A new competition at Rochester Institute of Technology is allowing students to attack the problem of cybersecurity from a different vantage point.
Rather than only defending against attackers, as other national competitions challenge computing security students to do, they will be charged with attacking and analyzing a network. Nine teams from regional universities will face off as they attempt to break into computer networks, evaluate their weak points and offer plans to better secure them.
The first Collegiate Pentesting Competition will be held Nov. 7–8 at RIT.
This first-of-its-kind competition allows students to experience a day in the life of a penetration tester—the security professionals hired to test and evaluate an organization’s computer systems and networks to make sure malicious hackers can’t get in.
“Penetration testing is crucial to any organization that relies on the Internet—which is pretty much all of them,” said Bill Stackpole, associate professor of computing security at RIT and director of the competition. “In fact, some companies, including many in the financial industries, are required to conduct penetration tests every year.”
During the competition, teams of three to six students will interrogate a mock-company’s network. The following morning, they will present a report to the judges on their findings and offer their suggestions for mitigating risk.
“The competition includes a request for proposal from the company and a set of rules and standards for what the attackers are allowed to do,” Stackpole said. “The whole thing is set-up to mimic how penetration testing consulting happens in the real world.”
Judges and sponsors from the security industry will get to see how participants perform under fire, while students can meet experts and hand out résumés.
Sponsors include Vectra Networks, Logical Operations and IBM. Judges will include sponsors, faculty and members of the Pentest Advisory Board who work as pentesters at companies, including Crowe Horwath, Uber and Facebook.
Student teams from RIT, Alfred State College, Indiana University of Pennsylvania, Penn State, Syracuse University, Tompkins Cortland Community College, University of New Hampshire, University of Buffalo and the United States Naval Academy, are participating in the weekend competition.
“Students can learn so much from this experience, including teamwork, prioritization, handling pressure and even important soft skills like contract negotiation,” said Jonathan S. Weissman, a lecturer in RIT’s Department of Computing Security and coach of the RIT pentesting team. “I’m really looking forward to seeing my students apply what they learned in class and grow as cybersecurity professionals through this competition.”
In computing security, the National Collegiate Cyber Defense Competition (NCCDC)—held annually in San Antonio—is seen as the premier defense-based event, requiring students to defend an infrastructure while performing typical business tasks. In the future, RIT sees its Collegiate Pentesting Competition becoming the premier offensive event.
“I would like this to grow from the first regional event into a national event, with four or five regional competitions feeding to the championships at RIT,” said Stackpole. “This will help raise visibility for how important penetration testing really is to cybersecurity.”
In 2012, RIT broke the mold of traditional cybersecurity education by creating the Department of Computing Security, the first academic department devoted solely to computing security. Today, RIT is helping to fill a national need for qualified computing security professionals as a one of National Centers of Academic Excellence in Information Assurance/Cybersecurity Education designated by National Security Agency and Department of Homeland Security.
For more information on the Collegiate Pentesting Competition, go to cptc.csec.rit.edu.