 Think Tech Hawaii, civil engagement lives here. Welcome back to the Cyber Underground. I'm your host, Dave Stevens. I know. Did you miss me? I wasn't here last week. But somebody else was. Rochelle Monsilungan. Monsilungan. Monsilungan. Okay. You say that from now on. All right. This is my guest host today. She's from the Hawaii Advanced Technology Society, HATS. And we're going to be making some recommendations for cybersecurity education because most people think you just go get some formal education, some training, you read a book. If you take a test and you jump into a job, it's not really how it goes, is it? Nope. No, it's not. Well, let's review why we should actually have some cybersecurity education. Let's just jump right into it. We have some slides here. Okay. Let's look at some stats. Slide one. This is some information that you need to know about how many people were employed in cybersecurity and how many open positions there were way back a couple of years ago and what we projected to be by 2021, half a million unfilled cybersecurity positions in 3.5 million openings in the United States. That's massive and we're already running behind. And every year we get farther and farther behind. So we're trying to train those people to get them into those positions. And it's a tough haul. Let's see the next slide. Okay. Business as you care. And it's all about the bottom line. In 2015 we lost $3 trillion worldwide, $3 trillion. That's some serious coin, especially when I'm worried about paying the mortgage every month. So that's like a lot more zeros than I'm usually used to. And the world lost that much money. Look at by 2021, $6 trillion. That's trillion with a T. That's staggering. Look at all the different ways you can lose your money from embezzlement to reputational harm. Fines are a big one and a lot of people don't discuss fines. 
So if you're a small business, you accept credit cards and someone exfils your data, they steal your credit card numbers, there's a fine for that, right? And it's like $0.75 per card number. So you can easily get a $4 million fine and there goes your small business. And then you're underwater and you'll never have another business. Let's take a look at the next slide. Okay, why shouldn't the government and its citizens care? Well, obviously, did you vote? Yes, I did. You're going to vote in the midterms? Yes. Do you want your vote to count? Of course. Well, we might not be counting as votes because people like Russia, countries like Russia are actually taking away our vote by influencing the elections. And we're going to be talking about how they did that with some fake news and Facebook stuff in the second half of the show. Let's move on now. Okay. Okay, this is a lot of stuff that people forget. Industrial control systems. So I gave the same presentation at the Pacific Rim Critical Infrastructure Security Summit last week. SCADA systems, system control and data acquisition, HMI, human machine interface, and HDI, human device interfaces. Those are not controlled by regular companies like Microsoft or Apple, and people are interested in cybersecurity like Google. They're controlled by Siemens or all these other electronics providers, and their engineers just care about making things work. Right. They don't realize that they could actually get hacked. Right. And they think because they're air-gapped, because they're separated from computer networks, that they won't ever be hacked. But you can hack that. Yes, you can. How would you hack it? Flash drive? Could be. Update? Yep. Okay. People walk in with the computers and plug in. Oh, yes. Yeah. And I love the quote. At the end there, there are only nine meals between mankind and anarchy. That was a writer, Alfred Lewis, way back in the beginning of the 20th century, said that. 
And I put that on there because if you hack industrial control systems like SCADA systems, you can cause damage and shut down an entire economy. I mean, we'd be shutting down water and power and the grocery store and the Uber rides and you know, we'd devolve into you know, 1700s society and nobody has a horse and a buggy and no one else ought to even make a chair. How do you make a chair? I can't make a chair. So we take away like IKEA and we all go mad. And that's why it's important that we have cybersecurity in industrial control systems because we want to keep getting our water. And I'd like my toilet to keep taking the sewage away from the house, right? Okay. Let's see the next slide. Okay. Don't stand still. No problem can be solved from the same level of consciousness that created it. That's Albert Einstein. And it means that if you stop learning, new problems will still arrive every day, but you cannot solve those problems, right? So these are my recommendations in enforcing a cybersecurity framework like NIST, the National Institute of Standards and Technologies, 800-171, that's for small and medium businesses. Those are recommendations to lock down your physical and cyber and social security profile. So your employees are all trained. By the way, we know that 90% of the problem is people. Yeah. Yeah. So you got to train the people. Okay. Right at the, the second to last bullet point there, Trek, Kohler and two other companies in Wisconsin are now sharing their cybersecurity incident info. They've made a collective so that if one of them gets hit, they tell the other companies so the other companies can be prepared and not get hit. I recommend that companies do this. I'll do that. Yes. And also pay attention. InfraGard, US-CERT, look those up. They will send you broadcast emails saying, hey, here's the latest threat. Look for Hidden Cobra, which is of course North Korea, which is always doing some crap. That's like daily, right? They do that. They send you. 
