Think Tech Hawaii. Civil engagement lives here. I have a question. Welcome back. It's the Cyber Underground. I'm your host Dave Stevenson. I'm here with Andrew, the security guy. Welcome brother. Hey, it's good to be here. Good to be here man. Give us some. Another week. This week, so our hosts, our guests cancelled. So we got to figure it out. Yeah, I hope you guys are over at UH. Brian Tuskan. He's the director of global security operations for Microsoft. Really nice guy. I had a great show with him yesterday upstairs here at the Plaza Club. We talked about sort of the future of the SOC, you know, and he was giving us some of what they're up to and then today he was over at UH and we thought we'd get him in here but he, they packed on an additional like panel discussion over lunch with him which held him until two o'clock. So you're not going to have Brian Tuskan here today, but maybe next time. That's important that we should tell the audience the SOC, S-O-C, Security Operations Center. Security Operations Center. Yeah, yeah. So they're important acronym. They do all virtual SOC. I mean, so he had a guy yesterday with the HoloLens and so they're all, they got brought up their SOC in the HoloLens so everybody else could see what he could see. It was awesome. Oh, that's pretty cool. Yeah, it's all virtual. He was showing us what they're building now. Their next version is all, it's just all virtual. So that's kind of scary and it kind of gets into our topic of, you know, so you want to be a hacker. Where do hackers come from? A lot of hackers are gamers and we have a new movie that just came out, Spielberg's new Ready Player One. Oh, is that what it's about? It's supposed to be in the year 2045 and all these people go into this gaming world because the real world sucks. Oh, so they just stay? 
Yeah, so they just stay in this virtual world that's actually wonderful and you could be whoever you want to be and then getting for control of the planet because everybody's in this world. Whoever controls this virtual world controls the world and so there's a revolutionary in virtual space and yeah, I don't want to give it away but it's a pretty, it's actually a great movie, great story and it's kind of prophetic and I keep telling people that if you want to know what the future's going to be like, read or watch sci-fi now. Sure, go to the movies. Go to the movies and the most random weird movies you pick out stuff that's kind of prophetic. Keanu Reeves, local boy, things like John Wick and of course Matrix, right? But there was one he did way back when if you ever saw Johnny Mnemonic. I remember the name of that. I don't remember watching it. He's a courier, he carries data, took out part of his brain and he puts something in his head to carry like a hard drive or something. But there's a disease going around the planet in this movie in this kind of dystopian future that's caused by radio frequency. Basically Wi-Fi. Yeah. There's an overabundance of Wi-Fi. In fact, a lot of people are doing voice over IP but in Wi-Fi so they don't have to cable it. They're just saturating entire floors of building with as much radio frequencies you can get to get all this bandwidth so you can do Wi-Fi VoIP calling. Personally, I think that's a bad idea. Eventually we're going to run into something like this black death that Johnny Mnemonic had. Oh, you think from the RF? I think there's going to be health problems. There's been a bunch of news lately about that. They said big telecom industry has been hiding the fact that this RF actually causes cancer of your brain or whatever, right? And so they were saying that 5G I guess the intent is going to be quite a bit closer to get a lot more of them. 
We're going to be walking around just bathed in RF and see what you're talking about. It's going to come true. Well, the good news is that the microwave dishes that shoot this stuff all over the place, when they hit your body, they excite the water molecules and they actually warm you up. So we'll be much warmer as we die. Maybe that's where the global warming is coming from. I wonder if you guys could try to call it. What's it when you look at not causation but correlation. I wonder if those are correlated things. It's not actually the greenhouse gases at all. It's just microwave dishes. It's just RF. We're heating up the air. We're heating up the bodies. Well, sci-fi kind of predicts the future. Ready Player One I think is everyone's wearing these virtual headpieces and going into the gaming mode. I read two articles of differing viewpoints from assistant professors at two institutions. They both are in computer and psychology. So they do both, which I think is the best way to examine this causality or maybe a hypothesis that these things are connected. One of these professors states that it is absolutely better to hire gamers to do cybersecurity. Probably. Okay, that's my first instinct too. But then I read the counter proposal and this person brought up some other points. So let's go through the goods and the bads. Okay. And some things are obvious. If you're a gamer, you're obviously engrossed in technology. Well, I think you also like the challenge of figuring it out because you have to learn how to play and it changes. There's new scenes. I know that you replay it because you die but you're a problem solver. Yeah, right. But in your nature and you enjoy it. You like the challenge. I think that's a good thing for cybersecurity. You know what else came out of the research is these gamers because games inherently always have a path to win. They never figure it out. Not only to figure it out, they never give up hope. If not, they hack it. They Google it. 
