 Back to the Cyber Underground, I'm your host, Dave Stevens, and today we're going to find out the tricky how to get into the cyber security industry. Most people think you can't do this, this is too hard to train, you've got to go on the web, you've got to look something up, you've got to read a book or two or seven or eighteen. But then if you want to do this for a living, how do you actually get the education in an economical manner to actually go out and get the certification to get the job? What's the process? How do you get the money to do it? Today we have our exceptional co-host, Andrew, the security guy, and our award-winning student, Nathaniel Winks. I wanted to point out before Dave gets rolling here that there's two sides of this fence you can get on. You can get on the dark side of this fence with relatively little education and an email account and a little bit of onion router and golden nuts, right? Or you can go the right way, which what we're trying to convince people to do is to stay ethical and stay white-haired and help us all with this problem. Hopefully they will, but you're there to combat the people that don't do it that way. Right. That's what we're working on. Hopefully, so yeah, there's two sides of that coin, and it's always going to be that way, right? So, a little bit about you, first of all. Yeah, give us some background. Yeah, background and stuff. Where are you from? How'd you get here? What's that shoes? That's too long of a story. No, but I'm... You said no, I think. No, it's just flat out. I'm from Alabama, so... That's okay, we like it. So sorry. You're from Alabama. I did, and he still likes me. No, so yeah, I'm from Alabama. I've moved to Hawaii about four years ago, and the last couple years I've been at KCC, had pretty good professors there, you know. Oh, that's a great... That's to get a great pump there. Thank you very much. Thank you. But I went there for IT, and then, you know, I started doing the research on what was the shift, you know, in the field. You're doing trending analysis right now. Yeah, I mean, and you could not deny what was going to be hot in the next couple years. And so, I switched to the ISA route for security. That's information security assurance. Awesome. And what was your plan? Did you have a plan, or did you just switch to the classes and started taking classes? I'm still winging you. What were you taking before then? So, I had actually gone to school before, and that was just, you know, gen ed classes. But this time, going in, I knew that I was going for IT at the very least. So you had a goal this time. Yeah, so this time I stepped in, and you know, I was taking classes, OS hardware classes, and things like that. And, you know, that was really interesting. And then, you know, just through research and through, you know, it was Hal. Actually, I was talking about this stuff. I, you know, I just learned that that was probably my best bet to get the most out of this career. So you're talking about Hal Cochran. He's our networking instructor, and he also teaches cybersecurity fundamentals at Capulani Community College. So those courses were provided because of curriculum development paid for through a government grant. It was a federal grant. In 1974, they created this trade adjustment assistance grant. In 1974? In 1974. So that was to help people that were getting worked out of a job and changes in technology and the economy. And they had to adjust and retrain and get into another career field. It's going to happen with Cole very soon here. Somebody's going to have to tell those guys, Cole's going away for the most part. You need to get into another career. And that's what this grant was actually originally for. In 2004, in 2009, President Obama and Uncle Joe signed a little bill extending that, all the trade assistance adjustment career college, Community College Career Training Act, and they gave a whole bunch of money to a whole bunch of states. Most of the money, by the way, went to Illinois. Imagine that. Because of all the coal miners? That's where the president was from. Oh, because of Chicago? Yeah, because of Chicago. And the second largest funds actually came here to Hawaii. Really? Imagine that. And then in 2015, and it was for a number of fields, but in 2015 it was to support two specific fields, healthcare and cyber. So we got about $5 million bucks to put into cyber education by the equipment for training and create curriculum. And this is specifically for the community colleges. Oh, I see. So entry level stuff. Yeah, first two years. And we want to get people from absolute zero to where they can make a decision, do I want to enter the career field now as a cyber technician, or do I want to get my bachelor's or go on? Actually, Manoa, the main campus of UH, has a PhD in information insurance. And you're going to go for UH West O'ahu Information Assurance Bachelor of Applied Science. Yes. Which got created without this grant. So we created all these courses and then UH West said, oh, well, we'll just tack