Sorry, you need to enable JavaScript to visit this website.

Search form

RIT to host first collegiate-level penetration testing competition, Nov. 7-8

RIT will host the first collegiate-level penetration testing competition open to university partners on November 7th, and 8th of 2015. The Collegiate Pentesting Competition or CPC for short will feature both the competition as well as a cybersecurity job fair. More information about the competition can be found below. 

About CPC

Cyber security events, such as a CTF, vulnerability assessment, auditing, or Pen testing, share many characteristics. All of them exercise a competitor’s understanding of how things work, knowledge of why systems function the way they do, and their skill in manipulating a systems function. They test and assess a contestant’s proficiency in the field of computing and cyber security. 

The differences are starker. Security audits are a co-operative effort reviewing policies, procedures, and regulations to determine if a company is in compliance with those requirements and limitations. The auditors and the company are aware of each other and co-operate in the best interest of the company. These are often in the form of surveys, questionnaires, and examinations. A checklist is a typical component in an audit as is a review of software version and patch level checking. 

Vulnerability assessments are co-operative and validate the existence of those vulnerabilities suggested by an audit. Exploits for missing patches, out of date software versions, or unauthorized software is tested to verify that they violate the security of a system. 

Capture the Flag (CTF) exercises are not co-operative. The company does not share or assist the attacker. Unique to this category is that there are typically one (or a few) known targets (flags) on the victim and the attacker need only discover a single attack vector to accomplish access to the flag. The distinguishing factor for a CTF is the effect on the target systems. In a CTF there is little or no care or concern for the state the system is left in or the damage done to the target as a result of offensive activity. 

Finally a penetration testing event (PT) is co-operative, whether it’s a black box test (when very little information is shared) or a crystal box test (when a lot of insider information is shared). Two characteristics discriminate a PT from other tests. First, a PT picks up where a vulnerability assessment of an exploit ends. The goal is to see how far and to what extent the vulnerability threatens the company and what resources are exposed. A vulnerability assessment might discover that a cheap, easily pick-able lockset is used on your home, pick the lock to verify, and stop there. A PT would continue on a demonstrate that that your TV, stereo, and jewelry box could be taken. Alternatively, the lockset could be less of a concern because the door only leads to the back porch and the next door to the house has a very good lock, minimizing the threat of the weak exterior door lock. 

Second, unlike the CTF, the goal of a PT is to protect and improve the security of the company. The PT should do no harm. The system should not be damaged. The company’s operation or reputation should not be negatively impacted. Any and all vulnerabilities found need to be clearly documented with a mitigation plan provided to the customer for their benefit. While a CTF needs only to find a single successful exploit to gain the flag, a PT strives to find ALL (or at least as many as possible) weaknesses, vulnerabilities, and leaks in a system. This makes a PT a much more demanding exercise. A PT should not stop at the first successful breach, but continue searching for any known vulnerabilities possible in the target system. 

Our goal for this event is to model a real life penetration test as closely as possible in a competition environment. The phases of the event that you can expect are: 

•       3 weeks before the day of the event you will receive a Request for Proposal (RFP) document detailing what the target company is interested in having done.       

•       2 weeks before the event, we will hold an online Q&A session for all teams to answer questions.       

•       Your first task is to develop a formal written proposal in response to the RFP that will be delivered to an email account 1 week in advance of the event.      

•       On the first day of the event, each team will have a short meeting with the “management” of the target company to review the proposal, ROE, scope, and limitations of the test - ultimately signing the contract Later that day the teams will begin the performance phase of the PenTest.      

•       Once the performance phase ends, each team should start analyzing the findings and creating a final report and presentation. 

•       At the start of the second day, each team will deliver their final report and presentation materials. 

•       During the morning of the second day each team will have a fixed, limited amount of time to present their finding to a team of company representatives and answer questions about the engagement.

Your reports live on beyond your engagement – they will represent you later. – Write well.

For more information please visit the Collegiate Pentesting Competition website.