There's a workaround. There's a cheat. They know somebody. In real life though, that creates the type of person that never gives up and says I just can't. There's always a way. I can script it. I can hack it. I can bust it. I can break it. I can hash it. I can do something to make this X function. So they're problem solvers and they never give up. Hope. Now that's not really a strategy though. Hope is just a characteristic of willpower. Let's say that. In my opinion, willpower is the thing that gets us by. Yeah. Just sheer will. Yes. That you will overcome whatever it is. Right. It's do or die. And I think gamers kind of adopt this gaming. Yeah. Of course they get to get reborn too. It's a little false in this. I mean in there, you know, because they know if they die, they don't want to start over. I get it. You know, they want to progress in the game. I'll lose your character. You don't want to lose your character, of course. So in cyber, the stakes are just a little higher perhaps, right? Maybe. But I think the characteristics are valuable. There are valuable ones. There's a counter argument that, and this, one of the things I disagreed with is this other professor from the Rochester Institute of Technology said and she wrote for, I believe, Slate online. Was I was reading this article? And she said that some of the characteristics that are bad is, well, diversity is one of them. And I thought, you know, that's got some merit. So when you look at the gaming population across the globe, really what do you see? What's the demographic? I don't know. The majority, not just the age demographic, but the genetic makeup of these people. What do they look like? What's their national origin? It's almost all white male. Oh, is that true? The highest volume of gamers is white male. So if you hire a majority of gamers, you could end up not having a diverse work population. Do they not game in Asia? They do. Well, I mean, it can't be there. It can't be white males. 
It's not the dominant demographic. Well, males is the dominant demographic. So you lose women. You lose women absolutely. That's a bad idea. That's a bad idea. And then on top of that, you lose the demographic of the people that really can't afford to go out and buy a PS3 or PS4 and spend all day on it. But they might be creative and solve problems in different ways, which you need. You need all those. If it's not a diverse population, then I'd say that is an issue. I mean, I'd agree with that. But again, it's only that we're looking at this tool of gaming platforms as people that we could train to do cyber because they possess these skillsets. So maybe that's just one piece of the solution and we go outside of that for other pieces. Now, there's another point she brought up, and this is the point I agreed with also. She said that we should go outside because not all things in the cyber sphere, what you could do for cyber are hunting down bugs and tracking down vulnerabilities and setting up a honeypot and reverse hacking. Those are fun things to do. Those are active things to do. But much of it, as you know, is audit, gap analysis, risk assessment, security assessment, log file review, policy generation, which is so mind-numbing it's better than a sleeping pill. I'd rather do those things than do the hunting because it's just less stressful for me. But a lot of people don't want to do that. Slogs and slogs and slogs of paperwork. My company inside, that's what we focus on, governance and audit and risk assessment. But it's kind of like being the certified public accountant of the cyber world. If you go to the FBI, you've got the field agents with the gun and the badge. It's really cool and they're after the criminals. But then you've got the white collar guys going after the cyber guys. And then there's the cyber guys. So there's different avenues. So you've got to go out and hire those people. 
How do we find those people that are really good at risk analysis and governance and policy generation? Is that an English major? Is that somebody who likes to manage businesses? Where do they find these accountants? Because I don't understand them either. Same group maybe. I mean you don't have to have that sort of mentality. And there are those, we use the DISC assessment. So you have your dominant types. We use these birds from, so you have the eagles and then we have the parrots. Everybody knows I think they're the C's. They talk and talk and talk anyway. And you can't, you know, they don't listen to anybody as a product. And then the doves, right, they like to make everybody happy. So you have all these, you need all these personality types. Anyway, they're really more communication styles than personality types. And then you have the owl, you know, the wise old owl type who's that wise. I think to me that's more that accounting type who likes everything in order. You know, because accounting is very orderly and so you need those. Like you need those people to write code or to do code analysis. Like things have to be correct. Oh, code review, yeah. Code review, audit review. I just want to be the cowboy coder. Nobody wants to review it. Nobody wants to, they don't document their code. That's always going to play. I'll document this when I'm done. Yeah. And so there's that. You know, so there's, I mean you need all those types I would presume. And I, you know, there's as many types of attacks as there are, right? People need, you need all those different types of brains thinking about how can they come after me. Where's the next hole? And then somebody, you know, the guys that are just, oh, let's go looking, right? The hunter guys. Those are cool, but they're probably impetuous. 
