World’s best cybersecurity students battle at Collegiate Pentesting Competition in Rochester

A team of Cal Poly Pomona students took home the top trophy at the Collegiate Penetration Testing Competition (CPTC) global finals Jan. 6-9. Stanford placed second and Tennessee Technological University placed third.

This was Cal Poly Pomona’s first time winning the competition, which challenges the world’s brightest cybersecurity college students to put their hacking skills to the test.

At the CPTC finals, teams from 15 universities faced off to see who was best at breaking into fabricated computer networks, evaluating their weak points, and presenting plans to better secure them. This year’s competition was held in a hybrid format at Rochester Institute of Technology, in Rochester, N.Y.

The CPTC has become the premier offense-based collegiate computing security event, since starting at RIT seven years ago. CPTC is an effective counterpart to the Collegiate Cyber Defense Competition (CCDC), which is the premier defense-based event for college students.

‌

Scott Hamilton

The CPTC challenges competitors to complete a penetration test of a mock company and present findings to a panel of judges

“The cream of the crop are coming to this competition, and it’s really motivating for us and our future,” said Bob Kalka ’89 (computer science), vice president of IBM’s Security Business Unit, which sponsors CPTC. “We literally get to watch the top cybersecurity students from around the globe at work, doing what they do best.”

The pentesting competition allows students to experience a day in the life of a penetration tester—the in-demand security professionals hired to test and evaluate an organization’s computer systems and networks to make sure malicious hackers can’t get in.

Teams of six students interrogated a mock company’s network. The next day, they presented a report on their findings and offered their suggestions for mitigating risk.

This year’s pentesting target was Le Bonbon Croissant, a candy and croissant factory and direct sales company based in Paris. The mock company had suffered a security incident within the warehouse technology team and was looking to ensure a future breach would not occur.

As pentesters for the competition, students sought to validate the integrity of the custom business process and customer experience systems, including the industrial control systems (primarily running over Modbus) in the distribution plants, the customer rewards program, and ecommerce and payment processing applications.

“This year we offered a competition that was optimized for the pandemic long-game,” said Justin Pelletier, director of CPTC and director of the GCI Cyber Range and Training Center at RIT. “It’s important to me personally to demonstrate that multiple crises do not necessitate catastrophe. We can and should be able to coordinate cyber events in austere and contested environments.”

The CPTC began in October, when more than 500 students gathered for eight regional events across the globe.

The top 15 collegiate teams from regionals were selected for the weekend-long CPTC global finals. Participating teams included:

• California State Polytechnic University, Pomona
• Princess Sumaya University for Technology (Jordan)
• Dakota State University
• Carnegie Mellon University
• Rochester Institute of Technology
• University of Florida
• Masaryk University (Czech Republic)
• California State University, Fullerton
• DePaul University
• Drexel University
• Tennessee Technological University
• Stanford University
• University of New Haven
• University of Tulsa
• University of West Florida

Judges and sponsors from the security industry evaluated the performance of the competitors while under fire. Students also had the opportunity to meet experts and distribute résumés. Sponsors include premier sponsor IBM Security, theme sponsor Wegmans, Security Risk Advisors, Hurricane Labs, Crowe, HelpSystems, and Airship, among others.

“The cybersecurity skills gap is a real problem faced by organizations,” said Doug Rogers, director, Information Security at Wegmans. “Competitions such as CPTC provide an excellent, real-world training environment for up-and-coming cybersecurity professionals to build relevant skills prior to entering the workforce. Wegmans is proud to sponsor this initiative to work with the next generation of cybersecurity professionals and help broaden expertise in the community.”

The competition environment was run through RIT’s Global Cybersecurity Institute (GCI) Cyber Range and Training Center, which is capable of hosting more than 5,000 virtual machines for immersive scenarios. Parts of the competition were streamed on the GCI Twitch channel.

“The GCI is a critical addition to the RIT campus in supporting our growth and expansion of the event over the past several years,” said Tom Kopchak ’11 MS (computing security), CPTC competition director and director of Technical Operations at Hurricane Labs.

More information about CPTC is available on the Collegiate Penetration Testing Competition website.