on out of the two years, which is great. And that's run by Matt Chapman, who used to run a cybercom here up at Camp Smith at Pacific Command, right up here in Halaba. So yeah, he's moving on to that. So that's how we got the money and the curriculum to do this. And then I don't think we did much advertising. So I was really curious how somebody chose to get into the cyber arena because we made a system of courses to give you a cybersecurity certificate of competence or achievement based on how many units you got. But if you went for the achievement one, you also got your associates of science and IT as well. Yes. Yeah, on the way. So the courses actually, it's, you know, you get double credit. Right. It's kind of nice. Oh, yeah. So tell us more about your experience. I mean, you talked to Hal, Hal said, hey, security is a big one. Yeah, so you guys already had me. Like, I didn't come in because of the grant. Like, yeah, I was already in for IT. But, yeah, I mean, it was, it was really just the trend analysis that got me into that. But, you know, when I was, I was already taking like networking class, already taking the OS hardware class. And I think that a lot of students should, you know, regardless of whether they go into security or IT route, whatever, you know, put in the extra time and try to get the most out of it. So it's not just, you know, the certifications, whatnot, but it's, you know, the labs that you guys set up. So I think that's through the tech grant. You said that. Yeah. So we set up the NetLab environment. I think you're talking about that. Right. Most of the labs are done in NetLab. That's a virtualization environment. They're little sandboxes that you get to go and do these experiments. They give you instructions, go attack this computer, go forensically analyze this computer, see what happened and where, where's the malware. There's no capture of the flags, though. We got to add that. Right. Actually, tomorrow I'll be doing a capture of the flag. So who's captured the flag? How you doing? So it's going to be at West Oahu. So the hats team has got that one set up over there. That's the Hawaii Advanced Technology Society from Honolulu Community College, which is probably the premier team here on the island. It was started two years before TAC even came up. Yeah, Jason and his crew. And this is from Aaron Tanaka at Honolulu Community College, started this little crew. And they're heavily aligned, of course, with the Pacific Center for Advanced Technology Training, that and UH West Oahu. And they're quite a team. They do some amazing. They win a lot of competitions. They win a lot. Yeah, they do. They do the National Cyber League, the NCL, which is a bunch of sandboxes. Everyone signs into their own sandbox and tries to solve problems, right? And score. How'd you do last time? You competed, right? I competed. I was doing pretty good on the early stages. Toward the end, when we had the finals coming up, there was a little less focus on the NCL. So, yeah, I mean, the finals went well, not so much with the NCL. But we had another team at KCC that did quite well. They were top 10 in the nation. Wow. That's amazing that we even score with the mainlanders. Yeah. And I think it's important that many people don't realize that we're way, way out where the furthest west and furthest south state in the Union, because we're on the same latitude as I think the Alhara Mexico, Central Mexico, but we're on the edge of the Pacific Rim where not everybody likes this. So we should be robust in cyber, right? And it's nice to know that we're actually competing at that level. I think what's coming to the workforce is going to be valuable. I think we're going to have to work to keep them here, to keep them engaged and helping us because we're going to have to bring the wages up for these kids. The needs there, it's big. How many have come through the program to date? Just on this island, we have over 220, I believe. Awesome. We've come through this program already. Our goal was 400 students. As far as I know, by the spring of next year, we will meet that goal. That's system-wide. We have seven community colleges. So those are like two-year degree? Not all of them are certificates. They're certificates of accomplishment or, sorry, certificate of competence, which is 12 to 15 years of nothing but cyber. So they could go out and begin to help out anyway, probably on the defensive side, monitoring or helping to set up tools for trapping. That's perfect for the working profession. He wants to shift a career really quickly. So someone who works for HMSA and he wants to change the department over to the cyber operations, he can come and take 12 to 15 units, get that competence certificate, and that's enough to get you into that arena. That's awesome. It's all you need. Certificate of achievement, though, 30 to 36 units depending on what campus you attend. And then you also get your associates to be usually along the way. And when you do that, you also get professional certs, right? What's