RIT hosts national pentesting competition

‌

RIT took third place in last year’s Collegiate Pentesting Competition.

Sixty of the nation’s top cybersecurity college students will face off this November at an offensive hacking competition in Rochester. But for these future data defenders, cybersecurity is more than just a game.

“As the various corporate breaches keep coming to light, I’ve realized over the last five years that there is already enough despair and hardship in the world and that people shouldn’t need to constantly worry about identity theft and bank accounts being hacked,” said Lucas Christian, a fourth-year computing security student at Rochester Institute of Technology. “I decided that a career in cybersecurity would be both fulfilling and give me the opportunity to shape society for the better.”

After making their way through regional competitions in October, the top 10 college teams in the U.S. will now have the chance to use their offensive hacking skills for good at the national competition, which is sponsored by several top tech companies, including IBM Security as the premier sponsor. The National Collegiate Penetration Testing Competition (CPTC) will be held Nov. 3–5 at RIT’s B. Thomas Golisano College of Computing and Information Sciences.

Teams will attempt to break into computer networks that were created for the competition, evaluate their weak points and offer plans to better secure them. The competition allows students to experience a day in the life of a penetration tester—the security professionals hired to test and evaluate an organization’s computer systems and networks to ensure that malicious hackers can’t get in.

“The demand for workers skilled in penetration testing significantly outweighs the supply,” said Bill Stackpole, professor of computing security at RIT and director of the competition. “Student competitors are learning how to add value to a business by helping the company better understand its computing infrastructure and improve its security posture.”

During the competition, teams of up to six students will interrogate a mock-company’s network. The following morning, they will present a report to the judges on their findings and offer their suggestions for mitigating risk. The whole event is set up to mimic how penetration testing consulting happens in the real world.

Participating teams at the national competition include:

• Rochester Institute of Technology
• University at Buffalo
• University of Central Florida
• Pennsylvania State University
• University of New Haven
• Dakota State University
• Missouri University of Science and Technology
• California State Polytechnic University, Pomona
• Stanford University
• City College of San Francisco

Judges and sponsors from the security industry will evaluate the performance of the competitors while under fire. Students will have the opportunity to meet experts and hand out résumés. Sponsors include IBM Security, Uber, Crow Horwath, Hurricane Labs, IEEE Cybersecurity Initiative, Eaton and Indeed.

“Pentesting is one of the biggest security skills in demand right now, as companies are looking for people who can find security loopholes in their systems before cybercriminals have the chance to take advantage of them,” said Bob Kalka, vice president at IBM Security. “This competition is particularly valuable as it allows contestants to demonstrate not only their technical abilities, but also to relay that knowledge into practical steps and guidance for business, which is also a critical skill in this role.”

Outside of coursework, student competitors often spend a few nights during the week and most weekends practicing for the event. Practice includes, breaking into fabricated networks and computers, independent research and working on their technical writing.

“These events not only hone your technical skills, but also your interpersonal skills, understanding of a business and help you learn how to be a part of a cohesive team,” said Christian, who is captain of the RIT team. “Employers adore these engagements—wanting to see how students handle high-pressure environments and how well they can work effectively with a team.”

For Alex Lynch, a fourth-year computer science at University of Central Florida, organization is a significant factor in success at CPTC.

“The challenge is staying organized, communicating effectively, and then taking all the technical data and boiling it down into a coherent report under extreme time restraints,” said Lynch, who is captain of the UCF team. “Once the about nine-hour technical portion of the competition is over, the report must be drafted and finalized overnight, which leaves little time for sleep.”

The Collegiate Penetration Testing Competition, now in its third year with nationals held in Rochester, is the premier offense-based computing security event. It is an effective counterpart to the Collegiate Cyber Defense Competition (CCDC)—with its national competition held annually in San Antonio—which is the premier defense-based event, requiring students to defend an infrastructure while performing typical business tasks.

RIT will host the National Collegiate Penetration Testing Competition Nov. 3–5 in the B. Thomas Golisano College of Computing and Information Sciences. Teams from the nation’s top 10 computing security universities will come to RIT to face-off in the offensive cybersecurity competition.