After months of planning that began over dinner on the night of the NCPCAB 2018 event, you will all finally get to experience what we’ve spent the past nine months building: the 2019 National Collegiate Penetration Testing Competition (CPTC) environment. Each year, we try to make our competition theme relevant and timely. With the recent news involving some notable breaches, we think we’ve hit our mark.
As this article goes live, CPTC Competition Director Tom Kopchak (@tomkopchak) and CPTC World Team Captain Dan Borges (@1njection) have just wrapped up their “4 Years and 10,000 Hours Later” talk at DEFCON 27’s Wall of Sheep.
Now, it’s finally time to formally announce the theme of the 2019 (Inter)National CPTC...
Here’s an overview of DinoBank and the reasons for conducting a security assessment:
DinoBank was originally founded in 2005 as a de novo bank using technology to enable our customers to bank on their terms. Our largest presence is electronic, and we have been a leader in pushing the adoption of new banking innovations. Furthermore, physical branches are expensive, so we don’t have many of them. Those that we do have are placed in strategic locations for those times when you just need in-person help.
We utilize advanced Automated Teller Machines (ATM), Mobile Phone Banking, and Online Banking so that customers can use their money on their time. Additionally, by keeping our costs down, we can pass those savings on to you.
We are performing a penetration test, as our recent IT exam has shown several issues and our examiners are issuing a Memorandum of Understanding (MOU) with our Board of Directors. One of these items is the requirement to perform a test and resolve these issues. The success of this project is critical to ensure the ongoing viability of our banking operations.
Note: Once our presentation is made available, we will provide a link to the slides and the recording. Make sure to follow National CPTC (@nationalcptc) for updates!
How Is CPTC Different?
CPTC is unique among offensive security competitions in that it is as much a consulting competition as it is a security event.
Each year, we spend an enormous amount of time and effort to develop the story behind the target organization, starting with a comprehensive blueprint laying out all the aspects of the company. This document becomes the foundation for the rest of the event, including comprehensive environment details, information about the hosts and custom applications deployed, an organization chart, and insights into the various roles to be played by advisory board members during the event.
The parallels to real-world consulting don’t stop at the blueprint. When competing, teams must respect the environment they are assessing, and they must ensure that business is not impacted. They must also consider the relative severity of any issues they find in accordance with the business of the target organization.
We place a strong emphasis on ethics, and we believe it’s important for teams to learn what’s appropriate in a business environment prior to experiencing it in the real world. We’ll have the opportunity to cover this topic in depth during Saturday's 4:00 pm presentation at DEF CON’s Ethics Village.
Throughout the event, teams have the opportunity to interact with members of the advisory board and other industry professionals in an in-character role, as if they were actually performing a consulting engagement. Reports are delivered to teams and scored, and they also must deliver a presentation of their findings to the executive team of the organization.
The Goal of the Competition
At the core, the goal of CPTC is education. Everything we do is intended to provide students with a realistic experience unlike anything else they will see in their college careers, and to prepare them for a successful role in their future careers.
We support a number of research initiatives with the data collected from the CPTC competition environments. We have also included additional modifications to the 2019 rules in the spirit of increasing transparency and contributing to the infosec community as a whole.
Looking Forward to 2019 and Beyond
We have grown significantly over the past year, more than doubling the number of students participating. We will be holding five concurrent regional events from October 11th to the 13th in the United States; these events will be hosted at Penn State University, University of New Haven, the Georgia Cyber Center, Tennessee Tech University, and Stanford University. In addition, there will be one international event, hosted at RIT Dubai. The top team from each regional as well as the four additional highest-ranked teams at-large will compete in the international finals, held at RIT from November 22nd to the 24th, 2019.
With the growth of this year’s event, we believe we’ll continue to see more students getting involved, and we are looking forward to making further adjustments to the event to allow for wider participation. This means that there will be exciting news on the horizon for 2020 to accommodate this growth.
Thanks to Those Who Make This Possible
I’d like to personally thank everyone who has been involved in making this competition what it is, from my peers on the advisory board, to the faculty at RIT and the competing institutions, the hosting institutions for the regional events, and the volunteers who dedicate their time and talents in support of CPTC. You all have devoted countless hours and significant expertise. Without your help we couldn’t make this the premier collegiate offensive security event! Special thanks to IBM Security for again being the premier sponsor for the 2019 event.
On a personal note, I’d like to share my appreciation for Hurricane Labs (@hurricanelabs) in supporting my long-standing involvement and giving me the resources and flexibility I need to help run this awesome event.
I’m looking forward to an exciting 2019 CPTC season. Good luck to all the teams competing, and I’ll be seeing many of you in October and November!