Select Page

Iron Chef of Information Security

Keyboards were a-blazing at the WOW Iron Chef competition

In presenting the WOW Iron Chef of Security award Bob Bierman, Key3Media said “Key3Media has and will continue to be active proponents of learning and standards of practice. We have been pleased to be a part of the first in the world, Iron Chef of Security competition”. He added, “WOW has shown itself to be one of the best partners that we have ever worked with. Our compliments go to everyone involved in making this new competition a wonderful success.”

And the Winner is… Dan Miller, Dan Miller Consulting

“There’s no cure for fools.” So says wandering samurai Sanjuro Kuwabatake in Akiro Kurosawa’s 1961 classic film, Yojimbo. And a fool you’d be if your enterprise environment is not as secure as it should be. Lack of information security can result in loss of public image, downtime, monetary loss, or worse. Harnessing the competitive spirit of its namesake Japanese television program featuring battling chefs, the World Organization of Webmaster’s (WOW) first-annual Iron Chef of Information Security Competition attempted to educate attendees on security issues through an entertaining security troubleshooting duel between system administrators. The daylong event took place Tuesday at Booth 7091 on the show floor.

“What we think is cool about the competition is the edutainment value,” explained WOW Executive Director Bill Cullifer. “A variety of audience types are here-business people, security experts, IT managers-who can benefit [from observing the event]. Our vendor-neutral approach fosters a spirit of competition that’s often missing on the show floor.”

According to Cullifer, companies with enterprise IT environments should be asking themselves the following questions: Are policies and procedures in place? Is documentation fully updated? Is a remediation policy in place? Is security awareness and education happening at all levels, including management, users, and administration? Is auditing taking place? If you answer “no” to any of these questions, it might be time to take a look at your security plan.

The low-down
The event was designed to challenge network and security experts to evaluate and fix the security vulnerabilities present in Internet DMZ architecture.

The premise:
A system administrator for company X’s Web environment leaves for the security industry. The environment mixes Linux and Windows platforms with Cisco network gear, a configuration familiar only to the departing employee. The company would like to engage an outside group to assess security problems with its Web architecture, and fix as much as possible in a limited time frame. The company doesn’t believe any systems are compromised, but it isn’t sure what types of apps the administrator might have uploaded.

The format:
A timed competition scored on a total point basis. Each team had three hours to work on identical architectures using the same tools in an attempt to identify and, if possible, fix problems. At the end of the three-hour period, teams prepared a report outlining the security problems discovered and how they were resolved, and presented it to the judges and audience.

The teams:
Team A (Dustin Hensley); Team B (Dan Miller); Team C (Lee Orrick). All contestants possess knowledge of Cisco routers and switches, Linux, and Windows Advanced Server; are familiar with Internet services, such as Web services and DNS; and have an ingrained knowledge of securing applications and systems.
After a pitched battle that lasted more than five hours, the dust cleared and a clear victor emerged.

I’m a winner!
Dan Miller of Dan Miller Consulting thought the Iron Chef of Information Security competition did a good job of highlighting key concerns in security today. “The competition was unbiased. The configuration featured two operating systems and three brands of hardware and networks commonly seen in the real world. Many companies are worried about outside threats, but their biggest concern should be those coming from inside the organization, such as laid off and disgruntled employees,” Miller advised.
Despite having won the competition, Miller felt he could have done a better job. “Had it been a client, I would have spent more than four hours seeking vulnerabilities. Network security is 75 percent research and 25 percent implementation,” he said while pulling out his “bible,” Hacking Exposed, 3rd Ed., from his backpack.
He also added, that had it been a client, he would have produced two reports at completion: a “geek report” and a “suit report.” “The latter would avoid the double talk common in technospeak today. If your clients don’t understand you, they can’t trust you, and security is all about trust,” he said.

Want more? The Iron Chef competition might be going global. Look for the contest to appear at select Key3Media international events later this year. For more information on the World Organization of Webmasters, visit joinwow.org.

By Sean Cassidy, The Daily

<