the professional certification that you just got? So, yeah, related directly back to this last semester, I went ahead and took the certified ethical hacker. Awesome. Yeah, so it usually has this requirement for experience, two years. In the field? Right. And for students that can't get that in this short period of time, you actually can pay for some really expensive training, like $2,000 more than that. Or you could take a class and we use the official EC Council books. Okay. So it counted as training. Awesome. And then you were able to take the test, but you are actually even able to take it at a discount. So, I mean, not only are you getting out of the crazy $2,000 training, but you actually got to take the test. And the experience waiver as well. Yeah, right. Which is good. It's a barrier to entry to the workforce. Sure. Not having the experience, but needing the experience. It's catch-22. It's been forever. A lot of people talk about that, how people show up and they've got certs, right? And so, I mean, realistically, I think the owners out there, you're going to have to be prepared to train for what you need. People can bring basic skills to the table, the people that you're going to hire, but you're going to have to be prepared to engage them. Don't just send them loose. You know, oh, yeah, here, go help me. Oh, really? Right. You got to have a plan for that ongoing training. I hope more and more of the organizations here will continue to fund maybe that future education that next couple of years or that next cert, the CISSP or the CompTIA Security Plus or whatever it may be that can help these kids continue to grow into that organization. Here, there's a lot of competition because it's so small. Right. Everybody wants to be pumping another 100 grand into the annual. And then he goes over to my competitor. That's right, yeah. And so, that's always a concern in Hawaii, but we've got to sort of get past that because the need is going to be so great. It's great. You know, our data's being taken, our intellectual property's being taken, our PII's being taken. And so, we're just going to have more eyes, you know, watching the house. Right. And that's... A lot of vendors are getting on board with this now. So, the people that bundled the books, it's a provider called Cengage. They do textbook. And you paid a fortune for your books. There's four smaller books. Yeah. And the students were forced to pay $370 per book. No, for the bundle. But this next semester, not only are we taking it from eight weeks to 16 weeks to get more practice, but the vendor has said, we'll give it to you in e-text for, I think $100? Oh, it's time for me to sign up. For the whole thing. And you get $100 off the test. So, it's basically free. That's awesome. Sorry, man. You're the experimental model. That's okay. We got you through the guinea pigs. Have you been working while you're going to school? So, I did an internship this past semester with Haitekui. Awesome. Yeah, yeah. Really great people there. Sure. But apart from that, I've been turning things down to focus on finishing this education. School. Zero percent unemployment in cyber. Yeah. Yeah, you write your own... Yeah, I can see why. I mean, you know, you go to these events where you have these different employers that are interested in these smaller pool of potential applicants. Mm-hmm. And they're already telling you, if you can do this, we'll bring you in for the interview. Mm-hmm. And when you're a poor student, it's very tempting to just... That pool away. Yeah. Are the classes only available during the day? Or can they go to night school and work a day shift? They're mostly available during the day. So, you'd have to work a second shift somewhere. Right. Of course, you're exhausted for school. Sorry. No, Maui Community College offers these all online. Is that right? You can do the whole thing online. And Phoenix as well. I mean, some of these other schools actually have. I know we're talking about UH, you know, but, you know, there's other... Yeah. Well, Maui would give you the rates that you pay. It's about $126 a unit. Wow. It's one of the least expensive ways to actually break into this and get some certified education that people will take. Mm-hmm. It's a really great way to break them apart. Beyond... So, how do you think that compares to, like, you know, CompTIA and SANS and, you know, some of these other types of... Well, some of the courses we teach are geared towards CompTIA's test. The first thing you took was the 122 course, Cybersecurity Fundamentals. I actually took networking first. You took networking... So, you did network plus? I did network plus. Okay. After that course? And then I did A plus after the OS hardware and install. Okay. And then I did the security plus after 122. Oh, really? Well, that's awesome. So, those are great search to bring, you know, to bring in the door. Yeah. So, just this entry-level knowledge on kind of all fronts is what I was aiming for. Sure. That's awesome. Yeah. Does the school help fund that? Those