So a medical centre in a busy city wants to keep up with their office based tech-savvy patients and provide the ability to view and book appointments online. The focus of the business is patient health, not IT, so they want a simple system aligned with their windows environment where they store private patient records.

For many small businesses, this scenario is a modern reality and one which comes with the enormous risk that sensitive information could be compromised.

But for 15 teams of ICT undergraduates, this scenario formed the basis of the 2012 Australian Cyber Defence Challenge.

Working from their university and via VPN access into their own target network environment, the students’ mission in 24 hours was to undertake a number of tasks and submit a report on strategies the business could adopt to mitigate any security risks and enhance its information security.

Each team started with a limited client brief and scored points for conducting tasks such as:

  • Bypassing authentication controls to access a specific document containing PII (personal identifying information) as specified by the client.
  • Performing forensic analysis of an oddly behaving workstation, to understand what happened to the system, what information may have been compromised and when.
  • Developing a secure architecture that the medical practice could adopt in the future. Considering practical controls and specifying changes which would not only mitigate the risks which this test identified, but future risk.
  • Creating a socially engineered email that could be used to compromise the medical practice.

But the winning team wasn’t necessarily the first to complete these tasks and cross the finish line, the bulk of the points were awarded for the team’s report into how they would fix the vulnerabilities they identified and reduce risk for this business.

Members of Telstra’s Security Operations, CERT and Defence were based at Exercise Control (ExCon) for the entire 24 hours monitoring the progress and supporting the teams, and then calculating the final scores. We set up a Twitter feed to keep the teams updated on the scores, and it was great to see the participants use this and engage in some competitive banter. Teams were also able to use points to purchase hints for any of the tasks.

Not surprisingly, ExCon achieved the atmosphere reminiscent of one of the many team assignments I did at uni where invariably we would work through the night – with pizza and loads of coffee. The Challenge was a huge success and something I hope we are able to continue to support down the track.

Congratulations to the participants from the University of New South Wales who took first place honours; closely followed by Edith Cowan University (WA) in second place and Australian National University (ACT) third.

See the scoring results online here

Telstra Team at the scoring of the Challenge

Photo. Despite the long night the team at ExCon really enjoyed their gamekeeper role