Daily, like several times daily. And they cover industrial control systems also. It's not just the software, but they'll go so far as to tell you your Chrome browser needs an update. You know, the Spectre and Meltdown stuff was a lot of browser in there. It depends if they actually listen though, right? Because I'm pretty sure there's some people that don't really care. There's a lot of people who don't really care, right? That's the last point. Not on their priority. Yeah. Let's look at the next slide. The next slide is this one. This is what's available right now. We're going to talk about formalized educational programs. The first thing you can do for your employees, and I put some samples down here from our state, but if you're listening from another state or country, there's programs that are equivalent of these out where you live, too. Vocational programs, your first stop, they can train you on specific skills. So if I need a specific skill, Rochelle, you work for the state. What kind of skills would I send an employee out for vocational updates? If you're running an IT department, what would you need updates on if you sent out people for skill sets? New certifications. Yeah, certifications, probably Security+. Security+. So that's the CompTIA. Yes, CompTIA. CompTIA is also coming out with a couple of new ones, but there's Net+ for networking, and there's the A+ for basic training and networking. So you can update your skill sets by going to these vocational programs, and they're a one-stop shop. You just go in there, you get the education, you come out, and you don't have to formalize anything. Now, Rochelle's going to tell us about the certificate programs that we do at the University of Hawaii Community Colleges, because she's got two. Right. You got the CNACA, yeah? Oh, yes. I've got about that. Tell us about those. Actually, more than that, I think, because we finished, we have the database, we have the website, right, all of that. 
You just stacked the deck. Yes, I pretty much stacked it. Tell us about your journey. I think the only one I didn't finish was programming. You're one class I didn't take, and that was the only one that I was shy of, I think. So you got the certificate of achievement in cybersecurity, and you got your associates in information technology. Then you moved on to another school. Yes. Right. To University of Hawaii, West Oahu. Right. West Oahu is one of those four-year campuses that specializes and does stuff that the other campuses, the four-year campuses, don't, Maui's a four-year college. The mothership, UH Manoa, does not do cybersecurity specifically. So you went into the ISA program. Right. Tell us a little bit about the ISA program. So the ISA program, it's more geared to cybersecurity students. So a lot of the classes I've been taking, or I've taken, like right now I'm taking a cyber investigation class, project management, because you need to know all those things, not just the cybersecurity, but also the business side, right, to it. So we learned a lot about the hands-on kind of like the tools that you would have to use when you're, if you're going to be in cybersecurity. Now, this is a broad spectrum of pathways. You can take inside cybersecurity, and I think a lot of people realize how many choices you can make. You can do forensics. Yes, forensics. And you can sit in front of a monitor watching network traffic all day, which is mind-numbing for some people. Yeah, if you like to do that. Yeah. If you've got your music and your headphones, that's fine if that's your thing. But there's also management, right? So in your program, they teach you project management as well, right? So you can manage a team of IT people, and I think many people that want to go into management don't realize that you really need to know what your people are doing in order to manage those people. 
You need to know what their job is and how hard it is, so you know how much they can take, how much, you know, to expect. And those expectations can be skewed if somebody comes in from another industry and doesn't know cybersecurity. So the degree you're getting gives you that broad spectrum, right? So when you get out there, you can be one of those leaders and you understand what your people are doing. Correct. You understand that. You're more well-rounded, right? Right. So you know it's going to take a long time. Yes, it will. Yeah, right? It takes a lot. Well, so you've done that. Yeah. Talk about that, too. Let's put that slide, the next slide up. This is the program that Rochelle is in right now. It's a four-year degree. It's accredited by the NSA as a center of academic excellence in cybersecurity. Dr. Matt Chapman has put together this program. There's multiple pathways from all the community college systems. So if there's anybody in academia on the mainland listening, please do this. This is an exceptional thing to do. Feed your community college students into a four-year university and give them some experience on the way there because if we all know when you walk out of school and you have an education but you don't have any experience, what can you do? Nothing. Nothing, right? You just get like some help desk job. So let's talk about some of the things you're doing to attain that experience at hands-on functional experience as far as internships. Yeah, well, from in your entire journey, let's talk about when you first started Kapiolani Community College, all the way up to right now UH West, let's talk about some of those things that you and your club do for experience. So from my experience, I've done two internships with the state. So that's with the CEO, Todd Nacapuy, and then with Vince Hoang, the CIO of the state. And then now I'm doing another internship with Purple Mai'a. So that one is more teaching. Purple Mai'a is? Yeah. 
