Mission: Possible – Breaking Into the World of Competitive Cybersecurity, One Hack at a Time
Sometimes, adrenaline runs high.
Competition is down to the wire, with just minutes remaining when the solution strikes you. You race to decode a cryptic image and spend the last 30 seconds hastily deciphering Morse code while your teammate enters it as quickly as his fingers can type.
Other times, it’s 3 a.m., and you realize you’ve been staring at the same piece of code for eight hours.
Such is the nature of cybersecurity, and Josh Connolly loves it.
Josh, who will graduate with a computer engineering bachelor’s degree in May, is president and founder of FITSec, Florida Tech’s cybersecurity competition team.
When Josh enrolled at Florida Tech in 2016, he assumed a cybersecurity team already existed at the university. It didn’t.
“I was disappointed, and I thought, ‘Well, if there’s not an organization already, there needs to be one,’” Josh says. “I had never competed before. I had very little technical ability, and I never really wanted to lead an organization—it has never been my style—but I recognized the need and decided, ‘Let’s do this.’”
In 2019, Josh created FITSec with a group of three or four of his computer engineering peers, atypical for cybersecurity competition teams, which usually consist of computer science students.
In the beginning, they would meet twice weekly for a lesson Josh created based on the type of competition—capture the flag (CTF), penetration testing or cyber defense—that would be coming up next.
Josh quickly recognized the need to hone the team’s focus on just one competition type, deciding on CTF due to its more transferable skill set and greater competition frequency.
In CTF competitions, teams or individuals complete as many of the posed challenges as possible in an allotted time frame, usually 48 hours. Challenges incorporate topics like open source intelligence, cryptography, log analysis, network traffic analysis, enumeration/exploitation and more. After completing a challenge, competitors retrieve a “flag,” which they then turn in for points. The team or individual with the most points wins.
“In the beginning, it was rough because we had no idea what we were doing. Our goal was just to not get last place,” Josh says. “We might spend 10 hours on a single problem, but we would learn things that would help with the next competition.”
This baptism-by-fire approach worked for FITSec, judging by the titles and trophies the team has racked up, including several top 10 placements, first place at the 2020 U.S. Cyber Challenge regional qualifier and eighth place at the National Cyber League Competition, where more than 5,000 students competed and Josh placed third individually.
In just two years, FITSec has grown to about 30 active members and has participated in more than 30 competitions of varying size, difficulty and scope. Members have traveled to places like Augusta, Georgia, and Argonne National Laboratory in Chicago. They’ve competed against fellow college students and cybersecurity professionals alike, and in summer 2020, they participated in an international competition in which they hacked an actual functioning satellite.
“It’s been fun,” Josh says. “Stressful, but fun.”
Before coming to Florida Tech, Josh spent eight years in the U.S. Army, achieving the rank of sergeant before completing his service in 2016.
Josh got his first taste of the cybersecurity world while serving as a satellite communication systems operator-maintainer with the 10th Special Forces Group in Colorado. It was there he met Dr. T.J. O’Connor, Florida Tech assistant professor, or as he knew him at the time, Major O’Connor.
Also serving with the 10th Special Forces Group then, Dr. O’Connor was giving a brief about cybersecurity.
“I thought ‘Oh great, another one of these,’” Josh says. “But he talked about all this cool hacking stuff. I went home and started playing on my computer and looking into all of these different technologies. It’s really where my journey began, and it was just complete coincidence that Dr. O’Connor ended up being at Florida Tech.”
Dr. O’Connor now serves as Florida Tech’s cybersecurity program chair and as FITSec’s faculty advisor.
“It’s like the NCAA tournament for cybersecurity students,” Dr. O’Connor says. “The thing that’s most important to me as a faculty member is education. So, any alternate means of education that can excite students who wouldn’t otherwise be excited, or take students who are somewhat excited and force them to dive deeper into a topic by themselves, I absolutely love.”
Having joined Florida Tech’s faculty in 2019 after 20 years in the military, Dr. O’Connor focuses his research on two areas: cybersecurity education and internet of things (IoT) security of household items.
In his IoT Security and Privacy Lab, he and his students have conducted experiments on smart home products, like speakers, doorbells, backdoor cameras and more, finding their vulnerabilities and actually hacking into them. Then, instead of using the access to harass, intimidate, stalk or hurt people like malicious hackers do, Dr. O’Connor and his students notify the vendors and even suggest means of improvement when they can.
“I think we’re at kind of a crucial point, where there are a lot of things that are coming into our houses—everything from the scales people use to the coffee maker to the garage door opener to the lock that secures our house to the camera system—and we’re embracing a lot of these things without once looking at them,” Dr. O’Connor says.
In some cases, these experiments have proven lucrative, with students receiving fairly substantial monetary awards from grateful smart home device vendors.
This hands-on approach with real-world application ties into his second area of research: education.
In addition to developing ways to make cybersecurity education accessible to diverse groups of people, and at a younger age, Dr. O’Connor’s research aims to get students excited about and prepared for cybersecurity careers.
“Computer security is a hard thing to study, and there’s a lot of time spent changing a one to a zero and a zero to a one, and it can be fairly boring,” Dr. O’Connor says. “But I think students are finding that there’s a lot of fun to be had in attacking devices. And as a professor, I’m really excited to see that they’re learning the fundamental concepts at a quicker, faster rate, and it’s being reinforced by the enthusiasm of studying consumer devices.”
Such is the methodology of the courses he has created for Florida Tech’s cyber operations concentration.
Established in 2020, the cyber operations concentration builds upon the computer science bachelor’s degree program by adding six courses focused on tools and techniques for investigating, analyzing and responding to cyberattacks.
The concentration is part of Florida Tech’s efforts as a National Security Agency (NSA) Center of Excellence for Research, a program managed by the NSA’s National Cryptologic School.
“The concentration introduces you to different cybersecurity concepts, basically giving you knowledge of the tools you’ll be dealing with and how they work through hands-on engagement,” says Liana Villafuerte, one of the first two students who will graduate with the concentration in May. “Dr. O’Connor made this his baby because he wants students to understand how fun cybersecurity can be.”
Liana chose to major in computer science her freshman year because of her lifelong interest in gaming. But after taking Introduction to Cybersecurity, she quickly changed course.
“I just fell in love with it,” she says. “Every lab is a challenge. But it’s a good challenge—one where you’re like, ‘Oh, I want to beat this.’”
Although not a FITSec member, Liana competed in her first cybersecurity competition in February. At the women-only CTF event, where she competed against thousands of cybersecurity industry experts, she felt prepared.
“The courses in the cyber operations concentration definitely contributed to everything I was doing,” she says. “Before Florida Tech, I knew little to nothing about cybersecurity—I just knew it was a thing and involved protecting a computer, but I didn’t know how in-depth it worked. Everything I’ve learned in class applied to this CTF and more.”
Her coursework has already paid off in the real world, too. In fall 2020, an essay she wrote about reversing the internet of things for her Introduction to Cybersecurity class helped land her an internship with ICR Inc.—an opportunity that has since turned into a full-time job offer.
“Watching students excel is the fun part of being faculty—and we’re only getting started,” Dr. O’Connor says. “It has been super cool to watch them gain confidence in themselves and to realize that they are strong individuals. They have all the necessary skills; they have a great education; and when they put it to work, they can compete with the best of them.”