By Christian Malone, Feb. 7, 2023
For the second year in a row, a team of six Cal Poly Pomona students took home the top prize at the Collegiate Penetration Testing Competition, an annual offense-based cybersecurity competition.
During the eighth annual installment of the event, which took place over the course of three days at the Rochester Institute of Technology, competitors were tasked with hacking into the network of a fictitious hotel, identifying vulnerabilities and reporting how to better secure the hotel’s network.
“From what I think a real company is like, I would say this is probably the best experience you can get,” team member Derrick Tran said.
Cal Poly Pomona’s team consisted of computer information systems majors Justin Covairt, Taylor Nguyen, Derrick Tran and Dylan Tran as well as computer science majors Gabriel Fok and Jasmine Weddle.
While the event took place in January, the team’s preparations date back nearly a year. Three members of CPP’s previous team returned to compete in this year’s event. To fill out the remaining spots, team captain Covairt spearheaded the team’s annual student-led summer bootcamp used to educate and evaluate possible team members.
“It’s completely student-run; there’s pretty much no faculty intervention,” said Covairt. “We designed the six-to-seven-week curriculum … it’s almost like building a class over the summer.”
The team’s coach, Associate Professor Ron Pike, who advises Students With an Interest in Future Technology and provides resources for the organization’s cybersecurity teams, ensures that potential team members are selected based on merit.
“I make sure that it is a blinded selection process, so it’s people’s skills and what they demonstrate in the competition environment that gets them on the team,” said Pike.
After the team was assembled, team members met regularly to prepare for the event while also researching and learning on their own.
“Every weekend on Saturdays we would have a little two-hour meetup to discuss what we’ve learned and some of the game plan moving forward,” said Derrick Tran. “When it comes to the hard learning stuff, most of us actually did that independently.”
CPP’s team won the western regional competition held at Stanford in November, which automatically gave them a spot at the global finals.
At the global finals, competitors had a two-day window during which they attempted to hack into the mock hotel’s network. Simultaneously, the team had to address injects where staff from the mock hotel would ask the team questions or give them additional tasks. Team members said that delegating responsibilities helped them address these multiple issues at the same time.
“Everyone had something that we knew we were good at and that we were going to primarily focus on,” Dylan Tran said. “Focusing on our strong spots really helped us go forward.”
Apart from testing the team’s technical knowledge and communication abilities, the event also required competitors to use social engineering skills by using phishing emails and, for the first time in the event’s history, phishing phone calls to get personal information of the mock hotel’s guests.
“For the voice social engineering, that’s something that Jasmine did,” Covairt said. “She came up with this ruse of a cheating husband that stayed at the hotel and was like ‘can you give me any more names he may have stayed under?’ She even ended up getting credit card information too!”
On the third day of the competition, competitors had to present a report of their findings to a panel of judges and industry professionals who evaluated the team’s technical findings, written report, professionalism and presentation. The competition’s emphasis on these business skills is what sets it apart from other cybersecurity competitions.
Some of the team members believe that their business skills is what ultimately set them apart from other teams.
“I think we went all out on professionalism,” Nguyen said. “We definitely emphasized a lot on business and our reporting.”
After this repeat win, the members of the team who plan to compete again are hoping to continue their streak next year. Alexey Tselevich, who captained CPP’s team during their first win last year, says the team’s desire to grow and get better will be their key to success.
“As long as the team can keep going forward, I’m sure they’re going to win,” said Tselevich. “And knowing the people staying for next year, I have no doubt that they’re going to do a great job, and they’re not going to be complacent.”
Feature image courtesy of Ron Pike