Joe Stocker, CEO of a Microsoft Cybersecurity consulting company, mentors his friend Larry on his journey to a career in Cybersecurity. Larry is a 49 year-old warehouse manager who has always wanted to get into the field of cybersecurity, but never had anyone to teach him the ropes. Larry asks tons of questions as Joe patiently explains key concepts and tells stories about his 20 year career in information technology.
Episode 16 - Duane Dunston celebrates 24 years in Cybersecurity and discusses Wireguard, Internet Privacy, and Infosec Bikinis
Larry and Joe speak with Duane Dunston, an Associate Professor of Cybersecurity at Champlain College
Duane just celebrated 24 years in Cybersecurity. He is currently working towards his EdD in Education. Larry and I learned how incredible Duane is! Among his many accomplishments, he volunteers as a security consultant with International Association of Human Traffickers and Investigators. He's working with Champlain students to develop technologies to facilitate the identification of trafficked victims. Duane is currently working on a cross-platform and mobile app to help identify victims of human trafficking. You can buy Duane a cup of coffee here: https://www.buymeacoffee.com/thedunston
00:00 Larry and Joe listen to Duane's story of how he got into Cybersecurity, after growing up in a Group Home, he earned a college degree, and then got into tinkering with Log Analysis and worked his way through Graduate school as a janitor. He helped maintain the computers and shortly after became a Unix administrator. He didn't have an easy road, but he is perhaps the best example of what the Information Security community stands for.
4:50 Wireguard VPN and Duane's contribution with Nowire
check out his NoWire Github repo here: https://github.com/thedunston/nowire
11:15 Is Internet Privacy Possible?
19:53 Duane’s presentation at GrimmCon: “Cognitive Science Aproach To Teaching Cybersecurity Education”
20:15 Should Veterans spend their GI Bill on College Degrees or Certs to get their first job in Cyber?
Duane recommends Security+ Certs and to supplement it with the TryHackMe platform.
It requires no home lab equipment so it helps those that have financial constraints.
22:30 Can someone go right into Pentesting?
Duane says you must have a base level of understanding of Networking, Windows and Linux administration.
23:00 eLearnSecurity Junior Penetration Tester (eJPT)
23:50 Duane discusses how the OSCP Cert from Offensive Security is more difficult for people who struggle with self learning.
26:00 Duane explains why he does not subscribe to the fatalistic “everyone will be hacked” mindset, and how SolarWinds is the worst case scenario of a Supply Chain compromise.
30:50 Why it is so difficult to detect cobalt strike beacons
32:45 Duane says the fundamentals are necessary: anti-malware, anti-phishing, and application control (allow-listing).
34:00 Web Browser sandboxing with Application Guard
35:15 Weakness of application control is when exclusions are set, malware an remain undetected when hiding in those exclusions
36:50 Host level detection is important because network traffic is encrypted in SSL
37:40 Philosophical Discussion on why Ransomware attacks are on the rise
39:00 Duane discusses his volunteer work with 1) using Augmented Reality to help train people in construction and 2) helping with the problem of human trafficking
44:35 Larry asks Duane a tough question: What is your driving motivation? You keep learning even after being in 24 years in Cybersecurity (Duane just got his MITRE Attack certification).
Duane's Ted Talk can be viewed here: https://www.ted.com/talks/duane_dunston_the_answer_to_cybersecurity_threats_middle_high_schoolers
Duane spoke at The Diana Initiative 2021; a two-day conference to elevate, inspire, and support women/non-binaries of all races, cultures, and backgrounds through every stage of their information security career with education, collaboration, and resources. https://hopin.co
Episode 15 - Dr. Cody Buntain "Humans are the weak link in cybersecurity - let's do something about it!" #Cybersafety
Dr. Cody Buntain (@codybuntain) is an Asst. prof in the Informatics Department at New Jersey Institute of Technology. He researches how people engage politically online, especially during disasters and times of social unrest, and how coordinating actors behave and information flows across multiple platforms. He has a Postdoctoral Fellowship for the US Office of the Director of National Intelligence (2016-2018), and a former research scientist for Raytheon. Learn more about Dr. Buntain here: http://cody.bunta.in/
#crisis informatics #online political engagement #disinformation #information quality #real-time summarization #weak supervision #text mining #machine learning
1:45 Larry asks Dr. Buntain: How can a person get into cybersecurity when they don't have prior job experience?
