Code Red Scenario: State University System Crisis

State University System: 50,000 students, 8,000 faculty/staff, managing 200+ departmental websites
Worm • Code Red
STAKES
Student services continuity + Academic research data + University reputation + Internet infrastructure responsibility
HOOK
State University is in the middle of fall semester registration when their IIS web servers hosting departmental websites, student services, and research portals begin showing defacement messages. The infected university servers are now participating in internet-wide scanning and coordinated attacks, threatening both campus operations and the university's role as a responsible internet citizen.
PRESSURE
Fall registration period - student services disruption affects 50,000 students + University reputation and internet responsibility at stake
FRONT • 120 minutes • Advanced
NPCs
  • Dr. Patricia Moore (Chief Information Officer): Managing critical student services during registration period, must balance immediate campus needs with university's responsibility as internet infrastructure provider
  • Robert Garcia (Web Services Director): Overseeing 200+ departmental websites that are now defaced, trying to restore services while preventing further worm propagation
  • Lisa Chang (Student Services Director): Managing registration crisis as student portal and course management systems display defacement messages instead of critical academic services
  • Professor Alan Davis (Computer Science): Analyzing the worm's technical behavior and coordinating with academic security research community about internet-wide threat
SECRETS
  • University delayed IIS patches during registration period to avoid disrupting critical student services
  • Academic departments host research data and student services on shared vulnerable web server infrastructure
  • University's infected servers are now participating in coordinated attacks against other educational and government institutions

Scenario Details for IMs

Opening Presentation

“It’s Monday morning during State University’s peak fall registration period, and 50,000 students are trying to access course registration, student services, and departmental websites. Instead of academic content, hundreds of university web pages are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Network administrators discover that the university’s IIS servers are generating massive scanning traffic, effectively turning the institution’s infrastructure into part of a global attack network.”

Initial Symptoms to Present:

  • “Student registration portal displaying defacement message instead of course enrollment system”
  • “Departmental websites across campus showing identical ‘Hacked By Chinese!’ messages”
  • “University IIS servers generating massive internet scanning traffic overwhelming network bandwidth”
  • “Academic research portals and faculty websites simultaneously compromised”

Key Discovery Paths:

Detective Investigation Leads:

  • Web server forensics reveal buffer overflow exploitation of the IIS Indexing Service ISAPI extension (idq.dll, the flaw fixed by MS01-033) across the university’s IIS infrastructure
  • Academic network analysis shows a memory-only infection spreading across departmental web servers; nothing is written to disk, so file-based scans come back clean and a reboot clears a host without protecting it
  • Registration system logs indicate compromise occurred during peak student access period
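
A worked detection pass over IIS W3C logs, added here as an example for the Detective leads above; it is not part of the original scenario card. The log excerpt is constructed (documentation IP ranges, invented timestamps), and the campus address space is assumed to be 10.0.0.0/8. The long N/X filler and the %u-encoded tail follow the request shape reproduced in public Code Red advisories, but the detector keys only on the /default.ida stem plus the repeated filler run, not on exact payload bytes, so it tolerates minor variant differences.

```python
import re
from collections import Counter

# Tail of the Code Red GET request as reproduced in public advisories. It is
# embedded only to make the sample realistic; matching never depends on it.
PAYLOAD_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
                "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
                "%u0078%u0000%u00=a")

# Constructed IIS 5.0 W3C extended log excerpt (documentation IP ranges,
# invented times). 10.20.1.5 is assumed to be a campus server.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 14:02:13 198.51.100.7 GET /default.ida " + "N" * 224 + PAYLOAD_TAIL + " 200",
    "2001-07-19 14:02:14 192.0.2.11 GET /registration/login.asp - 200",
    "2001-07-19 14:03:02 10.20.1.5 GET /default.ida " + "N" * 224 + PAYLOAD_TAIL + " 200",
    "2001-08-05 09:15:02 203.0.113.55 GET /default.ida " + "X" * 224 + PAYLOAD_TAIL + " 200",
    "2001-08-05 09:15:40 203.0.113.56 GET /default.ida " + "N" * 224 + PAYLOAD_TAIL + " 404",
])

# 100+ repeated N (Code Red I) or X (Code Red II); the real requests used 224.
FILLER = re.compile(r"^([NX])\1{99,}")


def parse_w3c(text):
    """Yield one dict per W3C log entry, using the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            values = raw.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(entry):
    """Return a finding for a Code Red-shaped request, or None for anything else."""
    if entry.get("cs-uri-stem", "").lower() != "/default.ida":
        return None
    m = FILLER.match(entry.get("cs-uri-query", ""))
    if not m:
        return None
    status = entry.get("sc-status", "")
    return {
        "time": entry.get("date", "") + " " + entry.get("time", ""),
        "source": entry.get("c-ip", ""),
        "variant": "Code Red I" if m.group(1) == "N" else "Code Red II",
        "status": status,
        # 200: the .ida ISAPI mapping was still present and idq.dll processed
        # the request. 404: the mapping had been removed, so the probe failed.
        "ida_mapped": status == "200",
    }


def scan_log(text):
    """All Code Red findings in a log, in log order."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


def infected_sources(text, campus_prefix="10."):
    """Every source of a Code Red request is itself an infected host, so campus
    c-ip values in the log are the servers to isolate first. Returns {ip: hits}."""
    counts = Counter(f["source"] for f in scan_log(text))
    return {ip: n for ip, n in counts.items() if ip.startswith(campus_prefix)}


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("campus hosts already infected:", infected_sources(SAMPLE_LOG))
```

The status column matters for triage: a 200 on a /default.ida request means the server still had the vulnerable mapping when the request arrived, and the log from a server that was itself infected will show it making the same request outward to its peers.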

Protector System Analysis:

  • Campus network monitoring reveals infected servers participating in coordinated internet attacks
  • Web server vulnerability assessment shows delayed patch management affecting critical student services
  • Academic data integrity analysis indicates potential research data exposure through compromised web services

Tracker Network Investigation:

  • Internet traffic analysis reveals university infrastructure participating in global worm propagation
  • Academic network communication patterns show scanning traffic exchanged with other infected educational institutions
  • Research collaboration network analysis indicates potential spread to partner universities and government labs
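
A flow-level view of the same outbreak, added as an example for the Tracker leads above; it is not from the original scenario. It runs over constructed flow records (campus space is assumed to be 10.0.0.0/8, external addresses use documentation ranges) and flags the two behaviours that made infected Code Red hosts visible on the wire: per-host fan-out to many distinct external addresses on TCP/80, which is the random scanning that other institutions reported as attacks, and many campus hosts converging on one external address, which is the worm's flood phase against a fixed target.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_flows():
    """Constructed flow records (timestamp, src, dst, dst_port); not captured traffic.
    Campus space is assumed to be 10.0.0.0/8; externals use documentation ranges."""
    t0 = datetime(2001, 7, 19, 14, 0, 0)
    flows = []
    # Ordinary browsing from a lab machine: five destinations over ten minutes.
    for i in range(20):
        flows.append((t0 + timedelta(seconds=30 * i), "10.5.5.5", f"198.51.100.{i % 5 + 1}", 80))
    # Infected server: a connection attempt to a fresh external address every half second.
    for i in range(200):
        flows.append((t0 + timedelta(seconds=0.5 * i), "10.20.1.5", f"203.0.{i // 200}.{i % 200 + 1}", 80))
    # Flood phase: three campus servers hammer one external address ten minutes later.
    for src in ("10.20.1.5", "10.20.1.6", "10.20.2.9"):
        for j in range(50):
            flows.append((t0 + timedelta(seconds=600 + j), src, "192.0.2.80", 80))
    # Unrelated outbound SSH must never be counted.
    flows.append((t0, "10.20.1.6", "198.51.100.9", 22))
    return flows


FLOWS = build_flows()


def _external_web(flows, campus_prefix):
    """Only campus-to-external TCP/80 flows are relevant to either check."""
    for ts, src, dst, dport in flows:
        if dport == 80 and src.startswith(campus_prefix) and not dst.startswith(campus_prefix):
            yield ts, src, dst


def scanning_hosts(flows, campus_prefix="10.", window_seconds=60, min_distinct=50):
    """Campus hosts whose peak number of distinct external TCP/80 targets inside
    any window of window_seconds reaches min_distinct. Returns {src: peak}."""
    by_src = defaultdict(list)
    for ts, src, dst in _external_web(flows, campus_prefix):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Quadratic sliding window; adequate for a sample, replace with a deque
        # plus per-destination counter for real flow volumes.
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged


def flood_targets(flows, campus_prefix="10.", min_sources=3, min_flows=100):
    """External TCP/80 addresses hit by several campus hosts at volume.
    Returns {dst: (distinct campus sources, flow count)}."""
    per_dst = defaultdict(list)
    for _, src, dst in _external_web(flows, campus_prefix):
        per_dst[dst].append(src)
    return {dst: (len(set(srcs)), len(srcs)) for dst, srcs in per_dst.items()
            if len(set(srcs)) >= min_sources and len(srcs) >= min_flows}


if __name__ == "__main__":
    print("scanning hosts:", scanning_hosts(FLOWS))
    print("flood targets:", flood_targets(FLOWS))
```

The two checks separate cleanly on this sample: the lab machine and the two servers that only join the flood never reach the fan-out threshold, while the flood target is identified by fan-in from several campus sources even though each of them touches a single address. Hosts listed by either check are candidates for immediate port-80 egress blocking at the campus border while patching proceeds.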

Communicator Stakeholder Interviews:

  • Student communications regarding registration disruption and academic service availability
  • Faculty concerns about research data exposure and academic website compromise
  • Academic community coordination with other universities experiencing similar attacks

Mid-Scenario Pressure Points:

  • Hour 1: 10,000 students unable to complete course registration due to defaced enrollment portal
  • Hour 2: Faculty research data becomes inaccessible through compromised departmental websites
  • Hour 3: Other universities report that State University servers are attacking their infrastructure
  • Hour 4: University administration faces media questions about academic data security and internet responsibility

Evolution Triggers:

  • If response exceeds 8 hours, university misses registration deadline affecting student academic progress
  • If worm containment fails, infection spreads to other universities through academic collaboration networks
  • If patch deployment is delayed, university continues participating in coordinated attacks against educational infrastructure

Resolution Pathways:

Technical Success Indicators:

  • Emergency patch deployment stops worm propagation across university web infrastructure
  • Student services restored through secure backup systems while maintaining registration deadline
  • University servers removed from the attack traffic through network isolation and system restart (Code Red is memory-resident, so a restart clears it, but an unpatched server is reinfected within minutes unless it stays isolated until the patch is applied)

Business Success Indicators:

  • Academic operations maintained with minimal impact on student registration and faculty research
  • University reputation protected through transparent communication and responsible incident response
  • Academic community relationships maintained through coordinated response and information sharing

Learning Success Indicators:

  • Team understands university’s dual role as service provider and internet infrastructure participant
  • Participants recognize academic institution cybersecurity responsibilities during critical operational periods
  • Group demonstrates coordination between academic mission priorities and internet security obligations

Common IM Facilitation Challenges:

If Academic Mission Is Ignored:

“Your technical analysis is excellent, but Lisa reports that 10,000 students can’t register for classes and the registration deadline is tomorrow. How do you balance worm response with critical academic deadlines?”

If Internet Responsibility Is Missed:

“While you’re restoring student services, Professor Davis just received calls from three other universities saying that State University servers are attacking their infrastructure. How does this change your response approach?”

If Research Data Impact Is Overlooked:

“Robert discovered that some of the compromised servers host faculty research data and collaboration portals. How do you assess whether sensitive academic research has been exposed?”

Success Metrics for Session: