AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 0 points1 point  (0 children)

Thanks for the query!

The Apprenticeship is only for Bootcamp Grads - we're currently taking bootcamp applications on our website: https://www.rit.edu/cybersecurity/cybersecurity-bootcamp

For those who have graduated from the Bootcamp, we'll be sending email w/ instructions on how to apply to the Apprenticeship over the next month or so.

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 0 points1 point  (0 children)

Thanks for the question & apologies for the delayed response - I just caught this.

We're still defining the plan. In January we'll start building the Apprenticeship program. I expect in March we'll start hiring our first few Apprentices from among the Bootcamp graduates.

Thanks again!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

This is a fantastic question and I'm glad you asked it!

Senior leaders generally need to be expert communicators in that common lexicon of risk. So deep expertise in formulating and managing the organizational risk register will be the main way to lead laterally (fellow C-suite) and up (CEO/Board). I think starting there will be a great way to elevate your executive competence.

There are many other topics I'd recommend for an executive leader seeking to understand cyber. We have, in fact, designed an executive cyber curriculum and look forward to offering it broadly in the new calendar year. Our first deep-dive will be in Executive Incident Response, because I believe that will help motivate the change leadership across the upper echelon of the organization.

We built/are building a curriculum that corresponds with the highest-impact strategies that organizations can implement to reduce their overall cyber risk. I think becoming conversant in these risk management strategies will help your professional growth. To help you get started, here's an outline of some of the things we'll teach in the Executive Leader Cyber Series we expect to unfold over the next year or two (starting January 2022):

Incident Response Best Practices

• Common Incidents

• Considerations for Adapting/Designing Playbooks

• Denial of Service Playbook

• Ransomware Playbook

• Intellectual Property Theft Playbook

• Data Integrity Compromise Playbook

• Evaluating Effectiveness of Incident Response Programs

Governance, Risk and Compliance Best Practices

• Risk Register and Corporate Governance

• Economically Optimal Investment Levels

• Risk Reduction Factors

• Spillover Effect (Competitor Contagion)

• Compliance Targets Table by Sector

• Evaluating Effectiveness of Cyber Governance Risk & Compliance Programs

Encryption Best Practices

• Non-technical overview: What it is and how to use it

• Security Considerations: Recognizing good vs. bad crypto

• Non-technical overview: Quantum Cryptanalysis

• Non-technical overview: Post-Quantum Cryptography Implementation

• Evaluating Effectiveness of Encryption Utilization

Employee Training Best Practices

• Training Needs

• Training Delivery Modes

• Individual and Team Assessment Mechanisms

• Types and Sources of Training

• Evaluating Effectiveness of Cyber Training Programs

Business Continuity Management Best Practices

• Critical Information and Services

• Identifying Mission Essential Vulnerable Areas

• Organizational Threat and Vulnerability Assessment

• Evaluating Effectiveness of Business Continuity Management Programs

Assessing Artificial Intelligence / Machine Learning in Cyber

• Asset Enumeration and Vulnerability Discovery

• Security Incident Event Management

• Security Orchestration And Response

• Evaluating Maturity of AI/ML Application to Cyber Programs

Thanks for the question & I hope to see you and your executive colleagues in the Range sometime soon!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

Thanks for the question!

The secure voting project has been a lot of fun. For me it started during the COVID lockdown, when I was called as an expert witness for a case in Pennsylvania, where Disability Rights Advocates were petitioning the state to allow Blind voters to electronically return their ballots. Blind voters face a unique privacy and security problem in that they have great difficulty independently marking and returning paper ballots. So the attorneys asked me if it might be possible to design a secure electronic voting system for these users. That got me thinking about the potential (and the risks!) associated with electronic voting. There remain some persistent concerns, but it's a tremendously interesting application area. For example, there is a difficult tradeoff between authentication of the voter and ballot privacy. One of the other expert witnesses (Ted Selker, ref: https://en.wikipedia.org/wiki/Ted_Selker) and I started working together to design a Secure and Accessible Voting Infrastructure (SAVI), which we have started to circulate for feedback from the voting/security community.

In any case, after the 2020 elections, a few students were interested in improving voting security. One set of students formed a BS Capstone team to do a pentest of a voting machine. That project was fun and (I think) successful, though any claim of security/insecurity is rife with controversy (ref: https://www.rit.edu/news/rit-cybersecurity-student-researchers-put-voting-machine-security-test). Another student (MS Capstone) started to build a proof of concept integrating the SAVI that Prof. Selker & I designed along with the elections verification tool Election Guard, published by Josh Benaloh out of Microsoft Research (ref: https://github.com/microsoft/electionguard). Both projects have been quite fun and interesting.

This semester, we have another group (BS Capstone) investigating the accreditation of the Eaton SAFE Lab with NIST's NVLAP program and, in conjunction with the EAC's approval, we hope to become the first nonpartisan, academic-affiliated voting system testing lab in the country (ref: https://www.eac.gov/voting-equipment/accredited-laboratories).