"If you have a background in IT, then consider pursuing an undergrad degree in cybersecurity or a graduate degree'
"if you have no background in IT, then start with a cybersecurity bootcamp to gain technical skills first."
3:00 to 10:00 Tough Cybersecurity Interview Questions
When you want to get into cybersecurity, it’s important to have a home lab where you can practice and then you can speak to that during an interview
Difficult interview questions, like Elon Musk's favorite: "“You're standing on the surface of the earth. You walk one mile south, one mile west, and one mile north. You end up exactly where you started. Where are you?”
11:00 Why humans are still the weak link in cybersecurity
how do we help people be more secure users on the internet
socioeconomic factors to cyber safety
16:20 Is there enough incentives for large private companies to secure against breaches, when insurance companies cover their losses, and breaches are not mandatory to disclose?
19:30 Tesla employee bribed with a million dollars to plant ransomware by a Russian
21:00 Insider Risk
24:15 Discussion on Supply Chain Attacks- like Kaseya
27:00 The supply chain risk is not new - example from the cold war. Conclusion: It comes down to trust, which is a decision of weighing risks.
28:15 Is Nationalism inevitable to avoid supply chain compromise?
29:00 Dr. Buntain discusses the #1 problem in cybersecurity today: Phishing and Humans being the weak link. It's about persuading employees with the "why" not just the policy enforcement.
Episode 14 - Daniel Rose discusses Cybersecurity Unicorn Job Descriptions
[Update 7/6/21: Daniel has accepted a job in cybersecurity! Congrats Daniel!!]
Larry and Joe invite special guest Daniel Rose on the show to discuss his efforts to obtain a position in cybersecurity. Daniel grew up placing Ice Hockey and served his country in the US Navy, and served his community in law enforcement before transitioning to IT for the past six years. He has Linux and Security+ certifications and is open to full time employment offers now. Listen to the show to learn more about Daniel's background.
00:00-02:15 Special guest Daniel Rose shares his experience encountering crazy job descriptions like this entry level position: "Must have 5 years experience and former CISO preferred?!" Larry and Daniel discuss how these “unicorn employee” job postings can be frustrating for people looking to break into the cybersecurity field.
02:15-3:15 Larry recalls a conversation he had with an IT Architect who told him having passion for cybersecurity is the most important thing
03:15-05:00 Daniel shares about when he first transitioned from a career in law enforcement to IT. It all started when he took a digital forensics workshop. He then found a computer hardware position and then web/software development.
05:00-08:00 Daniel shares stories about how his passion and drive has helped him overcome challenges in life, including an inspiring story when he served in the US Navy. If you really want to do something - stick to it!
08:00-12:00 Daniel shares tips with Larry on studying for the Pentest+ and Security+ Exam.
12:00-13:30 Daniel explains what TryHackMe.com is all about.
