Imagine you’re registering for classes, and you can take one of two courses about locks.
The first class would teach you everything you need to know about building a lock secure enough so no one can pick it. The second class will teach you how to pick locks—even the secure ones.
Which one would you choose?
That’s how Chris Spehn describes the lure of computer hacking and, inversely, cyber security. It’s a world Spehn has explored since he was a kid, long before he ended up at Illinois State’s School of Information Technology. Now, what started as some online-gaming mischief with his brother a decade ago is leading to some big things for Spehn, a senior in the Information Assurance and Security sequence within Information Systems.
Two weeks ago, Spehn won the 2012 National Cyber League (NCL) Championship, topping 30 other finalists from colleges across the U.S. in a federally funded series of cyber security competitions. They were given 25 challenges, or “flags,” in Web exploitation, cryptography, log file analysis, and other fields—tricky tasks that were left unsolved from three preliminary rounds of NCL competition.
“The reason why I like it is it’s challenging,” Spehn said. “There were so many times that I had no idea what to do, where I’d just be Googling aimlessly. It’s like following a trail of bread crumbs.”
For Spehn, that trail started in third or fourth grade growing up in Freeburg, Illinois, outside St. Louis, when he learned how to load up DOS games, long before Xbox or PlayStation. As gaming moved online, he and his brother picked up new skills, eventually dabbling in cyber security issues before he could drive.
After high school, Spehn enrolled at a special technical school where he was introduced to what’s called “penetration testing,” or pen-testing. Think of it as ethical hacking, something a credit card company would pay to have done to itself first so that a maliciously intentioned hacker can’t do it later.
He was intrigued.
“Pen-testing is the sexy part of security,” he said. “Defense is just not sexy.”
At a crossroads between taking a job, going back to school, or joining the military, Spehn enrolled at Illinois State in spring 2010 because of its IT security sequence and affordability.
After his first semester, he got to work on a pet project called Project iX, where he essentially installed his own customized mobile operating system on an iPhone using Linux. That project got some attention and helped Spehn land an internship at Discover, becoming the financial services firm’s first security intern in summer 2011. (Spehn interned for Discover again the following summer, working on the pen-testing team.)
Around this time, Spehn and another student started ISU Sec, for students interested in information security, hacking or anything IT. The group drew only a handful of people to its first meetings, but these days ISU Sec’s Wednesday night meetings can bring in up to 30 students. Spehn is ISU Sec’s president.
School of IT Associate Professor Glen Sagers later told Spehn about the National Cyber League, which was formed in 2011 with funding from the National Science Foundation and other organizations.
This fall, Spehn was one of 264 participants in three stages of competition taking place online during three-hour blocks of time on three Saturdays. After those three rounds—Web security, logfile analysis, and cryptography—Spehn was ranked third out of 61 participants in the Midwest conference.
That put him in the championship round on December 1, where the 30 finalists spent three more hours going after 25 “flags” worth a total of 45,000 points. Spehn won with 12,000 points, his key flags earned in the Web exploitation stage. It took him a while, but Spehn worked out that the crux of the challenge (in layperson’s terms) was to do the reverse of what most everyday Web users do—put a file with the data he specified onto a server, instead of just pulling files down.
“I was surprised more people didn’t solve this challenge since all I really had to do was upload a web shell, look at files, download files, and decrypt them,” Spehn wrote on his blog in a post titled “How I won the NCL 2012 Championship.” In the end, Spehn collected nine of the 25 possible NCL flags.
Spehn, 24, now expects to graduate in December 2013. He said the connections he’s made through Illinois State have been key. An Illinois State alum who works with the SpiderLabs advanced security team at Trustwave, for example, reached out to Spehn after he won the NCL about a possible job interview.
He has a standing job offer from Discover already, and he’ll do another internship next summer, possibly at a security company. When asked about his dream job, Spehn says that he always thought it would be running his own consulting company, but recently he has been thinking about working for a security consulting firm with a built-in list of solid clients that lets him travel and “hack a bunch of different companies.”
Ryan Denham can be reached at email@example.com.