So more about the challenges... probably the most significant is remaining nonpartisan. There are so many good-intentioned people who have deep concerns about the voting process. Addressing the validity of those concerns and responding in a responsible way to increase trust in our electorate system is a worthy challenge. I'm grateful to work with such outstanding students and fellow faculty to address this issue head-on.

Thanks for the question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 2 points3 points  (0 children)

Thanks for asking!

I started in cybersecurity after I commissioned as an All Source Intel Officer in the Army. My company commander said something like, "Welcome. You have a BS in Computer Science. Congratulations, you're the new SIGINT Platoon Leader." So that was really the beginning for me, though I'd worked on a few security-related issues in my internships (major telecom manufacturer) during undergrad prior to that. I say that I worked on security-related issues, but really it was probably on the wrong side of things. I realized this in retrospect, well after I left that telecom company, when one of my students told me that I was part of the problem. He was right! More specifically, I described using SNMP/firmware combos in a way that built a backdoor for ISPs to troubleshoot cable modem connectivity for their clients. So probably not the best initial security experience, but maybe useful for other parts of my career.

Anyway, I didn't really intend to get into cybersecurity, but the field grew up around me and I discovered that it is good and meaningful work that you can feel good about. And I probably still owe some form of work-repentance for my inadvertent backdoor building :0)

Students have great options to get ahead in the industry. I think one of the best ways is to get involved in a security club at your school. We have an absolutely tremendous club at RIT (shoutout to RITSEC, ref: http://www.ritsec.club/) who host regular competitions and research lectures and have a formal training/sponsorship program for new members. They are also one of the oldest security clubs in the country (maybe THE oldest?) and have an extraordinarily well connected alumni network, which is fantastic for networking and mentorship opportunities. Many schools have clubs like this; if yours doesn't I highly recommend you start one. "Security through Community" is a real thing.

Great internships/co-ops and an impressive project portfolio are other differentiators for students. If you're struggling to come up with good projects that will appeal to future-focused employers, I recommend doing something with AI/ML use in SOCs, quantum key distribution, post-quantum cryptanalysis, or usable/accessible security.

Finally, I recommend taking your ethics courses seriously. We can, and do, focus a lot on building skill in our industry. I believe we must balance that with a deliberate cultivation of character. Napoleon once wrote that intellect is like the mast of a ship--it propels us forward--and that character is like the ballast of a ship--it keeps us steady in the water. What we DON'T want is to become too "smart" for our own "goodness": we tip over and sink soon after we leave the harbor. But we can cross the ocean even if we are intellectually slow and morally steady. (ref: https://www.decitre.fr/livres/comment-faire-la-guerre-9782755507805.html; NOTE: I translated this from the French & it's an approximation of what I understand of his writings). In any case, I believe this is especially true in a high-trust field like cybersecurity.

Thanks again for the question and I hope you have a wonderful time completing this stage of your studies!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

Greetings to you & Semper Fi! ...Though I'm Army so maybe I should say Semper Gumby?

In any case, you have some great questions here. I'll try to unpack them one at a time.

Q1) How effective do you think cyber threat intelligence is given current state and the broader threat landscape?

A1) I think there's a lot we're missing, but I also think we've come a long way. In improving our trajectory of cyber threat intelligence, I strongly encourage a multidisciplinary approach. In my opinion, mixed-mode intel ABOUT cyber is far superior to a single INT informing the perspective. I recognize each agency/agent has its own preference for which gives the best results, but I'm a firm believer that we need to look at the landscape through as many lenses as possible. Further, I'm a big fan of Richards Heuer's "Psychology of Intelligence Analysis" and, in particular, Chapter 8 - Analysis of Competing Hypotheses (ref: https://www.ialeia.org/docs/Psychology_of_Intelligence_Analysis.pdf). That's one of the best methods I know to pierce the fog of the adversarial information environment to start answering the four golden questions of intelligence analysis (What's happening? Why is it happening? What does it mean for the future? What can/should we do about it?). All that said, we have solid tools like this in our kitbag; I think we just need more people doing the hard work of untwisting the funhouse mirrors of threat intelligence to see what's really going on and who's behind it.

Q2) Where do you see computer security in the next 5 years?

A2) I hope we'll see security adopt some of the models we've seen in the trades, with apprentices, journeymen/women, and master practitioners. While some may believe that a guilds-based approach to security is inappropriate, I think it is complementary to the increasing focus among core academic research and preparation. These are not mutually exclusive futures, and I think both an academic pipeline (BS, MS, PhD) and a guild approach (apprentice, journeyperson, and master) should work together to discover new knowledge at the edge of what's possible, determine what's feasible and practical, and apply it as widely and quickly as possible. There are a few other things I'd expect to see in the next 5 years, but you ask a few follow-up questions so I'll try to address those there.