exams? You pay for those yourself? Or how's that work? So, CompTIA gives them a... Yeah. We do get it just done for that. Yeah. And it brings it down a lot. Substantially. Yeah, it does. You get a big discount. And we're trying to develop funding to help people with the cost of the test. So, one of the things we do to help with the funding is you co-founded the ICT Club. Yes. Yeah. We're going to talk about that after the break. We co-founded the ICT Club. They go out and they do penetration tests. Oh, they try. And you can use those funds for whatever you want. And a lot of people want to use it to supplement the cost of the certification. Awesome. That's great. Yeah. I think it's about time to take a break. I haven't gotten a word on this, but we're going to take a break here and pay some bills and come right back. We all play a role in keeping our community safe. Every day, we move in and out of each other's busy lives. It's easy to take for granted all the little moments that make up our every day. Some are good. Others not so much. But that's life. It's when something doesn't seem quite right that it's time to pay attention. Because only you know what's not supposed to be in your every day. So protect your every day. If you see something suspicious, say something to local authorities. Living in this crazy world so caught up in the confusion nothing is making sense. One of the mics or one of his is the amplification of the mic versus his... Welcome back with Cyber Underground. I'm your host Dave Stevens. And God of Self Guard. Nice. That was great. That's okay. We're back here talking with Nathaniel Weeks about his entry into the cybersecurity arena. How he did it. His white hat entry. His white hat entry. That's right. We got to keep this clear now. They want to get that face and get him confused with hackers. So anyway, let's review that really quick. Usually hackers right now unfortunately classify it into only a couple of different classifications. White hat. Right. Which is the good guys. The black hat which is definitely the bad guys. And then there's a bunch of classifications that fall into the grey hat arena. Hacktivists. Right. Or a cyber terrorist. And how did you pick the good guys? Yeah, there's a lot of money on the other side. There's a lot of money on the table. How did you stay on this side? Right. That's a good question. No. He enlarged my hand. I was rethinking. Right. How much money? No. No. So, you know, I was not a hacker. I was not a, you know, I wasn't interested in trying to break into a computer or anything like that. So it was just, that was the first time I'd even heard about that being used for good. Right. So before that, it was hackers. Right. It's the ones that are in the news every day that are doing the bad deeds. So it was interesting to, you know, coming from the outside, coming from zero, right, to this knowledge, to get to hear that that's actually a career, where you do that for the good guys, you know. So. How do you feel about this now that you have this much education, a couple of certs, and you're going to go to University of Hawaii, West Oahu? How do you feel about your career now? And you mean, you think you're on track? Right. I really do. It's really exciting, actually. Like, I have, I've been working really hard to get where I'm at. I still got some ways to go, but I'm excited about the next couple of years. You've got an excellent path, and there's people here just chomping in the bit to hire you. The National Security Agency, the Federal Bureau of Investigation, the Department of Defense. They need good help. They need people like you. And once you get your undergraduate degree, that bachelor's degree, you're going to be incredibly valuable. And please stay on the island. Don't be the brain dump. The brain drain, and this happens in Hawaii all the time. We're talking about, you make about 30% less, or even less than that, out here in the island, compared to one of the tech centers, Chicago, San Francisco, Los Angeles, Redmond, Portland, New York. Those places are big. It's growing up everywhere. You know, you even saw like city. I mean, there's, it's coming up everywhere. There's a lot of tech. We got to start paying our people a little bit better. Yeah. Well, we got in all the old Bob dudes with the white hair and the white beard need to retire. Let these kids in the workforce quit keeping them jobs. These guys are working to 80, you know, like you've got enough money, man. Go fishing. Geez. This is the place to go fishing. That's what I'm saying. Like just take it easy. You don't got to work anymore. Tell us about the ICT club. Now you guys, during not last semester, but the semester before, you guys formed this club. You and Rochelle, Mount St. London. Yes. Yeah. So we actually formed it. Part of our initial thought on why we needed the club was to help other students that may not be like socially inclined to find out like an outlet to help them study, help them, you know, learn about what's going on at the school. And