Watching 10 different groups present on the same topic — one right after the other — might seem boring, but for me it was extremely exciting. Each presentation covered the results of a penetration test against a fictional company and lasted only 15 minutes. Each was conducted by groups of six students from 10 different universities and city colleges. That’s 10 presentations in two and half hours. It was actually way more fun than it sounds.
The presentations were part of the national Collegiate Penetration Testing Competition (CPTC) held at Rochester Institute of Technology this past weekend. The CPTC is similar to the Collegiate Cyber Defense Competition (CCDC), but instead of defending a network from external threats, these students actually got to attack it.
With a defined scope and defined areas of engagement, the scenario puts the student teams in the position of conducting a penetration test in as close to a real-world situation as possible. The teams test a fictional company with real infrastructure that has been developed for this test. They are then ranked on not only how well they were able to penetrate the corporate infrastructure, but also on the quality of their report and presentation.
Pen Testing Takes the Spotlight
As someone who has been doing the real-life version of this contest for over 20 years, I can tell you that the skills these students are developing as part of this contest are critical to the future security of our nation’s companies and data.
According to the Center for Cyber Safety, there will be a workforce shortage of nearly 2 million cybersecurity professionals in the next few years, and pen testing is consistently ranked as one of the biggest skills in demand. Much of what is needed to be a successful in this role is learned outside of the classroom: a unique mix of creativity, resourcefulness and hands-on practice with different techniques. Contests like these are a great way to refine those skills while learning from peers and mentors.
The teams competing at nationals were the leaders of the pack and advanced first through regional competitions. The top team from each region and the highest ranked teams at large from across all regions were invited, for a total of 10 teams competing at the national championships.
The scenario changes every year. Last year it was a medical device manufacturer. This year, the scenario involved Gotham Elections, a fictional global online election services company.
Not only were students challenged with testing the corporate network, but they were also tasked with determining if the voting system created for the test was secure. The students even evaluated a physical voting machine created specifically for this challenge to determine if it could be tampered with to alter the votes cast during elections.
On top of that, they had to test all of it, write their report and give their presentation within about 24 hours. That’s a lot of work and a lot pressure, but all the teams did a fantastic job.
Grooming Future Security Professionals
As one of the judges for the presentation portion of the competition, I was amazed at just how polished and well-prepared these students were. I’ve sat on the receiving end of many penetration testing presentations from firms that actually got paid for work that was not half as polished as the presentations from these students. Contestants were also judged on how well the content matched the audience, how well they managed their time during the presentation, whether the risk to the organization was well-communicated and how well they recommended solutions for the problems they found.
In the end only one team could win, and this year that honor goes to Stanford University, followed by the University of Central Florida in second place and the University at Buffalo in third. I’m already looking forward to next year; the competition will be intense.
IBM is the premier sponsor of this event because we know that there is a very strong demand for good penetration testers in the industry, and the demand for testers with solid technical skills is even higher. When you add in the ability to write reports and the skills needed to present findings at the executive level, the demand is astronomical.
Contests like these are a great way to develop the next generation of cyberdefenders. It is comforting to know that we have such talented cybersecurity professionals ready to step up, because we all know we need them.