And they're looking, looking, looking, looking, looking, you know, where it's the owl, the wise old owl type stands back and goes, now let's audit the complete protocol stack and let's see where this could perhaps hide. Let's define our scope. Yeah, they actually you know, they do this like a project. So you need all that going on. I think, you know, I mean, in the, in the world of security. Now that's the best way to handle security. If you get all those different viewpoints, then you can imitate all the different types of attacks. Well, you get, you have classes full. So how do you, how do you divide them up and do you try to put the different skilled people in groups? Or do you guys? I do. The first question I ask in the class is who's my gamers? They raise their hands and I spread them out across the world. You'll put them together? No, you never do because that's the, that is the clown college right there. Those guys are going to talk and hack and play games. If you walk by and they're playing, you know, the old, what's the first-person shooter games online, you know, Wolfenstein or whatever. But if you spread them out and put them in project teams, like one of my network security classes, they do a security plan for a company. That's the final project. They're part of that team. Gotcha. So their viewpoint matched with somebody who's retraining in a new career. It's going to look at the world differently. And somebody who just came out of high school, completely different mindset. Somebody who just switched majors, completely different mindset. Awesome. You put all them together. You get a really good perspective on what could happen. How do we defend what are our boundaries? What's the scope? Do they attack each other? Is that how you test them or like? No, no. We have plans to implement that next semester. We're going to have a virtual playground where we actually simulate a business environment and we tell one team to be a blue team to defend this. 
The other team is going to attack. It's two different classes, network defense and ethical hacking. And you it's whoever gets the most points. So it seems like even in academia, you know, professionals, writers, people that are studying this and how to what it would be because everybody's worried about workforce development. But in academia, it seems like that you guys have a very good test ground test bed already for this. You've been watching it. You're building teams. You're watching what they do how they were. You've already learned not to put all the gamers together. Oh, yes. You know, let's kiss it. There's some knowledge that we already have gained for how to put this stuff together and so hopefully some of that will start to, you know, matriculate into the working world because we need them. Now I just have the IT advisory at our community college where we bring in business members from the community from the IT sphere, the people that do IA analysis they do coding, they do project management, their directors and CTOs and so forth and we got about 20 of them in a room and we asked them, hey, what should we be training our students to do to get them into your organizations to make a good employee so you'd hire them and some of the things and we had a wide variety of answers on this gaming. One side said, yeah, definitely I want gamers. Just send me a whole bunch of gamers they're great, they're creative, they're exploratory and another side of the room was, no, don't send me gamers because like I was saying you can't put any of them together because they're going to make their own little subnet and they're going to start gaming and doing, you know, you'll see them on PUBG or Fortnite, you know, well, I mean you get some of each, right? You got to have a variety so that was the general consensus you have to pick and choose and how to get the governance people. We're going to take a quick break and when we come back we'll do a security minute. Sure. 
Until then, stay safe. Hi, I'm Pete McGinnis-Mark and every Monday at one o'clock I'm the host of Think Tech Hawaii's Research in Manoa and at that program we bring to you a whole range of new scientific results from the University ranging from everything from exploring the solar system to looking at the Earth from space going underwater, talking about earthquakes and volcanoes and other things which have a direct relevance not only to Hawaii but also to our economy. So please try and join me one o'clock on a Monday afternoon to Think Tech Hawaii's Research in Manoa and see you then. Do you want to be cool? Watch my show on Tuesdays at one called Out of the Comfort Zone. I sing this song to you because I think you either are cool or have the potential to be seriously cool and I want you to come watch my show where I bring in experts who talk all about easy strategies to be healthier, happier, build better relationships and make your life a success. So come sit with the cool kids at Out of the Comfort Zone on Tuesdays at one. See you there. Hey, welcome back to Think Tech Hawaii. You are on the Cyber Underground. Dave and I are sitting here chatting. I got a quick security thing for you. We have a massive show next week if you can make it to Las Vegas. ISC West is out there 40,000 vendors hawking all their wares. Bunch of great sessions on really cyber and protocols and the advancement of the industry. The American Society for Industrial Security will be there. The International Association will be there. PSA Security Network will be there and yours truly will be there. Representing Cyber Underground, Hibachi Talk and Think Tech Hawaii. So if you can get a ticket to Vegas, come on over. It's going to be fun next week. Now, we are talking about teaching hackers. Hold on. Just a minute. You didn't pump up your new show. That's in two weeks. Security matters on the 27th. We are going to do security matters starting on the 20th. So tell us what your focus is. 