then, you know, we were given this great opportunity with the email fishing campaign to help the community to, you know, test their employees. See, like, if they're really actually exercising safe browsing. This was great. So we actually had a KCC graduate from Kapiolani, who was running an IT department. And he came to our IT advisory board, which is when we talked to all the community members that run businesses. Hey, are we training the right people for you? And he said, I'd love to participate in. And that's the first company you guys did. We did an email fishing campaign against them. And we were unsuccessful. Yes. To a point, nobody actually entered personally identifiable information, but we accumulated a grand amount of data about all the people that clicked on the link. Sure. And that's still, I mean, if they clicked on a PDF, we could have had that wrapped up with some malware. An image or whatever today. Right. And we can't do that. That was not in the contract. Right. Oh, it was non-destructive or whatever. We had non-destructive, non-invasive. So we just tried to gather people that, you know, give us your phone number. Interesting. Yeah. We had some small errors in there where, well, not too small, but one of the emails went to their IT person. So it got snuffed out pretty quick whenever that happened. Blocked the servers. Yeah. It was blacklisted. Yeah, yeah, yeah. It was backtracking. That was a little bit of an obstacle. Yeah. Right. It was a great experience, though. I mean, it was the learning experience from that. You can't get from the classroom. So that was one of the goals, right? We continued to seek to out those opportunities, though. So we're actively looking for some other opportunities for you guys to do that with. So you business owners out there that want to test your staff. You want to find out what kind of take rates you're getting. This is a good way to do it. And then you can donate some of these kids for the effort that they put out and get them some more education. That's a great point. Now, the donations go to the IT Foundation here at the University of Hawaii at Capitol County Community College. It's a 501c3. So you actually get a write-off at the end. It's a charitable donation. Exactly. Right. And the kids get to use it for certifications. And our original goal was to try to get everyone to DEFCON and we just couldn't make enough money. Yeah. Well, it takes time. But students are going. We have five students that are going on their own. Awesome. To DEFCON, which is July 27th to 30th this year in Las Vegas. And we're going to broadcast this show live from the floor at DEFCON until July 28th and interview the students. So how's it going to be there? Nice. And I need someone here to anchor the studio. Oh, in the studio? Okay, that'll be me. I'll be here. If you're available, let's do that. Yeah, let's do that. It'll be Friday the 28th. Friday the 28th. Okay. Live from Blackhead here on Think Tech. That's awesome. On the cyber underground. That's super cool. But now you know they're going to get some influences there and they're going to learn about some other avenues of recompense that aren't necessarily Whitehead related. That's all I want to say. You need to know these things. You need to know what people are doing. That they could break into your network so you can defend your network. One of the classes we had, I mean, we had three-hour sessions last. It was just insane. But one three-hour class was a skill set that I picked up at DEFCON. I went and learned how to pick locks. And physical security is a big part of this. So I had sample locks and four lockpick kits and I brought it in and everyone grouped together. And at the end of that lockpicking class, Cesar and a couple of other guys were grouped up together and they were timing themselves with a six-pin lock, which is your basic standard door lock. And then we're doing it in one, 36 seconds? Yeah. Behind the back. Yeah. Incredible. We had to stop and don't go outside the room and do this. Because now they have a skill, right? There's like lockpicking societies out there. There's a kid that works for Microsoft I met out here and he regularly goes to those competitions. They have clubs that meet every week. And it's a realm of being able to get harder and harder locks opened up. They get into the safes and the tonguewires. It's cool, man. It's hard to say that you're in one of these societies because I always picture there's the guys that do the medieval war plane. Yeah, yeah. Civil war reenactment. And there's a lockpick. And there's a lockpick, yeah. But it's cool, right? This is cool. Being a geek, I love it. It's hard security, right? That's what security started, right? Security was a lock, right? That's right. It was a locksmith. That's that world, you know? So I think it's cool that it comes from there and that IT people and specifically security IT types pick that up because the physical world that I'm in, the physical security world, a lot of them doesn't, you know, it's only starting