November 8, 2017 By Space Rogue 3 min read

Watching 10 different groups present on the same topic — one right after the other — might seem boring, but for me it was extremely exciting. Each presentation covered the results of a penetration test against a fictional company and lasted only 15 minutes. Each was conducted by groups of six students from 10 different universities and city colleges. That’s 10 presentations in two and a half hours. It was actually way more fun than it sounds.

The presentations were part of the national Collegiate Penetration Testing Competition (CPTC) held at Rochester Institute of Technology this past weekend. The CPTC is similar to the Collegiate Cyber Defense Competition (CCDC), but instead of defending a network from external threats, these students actually got to attack it.

With a defined scope and defined areas of engagement, the scenario puts the student teams in the position of conducting a penetration test in as close to a real-world situation as possible. The teams test a fictional company with real infrastructure that has been developed for this test. They are then ranked not only on how well they were able to penetrate the corporate infrastructure, but also on the quality of their report and presentation.

Pen Testing Takes the Spotlight

As someone who has been doing the real-life version of this contest for over 20 years, I can tell you that the skills these students are developing as part of this contest are critical to the future security of our nation’s companies and data.

According to the Center for Cyber Safety, there will be a workforce shortage of nearly 2 million cybersecurity professionals in the next few years, and pen testing is consistently ranked as one of the biggest skills in demand. Much of what is needed to be successful in this role is learned outside of the classroom: a unique mix of creativity, resourcefulness and hands-on practice with different techniques. Contests like these are a great way to refine those skills while learning from peers and mentors.

The teams competing at nationals were the leaders of the pack and advanced first through regional competitions. The top team from each region and the highest ranked teams at large from across all regions were invited, for a total of 10 teams competing at the national championships.

The scenario changes every year. Last year it was a medical device manufacturer. This year, the scenario involved Gotham Elections, a fictional global online election services company.

Not only were students challenged with testing the corporate network, but they were also tasked with determining if the voting system created for the test was secure. The students even evaluated a physical voting machine created specifically for this challenge to determine if it could be tampered with to alter the votes cast during elections.

On top of that, they had to test all of it, write their report and give their presentation within about 24 hours. That’s a lot of work and a lot of pressure, but all the teams did a fantastic job.

Grooming Future Security Professionals

As one of the judges for the presentation portion of the competition, I was amazed at just how polished and well-prepared these students were. I’ve sat on the receiving end of many penetration testing presentations from firms that actually got paid for work that was not half as polished as the presentations from these students. Contestants were also judged on how well the content matched the audience, how well they managed their time during the presentation, whether the risk to the organization was well-communicated and how well they recommended solutions for the problems they found.

In the end only one team could win, and this year that honor goes to Stanford University, followed by the University of Central Florida in second place and the University at Buffalo in third. I’m already looking forward to next year; the competition will be intense.

IBM is the premier sponsor of this event because we know that there is a very strong demand for good penetration testers in the industry, and the demand for testers with solid technical skills is even higher. When you add in the ability to write reports and the skills needed to present findings at the executive level, the demand is astronomical.

Contests like these are a great way to develop the next generation of cyberdefenders. It is comforting to know that we have such talented cybersecurity professionals ready to step up, because we all know we need them.