Security matters. Because if I have written the first program yet, we are going to really on that show, we are going to focus more on physical security. The forgotten realm of cyber. We will definitely have the overlap pieces. I think I will bring you in for those periodically. We will talk about that intersection. It's a big piece of the conversation. There has been a lot of changes to the industry. There has been a lot of progress in the industry. It's time to get back. Helping folks that have legacy solutions out there that we need to sort of work on. Talk about those. Talk about the new ones. Help them. I want to look at some best practices for migration. Things like that. So I really want to work because we got a lot of not only have segmented vertical markets and the way that they use our products but we also have different products themselves and the way they are being brought to market. We have wireless lock sets today. Just a lot of things in access control are different. A lot of things in video are different. A lot of things in intrusion are different. The merging, the integration of those services has become quite robust. There is a lot more happening. So we are going to get into that for a few years and see if I can generate some valuable content that helps the folks out here. Good buzz there. When we are doing a risk assessment, physical security is a tremendously large and very complex portion of a risk assessment and the gaps identified usually go to an offshoot in the other part of the management team for facilities. Isn't that something? We are not merging the security teams and I think this is an incredibly important show. I think we are doing a great thing. We encourage that. All the stuff I was doing earlier this year was all about that actually. Everybody has been talking about it for 20 years. The convergence of IT and it's like really? It happened. You guys all just missed it. But many organizations sure haven't adopted it yet. 
So talking about that as well we've got to get the culture changed. It's not all technology, it's people too. It's important you hook that up to your website for your company so your customer can see this is what we do. This is how we talk about it. We are chartered to, our vision is leading Hawaii to a safer place so communication and education is a big piece of what we do. I've been doing a lot of cyber work as you know. On Hibachi Talk we have a lot of different topics which have been really fun. I think some information for a while on physical security. So Security Matters, Fridays at 10, right here on Think Tech Hawaii. YouTube you'll have your own channel. So you just look up Security Matters with a Z and you'll have your own channel. Actually I think we're going to go Security Matters, Kohlen, Hawaii. Well don't forget to tell people that on your show next week. So they know how to find your show on YouTube because every day that we finish our episodes we have a great staff here that just uploads everything to you. YouTube, yeah it's fantastic and it's all ordered the right way and you can see every episode. So I personally love that people don't have time to watch my show in the middle of a work day. They don't. They just go on YouTube whenever. They're not watching us now? No, if they're like us they own businesses and they work until 2 in the morning then they watch the show. Then they watch 2 AM when they're done. That's what I watch. I got to see what Dave did today. That's right. That's awesome. So let's go back to the How do we grow a hacker? So you want to be a hacker, right? Gaming actually sets you up I think in a good way and going back to these 2 articles I was reading the person who was the dissenting voice that we've agreed on a couple points from her point of view. The diversity one was one and we need more people that know governance and not just the active shooter type of things in cyber. 
Well we need also to emphasize that if you're a gamer and you're coming into this world she said that she didn't see any relevance in having somebody who wanted to escape reality and dive into a game and forget about the physical world and she said there's no use for that. Why would you ever want to do that? My immediate thought was and maybe you're thinking the same thing that's exactly what you're supposed to do in the cyber world. Because everything's in binary. You have to imagine yourself as in the matrix so to speak. You have to put yourself into a different reality and imagine all these connections because you can look at a network map and you can look at a Wireshark and see your... Port map, packets, sure. You can see packet analysis but you have to imagine what's going on. You have to imagine what other people can see and how they can exploit it. Exactly. It takes a lot of imagination. I think gamers have that imagination. They're willing to suspend physical reality and go into a virtual sphere, a gaming environment and understand completely new rules. They don't follow Newtonian or quantum mechanics. They don't follow physics of any kind. You can do whatever you need to do within this gaming realm. They learn what their limits are by testing those boundaries. That's exactly what cyber security professionals are supposed to do. It makes you wonder if she must have a bad experience with someone who gamed or something. It's kind of an interesting position to take. You don't want them... There's a whole world that's quite lucrative out there called pornography that people leave the real world. I don't know anything about it. There's a lot of precedence for people wanting to escape this world and go spend time in another one. Really? When did this become popular? Is this new? I googled it on Bing. You googled it on Bing? I took that from Gordo. I don't know what he did. I just think that ability to get away. We talk about meditation. That's a great thing. 