It's like a nonprofit organization where they teach like more underprivileged kids coding, like website development. So like from my school that I'm at is Kapiolani High School. So they actually are going to do some kind of project at the end and they're going to present it and they were learning all about coding. And it's not like what we learn, like W3Schools, they're doing like Bootstrap. A little bit harder way. That's the JavaScript framework for Twitter. It's publicly available that you can use to enhance your website. So that's a bunch of JavaScript functions that you can just call. You don't have to rewrite it or reinvent the wheel. So you get good at Bootstrap and your site can look as good as Twitter, which is kind of nice. So you're out of Kapiolani High School? Yes. You're out by the old military base, right? That's by the old front gate of Barbers Point. So that's out there with UH West. That's good. But with that one I'm also going to be doing a, just started a program with the Boys and Girls Club. So I'm going to be teaching a class in Evo Halipono. So this one is just kind of starting. So it's like an hour, a class, same thing, web development. And Evo's in the same area? Yes, in the same area. So the opportunities are so numerous. There are, yes. Everywhere. That you can localize, physically, right? So it's not too much of an inconvenience to get experience. No, for me especially. It's in that area. And then I work on campus. I know E.T. is about help desk, but I work at, I just recently started working at the UH IT, I'll use what's-a-while IT help desk. And I, okay, this is something I'm going to say, okay, I'm not like help desk, but from working there, I've only been there for about a month. I've learned so many things, and I think anybody starting out in the IT should start from it. Yeah. Yes. Well, we all did. Back in the day, you know, they called it the pit. Yeah. And when I go on calls, we get teased about IT. They love doing that stuff. 
That's the nerd stuff for them. And I'm just standing there like, oh my God, this is like so- I'm right here. Yeah, I can hear you. But we go through that, but I just ignore it. But I mean, I really enjoy it. I don't know. Well, you are a nerd. Yeah, I am. It is. You're one of us. I'm a blogger nerd. Okay, we're going to take a break. All right. We're going to go pay some bills. Come right back. Okay. Stay safe. Hello, everyone. I'm DeSoto Brown, the co-host of Human Humane Architecture, which is seen on Think Tech Hawaii every other Tuesday at 4 p.m. And with the show's host, Martin Desbang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Human Humane Architecture every other Tuesday at 4 p.m. on Think Tech Hawaii. Welcome back. We're with the Cyber Underground and Rochelle Monsilungan. Yes. Right? Yes. Got it. Correct. Okay. Good. Good. We're going to talk a little bit about some of the things that puts our government in danger right now. Okay. And we just talked about this first part of the show. Why should governments care about cybersecurity? And one of the things is, you know, the DNC and the RNC have both been hacked. And poor Podesta. All of his emails out there for everyone to see. But that was caused by a two-letter mistake in an email from the help desk. You know, they meant to say it's an illegitimate email and they left off the "il" and they said legitimate. So Mr. Podesta put in his password and username and then they're hacked. They're owned. And that social engineering attack was actually massively effective when I looked at the statistics. Only 30 emails went out, 29 of them were to people that didn't work for the campaign anymore. So only one campaign member got a bad email and it worked. Yes. I mean, that's effective. Man, I wish I could be that effective with our pen test. 
We need to up our game. The Russians are good. They bring the A game to the mix, but they got time and materials. Those things aren't really the hacks that can nail us all the time though. Let's talk about what to look out for. And one of the things that I think everyone's looking at is social media. So Facebook, Facebook actually presented stuff as news. You know, people could post whatever they wanted as an ad and it looked like a news article and could link to a page that looked like a news page and people just believed it. It was in barrel. And that's disturbing to me. What other social media outlets do you watch out for when you're out there? I would say Twitter. Twitter? Especially, but that one you would have to take with a grain of salt because you can't believe everything what people write on there, right? I think we're experiencing the same thing with the web as we did with print in the first place way back when. People believe that if it's written in black and white on a printed page that it's true. And that's just not the case. If someone's got money, they'll publish it. And out it goes and if it's, you know, rock solid, great, if it's not and just makes money, oh, that's great too, right? And so Facebook thrives on advertising and when they put this stuff out there they get more clicks. Right. And well, most people, they just look at the headline, right? They don't really go all the way into the story. I have friends like that that do not drill into the story and actually read the story. Because I was reading a study where they did, like people didn't actually click on the link. They just read the headlines. Yeah. It's provocative. Yes. Which is why so many people, I think, voted the way they did. I think their opinions were swayed by some reprehensible headlines, especially the one that caused a man to take a gun to a pizza parlor, thinking that the Clintons had captive children in the basement. That was way too far. 
