The world’s best cybersecurity students converged on the Rochester Institute of Technology to compete in the global finals of the Collegiate Penetration Testing Competition (CPTC) January 13-15. The event concluded the largest crime-based cybersecurity competition for college students hosted annually by RIT.
A team from California State Polytechnic University, Pomona students, took home the top CPTC trophy for the second straight year. Stanford University took second and the University of Central Florida third.
In the competition, 15 teams used their white hat hacking skills to break into fabricated computer networks, assess their vulnerabilities and come up with plans to make them more secure. CPTC helps students build and improve the skills needed for a job in cybersecurity – an industry that lacks qualified professionals.
In this year’s scenario, students conducted a penetration test for a mock hotel and tourist destination, with a focus on protecting the customer’s personal information. The students faced the challenge of having to move from one system within the hotel to another – starting with public kiosk computers in the hotel lobby and seeing if they could access other hotel systems, including those that control reservations and access the rooms .
“As you can imagine, if this were possible in a real hotel, this would be a major safety concern,” said Tom Kopchak, CPTC development manager and director of technical operations at Hurricane Labs. “Our main goal in creating the competitive environment is education – we want students to learn skills relevant to their future roles. We’re actually modeling it after things we’ve experienced in the real world as security professionals.”
One thing that makes CPTC unique is how the competition gives students experience working professionally with both technical and non-technical clients. Professionalism – along with technical insights, presentations and reports – play a key role in doing well.
At one point in this year’s scenario, teams were tasked with finding ways to break into a hotel safe. Social engineering was another component added this year.
“At Regionals, teams had to create a phishing email to capture the username and password of a specific employee at the hotel we identified,” said Kopchak, who is also a 2011 graduate of RIT’s computer security program. “In the finals, we upped the challenge by including phone call phishing (vishing). Students had to call our hotel reception and try to get personal information about hotel guests.”
Judges and sponsors from the security industry evaluated the performance of the participants. The students also had the opportunity to meet experts, distribute CVs and have interviews with potential employers. Sponsors included IBM Security, Paperclip, and Black Hills Information Security, among others.
“This competition gives you a taste of real-world engagement and helps you expand on what you learn in class,” says Sarthak Mathur, a master’s computer security student and captain of the RIT team. “Not to mention that when it comes to competition, everything is hands-on and you always come across technology you’ve never seen before, so you have to adapt and learn in real time, just like in the real world.”
The RIT team included mahurwho is from Jodhpur, India; Annika Clarkea third-year computer security student from Delmar, NY; Max Fuskoa fourth-year computer security student from Freehold, NJ; Daniel Railic, a third-year computer security student from Rochester, NY; and Mohammed Eshana fourth-year computer security student from Jamaica, including NY Alternates Karin Sannomijaa fourth-year computer security student from Oakville, Ontario, Canada, and Domenic Lo Iaconoa fourth-year computer security student from Howell, Mich. The team is coached by Rob Olson, a senior lecturer in RIT’s computer security department.
The competitive environment will be operated through RIT’s ESL Global Cybersecurity Institute (GCI) Cyber Range and Training Center, which can host more than 5,000 virtual machines for immersive scenarios.
Throughout the fall, hundreds of elite cybersecurity students from 70 schools gathered at regional events around the world to compete in the CPTC regional competitions. The top 15 college teams from the regional competitions have been selected for the weekend’s CPTC Global Finals. The participating teams included:
- American University of Sharjah (United Arab Emirates)
- Brigham Young University
- California State University, Fullerton
- California State Polytechnic University, Pomona
- Indiana Institute of Technology
- liberty university
- Princess Sumaya University for Technology (Jordan)
- Rochester Institute of Technology
- Rochester Institute of Technology, Dubai
- University at Stanford
- University of Central Florida
- University of Massachusetts, Amherst
- University of Texas at Austin
- University of Texas at San Antonio
- University of Tulsa
The theme for next year’s CPTC has also been announced. Participants take on cybersecurity at an airport, with a focus on transportation and signals cybersecurity. Alstom, a French mobility technology company, has been named Theme Sponsor 2023-2024. Alstom also works together to provide RIT students with educational, research and career opportunities.
Having started at RIT eight years ago, CPTC has grown to become the premier event for crime-based college computing security. CPTC is a counterpart to the National Collegiate Cyber Defense Competition (CCDC), the premier defense-based event for college students. For more information about CPTC, visit the Collegiate Penetration Testing Competition website.