RIT takes top spot over Stanford, Cal Poly in Collegiate Pentesting Competition

A team of Rochester Institute of Technology students took home the top trophy at the Collegiate Penetration Testing Competition (CPTC) international finals Jan. 7-10. Stanford University placed second and California State Polytechnic University, Pomona placed third.

‌

This graph shows the most common commands typed by competitors during the CPTC international finals.

This is RIT’s first time winning the competition, which challenges the world’s brightest cybersecurity college students to put their hacking skills to the test.

At the CPTC finals, teams from 15 universities faced off to see who was best at breaking into fabricated computer networks, evaluating their weak points, and presenting plans to better secure them. This year’s competition was held virtually through RIT, in Rochester, N.Y.

The CPTC has become the premier offense-based collegiate computing security event, after starting at RIT six years ago. CPTC is an effective counterpart to the Collegiate Cyber Defense Competition (CCDC), which is the premier defense-based event for college students.

Several at-large awards were also given to this year’s CTPC teams, including:

• Best Report – Stanford University
• Best Presentation – RIT
• Most Fire Memes – Bournemouth University
• Most Professional – City College of San Francisco

During the event, teams identified more than 140 issues and vulnerabilities in the competition environment. Two different teams also discovered a completely new “zero-day vulnerability.”

“We have found strong year-on-year improvement in the overall quality of technical findings and reports,” said Justin Pelletier, director of CPTC and director of the GCI Cyber Range and Training Center at RIT.

Pelletier also noted that the two most common vulnerabilities discovered across the competition included having a virtual network connection open with no authentication and password information being disclosed on a chat server.

“The teams that are most successful treat CPTC like an actual consulting engagement with a real client, as opposed to a competition,” said Tom Kopchak, competition director and director of Technical Operations and Splunk Implementation Engineer at Hurricane Labs. “I am consistently impressed by the work and dedication that the teams put into competing in this event.”

The pentesting competition allows students to experience a day in the life of a penetration tester—the in-demand security professionals hired to test and evaluate an organization’s computer systems and networks to make sure malicious hackers can’t get in.

Teams of six students interrogated a mock company’s network. The next day, they presented a report on their findings and offered their suggestions for mitigating risk.

This year’s pentesting target was the energy grid infrastructure of a small city, including a hydroelectric dam, a nuclear power plant and a wind farm system that was connected to a regional power utility company. During their pentest, teams were virtually visited by organizers who acted like clients and gave them side tasks to complete, just like in the real world. Each team also got exposure to programmable logic controllers (PLCs), industrial computers that control many of the important components of our critical infrastructure.

Sunggwan Choi, captain of the RIT team, said that technical skills and soft skills were both crucial to the RIT team’s success. The team focused on improving its presentation, so they could easily describe technical information in context with the big picture.

“It was also our first time testing critical infrastructure hosts and networks, so we definitely enjoyed researching them,” said Choi, who is a fifth-year RIT computing security BS/MS major. “It was critical to know exactly which hosts existed for which reason, and to be careful in general, as a scan or two could bring down the critical infrastructure and cause physical damage (inside the scenario).”

The winning RIT team included Choi; Ayobami Adewale, a fourth-year computing security major; Neha Sharma, a computing security master's student; Aashish Annarapu, a computing security master's student; Rajeev Ravindran Karuvath, a computing security master's student; and Spencer Roth, a third-year computing security BS/MS student. The team is coached by Rob Olson, a lecturer in RIT's Department of Computing Security. 

Judges and sponsors from the security industry evaluated the performance of the competitors while under fire. Students also had the opportunity to meet experts and distribute résumés. Sponsors include IBM Security, Eaton, Hurricane Labs and 780th Military Intelligence Brigade, among others.

During the event, IBM announced an important commitment to extend its sponsorship of CPTC for five years. The company has acted as the premier sponsor of the competition since its inception in 2015, and through this extension IBM will continue in this role – providing guidance, funding, infrastructure support, virtual servers, cloud and volunteer resources.

“The Collegiate Penetration Testing Competition has become a premier student contest in the industry, helping the next generation of security professionals build and refine a highly sought after skillset in today's fast changing security landscape,” said Bob Kalka, vice president of Security Technical Professionals for IBM. “Working closely to help guide, fund and support competitions like this is not only a chance for us to invest in the future workforce, but also an opportunity for IBM to connect with some of the most promising emerging cybersecurity talent for internship and recruitment opportunities.”

The CPTC began in October, when more than 500 students gathered for eight regional events across the globe to compete in regionals. This marked the first year with an international regional hosted in Europe.

The top 15 collegiate teams from regionals were selected for the weekend-long CPTC international finals. Participating teams included:

• Rochester Institute of Technology, Dubai
• City College of San Francisco
• Rochester Institute of Technology
• University of Central Florida
• University of Ottawa (Canada)
• Drexel University
• Bournemouth University (England)
• Carnegie Mellon University
• California State Polytechnic University, Pomona
• Stanford University
• Penn State University
• California State University, Fullerton
• Princess Sumaya University for Technology (Jordan)
• University of California, Riverside
• University of West Florida

For the first time, the competition was run through RIT’s Global Cybersecurity Institute (GCI), a new, three-story facility that features a state-of-the-art Cyber Range and Training Center. Instead of having to use a separate cloud, the competition environment was hosted by the Cyber Range infrastructure, which is capable of hosting more than 5,000 virtual machines for immersive scenarios.

“As someone experiencing CPTC for the very first time, I was blown away by the spirit of the competition regardless of the virtual format,” said Kyla Guru, captain of the Stanford team and a first-year prospective computer science and international relations major. “It made me hopeful to be a part of this new generation of students already making a difference in the cybersecurity industry, and ready to make a difference myself.”

More information about CPTC is available on the Collegiate Penetration Testing Competition website.