University of Virginia computer science students are known for their two consecutive national championship titles for countering cyberattacks. Now they are putting the University on the map for another important dimension of cybersecurity: preventing attackers from getting access to critical systems in the first place.
UVA Engineering’s student team prevailed over nine other teams to win the Northeast Regional for the Inter-Collegiate Penetration Testing Competition, held Oct. 11-13 at Pennsylvania State University. UVA advances to next month’s national event in Rochester, New York.
Teams competed on skills on the offensive, rather than defensive, side of cybersecurity. From Virginia, only UVA and Virginia Commonwealth University participated; VCU finished third. UVA’s team, which competed for the first time, was led by team captains Maggie Gates, a master’s degree student, and Jake Smith, a fourth-year student.
UVA’s team successfully conducted a security assessment for a fictional bank, testing all information technology systems – including the company website, e-commerce portals, partner institutions and employee social networks – for security vulnerabilities. The team also provided the bank owners with a summary of findings and recommended security enhancements.
Gates said the team members spent a lot of time in and out of practice learning and working on their skills. “Throughout the competition we maintained our focus, dedication and camaraderie,” she said. “There is no doubt that our commitment to the competition as well as to each other was a huge factor in our success.”
Besides Gates and Smith, competing for the team were fourth-year student Michael Benos; third-year students Calvin Krist, Daniel Chen and William Tonks; second-year student Jack McDowell; and first-year student Paul Vann. Jack Davidson, professor of computer science, advised the team.
The competition was divided into two components over two days. First, the team spent a full day conducting a cybersecurity assessment to detect how the company’s networks were vulnerable to attack. One vulnerability the team located was personally identifiable information that included fictitious Social Security numbers exposed in a plain-text database. The team then worked through the night to produce a 50-page penetration testing report, which was a summary of detected vulnerabilities and recommendations for how to install remedial security measures.
“The team’s communication and professional skills helped us stand out,” Gates said. “Our ability to spend nine hours in a room deep in the technical weeds and then spend another eight hours producing a well-written and formatted report is a challenging context switch, but it is one we have been prepared for by our education at UVA.”
UVA won the National Collegiate Cyber Defense Competition in 2018 and earlier in 2019, and this Collegiate Penetration Testing Competition victory points to UVA Engineering’s strengths on the other side of the cybersecurity equation: offense.
“Having a lot of experience in cyber defense was a great advantage to us in the competition,” said Smith, who also was a member of the national championship team. “Experience in cyber defense makes it easier to understand how bad actors could try to exploit a system.”
Smith, like Gates, also feels his team’s communications skills were a competitive edge. “A big part of this competition is based on how the findings and resulting recommendations are communicated,” he said.
“The team’s communication and professional skills helped us stand out. Our ability to spend nine hours in a room deep in the technical weeds and then spend another eight hours producing a well-written and formatted report is a challenging context switch, but it is one we have been prepared for by our education at UVA.”
- Maggie Gates
Gates and Smith expressed their gratitude to Davidson, their faculty adviser and coach, for his support and advice in getting ready for this competition. Both also thanked UVA Engineering’s Computer Science Department for providing the support that allowed them to not only compete for the first time, but to win.
The competition sought to create a real-world scenario for the students to practice their cybersecurity and penetration-testing skills. Cyber offense competitions like this one directly test a team’s understanding of how things work, knowledge of why systems function the way they do, and their skill in assessing the overall security of a network. The competition is a way to “test and assess a contestant’s proficiency in the field of computing and cyber security,” according to the competition’s website.
“Teams are judged not only on their technical skills, but also their ability to effectively communicate their findings to company executives,” said Davidson, who also directs the Computer Science Cybersecurity Program and is co-director of the UVA Cyber Innovation & Society Initiative. “I was extremely impressed with the professionalism of our team and their teamwork in producing an outstanding report in such a short time.
“We are very proud of these future cybersecurity leaders and wish them the best of luck in the upcoming national competition.”