Students practice cybersecurity defense skills
RIT’s 12th annual competition helps students practice skills and meet professionals
How do you train the next generation to defend our nation’s computer networks? By pitting them head-to-head against the industry’s top cybersecurity professionals, in a real-life network infrastructure simulation.
Representatives from Google, Cisco and 11 other sponsors came out to see what more than 50 of the brightest cybersecurity students could do at the 12th annual Information Security Talent Search competition, held March 6–8 at Rochester Institute of Technology. The student-run competition provides college students with an informal opportunity to flex their cybersecurity skills in a defense simulation, while networking with professionals from the industry.
“Learning in the classroom is useful, and lab-based experiences are a good addition, but live and real-time practical experience is essential,” said Bo Yuan, associate professor and chair of RIT’s Department of Computing Security. “This is one of the few student-run competitions where future experts can exercise their skills in a controlled environment.”
Throughout the weekend, 12 teams of students—known as the “Blue Teams”—had to secure and defend a network infrastructure from the “Red Team”—a super-group of security industry professionals.
Student teams were responsible for maintaining the critical computing services of their simulated business, including websites, email and file sharing. Meanwhile, the professionals were constantly attacking and trying to gain control of their systems in order to shut down the services or steal information.
“When the attacks are successful, we like to keep the competition fun by introducing a small ransom,” said Bryan Harmat, a fourth-year computing security student who helped run the competition. “If the Red Team has gained control of a Blue Team’s computer, they might make the students sing Taylor Swift songs or do 20 pushups in order to get it back.”
Members of this year’s Red Team included professionals from Facebook, ZeroFOX, Box, Intrepidus Group and the MIT Lincoln Laboratory. J.P. Bourget, an RIT alumnus and founder and CEO of Syncurity Networks, has run the Red Team for the last six years.
“For many students, this is their first practical experience attacking and defending an infrastructure,” said Bourget, ’05, ’08 (information technology, computer security and information assurance). “I like to think that this competition will get students to research the challenges that they encountered and maybe even discover an area of cybersecurity that piques their interest.”
The ISTS competition differs from other security competitions, such as the National Collegiate Cyber Defense Competition, in that “Blue Teams” are not only encouraged but required to attack other “Blue Teams.” Harmat explains that understanding exactly how each hacker can break into your computer is important for defending a computer system.
Throughout the competition, representatives from the 13 sponsors—including FireEye and OGSystems—got an opportunity to see how the students worked under pressure.
“The sponsors hang out all weekend and are able to chat with the competitors in an atmosphere that isn’t like a formal interview,” said Harmat. “Many students make connections and are able to get co-ops and jobs with the sponsors.”
RIT’s Security Practices and Research Student Association (SPARSA), a student-run organization that addresses issues in computing security, runs the annual ISTS competition at RIT. A team of student volunteers, known as the “White Team,” manages the competition infrastructure.
Other participants in this year’s competition included Rensselaer Polytechnic Institute, University at Buffalo, Syracuse University, Eastern Michigan University, Alfred State and SUNY Polytechnic.
The top four teams in this year’s competition were from RPI, RIT, RIT and EMU, respectively. A team’s final score depends on its success in attacking other teams, the completion of side challenges and the uptime and availability of critical services.