Pen testing team qualifies for national competition
October 23, 2018
For the second year in a row, a team from Dakota State University used their technical abilities to find strengths and vulnerabilities in a fictitious company’s system to win the Midwest Regional Collegiate Penetration Testing Competition (CPTC). This earned them the right to attend the national CPTC on Nov. 2-4 in New York, at the Rochester Institute of Technology.
Along with those technical skills, all six team members said communication was an important part of the process. Their faculty coach, Andrew Kramer, agreed.
“Technology skills transfer to many things you do,” said Kramer, “but technical writing is huge. The rest is useless without communication.” Kramer is an instructor of computer science in The Beacom College of Computer and Cyber Sciences at DSU.
“Communication is huge in many aspects at CPTC,” said Jacob Williams, a master’s degree student in computer science. The Parker, S.D. native explained that the team members meet with the representatives from the fictitious company to discuss goals, the scope or engagement of the work. The team also delivers an introductory presentation and a full report after the competition. “It’s like presenting at a board meeting,” he explained.
At CPTC, the teams aren’t defending a system from attacks, they are trying to find system vulnerabilities, in what is called offensive hacking or penetration testing. “In our reports, we include comments about what they did well and where they succeeded in their security practices,” said Brian Vertullo, a junior cyber operations major from Orange, Calif. They also look for information that isn’t intended to be disclosed, access to files that aren’t supposed to be available, and misconfigurations. This is very realistic that systems will have strengths and weaknesses, said Austin Fritzemeier, a junior cyber operations major from Brookings, S.D.
“The competition stressed that we give the best advice and remediation ideas so the company would know how to fix the things we found,” said Williams.
One thing Vertullo found was evidence that another hacker had been in the system, an APT or advanced persistent threat. Several members of the team competed in the 2017 CPTC so knew how to respond. The DSU team advised contest organizers that they should stop the penetration test, quarantine the system, and bring in an expert to investigate the issue. “Other teams didn’t know what to do with that,” Fritzemeier said. Williams added, “That gained us a lot of bonus points.”
An APT can be a federal felony violation, explained Mike Shlanta, a master’s degree student in applied computer science from Sioux Falls, S.D. “Continuing with the test could change logs, change evidence and other things critical to an investigation,” he said, explaining that it would be similar to wiping fingerprints off a murder weapon.
In addition to this technical success, “it came down to technical writing,” said Zach Quintana. He is a junior cyber operations major from Las Vegas, Nevada. He praised team member Leron Gray. “He was very thorough, and well-versed in writing reports,” said Quintana.
Gray, a senior online cyber operations major from San Antonio, Texas, noted the importance of matching the message to the audience. “When speaking to different audiences, it's important to make sure that ideas are articulated clearly in a logical manner,” he said. “You have to clearly and consistently speak on findings, impact, and recommendations on any reportable item.”
That was something Quintana took from the experience. “You have to write so upper management will understand. If it’s too technical that’s counterproductive.”
The six team members – made up of undergraduate, graduate, on campus and online students – also communicated well with each other, Quintana added, and will continue to work together as they prepare for the national competition. The theme for 2018 is an autonomous vehicle system, something like Uber.
Dakota State will be competing with 10 other college teams, from small colleges like Baldwin Wallace University (Ohio) to large institutions including Cal State Fullerton and University of Central Florida. Last year’s winner, Stanford University, will also be competing.