I cannot believe stuff like this happens. But that's America. Yes. I would have said, I acclimated to social media, so we're reading that. So what are some of the tips, how do you read news? Give us some tips on how you would differentiate. Well, aside from just reading the headline, I actually try, I look it up. I use this thing called Snopes. Snopes.com to make sure, because most of the time it's not real, or I look at the sources. Yeah. You know, because sometimes the website could be totally off. Like how you see it brings you to another page. It could bring you to some kind of pages like nothing at all, or something malicious. Sources. Yes. Let's talk about that. So from an academic approach, you're in school now. So now when you have an intelligent conversation, people expect this in your field. If you were going to make an assertion, make a statement, people want you to support that assertion and cite your sources. So if I say, hey, neutrino communication is going to be the wave of the future, someone's going to say, well, how do you know? And I'd say, well, in 2009, the University of Illinois did this experiment. Now tell them about the experiment and where to look it up. That's an intelligent conversation at an academic level. But I don't see that happening after two beers at the bar, right? It's just, you know, people start yelling and then it devolves. But that's how I read news. And then I look up multiple sources. So I don't know about your sources. Mine are things like BBC, NPR, I go to the Washington Post. But then I'll get the opposite opinion from the LA Times, right? Which is a conservative rag. And I compare, and they might write it from a different angle, but you still get the same underlying facts. And that's what you can go on, right? So tell us a little bit about your experience. What do you do? How do you do your news? 
I do the same as you, but because sometimes some of the story, they kind of turn it around to make it sound like a certain way. I've seen the news all like that. What was the one that I just, I couldn't stop laughing. One newspaper had a picture of President Obama holding a Pepsi. And he was drinking a Pepsi. And it's President Obama supports Pepsi-Cola. And then Fox News, I think, had the headline, if I'm not mistaken, said President Obama declares war on Coke. Right? Right. Wait a minute. He's just holding a soft drink. And it's too completely. And they just blow it out over. Yeah, right? They just want the headlines. I think a lot of people forget that. That's what that business is there for. They have to sell. They have to drive opinions, get clicks, sell magazines, sell subscriptions. And that's how they make their money. And if they don't have sensationalist headlines, then they won't have a job. They won't have a job. And then what do we do? Then we have to depend on the state-run media, also known as Fox News. Just in case you didn't know, it's Fox News. OK. I really ought to do a rant about that. Jay asked me to do a rant. I'm going to do a rant. OK, let's talk about more now that we're going away from warning about this fake news. Let's talk more about how you have worked with the HATS Club to bring more experiences to the students who are doing cybersecurity. Now we all know when you walk in your first job, they're going to ask you, what's your academic experience? What are your certifications? But then what have you done? So let's talk about what are the students doing under your leadership. So under our leadership, we actually do CTF trainings. CTF is? Like capture the flag. Capture the flag. Describe that for us. So it's more like, it's kind of some more real life, not kind of real life, I guess, scenarios where you're solving a puzzle, like doing reverse engineering, those type of things. 
So then you use tools to try and figure out the hidden message. And that's the flag sometimes. Yes, that's the flag. Whatever the hidden message is, you can capture that. And you get points. Right. And like how we mentioned the last time, I'm going to give another plug, the National Cyber League, which registration is open. So we also compete in that as well. That's going on now. That's the regular season. Pre-season's over? No. Actually, registration just started on Monday. OK, so we're just starting out? Still registering. How much is that? $25. $25. And now they're just open for high school students. That's amazing. Yes, because they're trying to really promote the whole STEM program in schools. So I think that's actually a good thing. So now they're asking us to try and mentor students in particular high schools. So Merle Hioki is trying to get that happening, I guess. He's asking us if we would like to help with that. There's a lot of apprehension with people who don't know about this. And they say, oh, National Cyber, I don't know anything. So why would I do this? But what they don't know is that there's a gym where it's like a practice area, right? Tell us about the gym. You sign up for this, and then you get access to the gym, right? So the gym, you could practice that. That's like throughout the whole competition. So you can practice everything that they will have in the actual season. So there's the open source, there's like the reverse engineering, web exploitation. So you can do things like with Wireshark. There's even cryptography, stenography. Stenography. Stenography, I guess, thank you. Yes, all of that, which I wasn't too good at. But after doing the gym, I got better. They show you the tools. They show you the tools. This tool will reverse that hash. This tool will break this goal. This tool will do this web attack or whatever, right? And Metasploit's in there, I would assume, and Wireshark, which is a scanning tool. 
