Collegiate Penetration Testing Competition at RIT crowns the globe’s top cyber students
Student teams from Cal Poly Pomona, Stanford, and University of Central Florida take top three spots
The world’s best cybersecurity students came together at Rochester Institute of Technology to face-off in the Collegiate Penetration Testing Competition (CPTC) global finals Jan. 13-15. The event wrapped up the largest offense-based cybersecurity competition for college students, which is hosted annually by RIT.
A team of California State Polytechnic University, Pomona students took home the top CPTC trophy—for the second year in a row. Stanford University placed second and University of Central Florida placed third.
At the competition, 15 teams used their white hat hacking skills to break into fabricated computer networks, evaluate their weak points, and present plans to better secure them. CPTC helps students build and hone the skills needed for a job in cybersecurity—an industry that has a severe shortage of qualified professionals.
In this year’s scenario, students conducted a pentest for a mock hotel and tourist destination, with an emphasis on protecting customer’s personally identifiable information. Students experienced the challenge of needing to move from one system within the hotel to another—starting from public kiosk computers in the hotel lobby and seeing if they could access other hotel systems, including those that control reservations and access the rooms.
“As you can imagine, if this was something that was possible at a real hotel, that would be a major security concern,” said Tom Kopchak, a CPTC director of development and director of Technical Operations at Hurricane Labs. “Our primary goal when creating the competition environment is education—we want students to learn skills that will be relevant to their roles in the future. We actually model it after things we’ve experienced in the real world as security professionals.”
One thing that makes CPTC unique is how the competition gives students experience working with technical and non-technical clients in a professional manner. Professionalism—along with technical findings, presentations, and reports—play a key role in scoring well.
At one point in this year’s scenario, teams were tasked with identifying ways to break into a hotel safe. Social engineering was another component added this year.
“At regionals, teams had to create a phishing email to capture the username and password of a specific employee at the hotel that we identified,” said Kopchak, who is also a 2011 alumnus of RIT’s computing security program. “At finals, we upped the challenge to include phone call phishing (vishing). Students had to call the front desk of our hotel and try to get personal information about hotel guests.”
Judges and sponsors from the security industry evaluated the performance of the competitors. Students also had the opportunity to meet experts, hand out résumés, and interview with potential employers. Sponsors included IBM Security, Paperclip, and Black Hills Information Security, among others.
“This competition gives you a taste of real-world engagements and helps you expand on knowledge gained from the classroom,” Sarthak Mathur, a computing security master’s student and captain of the RIT team. “Not to mention, everything in the competition is hands on and you always encounter technology you haven’t seen before, so you have to adapt and learn in real-time, just like you would in the real world.”
The RIT team included Mathur, who is from Jodhpur, India; Annika Clarke, a third-year computing security student from Delmar, N.Y.; Max Fusco, a fourth-year computing security student from Freehold, N.J.; Daniel Railic, a third-year computing security student from Rochester, N.Y.; Kyri Lea, a fourth-year computing security student; and Mohammad Eshan, a fourth-year computing security student from Jamaica, N.Y. Alternates included Karin Sannomiya, a fourth-year computing security student from Oakville, Ontario, Canada, and Domenic Lo Iacono, a fourth-year computing security student from Howell, Mich. The team is coached by Rob Olson, a senior lecturer in RIT’s Department of Computing Security.
The competition environment is run through RIT’s ESL Global Cybersecurity Institute (GCI) Cyber Range and Training Center, which is capable of hosting more than 5,000 virtual machines for immersive scenarios.
Throughout the fall, hundreds of elite cybersecurity students from 70 schools gathered at regional events across the world to compete in the CPTC regionals. The top 15 collegiate teams from regionals were selected for the weekend-long CPTC global finals. Participating teams included:
- American University of Sharjah (United Arab Emirates)
- Brigham Young University
- California State University, Fullerton
- California State Polytechnic University, Pomona
- Indiana Institute of Technology
- Liberty University
- Princess Sumaya University for Technology (Jordan)
- Rochester Institute of Technology
- Rochester Institute of Technology, Dubai
- Stanford University
- University of Central Florida
- University of Massachusetts Amherst
- University of Texas at Austin
- University of Texas at San Antonio
- University of Tulsa
The theme for next year’s CPTC was also announced. Participants will take on cybersecurity at an airport, focusing on transportation and signal cybersecurity. Alstom, a French mobility technology company, was named the 2023-2024 theme-sponsor. Alstom is also collaborating to provide RIT students with educational, research, and career opportunities.
CPTC has become the premier offense-based collegiate computing security event, after starting at RIT eight years ago. CPTC is a counterpart to the National Collegiate Cyber Defense Competition (CCDC), which is the premier defense-based event for college students. More information about CPTC is available on the Collegiate Penetration Testing Competition website.