Last fall, Cal State Fullerton cybersecurity students competed in the Collegiate Penetration Testing Competition where teams of students from the region met to determine how to hack the security systems of an airport and then presented a report of their findings to executives.
The Cal State Fullerton team of six students placed second in the high-pressure competition, which provided real-world experience that they will bring to the jobs that await them once they graduate. Business sponsors often recruit winners for employment during these events, said Mikhail Gofman, professor of computer science and director of the ECS Center for Cybersecurity in the College of Engineering and Computer Science.
Penetration testing means trying to break through the security systems of a business by using the same tools and techniques that hackers use. If a penetration tester can discover and exploit a vulnerability, Gofman said, then so can an attacker.
“This is often called the security governance,” Gofman said, “the goal of which is to ensure the cybersecurity of the company. It is driven by risk management, and, of course, cyberattacks are a big part of the company risk management, because a cyberattack can have very devastating consequences.”
The regional competition focused on the security systems of an airport. “They weren’t actually real airport systems, but real networks which simulated what a network infrastructure of an airport would look like,” Gofman said. “The students had 12 hours, from morning to night, to conduct the penetration test to find and exploit as many security vulnerabilities as possible.”
Then they had to write a professional penetration testing report that communicated their findings in plain language.
“Our goal as a team was to try to fully compromise the company, given only a set of IP ranges and some scattered fictitious employee information they left on the internet for us to exploit,” said fourth-year student Katherine Chen, who was a member of the winning team.
“You use public information on the internet to impersonate someone and use their information for malicious purposes, which we were successfully able to do,” Chen said. “At the end of the competition, we had to submit a huge report on our findings, which our report detailed to almost about 90 pages. At the end of the day, you want to present your findings to C-level executives who don’t know anything about technology. The report is what makes you win in CPTC.”
To replicate a real work situation, students were interrupted from time to time by pretend executives with a request.
“One example which students told me about was that they were approached by an individual claiming that he was going to have a meeting with the CO in five minutes, and he just wanted to get an update on how they were progressing,” Gofman said. “They had to be able to give a nice, concise, executively digestible formulation of where they were.”
The Cal State Fullerton team participated in a global competition in January but did not place in the top three spots. For the global competition, they had to complete the penetration test, write a report, and give a presentation to the room of mock executives.
“My students worked very hard on this,” Gofman said, praising their energy and enthusiasm, especially those in the Offensive Security Society Club. He also credited the dedicated faculty in the Center for Cybersecurity, who added hands-on experience to cybersecurity classes.
Gofman sees an important role for his students in the world of cybersecurity.
“Here at CSUF, a lot of our students are from underrepresented backgrounds and are first-generation students. I think it’s great to help those students take advantage of this growing job market. We are helping the nation by providing the desperately needed cybersecurity professional expertise while helping people who need to benefit from this demand.”
Many former students work in cybersecurity, and some of Gofman’s current students have lined up jobs ahead of graduation.
Chen is currently interning as a vulnerability researcher at a company based in Virginia. “I really love deeply understanding something, and that is exactly what cyber offers you,” she said. “Cyber is a field of being patient and being very meticulous, looking really hard for just a small hole to wiggle yourself into and wreak havoc. I always loved computer science, and I think cyber is basically computer science on steroids.”
Cybersecurity student Katie Tran, who also participated in the competitions, has landed a job this summer as a cybersecurity analyst at Deloitte, a cybersecurity company.
“My cybersecurity classes with Professor Gofman have prepared me for employment,” she said. “Cybersecurity classes with him cover a huge amount of material in detail, and he ensured that we learned and got hands-on experience with the subjects. He also provided a lot of guidance and coaching for competition.”
