You appear to be offline. Some site functionality may not work.
Sign Up

Fastly Blog

How college security competitions help us build great security teams

Building a great team is one of the most difficult challenges managers encounter. This is especially true in security, where the threat landscape changes so rapidly that it’s hard finding the talent we need to help keep our companies, and by extension, the internet, safe.

Luckily, there’s a few initiatives that make things easier on us, one of which Fastly participated in March 4-6. A group of us from the Fastly security team headed out to Rochester, NY, to attend the Information Security Talent Search (ISTS) at the Rochester Institute of Technology (RIT).

table-photo

Photo credit: William James Ingalls</p>

The competition: stretching students’ abilities

This year was the 12th iteration of the ISTS, organized by RIT’s Security Practices and Research Student Association (SPARSA), a student-run organization that has been bringing together students interested in information security since 2001.

The Information Security Talent Search is one of a few security competitions in which multiple universities send their best and brightest students to compete as so-called “blue teams” against a group of industry professionals, who participate as a “red team.” The blue team is given a set of systems which they need to harden and secure, while the red team engages in offensive tactics, aiming to compromise the systems operated by the students. The ISTS is a bit unique amongst its peers as it also gives the university blue teams the opportunity to spend some time attacking systems other student teams are protecting. This year’s participants included students from Rensselaer Polytechnic Institute, Syracuse University, University at Buffalo, and many others. 

Two Fastly engineers (both RIT alums and past blue team participants) took part in the contest as part of the red team: Zack Allen, a security researcher, and Rusty Bower, security engineer on the infrastructure team.

ISTS was an impressive competition, not in the least because it’s entirely organized by a group of students. It included custom-built infrastructure, software, and even a homegrown "Bank of SPARSA" ATM. The team had put together a challenge which was very realistic, and covered a wide variety of real-life operating systems, such as Solaris, Linux, Windows, FreeBSD, and the more obscure Node OS, a lightweight operating system with a userspace entirely built with Javascript.

SPARSA-ATM

Photo credit: William James Ingalls

To stretch students’ abilities even further, the competition had a distributed control systems (DCS) angle. Each team managed a data center with a temperature sensor. When the temperature of their data center exceeded 80°F, the team’s servers were switched off to prevent fire. The sensor used the insecure but very common Modbus protocol to communicate with the process that scheduled the machine shutdown. Clearly, this became a common area of attack during the exercise. Securing this type of sensor-process interaction is a common scenario in many industries, but not something typically taught in schools.

Passion + opportunity

SPARSA invited me to give an opening speech to all the participants; I walked them through a number of major incidents, passing along ideas on how to outsmart some of the other teams along the way. There was immense passion amongst the participants — we spent at least 20 minutes discussing various questions on what it takes to work in the industry, finding great information security roles, and the greatest threats facing online services.

ISTS is a great way for recent graduates to find opportunities in the security industry. The conference was sponsored by several companies, and each of them were provided with resumes of job-seeking participants. It was also great to see many RIT alumni recruiting at the event — it’s clear SPARSA has built a great alumni community.

The fact that the next generation of security engineers is so passionate about security makes finding and hiring the very best talent easier. It’s efforts by students like these that directly translate into our industry’s ability to make the internet a safer place.

group-photo-SPARSA

Photo credit: William James Ingalls

Security

You may also like:

Author

Maarten Van Horenbeeck | VP of Security Engineering

Maarten Van Horenbeeck is the Vice President of Security Engineering at Fastly. He is also a Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting 300 members in over 70 countries. Prior to his work at Fastly, Maarten managed the Threat Intelligence team at Amazon, and worked on the security teams at Google and Microsoft. Maarten has a master’s degree in Information Security from Edith Cowan University, and is currently pursuing a Masters degree in International Relations. When not working, he enjoys backpacking, sailing and collecting first edition travel literature.

maartenvhb