1. Quick Reference
| Element | Details |
|---|---|
| Malmon | Code Red (Worm/Stealth) ⭐⭐⭐ |
| Difficulty Tier | Tier 2 (Advanced) - Complex academic institution dependencies |
| Scenario Variant | University Web Services - Fall Registration Crisis |
| Organizational Context | State University System: 50,000 students, 8,000 faculty/staff, managing 200+ departmental websites during registration |
| Primary Stakes | Student services continuity + Academic research data + University reputation + Internet infrastructure responsibility |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Dr. Patricia Moore (CIO), Robert Garcia (Web Services Director), Lisa Chang (Student Services Director), Professor Alan Davis (Computer Science) |
| Optional NPCs | Department chairs, Research partners, Student government, Media |
Scenario Hook
“State University is in the middle of fall semester registration when their IIS web servers hosting departmental websites, student services, and research portals begin showing defacement messages. The infected university servers are now participating in internet-wide scanning and coordinated attacks, threatening both campus operations and the university’s role as a responsible internet citizen.”
Victory Condition
Successfully contain Code Red worm, restore student services for registration continuity, stop university participation in internet-wide attacks, and protect academic research data while maintaining institutional reputation.
2. Organization Context
State University System
50,000 students, 8,000 faculty/staff, managing 200+ departmental websites
Key Assets At Risk:
- Student services continuity
- Academic research data
- University reputation
- Internet infrastructure responsibility
Business Pressure
- Fall registration period - student services disruption affects 50,000 students
- University reputation and internet responsibility at stake
Cultural Factors
- University delayed IIS patches during registration period to avoid disrupting critical student services
- Academic departments host research data and student services on shared vulnerable web server infrastructure
- University’s infected servers are now participating in coordinated attacks against other educational and government institutions
2-12. Complete Sections
Game Configuration Templates:
All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for academic crisis with emphasis on:
- Fall registration timeline (50,000 students dependent on web services)
- Academic institutional complexity (200+ departmental websites, research portals)
- Internet infrastructure responsibility (educational institution as internet citizen)
- Research community coordination (academic security collaboration)
Scenario Overview:
Opening: Monday morning during peak fall registration period, 50,000 students accessing course registration and student services. Hundreds of university web pages display “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” Network administrators discover IIS servers generating massive scanning traffic.
Initial Symptoms:
- Student registration portal displaying defacement instead of course enrollment system
- Departmental websites across campus showing identical compromise messages
- University IIS servers generating massive internet scanning traffic overwhelming bandwidth
- Academic research portals and faculty websites simultaneously compromised
- Help desk overwhelmed with student registration emergency calls
Organizational Context: State university system managing fall registration for 50,000 students, supporting academic research, facing student services disruption and internet infrastructure responsibility during critical academic period.
NPCs:
- Dr. Patricia Moore (Chief Information Officer): Managing critical student services during registration period, must balance immediate campus needs with university’s responsibility as internet infrastructure provider
- Robert Garcia (Web Services Director): Overseeing 200+ departmental websites that are now defaced, trying to restore services while preventing further worm propagation
- Lisa Chang (Student Services Director): Managing registration crisis as student portal and course management systems display defacement messages instead of critical academic services
- Professor Alan Davis (Computer Science): Analyzing the worm’s technical behavior and coordinating with academic security research community about internet-wide threat
Investigation Timeline:
Round 1: Discovery of IIS buffer overflow exploitation, memory-resident worm infection, defacement of academic websites, outbound scanning traffic indicating coordinated attack participation
Round 2: Confirmation of widespread campus compromise, student registration impact quantification, other universities reporting attacks from State University infrastructure, approaching registration deadline
Round 3: Response decision balancing emergency student services restoration vs complete worm eradication, academic continuity vs internet security obligations, immediate registration recovery vs research data protection
Response Options:
- Type-effective: Memory forensics (+3), network segmentation (+3), patch deployment (+2), academic backup restoration (+2)
- Moderately effective: Traffic filtering (+1), server isolation (+1), emergency student communication (0)
- Ineffective: Signature detection (-2), simple reboots (-1), waiting for vendor fix (-2)
Round-by-Round Facilitation:
Round 1: Malmon identification through worm behavior analysis, recognition of registration timing exploitation, Lisa reports students unable to register for required courses
Round 2: Campus compromise scope confirmed, internet attack participation discovered, other universities report attacks from State University, Professor Davis identifies global worm coordination
Round 3: Critical decision: emergency restoration accepting security risks vs complete remediation losing registration period vs hybrid approach balancing academic and security needs
Pacing & Timing:
- If running long: Condense technical worm analysis, fast-forward student impact stories, summarize academic network coordination
- If running short: Expand research data exposure subplot, add departmental autonomy conflicts, include accreditation implications
- If stuck: Robert offers technical worm analysis, Patricia provides academic timeline constraints, Alan shares research community context
Debrief Points:
- Technical: Memory-resident worm behavior, IIS buffer overflow exploitation, coordinated internet attack infrastructure, academic network security
- Collaboration: Academic continuity vs security thoroughness, distributed IT governance, internet infrastructure responsibility
- Reflection: “How does academic registration pressure create security vulnerabilities? How would you design university security balancing academic freedom and infrastructure obligations?”
Facilitator Quick Reference:
Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-2)
Common challenges:
- Team ignores student impact → “Lisa reports 50,000 students unable to register, add/drop deadline is in 48 hours”
- Team minimizes internet attacks → “Other universities threatening to block State University network, your servers are attacking educational infrastructure”
- Team underestimates registration timeline → “Registration period is finite, missed deadlines affect student graduation plans”
DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 15-25
Customization Notes:
- Easier: Reduce website count, extend registration timeline, simplify worm behavior, remove internet attack subplot
- Harder: Add research data breach, include FERPA compliance issues, expand to cross-institution infection, add accreditation review
- Industry adaptations: Healthcare system (patient portal crisis), government agency (citizen services disruption), corporate platform (customer service compromise)
- Experience level: Novice gets worm behavior coaching, expert faces distributed IT governance and academic autonomy challenges
Cross-References:
- Code Red Malmon Detail
- University Web Services Scenario Card
- E-commerce Platform Planning - Similar web infrastructure pattern
- Facilitation Philosophy
Key Differentiators: Academic Institution Context
Unique Elements of University Scenario:
- Distributed Governance: 200+ departmental websites with decentralized IT management creates coordination challenges vs centralized corporate infrastructure
- Academic Timeline: Fall registration represents a critical student services period in which security patches are commonly delayed to avoid disrupting enrollment
- Research Data: Academic research portals contain sensitive research data creating additional protection obligations beyond student services
- Educational Culture: Academic freedom and departmental autonomy complicate centralized security response vs corporate command structure
- Internet Citizenship: Universities have special responsibility as internet infrastructure providers and research community participants
Facilitation Focus:
- Emphasize how academic registration pressure mirrors e-commerce’s Black Friday and healthcare’s patient safety pressure—creates similar vulnerability windows
- Highlight university security’s unique challenge: Distributed IT governance complicates coordinated incident response
- Explore how incident response decisions affect multiple stakeholder groups (students, faculty, researchers, internet community)
- Connect to real-world academic security culture and registration period patch management challenges
End of Planning Document
This scenario explores academic registration pressure vulnerabilities in distributed university IT context. The goal is demonstrating how student services focus creates exploitable security gaps and how incident response must balance academic continuity with internet infrastructure responsibility.