and rootkits on the systems.
- When submitting incident reports we need to have more information about the attack and logs to prove the attack.
- More push back on tasks. If there is something wrong with an injection or something possibly missing, give push back.
- If it doesn't need to be there, take it down.
- Port scan all systems for open ports to see possibly malicious activity. We had an http server running on the Ubuntu workstation.
- Disable windows services that are not needed, or remove programs that are not needed.
- The mail server was getting attacked from what looked like an exploit with notepad.exe. System usage went up very high from the process.
- Better documentation of changes; keep a log for each person, then go in and consolidate at different periods.
- Change passwords every few hours, just in case.
- Use the guides... We brought a lot of guides and didn't use any of them.

My Thoughts On competition: Well I think this competition was more of a learning experience than anything. It did what it was intended to. It put me into a situation as if I were working for a company. This put lots of pressure on the team to see how we reacted. I feel performance wise we have a great deal to improve on, but that means that next year we will place. I know if we can keep a few members from this year and put them there to help out next year we will be golden. I personally feel as if I did not work to my full potential because of my reaction to the way the systems were set up originally. I didn't go in open minded, so when things were screwy I fell apart and skewed away from my game plan.

Competitor 6
Chris Meinert
Role: Windows/Linux

Notes:
- Don't worry too much about sql injections.


- Be prepared for maliciously configured systems.
- Be prepared for having nothing you wanted on the proxy.

Competitor 7
Eliott Neumann
Role: Linux

Feedback from the red team
- We worked well as a team.
- We were owned twice:
  - known vulnerability through rpc port on domain controller
  - Ubuntu workstation, known vulnerability
  - Open smtp relay

We were exposed completely. Patch everything.

Problems
- No pile of crap in the room.
- Don't expect anything in the future.
- 35 injections with time limits ranging from 30 minutes to 2 hours.
- Windows group policy: must know.
- No office suite on systems.
- Set up practice systems in as little time as possible. Spend most of the time reading up on how to secure things and build systems.

Worked
- Firewall management was great.
- Have specific roles for each person. Everyone knows what everyone else's role is.
- Strong leader with great organization and delegation skills. Business skills are better than technical skills for the leader.


- Strong co-captain who can take over when the leader gets kicked out.

Failed
- We were not provided with a list of approved sites. Make sure to bring a list with us. Don't go to iffy sites.
- Keylogger.
- Know Windows processes. Make a list of windows processes that should be running. Make a baseline of a good windows system.
- Prepare for a media wiki setup injection. Webserver and database.
- Reload Operating systems. Assume they are completely compromised.
- If you can't do exactly what they want you to do, push back with a very good excuse that is detailed.

Notes
- Make sure injections follow proper procedure.
- Record firewall config. Back up and make sure you know what the rules are. Excel spreadsheet.
- Read the handbooks/documents that they give you before the competition!

Competitor 8
Jason Tejada-Valiente
Role: Misc.

- In the competition all computers need to be assessed to verify if they need to be wiped out and reinstalled.
- Make sure to have all
- The team leader needs to make sure injections are submitted on time.
- Firewall is important as soon as we get to the competition. Be aware that the firewall might be changed in the middle of the competition. Be prepared.

- Designate one team member that knows system processes and services so that that team member can point out any rogue process. In the competition, Notepad.exe was infected in the Mail server.
- Monitoring firewall activity is important. At least two team members should check on the monitoring.

Summation
This section identifies common themes in the competitors' individual summaries, together with the KTT's own observations of and interactions with the competition team. It lays the foundation for the gap analysis in the next section.

- Check webpages often (including code).
- For the Incident report, report any irregularity that is found, and provide evidence. For example, if the red team is doing a port scan, take a screen shot of the attack and copy and paste it into the report. It doesn't matter how detailed your explanation is; the incident report counts as incomplete without picture evidence.
- If you have any websites that are not in the proxy, which will be the majority of them, write a memo as soon as possible. We had problems updating the Linux and Windows systems since the links were not in the proxy.
- No firewall console cable right away.
- Complete a total hardware/systems inventory (in the first 30 minutes, day 1).
- Need printer ASAP!
- Set up a new Wiki site on the web server.
- Personnel evaluation summary: the Team Captain has to do one for everyone; everyone has to do one for the team captain.
- Time management.
- Share printer over network.
- Proxy list not implemented or was incomplete.
- No patches, no antivirus, no updates, no mirror sites.
- Do not expect any ISOs.


- Proofread everything.
- Gold Team has a serious attitude. Don't be smart with them.
- Check all the wires and connections on all the systems at the beginning of the first and second day. They will put things into your computer.
- Make sure your passwords are readable. No ambiguous letters or numbers. Legible handwriting. Be descriptive of what the passwords belong to.
- Prepare communications log and change logs. Be diligent about these logs.
- Be sure to request anything you need. Give a good reason or they won't even consider giving it to you.
- Scan for malicious rootkits and rogue processes.


Gap Analysis
What Went Wrong
- Read all memos: read past memos already in the room and present ones.
- White list was not implemented in the proxy server. White list was not prepared in order of importance, so it was difficult to discern what to ask the judges for access to.
- There was no pile of junk in the room.
- Lack of practice, although the team lost a week due to bad weather.
- Did not follow prior written acceptable use policies.
- Lack of time management.
- Problems reading passwords in the Confidential Storage Log.
- Proxy not available for the first half of the competition, and when it became available a lot of the sites on the white list were not there.
- Incomplete incident reports.

What We Could Have Done Better

- Prewritten acceptable use policy in lieu of technical controls. Develop acceptable use policies before the competition. The CIO determines if the policy is acceptable and may require the technical control anyway. An injection specifying an assignment will indicate if the control is mandatory.
- Complete injections even if past the time limit. Some assignments may have late point values beyond the due date/time, so completion of all assignments is recommended. If an assignment is going to be late, write the Gold team and explain why. They may not count off as many points if the reason is legitimate.
- Prepare incident reports exactly as instructed. Need screen shots of all incidents and a detailed explanation of what you did to correct the error. Note changes in the change log. A good incident report can take 50% off the penalty. Several team members noted that they demoed to the room judge, which wasn't good enough. Needed a screen shot as well.

- Timely documentation of all logs. There are three logs: communication log, change management log, and password log. They must be kept up to date diligently.
- Check the proxy list early and quickly write a business case for why you need a site.
- Prepare business cases before the competition, such as no implementation of WAP or FTP.


Remediation Plan
This section suggests, for each gap identified in the previous section, how future teams might remediate that gap, as specifically as possible; generic suggestions such as "spend more time preparing" are not useful.

- Hopefully next year (2012) the team will have an infrastructure already in place. This will allow them to practice, and interaction with each other will help the team identify weaknesses and strengths.
- Study hardening guides for each piece of software, e.g. MySQL, OSs, Firewall. Don't rely on manuals; you won't have time to read them. Study what you need to know.
- Define roles for Team captain, co-captain and team members. This will help the entire team to know who should be doing what. Delegated tasks need to be more evenly spread.
- Time management was a big issue. Time Management is essential in completing business injections, as is quickly assessing if the business injection should be completed or not.
- There are three logs: the Change Log, Communications Log, and Confidential Storage Log. These logs must be kept up diligently.
- Keep a list of sites on the proxy list so you will know what sites the judges did not consider important. Write up a detailed business case for each missing site, notifying the judges why you need access.
- Be familiar with all Windows processes. Scan through the processes of systems and check for rogue processes that shouldn't be there and report them.
- When doing inventory, check all systems' USB ports and LAN cables for unauthorized devices. Devices found in 2011: keylogger and annoy-a-tron.
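The recurring remediation items above (unknown open ports, rogue processes, defaced web pages, and "no evidence = no credit" on incident reports) come down to one habit: record a baseline when a host is believed clean, then diff against it on a schedule. The script below is an added example written for this report, not material from the KTT, SPSU or the competition organizers; it assumes a Linux host with `ss`, `ps`, `find`, `sha256sum`, `comm` and `awk`, and the `ss` output embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the KTT report): baseline-and-diff checks for
# listening ports, running processes and web root contents. Take a baseline
# once a host is believed clean, re-run the check periodically, and attach any
# non-empty output to the incident report next to the screenshot.
#
# Assumes Linux userland: ss, ps, find, sha256sum, comm, awk.

# Reduce `ss -Hlntu` output (Netid State Recv-Q Send-Q Local:Port Peer:Port),
# read from stdin, to sorted unique "proto port" lines so that two snapshots
# compare cleanly regardless of the address or queue columns.
normalize_listeners() {
    awk '$1 ~ /^(tcp|udp)/ { n = split($5, a, ":"); print $1, a[n] }' | LC_ALL=C sort -u
}

# Lines in CURRENT ($2) that are absent from BASELINE ($1); both must be sorted
# in C locale. Works for the listener list and for a `ps -eo comm= | sort -u`
# process-name list alike.
new_entries() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Lines in BASELINE that are absent from CURRENT: a service or file that
# disappeared is as worth a look as one that appeared.
missing_entries() {
    LC_ALL=C comm -23 "$1" "$2"
}

# One "./relative/path  sha256" line per file under the web root, sorted by
# whole line (hence by path). Relative paths keep the manifest comparable
# after a restore to a different mount point.
webroot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + |
        while read -r hash path; do printf '%s  %s\n' "$path" "$hash"; done |
        LC_ALL=C sort )
}

# Compare two manifests: a changed hash or an added file shows up as a "+"
# line, a removed file as a "-" line. Empty output means nothing changed.
defacement_report() {
    new_entries "$1" "$2" | sed 's/^/+ /'
    missing_entries "$1" "$2" | sed 's/^/- /'
}

# Constructed sample `ss -Hlntu` output: the "current" snapshot carries an
# extra listener on tcp/4444 that the baseline did not have.
SAMPLE_SS_BASELINE='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:53     0.0.0.0:*
tcp   LISTEN 0 128 [::]:80        [::]:*'
SAMPLE_SS_CURRENT="$SAMPLE_SS_BASELINE
tcp   LISTEN 0 128 0.0.0.0:4444   0.0.0.0:*"

# On a real host (as root, so ss/ps see every socket and process):
#   ss -Hlntu | normalize_listeners > /root/baseline/listeners
#   ps -eo comm= | LC_ALL=C sort -u > /root/baseline/processes
#   webroot_manifest /var/www/html  > /root/baseline/www
# and later: new_entries / missing_entries / defacement_report on each pair.
demo() {
    b=$(mktemp); c=$(mktemp)
    printf '%s\n' "$SAMPLE_SS_BASELINE" | normalize_listeners > "$b"
    printf '%s\n' "$SAMPLE_SS_CURRENT"  | normalize_listeners > "$c"
    echo "New listeners since baseline:"
    new_entries "$b" "$c"          # prints: tcp 4444
    rm -f "$b" "$c"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```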

Prior to attending the competition, complete the following tasks:
- Develop a game plan based on multiple what-if scenarios, i.e. how to search for and remove rootkits, malware, etc.
- Document the game plan thoroughly based on the different what-if scenarios, bring a printout to the competition, and utilize it during the competition, especially on Day 1.


- Conduct a skills inventory of each team member identifying both strengths and weaknesses.
- Ensure that every member of the team is assigned a task and knows what that assigned task is once the competition starts.
- Study the NIST, NSA, STIG, and other guides for securing and hardening the infrastructure; bring them to and utilize them throughout the competition.
- Practice setting up a Firewall appliance, a network or host-based IPS/IDS system, and configuring host-based firewall/IDS on servers and workstations.
- Practice monitoring network traffic, reviewing system logs, etc.
- Practice identifying, documenting and reporting detected intrusions appropriately.
- Practice hardening the infrastructure using several network/security tools, e.g. NMAP.
- Be flexible; make adjustments to the game plan and assigned tasks as needed.
- Review all network and computer equipment to ensure that they are all connected properly and that there are no unusual physical devices attached to them, especially at or prior to the start of Day 2 of the competition.
- Closely monitor all network traffic, computer logs, etc. for any intrusions. Document the intrusions thoroughly and submit them with the incident reports.
- Time Management is essential in completing business injections, as is quickly assessing if the business injection should be completed or not.
- State the business case for rejecting a business injection clearly and concisely, quoting any and all policy and procedure manuals or statements.


- Ensure that the team is well versed, as best as possible, on the different technologies (hardware and software) that have been outlined in the Team Packet.
- If additional equipment - network, computer or printer, etc. - is needed or required, submit a request with a business case for doing so quickly on Day 1.
- Verify that the pre-submitted Proxy Server white-list has been implemented; if it has not been implemented, submit a request with a business case for doing so quickly on Day 1.
- Proofread all communications outbound to the Gold Team.
- Document firewall configurations thoroughly.
- Reload all operating systems. Assume they all have been compromised.
- Work hard and have fun. Be respectful of one another and everyone else involved in the competition.


Artifacts Captured
This section lists links and descriptions for items that future teams might use. It includes links for firewalls, routers, Linux, VMware, the SECCDC Team Packet, and other tools.

Items (with purpose and link)

Cisco Router Hardening Step-by-Step
  Link: http://www.sans.org/reading_room/whitepapers/firewalls/ciscorouter-hardening-step-by-step_794

Router Security in Four Easy Steps
  Link: http://www.informationweek.com/news/207000367

PIX Firewall and router
  Purpose: Hardening guide for Cisco Firewall (PIX, ASA, FWSM)
  Link: http://security-24-7.com/hardening-guide-for-cisco-firewall-pixasa-fwsm/

VMware
  Purpose: ESXi Installable and vCenter Server Setup Guide. This file supports the version of each product listed and supports all subsequent versions.
  Links: http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esxi_i_vc_setup_guide.pdf
         http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esxi_server_config.pdf

StoneGate Firewall
  Purpose: Appliance Installation Guide FW-310; STONEGATE 5.2 ADMINISTRATORS GUIDE; STONEGATE 5.2 SMC REFERENCE GUIDE
  Links: http://www.stonesoft.com/export/download/sg_appliances/SGAIG_FW-310.pdf
         http://www.stonesoft.com/export/download/sg_man/StoneGate_Management_Center_Reference_Guide_v5-2.pdf
         http://www.stonesoft.com/export/download/sg_man/StoneGate_Management_Center_Installation_Guide_v5-2.pdf

SECCDC Team Packet
  Purpose: CCDC Team Preparation Guide; SECCDC Team Packet Draft
  Links: http://www.nationalccdc.org/files/CCDC%20Team%20Prep%20Guide.pdf
         http://infosec.kennesaw.edu/SECCDC/2011_SECCDC_TeamPacket_v1.pdf

DKVM-8E
  Purpose: Guide on how to use it; it gives the user the ultimate in control of 8 PCs from one keyboard, mouse and monitor.
  Link: http://hen.cs.ucl.ac.uk/library/hardware/kvm/dkvm8e.pdf

Configuration of Red Hat
  Purpose: Guide to the Secure Configuration of Red Hat Enterprise Linux 5
  Link: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf


Appendices A
Debriefs from competitor participants. The competition team prepared and turned in what they considered to be their greatest challenges and their overall view of the competition. The following are some major themes running through each team member's debrief.

Appendices B

SPSU Final Score report 2011

Appendices C
SECCDC Team Packet 2011 with Network Diagrams

Appendices D
After Action Report


Appendices E
Guidelines for Injection/Communication Process


Appendices E
Hardening Guides


Appendices F
SECCDC 2011 Final Presentation (Power point)

