ITSO Team attending a seminar
A new penetration testing program run by the IT Security Office is helping departments be proactive about cybersecurity. Photo courtesy Brad Tilley.

Keeping the university's computing systems, networks, and people safe from cyber threats requires having robust defenses in place. These range from minimum security standards, to network firewalls and endpoint detection software, to solidly built websites and software.

Just as important is ensuring that our defenses hold up against attacks, and that is where the IT Security Office (ITSO) Red Team comes in. Led by Director of Security Architecture Brad Tilley, the ITSO's Red Team tests Virginia Tech's systems and networks by employing tactics similar to those of a cybercriminal to expose vulnerabilities. The goal is to find and fix these vulnerabilities before bad actors have a chance to cause harm.

During FY 2023, the ITSO Red Team focused on two programs that helped to identify issues and improve Virginia Tech's security stance at the department and community levels.

New penetration testing service provides customized testing to departments

In November 2022, the ITSO Red Team launched a new cybersecurity penetration testing service for the university community. This on-demand service goes a step further than a traditional vulnerability scan, using customized tests and scanning tools to identify potential vulnerabilities and security problems with specific operating systems, application software, and network configurations for a department.

Upon a department's request, the Red Team tries to exploit any weaknesses found in university applications. Additionally, they use special vulnerability scanners to confirm the severity of an issue; these scanners help the Red Team identify the best course of remediation to address vulnerabilities rapidly and effectively. By acting in a safe, controlled environment, the ITSO is able to dig deeper into vulnerabilities and therefore can provide a stronger solution.

As of October 2023, the Red Team had completed 19 penetration tests on various university departments and applications. 

Bug Bounty program pays off — for participants and the university's cybersecurity

Launched in 2021, the ITSO's Bug Bounty program has expanded the ITSO's efforts to reduce vulnerabilities in Virginia Tech's systems while offering a way for Virginia Tech students, faculty, and staff to hone their own red-teaming skills.

Through this program, registered participants (a.k.a. "bug hunters") have permission to attempt to hack into certain university domains, and then report any potential vulnerabilities they find. Bug hunters can receive a monetary reward for confirmed bugs they find and report.  

It's been a win-win for the ITSO and the Virginia Tech community. Searching for vulnerabilities can be time-consuming, and with a relatively small staff, the ITSO Red Team benefits from the extra bandwidth provided by the program. Bug hunters not only have a monetary incentive but also gain hands-on experience while serving the university. And, with more vulnerabilities identified and repaired, the entire Virginia Tech community benefits from more secure systems.

To date, 43 bug bounty reports have been submitted through the program, with four of these rated as critical by the ITSO. Thanks to the efforts of Bug Bounty Program participants, these vulnerabilities were removed as quickly as possible.