CSUF cybersecurity students test their ‘ethical hacking’ abilities – OCRegister

It has been said that the best defense is a good offense. So, although many cybersecurity experts and firms go to great lengths to defend themselves from attack, the idea of “offensive security” has become an important component in computer science.

On Jan. 7-10, a squad of Cal State Fullerton students had a chance to test its offensive capabilities by competing in the National Collegiate Penetration Testing Competition. Junior-high snickering that the name conjures aside, the tournament is one of the top collegiate cybersecurity competitions in the country.

Corporations and countries are always looking to build a better mousetrap, and the mice — or hackers — will always look for new ways to beat, circumvent, infiltrate or otherwise disable them.

As a result, offensive security studies approach the field from a hacker’s perspective by exploring how to attack systems. There’s even a term in the lexicon: “ethical hacking.”

According to Mikhail Gofman, director of Cal State Fullerton’s Center for Cybersecurity, independent attack-testing companies have become a robust part of the industry and thousands of security jobs are out there, many that pay well.

“This is the kind of skill set that is very much in demand,” he said.

The tournament was created in 2015 and held virtually this year for the first time due to the pandemic. The tourney featured an international field of 15 schools, including Rochester Institute of Technology, Stanford, Cal Poly Pomona, Bournemouth University in England and RIT-Dubai.

A year after failing to make the tournament, the Titans qualified with a fourth-place finish in the Western Regionals behind City College of San Francisco, Cal Poly and Stanford.

Sixty-seven universities from across the globe competed in their respective qualifying competitions.

This year, RIT, the traditional home for the national competition in nonpandemic times, won the title, followed by Stanford and Cal Poly Pomona. Teams out of the top three were not individually named.

In 2018, Fullerton finished in second place in the national finals.

The Titan team will return all but one of its members to school next year.

Cal State Fullerton junior Josiah Peedikayil (Courtesy CSUF News Media Services)

“We’ll come back and be a stronger team,” said Josiah Peedikayil, 21, a junior at CSUF and captain of the team.

“This was a young team and each year they improve,” Gofman said.

The Fullerton team consisted of senior Rojan Rijal, juniors Peedikayil, Josh Ibad, David Johnson and Rian Luzio, sophomore Yao Lin and faculty coach Hernan Manabat.

Teams were tasked with looking for vulnerabilities by attacking, or attempting to penetrate, a fictional utility company: Next Gen Power and Water.

In past years, ersatz self-driving car companies, voting machine makers and banks have been targeted.

In this year’s competition, the fictional utility had protective systems and firewalls set up by top industry professionals that Peedikayil said were realistic.

“It was very complex,” he said.

Although teams testing the utility’s defenses were only contracted to report vulnerabilities, Peedikayil said in the regionals a couple of teams went too far and actually “broke (the company’s) dams by accident.”

Those teams received harsh calls from the ersatz company directors.

Peedikayil joked that he didn’t think his team would have made the nationals if they had broken anything. There is a kind of Hippocratic Oath in ethical hacking to “do no harm.”

Cal State Fullerton faculty member Hernan Manabat (Courtesy CSUF News Media Services)

Although the competition targets a fake company, among the materials students study are real-world open-source websites.

While doing that, Rijal discovered a real-life vulnerability in one of the websites.

“He discovered a vulnerability not known by the professionals,” Gofman said.

“It’s a pretty big finding,” Peedikayil said, although it was outside of the tourney confines.

Rijal reported his discovery to HackerOne, a prominent cybersecurity firm for corporations and the government, and a patch has since been created.

After two days of probing the company’s defenses, analyzing code, testing and replicating systems, teams wrote reports on their findings on Jan. 9 and made presentations to the faux board of directors of the utility on Jan. 10.

The side benefit of the competition, according to Peedikayil, who is also president of the school’s Offensive Security Society student club, was the chance to meet and network, albeit virtually, with top industry professionals from sponsor companies such as IBM and Google.

In its literature, the tournament describes itself as “a bit different from several other collegiate cybersecurity competitions. Instead of defending your network, searching for flags, or claiming ownership of systems, CPTC focuses on mimicking the activities performed during a real-world penetration testing engagement conducted by companies, professional services firms and internal security departments around the world.”

The other major college cybersecurity event is called the National Collegiate Cyber Defense Competition, scheduled for April.

With the international hacking attacks on the U.S. in recent years, most notably by Russia, cybersecurity has become particularly relevant.

As a result, learning not only how to protect yourself but also the methods your enemies use is particularly vital.

“Philosophically, all attacks begin in the mind of a hacker,” Gofman said, and offensive security is a way to “get in the attacker’s mind.”