13:30-14:45 Daniel explains what it takes to get a new account in https://HackTheBox.com
14:45-15:30 Daniel talks about https://CodeAcademy.com
15:30-16:05 Daniel recommends that Larry get into Python as his first cybersecurity programming language
16:05-18:43 Daniel recommends https://RangeForce.com and talks about how it helped him gain hands-on experience with PowerShell, Intrusion Detection Systems,
18:43 Daniel talks about https://CyberDefenders.org ; a blue team training course to learn Splunk and reverse engineering malware
20:45 Joe talks about how Marcus Hutchins used his malware analysis skills to find the kill switch that stopped WannaCry ransomware from spreading worldwide in 2017. Learn about Marcus's story here: https://en.wikipedia.org/wiki/Marcus_Hutchins
22:20 Larry talks about the Microsoft MSSA Academy https://military.microsoft.com/programs/microsoft-software-systems-academy/
26:10 Daniel talks about his experience using EDR to investigate ransomware and how he created a watchlist of task scheduler changes to hunt for Indicators of Compromise (IOC)
29:00 Larry ties together how incident response requires skills with forensics
30:00 Daniel talks about how he used the Jason Dion Udemy course to prepare for the LPI Linux course https://www.udemy.com/user/jason-dion/
31:50 Daniel shares his tips with Larry on studying for Security+
35:00 Larry shares an update on his career search
Get in touch with Daniel Rose on LinkedIN at https://www.linkedin.com/in/dani3lr0se/ or Twitter https://twitter.com/dani3lr0se or his website www.CyberSecDan.com
Episode 13 - Larry has a big announcement and shares his future plans
It has been about five months since we last checked in with Larry's progress in school, so in this episode he has a big announcement to share.
Joe then recaps what has been happening in the world of cyber warfare including SolarWinds, Microsoft Exchange Ransomware #DearCry, and the F5 pre-authentication RCE.
Episode 12 - Catching up with Larry
People are asking how Larry is doing, so this episode is focused on catching up with Larry and his journey towards a career in Cybersecurity.
TL;DR As of 10/25/2020, Larry has 12 weeks left in school and he is open to immediate placement for an entry level cybersecurity or help desk role. He lives in south Orange County, California and can work remotely as well. Connect with Larry on LinkedIN (Click here to Connect with Larry).
Larry is attending an online school called MyComputerCareer where he is studying for the following Certification exams:
Microsoft Security Fundamentals
Microsoft Server Fundamentals
Microsoft Networking Fundamentals
Larry also recommends:
00:00 Catching up with Larry
5:25: MyComputerCareer offers Job Placement after 6 months. Out of his class of 113 students, half of them have already been placed in jobs!
8:24: Joe gave Larry "The Hacker Playbook" by Peter Kim, because it uses analogies from football (Larry was a professional football coach)
10:43 Joe talks about the pivotal moment in his life that caused him to attend a computer school at night while he earned a college degree during the day
13:13 why is technology interesting to Joe, and how he needs a challenge. Joe would be too bored in a routine and competitive job.
17:16 how hackers can target you individually to your phone
19:40 to 22:00 Larry shares a story about how 80% of people don’t update their phones because it is a hassle.
23:24 to: 26:00 Two major motivations hackers have for targeting individuals
26:00 Instagram Cloning
30:00 Larry’s plan: 12 weeks left in school, then find a company who is willing to give him a shot. His goal is to be a penetration tester or digital forensics.
Episode 11 - From Fast Food Manager to NASA Cybersecurity Analyst
Kris went from making burritos in an American chain of fast casual restaurants to become a general manager by age 19 before giving it all up and starting a new career in Cybersecurity, where he is now guarding against cyberattacks for NASA. It all started the day Kris took a 10 minute break before starting a 12-hour shift at a fast food restaurant. He had just worked 200 hours over the previous two weeks! During the break, he stumbled on this Reddit thread about the Stuxnet worm which sparked his interest in cybersecurity.
Soon after he witnessed one of his managers achieve their dreams after attending Year Up, a non-profit offering one-year intensive training program. Kris joined the cybersecurity program and we discuss his transition from that training to his current role as a cybersecurity analyst at NASA.
Here are the resources that have helped Kris:
1. Lesley Carhart's blog post on how to start an infosec career 2. Productivity timer 3. "Atomic Habits" by James Clear 4. Dare to Lead by Brené Brown 5. Terminus 6. OverTheWire War Gaming 7. Certification Overview Graphic 8. Cybersecurity Overview Mind Map
Great lessons at a level beginners can understand!
Really interesting podcast with Joe and Larry sharing their lessons in the growing Cybersecurity industry.