HOW TO INSTRUCTIONS

Start and Pause the simulation
- The button just to the right of the GAME tab toggles pause and play.
- The play button starts the simulation; the pause button pauses it.
- The "p" key can also be used to toggle pause and play.
- Pop-up messages temporarily suspend the simulation until they are acknowledged.

Save and restart a scenario
- Select the GAME tab.
- Select "SAVE" to save a scenario.
- If desired, replace the automatic file name with your own file name. You may also move to a different directory.
- To load a saved scenario, start any scenario and use the "LOAD" button in the GAME tab.

Move around the office
- Use the keyboard shortcut keys as described here.
- The Tab (and Shift Tab) key is best for placing computers and moving users to a desk.
- Move the cursor to the edge of the screen to pan the screen in that direction.
Buy a component
- Select the OFFICE tab.
- Decide where you wish to place the component. Use the Tab key or other navigation keys to move around; note that sometimes using the a/A keys to control elevation helps to see more of the office.
- Computers can be placed on desks or in server racks.
- Click the "BUY" button in the lower right. (If a "Computer" window has covered the right pane, close the window by clicking the X in the upper right corner next to the word "Computer", or click on an unused office area.)
- Select one of the tabs, e.g., "WORKSTATIONS".
- Select the desired component and click the "BUY" button.
- Use the Tab key and move the cursor until the desired desk or server rack is highlighted, then click.
- You can cancel a BUY that is in progress by clicking the CANCEL button in the place where you originally clicked "BUY".
- Components are given default names, which can be changed.

Connect (or disconnect) a component to a network
- Select the NETWORK tab.
- Select the component that is to be connected to the network.
- Click on the network icon in the upper right. A colored border should appear around the component icon.
- Connecting multiple components to the same network will cause a line to appear between the components.
- Disconnect a network from a component by selecting the component and clicking the network button.
- Disconnect a component from all networks by selecting the component and clicking the wall plug icon.
- Note that the "Internet" can only be connected to gateway components such as Routers, VPN Gateways and Firewalls.
- Note that you cannot connect some pre-existing components (ones you did not buy) to any network.
- Note that you cannot connect any components to some networks.
- Note that VPN gateways are automatically connected to the Internet; it is their only protected communications path.
- If the component has an O/S that enforces MAC (e.g., Trusted Populos), you must assign security labels to the connection:
  - Select the COMPONENT tab.
  - Select the component from the "COMPUTER SELECTION" list.
  - Select the network (if not already selected) from the "NETWORKS" list.
  - Click the "SL" button for a single-level connection or the "ML" button for a multilevel connection.
Connect to the Internet
- Note that the "Internet" can only be connected to gateway components such as Routers, VPN Gateways and Firewalls.
- Buy a router or other gateway device from the NETWORK DEVICES tab in the buy screen. (See How to Buy a component.)
- Connect the component to the Internet. (See How to Connect a component to a network.)
- Connect the router to another network.
- Connect the desired server or workstation to the other network.

Connect a network to a multilevel component
- Some components include multilevel operating systems, e.g., "Trusted Populos".
- These components require that security labels be associated with network connections.
- Connect these components to networks as described above.
- Then go to the COMPONENT tab and select the component.
- In the Networks pane of the COMPONENT tab, select the network if it is not already selected.
- Use the "SL" button to define a single-level connection and the "ML" button to define a multilevel connection.
Ensure a component is working (e.g., is not always crashing)
- Select the OFFICE tab.
- Find and select the component (click on it).
- The resulting panel on the right-hand side of the screen includes "Availability".
- If this is low, you may need to hire IT staff or train your users.
- Alternately, the component might have Trojan horses or viruses. Here is how you view the software (and remove the malware) on a component. If you have malware, you may need to enhance the component security properties or put a firewall between it and the Internet.

Find a user or computer
- While in the "OFFICE" screen:
  - Pressing the "u" key selects each user in turn.
  - Pressing the "s" key selects each support staff member in turn.
  - Pressing the "m" key selects each computer in turn.
  - Pressing the "d" key selects each network device in turn.
- While in the USER screen, double clicking on a user name takes you to the office with the user selected.
- While in the COMPUTER screen, double clicking on a computer name takes you to the office with the computer selected.
Assign a computer/desk to a user
- If the user has an assigned desk (and you are happy with the assignment), just buy a computer and place it on the desk. It will be assigned to the user. Otherwise:
  - Drag and drop the user to the new desk; or:
  - Press the "u" key repeatedly until the desired user is selected, or just click on the user.
  - Click the "MOVE" button (on the right toward the bottom of the panel).
  - Use the Tab key to find the desired desk and move the cursor until the desired desk is highlighted. Click there.
- If the work area highlight is red, a user cannot be assigned to it.
- If the work area highlight is blue, that is the user's assigned desk.
- If the desk had a computer, it will be assigned to the user. Otherwise buy one and place it on the desk.
- You can give the user some other computer by dragging it and dropping it on the user's desk.

Find a user's desk
- Use the "u" key to find the user, or double click on the user name from the USER screen. If the user is sitting down (or close to it), that is the desk. Otherwise, the user's work area is highlighted. Use the Tab key to move around until you see the highlighted space.

Move a Component
Click on the computer with the mouse and drag it to the desired location. Use the Tab key for a good view of potential locations. If the work area highlight is red, the computer cannot be placed there. Note that some zones do not permit connections to some networks. In these cases, the networks will be disconnected from the computer if it is moved into such a zone.

Change a Component's Name
- Select the NETWORK tab.
- Click within the component's current name.
- Type in the new name.
Use Link Encryptors
- Purchase two link encryptors from the BUY, Network Devices screen.
- Decide what network the link encryptor will protect, and connect each link encryptor to that network.
- Connect other components to the link encryptors by connecting the link encryptors to networks that contain the other computers. In the simplest case, a single computer is connected to the link encryptor via a dedicated link (network).
- As you connect the second network to the link encryptor, a pop-up screen will let you select which network connection is encrypted. Use the "Reverse Links" button to switch which link is encrypted if needed. The pop-up screen also allows you to select which key to use with this link encryptor. Each link encryptor must share the same key to communicate properly.
- You may also display the link encryptor pop-up by clicking the "Link" button in the lower right panel of the Network screen when a link encryptor is selected.
- View an Encryption Tutorial.

Buy software for a component (or remove software)
- Select the NETWORK tab or the OFFICE tab.
- Select (single click) the component for which you want to buy software.
- Click the SOFTWARE button on the lower right.
- Select either the BUY or REMOVE tab.
- Hovering over or right clicking on the application name will display the full description.
- Select the desired software and click the BUY (or REMOVE) button.
- Note that purchase of some software types will remove previously installed software of the same type.
- (Note that you cannot buy software for a thin client workstation. Instead, connect the thin client to a terminal server and buy software for the terminal server.)

Assign an asset to a component
- See the "ASSIGN ASSET" step under How to Enable a user to achieve a goal: select the desired component from the COMPONENT screen and click the "ASSIGN ASSET" button on the lower right of the screen.
Permit a user to locally access a workstation
- Make sure the user can get into the zone that contains the computer.
- Double click the component, or select the COMPONENT tab and select the component from the list.
- Within the "Configuration Settings" pane, locate the "Local Authentication" configuration entry.
- If "Local Authentication" is required, then the workstation must be able to identify the user as described below; otherwise any user is free to access the workstation (though not necessarily the assets on that component).
- Locate the "User & Group Identity" pane in the lower center of the screen.
- The user must either be defined locally (click the "LOCAL" button to see) or defined on an authentication server.
- If the user is to be defined locally, click the "ADD" button and add the user and any groups needed to satisfy DAC controls on local assets.
- If the user is to be identified via an Authentication Server, see "Configure an Authentication Server".

Permit a user to remotely access a component
- Make sure the user has local access to some workstation with a network connection to the remote component.
- Double click on the remote component, or select it from the list on the COMPONENTS screen.
- Within the "Configuration Settings" pane, locate the "Local Authentication" configuration entry.
- If "Remote Authentication" is required, then the remote component must be able to identify the user as described below; otherwise any user is free to access the component (though not necessarily the assets on that component).
- Locate the "User & Group Identity" pane in the lower center of the screen.
- The user must either be defined locally (click the "LOCAL" button to see) or defined on an authentication server.
- If the user is to be defined locally, click the "ADD" button and add the user and any groups needed to satisfy DAC controls on local assets.
- If the user is to be identified via an Authentication Server, see "Configure an Authentication Server".

Configure an Authentication Server
- Pick or purchase a server to use as the authentication server.
- Make sure the authentication server has network connections to each of its client computers.
- Double click on the server (or select it from the list on the COMPONENTS screen).
- Click the "Authentication Server" button on the bottom of the "User & Group Identity" pane.
- Use the "Add" or "Add All" button to select the users and groups that this authentication server is to identify.
- Click the "Clients" button to select which other computers are to now use this authentication server for identifying users and groups.
Permit a user to enter a zone
- Select the ZONE tab and select the zone from the list.
- Find the "Zone Access List" in the lower center of the screen.
- If the user is not listed explicitly, or by virtue of group membership or clearances, click the ADD button.
- Select the desired user, group or clearance and click the ADD button.
- Click the CLOSE button.

Enable a user to achieve a goal
- Double click the user, or select the USER tab and select the desired user from the list of users.
- Review the list of "Asset Failures". If "NONE", the user is achieving all goals. But perhaps the user is not efficiently achieving the goals.
- For failed goals, read about the goal and determine what assets that user must access.
- Are the necessary assets assigned to components? Select the ASSET tab, and then select each of the assets that are part of the failed goal. Just below the description in the lower pane, the location of the asset is noted. If the asset is not on a component, or not on the desired component, select the desired component from the COMPONENT screen and click the "ASSIGN ASSET" button on the lower right of the screen.
- Can the user access a zone containing a component via which the user can access the asset? (See How to Permit a user to enter a zone.)
- Can the user access the component that contains the asset? If the asset is on a workstation that the user is to access directly, then see "How to Permit a user to locally access a workstation". If the user is to access the asset remotely, then see "How to Permit a user to remotely access a component".
- Does the component that contains the asset, or the user's workstation, contain the software applications needed to achieve the goal? (See How to Buy software for a component.)
Ensure a User can Access an Asset
- Assuming the user can achieve the goal as described in "Enable a user to achieve a goal", DAC mechanisms might still prevent the user from accessing the asset.
- Double click on the component that contains the asset.
- Select the asset from the list in the lower right corner of the screen. If you don't see the asset, go back to "Enable a user to achieve a goal" and make sure the asset is assigned to the desired component.
- Click the "ACL" button. The resulting display identifies the users and/or groups that the component will permit to access the asset, and the associated mode (e.g., "read").
- If the user is explicitly identified in the ACL, then the user must be identifiable to the component:
  - Locate the "User & Group Identity" pane in the lower center of the screen.
  - The user must either be defined locally (click the "LOCAL" button to see) or defined on an authentication server.
  - If the user is to be defined locally, click the "ADD" button and add the user.
  - If the user is to be identified via an Authentication Server, see "Configure an Authentication Server".
- If one of the user's DAC groups is identified in the ACL, then both the user and the group must be identifiable to the component (either locally or via the authentication server).
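The DAC rule above (an ACL entry must name the user or one of the user's groups, and every principal in that entry must be identifiable to the component, either locally or through an authentication server whose client list includes the component) can be written down as a short check. The following is an added example written for this page, not CyberCIEGE's own code; the component, server, user, group and asset names are constructed, as is the ACL.

```python
# Added example (not CyberCIEGE code): a model of the DAC access check described above.
# All names (FileServer, alice, engineering, "Design Docs", ...) are constructed.
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    users: set      # users the server identifies ("Add" / "Add All")
    groups: set     # groups the server identifies
    clients: set    # component names that use this server ("Clients" button)


@dataclass
class Component:
    name: str
    local_users: set = field(default_factory=set)    # "User & Group Identity" -> LOCAL
    local_groups: set = field(default_factory=set)
    acls: dict = field(default_factory=dict)         # asset -> {principal: set(modes)}


@dataclass
class User:
    name: str
    groups: set     # the user's DAC groups


def user_known(comp, user, servers):
    """A user is identifiable if defined locally or on an auth server this component uses."""
    return user in comp.local_users or any(
        comp.name in s.clients and user in s.users for s in servers)


def group_known(comp, group, servers):
    return group in comp.local_groups or any(
        comp.name in s.clients and group in s.groups for s in servers)


def check_access(user, comp, asset, mode, servers):
    """Return (allowed, reason) for `user` accessing `asset` on `comp` in `mode`."""
    acl = comp.acls.get(asset)
    if acl is None:
        return False, f"{asset} is not assigned to {comp.name}"
    # Explicit user entry: the user alone must be identifiable.
    if mode in acl.get(user.name, set()):
        if user_known(comp, user.name, servers):
            return True, f"{user.name} is listed in the ACL and is identifiable"
        return False, f"{user.name} is listed in the ACL but is not identifiable to {comp.name}"
    # Group entry: both the group and the user must be identifiable.
    for group in sorted(user.groups):
        if mode in acl.get(group, set()):
            if not group_known(comp, group, servers):
                return False, f"group {group} grants {mode} but is not identifiable to {comp.name}"
            if not user_known(comp, user.name, servers):
                return False, f"group {group} grants {mode} but {user.name} is not identifiable to {comp.name}"
            return True, f"{user.name} gets {mode} via group {group}"
    return False, f"no ACL entry grants {mode} on {asset} to {user.name} or their groups"


def run_example():
    """Constructed scenario: one auth server, one file server, three users."""
    auth = AuthServer(users={"alice", "bob"}, groups={"engineering"}, clients={"FileServer"})
    fs = Component("FileServer",
                   acls={"Design Docs": {"engineering": {"read", "write"}, "carol": {"read"}}})
    alice = User("alice", {"engineering"})   # identified via the auth server, in the ACL group
    carol = User("carol", set())             # named in the ACL but defined nowhere
    dave = User("dave", {"engineering"})     # in the ACL group but not identifiable
    before = {
        "alice_read": check_access(alice, fs, "Design Docs", "read", [auth])[0],
        "alice_delete": check_access(alice, fs, "Design Docs", "delete", [auth])[0],
        "carol_read": check_access(carol, fs, "Design Docs", "read", [auth])[0],
        "dave_read": check_access(dave, fs, "Design Docs", "read", [auth])[0],
    }
    # The remedy from the steps above: define dave locally on the component ("ADD" under LOCAL).
    fs.local_users.add("dave")
    after = {"dave_read": check_access(dave, fs, "Design Docs", "read", [auth])[0]}
    return before, after


if __name__ == "__main__":
    print(run_example())
```

The `reason` string returned with each verdict is the useful part when a goal fails: it tells you whether to fix the ACL itself, add the user locally, or add the user or group to the authentication server.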
Efficiently Achieve User Goals
- Is the user achieving the goal in the first place? If so, continue here.
- Select the USER tab, then the user, and view the productivity value, which is between 0 and 100. If it is low, perhaps the user is not efficiently achieving the goals.
- If users must leave their assigned zone to achieve a goal, they lose efficiency.
- If the user must use a workstation other than the one they are assigned, they lose efficiency. (Sometimes this cannot be securely avoided.)
- Are the necessary components working OK? Click on the component from the OFFICE tab. Its "Availability" will be displayed in the window on the right. If it is not close to 100%, the user could lose efficiency. You may require additional user training or additional IT staff.
- Does the user have enough training? Buy training in the USER tab. Training is purchased for all users at once.

Protect assets from compromise
Only support functions and access that are required by the user goals. For example, do all users need access to the Internet? Check the USER tab to see each user's goals and the assets needed to achieve those goals. Don't build the network that you think the users or the enterprise might want. Build the network that they need as defined in the goals. If assets are being compromised, consider the following questions:
- Have users who are authorized to access the asset sold you out by being bribed or otherwise coerced into compromising the asset?
- Do authorized users have enough training? Buy training in the USER tab. Training is purchased for all users at once.
- Can unauthorized users (including external attackers) get physical access to components that can be used to access assets?
- Does an unauthorized user have logical access to components that can be used to access the assets?
- Can an unauthorized user gain unauthorized logical access to a component that can be used to access the asset?
- Can an attacker subvert a component that can be used to access the asset?
- Can an attacker wiretap a LAN connected to the component that contains the asset?
- Is the asset on the correct component? You can move assets to other components, and users will create assets depending on asset allocation policies.
Configure a Filter to Protect Assets
- Gateway network devices such as firewalls and routers contain filters. Filters can block application service requests (e.g., a request to start a Telnet session) from going through the network device. Such requests can be denied (or permitted) based on the device's individual network connections and the direction of the request. CyberCIEGE network filters automatically allow all responses to any application service request that was permitted. In the jargon of firewalls and routers, the filters are "stateful". The player does not have to configure the filter to handle responses.
- Buy a firewall or router by selecting the NETWORK DEVICES tab from the BUY screen.
- Connect the firewall or router to the networks that it will sit between. Note that firewalls are like routers in that they can connect directly to the Internet network. Gateway devices must be connected to networks before they can be configured.
- In the NETWORK screen, select the gateway and click the "FILTER" button on the right. Or, in the OFFICE screen, double click on the network device.
- Each network connected to the device is listed under the "Network" heading. Below that, you may select requests from that network or to that network, relative to the device. For example, one such filter blocks all application service requests coming from the Internet except for "email Transfer" requests. The "Deny All" button will block all application service requests from the Internet. The "Permit All" button would allow all application service requests from the Internet.
- Additionally, filter lists include an entry called "Internal IP Addresses". This entry lets you block IP packets having a source address that is assigned to the internal network. This filter entry is only utilized in selected scenarios that are designed to illustrate IP address spoofing.
- Click here for a tutorial on firewall use and limitations.
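To make the stateful behaviour described above concrete, here is an added Python model of such a gateway filter. It is example code written for this page, not CyberCIEGE's own implementation: entries are kept per network and per direction relative to the device, "Deny All" plus a single "email Transfer" exception reproduces the filter described in the text, the "Internal IP Addresses" entry drops packets whose source address claims to be internal, and a state table lets the response to a permitted request back through without any inbound rule. The network and service names and every packet are constructed.

```python
# Added example (not CyberCIEGE code): a model of the stateful gateway filter described
# above. Network names, service names and the packets below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    service: str                   # application service, e.g. "Telnet" or "email Transfer"
    src_net: str                   # network the packet arrives from, relative to the device
    dst_net: str                   # network the packet is forwarded to
    session: int                   # identifies one request/response exchange
    src_is_internal: bool = False  # True if the source IP address belongs to the internal network

    def reply(self):
        """The response travelling back the other way within the same session."""
        return Packet(self.service, self.dst_net, self.src_net, self.session)


class GatewayFilter:
    """One entry per (direction, network): 'from' covers requests arriving from that
    network, 'to' covers requests leaving toward it. Each entry is a default mode
    ("permit" or "deny") plus the set of services that are exceptions to that default."""

    def __init__(self, networks):
        self.networks = set(networks)   # networks the device is connected to
        self.entries = {}               # (direction, net) -> {"mode": ..., "except": set()}
        self.spoof_check = set()        # networks with the "Internal IP Addresses" entry enabled
        self.open_sessions = set()      # state table: (session, src_net, dst_net) of permitted requests

    def _entry(self, direction, net):
        if direction not in ("from", "to") or net not in self.networks:
            raise ValueError(f"device has no connection '{direction} {net}'")
        return self.entries.setdefault((direction, net), {"mode": "permit", "except": set()})

    def deny_all(self, direction, net):
        self._entry(direction, net)
        self.entries[(direction, net)] = {"mode": "deny", "except": set()}

    def permit_all(self, direction, net):
        self._entry(direction, net)
        self.entries[(direction, net)] = {"mode": "permit", "except": set()}

    def _set(self, direction, net, service, allowed):
        entry = self._entry(direction, net)
        if allowed == (entry["mode"] == "permit"):
            entry["except"].discard(service)   # same as the default: no exception needed
        else:
            entry["except"].add(service)

    def deny(self, direction, net, service):
        self._set(direction, net, service, False)

    def permit(self, direction, net, service):
        self._set(direction, net, service, True)

    def _blocked(self, direction, net, service):
        entry = self._entry(direction, net)
        # Blocked when the service sits on the "deny" side of the default/exception pair.
        return (entry["mode"] == "permit") == (service in entry["except"])

    def allow_request(self, pkt):
        """Apply the 'from' entry of the source network and the 'to' entry of the
        destination network; remember permitted requests so their responses pass."""
        if pkt.src_net in self.spoof_check and pkt.src_is_internal:
            return False   # "Internal IP Addresses": internal source address arriving from outside
        if self._blocked("from", pkt.src_net, pkt.service) or \
           self._blocked("to", pkt.dst_net, pkt.service):
            return False
        self.open_sessions.add((pkt.session, pkt.src_net, pkt.dst_net))
        return True

    def allow_response(self, pkt):
        """Stateful part: a response passes only if it reverses a permitted request;
        no filter entry is consulted, as the text describes."""
        return (pkt.session, pkt.dst_net, pkt.src_net) in self.open_sessions


def example_filter():
    """The filter described in the text: deny everything from the Internet except mail."""
    f = GatewayFilter(["Internet", "Office LAN"])
    f.deny_all("from", "Internet")                   # the "Deny All" button
    f.permit("from", "Internet", "email Transfer")   # then re-permit the one needed service
    f.spoof_check.add("Internet")                    # the "Internal IP Addresses" entry
    return f


def run_example():
    f = example_filter()
    telnet_in = Packet("Telnet", "Internet", "Office LAN", 1)
    mail_in = Packet("email Transfer", "Internet", "Office LAN", 2)
    web_out = Packet("Web", "Office LAN", "Internet", 3)
    spoofed = Packet("email Transfer", "Internet", "Office LAN", 4, src_is_internal=True)
    return {
        "telnet_in": f.allow_request(telnet_in),              # blocked by Deny All
        "mail_in": f.allow_request(mail_in),                  # the one exception
        "web_out": f.allow_request(web_out),                  # outbound is unrestricted
        "web_reply": f.allow_response(web_out.reply()),       # reply passes with no inbound rule
        "telnet_reply": f.allow_response(telnet_in.reply()),  # no state: request was denied
        "spoofed_mail": f.allow_request(spoofed),             # internal source address from the Internet
    }


if __name__ == "__main__":
    for name, allowed in run_example().items():
        print(f"{name:13s} {'permit' if allowed else 'deny'}")
```

The `web_reply` case is the point of the "stateful" remark in the text: the Web response arrives from the Internet, where the default is Deny All, yet it passes because the outbound request that provoked it was permitted. The `spoofed_mail` case shows why the "Internal IP Addresses" entry exists: the service itself is permitted, but a packet from the Internet claiming an internal source address is dropped before the service rules are consulted.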
Determine how well you are doing
- Select the GAME tab to view a summary of your status:
  - MONEY -- how much money you currently have to spend.
  - Budget -- how much money you receive each month as a fixed budget.
  - Costs -- how much money you are spending each month on IT support staff.
  - Bonus / Penalty -- the money you are gaining or losing each month resulting from user productivity or a lack thereof.

Speed things up (or slow them down)
- The "c" key speeds up time. Shift "C" slows it down.
- The pause button starts and stops time. The "p" key does this as well.
- See Keyboard Shortcuts for more shortcuts.

Use VPN Gateways
VPN Gateways behave exactly like routers, except that they are preconnected to the Internet. They only encrypt and authenticate data over the Internet. You cannot disconnect them from the Internet.