That is leaving this behind. I don't have to go occupy myself in another game, but calming the mind is a practice. I take issue a little bit with her saying that you don't want people that want to escape reality. I don't get it. She might be the kind of person in my mind that thinks about meditation because she's thinking, you're doing astral projection or something. You're just calming down and listening to your own breathing for a minute. Putting everything out of your mind. I tell my students a lot. They're very stressed in my class because I work them hard. I tell them every once in a while, just do your zen thing. Listen to your breathing for about 10 seconds and when you open your eyes, the first thing you think of that's the most important thing. Take care of that. And that's how you prioritize. If you can't put it together or write it down on a piece of paper, let your mind do it. That kind of zen has actually brought people out of a really stressful place. It says zen and cheat sheet, man. You've got to be able to handle stress too in the cyber sphere. Yeah, you do. There's fast heartbeat. You're playing a game, man. The risks on the stakes are really high. The stakes are very high. The whole team's depending on you. The business can get shut down. You don't do your job. We're both in the military. We don't do our job. People die. It was critical. You never did not do your job. You know what I mean? And cyber takes a team. I would hate to be the one guy like, oh my gosh, it's all on me. That's a little much. But you have layers of protection. There's things you should be watching and you set up. That's an important point. Security is in layers. We do defense in depth. There's layers of security. So when you want to go from gamer to cyber security, what I usually recommend people do is you can take a training program. You can pick up a book and I recommend that. 
But if you just want to learn on your own, if you're a gamer and you like finding things out on your own, it's all out there. Cyber is free. It's all free to you. What I recommend is people download this thing called Metasploitable. It's a hackable virtual machine. You learn how to use a virtual machine on your computer. And then you download the other virtual machine to hack that, Kali Linux or Security Onion. And there's a couple other ones. But I like Kali Linux. It's a Debian distro of Linux. And Nessus, is Nessus still free? Can you get Nessus? Nessus is absolutely free for home use. Yeah, you register it and you download it. That thing's 20 years old, man. And it works beautifully. And so you can learn how to scan, assess, hack, and actually secure Metasploitable so you can't be hacked. It's a great learning environment. If you don't know how to do it right away, there's a website called VulnHub, v-u-l-n-h-u-b dot com. There you go. And you go there and people will say, here's the attack, and here's how you do it. It's a step-by-step instruction. So you're a big fan of teaching yourself. I agree with that. Super big fan. What do you think about having the structured knowledge, you know, the Security+ and what do you think about having some of that, you know, in the cybersecurity framework? What do you think that plays in? Do you think that's more managerial? No, actually, I think that's complementary too. You can't exist in just the teach yourself world. You need some structured education. You need to find out. To communicate what you found. Well, there's common terminologies. You have to speak your language without everybody else, right? And then you go, you find out what NIST, the National Institute of Standards and Technologies, issues special publications of rules that you follow. Small and medium business follows the special publications 800-171, 14 families and about 600 controls. 
And these families are physical security, access control, media control, risk assessment, incident response. And it tells you within there, here's all the things you have to do to comply with these rulesets. And it may be enable multi-factor authentication. You need, you know, as well as the privilege. You follow all those rules and you comply with this rule set. And if you do business with the government, you got to comply with that. So after you learn how to hack, you're also at the same time learning how to defend, of course, knowing what to look for, right? But then you go and you look at some of these rule sets and now you know why everything you're doing is important and how you're supposed to implement it. And then a structured education, I think, brings to bear two other things. One, the instructor's bringing in his experience, his or her experience to bear, right? In community college we come from industry, right? And then you're also getting all the other opinions of all the other students. Like you said, there's a diverse crowd, right? So you get to talk about these things and that's important. And also I would recommend you go out there and find things like InfraGard and US-CERT, or U.S. CERT, the computer emergency response team or readiness team and get the downloads there. Tell us all the daily security threats that are out there. Window upgrade your browser all the way down to camera security. It's all there. I mean, what's known. So I would say self-educate because you have to be a lifelong learner because this industry keeps changing all the time. So you have to go out and learn. But get some structured education too. And we teach you the community colleges. You can get it online at online universities. And for the military they get it for free. And then of course you talk and you participate in part of the community. That's true. There's, like InfraGard's a great group that we have here. 
There's other people out here working in the community. There's the HATS kids and there's a lot of different groups that come on. Hawaii Advanced Technology Society. Yeah, they come on. So you know, call Dave. He'll put you right in the loop. There's CyberHawaii. Give us give us 10 more seconds before we go here about your show coming up on April 27th. Let's do the first episode April 20th. It is called Security Matters Hawaii. And we're going to be talking about physical security and trying to share some best practices and help folks out out there. Alright, thanks for coming brother. Thanks. Appreciate it. Good fun. Aloha. Alright everybody, thanks for joining us. We'll be back next week with another exciting episode of the Cyber Underground. Until then, stay safe.