World’s best cybersecurity colleges battle at pentesting competition finals in Rochester

Student teams from Stanford, RIT and Cal Poly Pomona take top three spots in competition

Daniel Bacon

Teams from the nation’s top 10 cybersecurity universities came to RIT Nov. 22-24 to face-off in the Collegiate Penetration Testing Competition (CPTC) International Finals. Sunggwan Choi and Carmen Chiu from RIT’s team work together during the competition on Saturday.

The nation’s brightest cybersecurity college students tested their hacking skills at the international finals of the Collegiate Penetration Testing Competition (CPTC) Nov. 22-24 in Rochester, N.Y.

Stanford University took home the top trophy in the 2019 competition, while RIT placed second and California State Polytechnic University, Pomona placed third. This is Stanford’s third CPTC win in a row.

Team of seven students stands with trophies.Mariah Rose Whitmoyer Stanford University took first place in the 2019 Collegiate Penetration Testing Competition International Finals.

At the competition, teams from 10 universities faced-off to see who was best at breaking into fabricated computer networks, evaluating their weak points and presenting plans to better secure them.

The CPTC has become the premier offense-based collegiate computing security event, after starting at Rochester Institute of Technology five years ago. CPTC is an effective counterpart to the Collegiate Cyber Defense Competition (CCDC), which is the premier defense-based event for college students.

“These are the top cyber students in the world and they’re entering an industry where their contributions will immediately help make our world safer,” said Bob Kalka, vice president of the IBM Security Business Unit. “The students at CPTC are the best in the business because they bring rounded communication skills and a depth of knowledge in cybersecurity.” 

The pentesting competition allows students to experience a day in the life of a penetration tester—the in-demand security professionals hired to test and evaluate an organization’s computer systems and networks to make sure malicious hackers can’t get in.

Teams of six students interrogated a mock company’s network. The following morning, they presented a report on their findings and offered their suggestions for mitigating risk.

Student stands next to fake ATM.Mariah Rose Whitmoyer Students participating in the CPTC had to pentest a mock financial services company, including an ATM.

This year’s target company was DinoBank, a mock financial services and cryptocurrency company. Teams were occasionally visited by organizers who acted like the CEO of DinoBank or a disgruntled bank employee wondering why their IT services were temporarily down. Each student team had a network to break into, a telebanking voice call system that they could call and an ATM they could hack.

“Having a physical ATM in the room with students was a great way to up the engagement in this ‘real-world’ scenario,” said Lucas Morris ’06 (information technology), competition director for CPTC.

“The teams that succeeded were the ones with balanced skills sets,” said Morris, who is also a senior manager of digital risk at Crowe. “You need to be able to combine soft skills, technical skills and the ability to relate to a business.”

During the event, Stanford University discovered two “Zero-day vulnerabilities” and provided patches to fix them.

Judges and sponsors from the security industry evaluated the performance of the competitors while under fire. Students also had the opportunity to meet experts and hand out résumés. Sponsors include IBM Security, Google Cloud, Eaton and FireEye, among others.

The CPTC began in October, when students gathered at six regional events across the globe to compete in regionals. This marked the first year with an international regional hosted in Dubai.

The top 10 collegiate teams from regionals were selected for the weekend-long CPTC International Finals. Participating teams included:

  • California State Polytechnic University, Pomona
  • Penn State University
  • Rochester Institute of Technology
  • Rochester Institute of Technology, Dubai
  • Stanford University
  • University at Buffalo
  • University of Central Florida
  • University of Virginia
  • United States Air Force Academy
  • Virginia Commonwealth University

“It feels great to be a top three team—I absolutely loved it,” said Nishi Prasad, a member of the RIT CPTC team and a computing security graduate student. “It was a wonderful learning experience because we learned a lot about teamwork and building each other up, even in moments of crisis.”

Several at-large awards and prizes were also given to CTPC teams, including:

  • Best Listeners/Best Direction – U.S. Air Force Academy
  • Most Packets Sent – RIT Dubai
  • Most Creative Hack – Penn State University
  • Most Sophisticated/In-depth Analysis – Stanford University
  • Downloaded the Most Data – RIT
  • Tinfoil Hat Award – University of Virginia

The competition is just one way RIT is addressing the critical workforce needs in cybersecurity. The university is creating the Global Cybersecurity Institute (GCI), a new three-story facility expected to open in fall 2020. The GCI will allow RIT to conduct more groundbreaking research, education and professional training and development.

The finals were held in RIT’s Golisano College of Computing and Information Sciences. More information is available on the Collegiate Penetration Testing Competition website.

Recommended News