to blend these last few years or people starting to understand it. Right, so. You know, we need physical security and cybersecurity related. Most people in physical security, they're part of the facilities department. Quite often. Quite often. And they're not even connected with the cyber or the IT. The IT. It's not uncommon for us to have to sit down and let a client know, look, I need his IT and facilities may have never even worked on a project together and it's physical security that I request them both at the table because we've got to have all the stakeholders here to get the right answers. Especially now, since a lot of the physical security devices are IoT. Sure. Right? And even if. Internet of theft. Yeah. Internet of theft. That's what it is. We're going to have to do another deep web segment and we'll get you back on here. Well, in your last couple of minutes, what's your path now? What do you think of your future? What are you going to do? I think the next step is to start doing a lot more capture the flags. Get some more practical, you know, challenges ahead of me. And then I think. Can we describe that really quick? Sure. Capture the flag of CTF exercise. Can you describe that a little bit? Yeah. So they set up these virtual machines that have certain hidden, either words or it just helps you to navigate these systems and to find flaws, essentially, you know, so that you know the system inside and out. And so that was also part of the NCL, too. Now that's the National Cyber League. So if people can look that up on the web. That runs two, three times a year. Yes, nationwide. And anybody can sign up? Maybe. Maybe. Okay. Yeah. So I know if you're in school. It's certain ones they open up. You know, the guard hosts on the Air Force hosts on this. You know, Raino's doing a bunch of different cyber. There's a bunch of this going on today where there weren't so many just a few years ago. So there's a lot of opportunities to compete. It's quite nice. Now we did one in the spring, a couple of years in a row, the CCDC, the Collegian Cyber Security Defense Competition. Yeah, CCDC. Cool. And it was this one. So in the NCL, you do it individually. Yeah. Everyone's an individual CCDC. You replicate a, like a blue team. Yeah. You're a defensive team. Whereas the red teams, the attacker team, you don't ever see them. So you all go into one room. And then my favorite story in the whole world. The team I was coaching, they were all in one room defending the computers. And I brought pizza for lunch because I thought it was going to be a nice guy. And the judge said, no, no, put the pizza here, spread it out. And he sent an email called an inject to the team pretending to be somebody else. Hey, you know, Antti Millie sent in pizza. Come and get your lunch. All of them stood up. All your defense walked out the door. And that was it. They walked out, red team walked in. It was all done. Boom. I love it. Done. I want to point out that I was not a part of that CCDC. I was in the next year. You would have been looking for that. So what I find is when good folks like yourself get up into an interview, it's always, hey, what's your education? What's your certification level? What have you actually done? Right. So all these things stack the deck in your favor. You've got a cyber security certificate. You've got ASNIT. You've got your certified ethical hack in your network. Plus, you were in the ICT club and you did the penetration testing. Plus, you did the National Cyber League and CCDC. So you got all this experience too. So when you walk in that door, the world is your oyster. Where do you want to work? Yeah, where do you want to work? What appeals to you? NSA actually sounds really good. Do you want to work in the tunnel up here? Yeah. Okay. It sounds really good to me. Well, I mean, why not work at the top? You know, that's the top of what's happened in the world, I believe, you know. And so, you know, our group, the Russian group, the Chinese group, one of them three, you know, you want to be in the mix and you might as well work for us. Yeah, it doesn't get much more interesting than that. It really doesn't. So you won't be able to tell us what you do later. You can go from a computer network defense to, you know, multiple other cyber portions of the NSA and keep your retirement and your benefits. And it's combined now. They combined offensive defense. So there's some ethical issues with all that, right? The people are talking about. Oh, yeah. So, good choice. Okay. Anything you want to say to us in our final seconds before we let you go? I want to say thanks for the last couple of years. Thank you for being such a great student. This wasn't about teaching. I want to emphasize this is about learning and the effort you put into learning this stuff makes you who you are. Good job, man. All right. Bye, everybody. Aloha. Hi, and we got to cut this short. And hopefully you'll join us in the cybersecurity realm. And next week we'll be coming back talking about more cybersecurity until then.