Just so you know, learn Wireshark. All right. So we've got the National Cyber League. And if you sign up, you do the gym, and you practice. And then there's the contest. How many days is the contest, when it starts? So it starts, I believe it starts in April. So there's the, what do they call it? So you do the preseason and the postseason, right? And then there's the individual, and then you do the team competition. So as a team, how does that work? Have you ever done a team? Yes, I did the team last semester. How's that work? It was a class that I was taking at Utah as well, which I would highly recommend. It's only offered in the fall. But it's, we all teach each other our tips and how to get through the whole NCL. And we had presentations, tools to use, because most of the people in my class were experienced more than I was. So did you have to sit in the same room when you competed, or could you be in remote location? Oh yeah, so we were separated in groups. So yeah, we sat, we were in our classroom, and the other people were in another area. So that's the team one. Individualized, you can do this whole home, right? You're at home. You can't get any help from anybody else. You're pretty much on your own. And yeah, you have no life. You're just going to be doing that all the time. They don't monitor you, right? They don't have a camera on. No. OK. No, no camera. No help. No help. Yeah, right. I'm with you. OK. So let's talk about the, there's another competition, the collegiate cyber defense competition. So you've participated in this? Yes, like when I was at KCC. So that was another class I was taking. OK. So let's talk about CCDC and how that works. You don't know how that works? I know. It's a red team, blue team. So let's talk about, the red team is usually attacking team. They exploit things. And then there's a blue team that's the defense team. And that's usually what the students do, you defend. 
Just so everybody out there in the audience knows, it's a setup. So the blue team is just where? It's actually? You get hammered. The red team gets to scan your network days in advance. And they have everything set up. So the moment they release you to do the attack and defend, the red team's got Metasploit and all that stuff, ready to go. And they just press the button. And you have to defend. You have to lock out the administrator password, do your updates. It's like working at a help desk. You get phone calls. What actually happened in real life, I guess. I don't know about the child being lost. I don't know. There are some weird scenarios, but. Well, they try to get you to unlock passwords. Yes. It's over the phone, like the real help desk. The first, in our last minute, I'll tell the story, because I love this story. The first CCDC competition we did, I came in with pizzas for lunch. And the judge said, hold on. And typed an email to the entire team without me knowing. And it said, anti-sale and so-and-so brought in pizza. Come on, get pizza. Everybody in the room, the whole team stood up, did not lock themselves out of the computer, and walked out of the room to get pizza. And the red team walked right in. And when they returned with their pizza, they were compromised and they lost the whole thing. Lesson learned, which is why I like the competitions. You learn life lessons. Yes, you do. OK, give us your 10-second plug for HATS before we go. So HATS, if you guys want to join, we have a website. It's hats-e-t-o-a-t-t-e-m-slash-join. So going on to our website, there's actually a sign-up sheet where you just tell us about yourselves, what you're interested in. And we offer, like we were saying, the CTF training. There's also industry professionals that come in to talk, which we're actually going to have one soon, this month, for the pen testing. Oh, that's wonderful. And we're actually doing that with UH Manoa, the MIS club. Oh, good. 
Yeah, they're the great hats? The MIS? No, I don't know. No, this is totally different. Yeah. Oh, there's a lot of clubs out there. Well, everyone's into this. Well, thanks for being a guest. Thank you. And thanks, everyone, for joining us. Aloha, and we'll see you next week with a really rousing episode. And I want you to call in for our next episode. It's 808-374-2014. We're going to need callers because we're going to go, where no one's gone before in the show, we're going to ask you what happens if we get a message from space. Should we click on that attachment? Follow that link. We'll see you next time. Until then, stay safe.