University of Virginia computer science students are well known for their two consecutive national championship titles for countering cyber attacks. Now they are putting the University on the map for another important dimension of cybersecurity: preventing attackers from getting access to critical systems in the first place. UVA Engineering's student team prevailed over nine other teams to win theNortheast Regional for the Inter-Collegiate Penetration Testing Competition, held at Pennsylvania State University Oct. 11-13. UVA ÂÂadvances to next month's national event in Rochester, NY. Teams competed on skills on the offensive, rather than defensive, side of cybersecurity. From Virginia, only UVA and Virginia Commonwealth University participated. VCU came in third. UVA's team, which competed for the first time, was led by team captains Maggie Gates, a first-year graduate student, and Jake Smith, a fourth-year student. UVA's team successfully conducted a security assessment for a fictional bank, testing all information technology systems — including company website, e-commerce portals, partner institutions, and employee social networks — for security vulnerabilities. The team also provided the bank owners with a summary of findings and recommended security enhancements. Gates attributes UVA's win to the dedication and hard work of the entire team, each of whom spent a lot of time in and out of practice learning and working on their skills. “Throughout the competition we maintained our focus, dedication and camaraderie. There is no doubt that our commitment to the competition as well as to each other was a huge factor in our success,†she said. Besides Gates and Smith, competing for the team were fourth-year student Michael Benos; third-year students Calvin Krist, Daniel Chen and William Tonks; second-year student Jack McDowell; and first-year student Paul Vann. Jack Davidson, professor of computer science, advised the team. The competition was divided into two components over two days. First, the team spent a full day conducting a cybersecurity assessment to detect the company's networks were vulnerable to attack. One vulnerability the team located was personally identifiable information that included fictitious Social Security numbers exposed in a plain-text database. The team then worked through the night to produce a 50-page penetration testing report, which was a summary of detected vulnerabilities and recommendations on the best ways to put remedial security measures in place. “The team's communication and professional skills helped us stand out,†said Gates. “Our ability to spend nine hours in a room deep in the technical weeds and then spend another eight hours producing a well-written and formatted report is a challenging context switch, but it is one we have been prepared for by our education at UVA.†UVA won theNational Collegiate Cyber Defense Competition in 2018 and earlier in 2019, and this Collegiate Penetration Testing Competition victory points to UVA Engineering's strengths on the other side of the cybersecurity equation - offense. “Having a lot of experience in cyber defense was a great advantage to us in the competition,†said Smith, who was also a member of the national championship team. “Experience in cyber defense makes it easier to understand how bad actors could try to exploit a system.†Smith, like Gates, also feels his team's communications skills were a competitive edge. “A big part of this competition is based on how the findings and resulting recommendations are communicated.†Gates and Smith said they are grateful to Davidson, their faculty advisor and coach, for his support and advice in getting ready for this competition. Both also thanked UVA Engineering'sComputer Science Departmentfor providing the necessary support that allowed them to not only compete for the first time, but to win. The goal of the competition was to create a real-world scenario for the students to practice their cybersecurity and penetration-testing skills. Cyber offense competitions like this one directly test a team's understanding of how things work, knowledge of why systems function the way they do, and their skill in assessing the overall security of a network. The competition is a way to “test and assess a contestant's proficiency in the field of computing and cyber security,†according tothe competition's website. “Teams are judged not only on their technical skills, but also their ability to effectively communicate their findings to company executives. I was extremely impressed with the professionalism of our team and their teamwork in producing an outstanding report in such a short time,†said Davidson, who is also director of the Computer Science Cybersecurity Program and co-director of theUVA Cyber Innovation & Society Initiative. “We are very proud of these future cybersecurity leaders and wish them the best of luck in the upcoming national competition.â€