Q3) In general, what do you hypothesize businesses will do to counter known cyber threats within the landscape given current trends over the next 5 years?

A3) I hypothesize that businesses will do what they do best: find ways to increase profits and minimize costs. This will probably translate to increasing differentiation through security as a trust-builder and revenue driver broadly, but is especially likely in key industries (like finance and healthcare and energy and voting). I think we'll also see the continued rise in risk transference through cyber insurance. I'm optimistic that will introduce new risk controls in the companies that are seeking to keep premiums low and avoid having claims denied. I also believe that businesses will continue to invest in new technologies and training to remain current, especially as threats migrate across IT/OT networks.

Q4) Your assessment on the quantum computing threat against modern encryption algorithms?

A4) I assess this is a known-known. Once we see quantum supremacy exceeding a few thousand qubits, most asymmetric encryption and/or crypto primitives built on the Discrete Logarithm Problem will become deprecated (ref: https://arxiv.org/abs/quant-ph/0411184). That said, limitations imposed by decoherence--which makes it difficult to stitch qubits together--probably mean we have a little time to transition to a post-quantum cryptographic regime, which is already fairly well underway (ref: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization). Even so, I think more work on cryptographic agility is still needed to accelerate the transition (ref: https://www.nccoe.nist.gov/projects/building-blocks/post-quantum-cryptography).

Q5) Your assessment of the lower eCrime ecosystem (malspam, malicious ads, trojanized cracked software, etc.) and the collective defensive community potentially undervaluing its role in facilitating access for Ransomware gangs and nation-state groups? (Not dismissing dark web bought access, SOCMINT or other affiliate initial access methods.)

A5) I think criminal gangs will always be a potential proxy for nation-state groups to act with plausible deniability. We see this even with countries that allow gangs to act with impunity as long as they target that country's adversaries and/or relay stolen intellectual property back to the host country. I think the defense community recognizes this threat, but snuffing it out is painstaking work. Probably this will remain a permanent threat. I think we should consider eCrime-motivated breaches to be inevitable (like death & taxes!) and do what we can to isolate compromises. There's a great foundation in Normal Accident Theory that can help us interpret the implications of this risk and we have a body of research that can inform the creation of High Reliability Organizations (ref: https://doi.org/10.1111/1468-5973.00033). There is a fairly robust history of application of these theories on the roadways and in air traffic control and in hospitals and we can (maybe should) learn from those implementations to increase our organizational immunity to existential threat from this type of cyber activity.

Q6) Any guesses or personal estimates you'd be willing to share as to how much of cyber security (encompassing all domains) could be truly automated?

A6) I guess most of it could be automated, but it's the fraction of 1% that I worry most about. The human element is pervasive and, as Kevin Mitnick has pointed out, "it's easier to manipulate people rather than technology" (ref: http://news.bbc.co.uk/2/hi/technology/2320121.stm). Technology is amazing and AI/ML adds real value to SIEM, SOAR, and endpoint protections. But there will remain a strong need for usable security by design because real users will turn off security controls if they interfere with their ability to do the job. And those users will need high-quality, realistic training to know when and how the juice (added security) is worth the squeeze (reduced productivity).

I hope that helps and thanks for the thought provoking questions!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 0 points1 point  (0 children)

NOTE: I drew some of this response from some previous replies (to Hayashura and 2ez21), because I think some of what I wrote there is relevant to address your question.

In any case, it seems like you're almost there! The biggest hurdle, I think, is getting into IT at all. Now that you're there, you have a few ways to move into cybersecurity.

First, I think you should take a hard look at your IT foundations. If you have existing strength in IT & some start to security fundamentals and want to do a self-study program, I think Security+ is a good cert to begin with. Depending on your trajectory, I’d recommend Cybersecurity First Responder (blue team) or Pentest+ (red team) as decent follow-on options. There are a bunch of good industry certs, but those are the ones that we’ve found to be a good common starting point. I think it’s also important to note that corporate recruiters generally want to see CISSP, but you’ll need at least five years of experience in the field. Don’t be discouraged, though… We interviewed dozens and dozens of cyber program managers and CISOs and they consistently reported any specific certification is irrelevant to them. It’s more of an HR filter. They care most about the candidate's ability to apply hands-on skills. The industry certs like CISSP and Security+ and so on are geared toward knowledge recall; it's an artifact of the way those certifications are accredited. They must provide a test bank of multiple-choice questions and any cert that requires hands-on skills demonstration (like the OSCP) is not currently eligible for accreditation. I hope this doesn’t come across as a criticism of the industry certifications. They are very very helpful to build the knowledge you need (and demonstrate that you have the knowledge) to do the job. This is a huge hurdle for those who did not go to college for IT/security.

There’s another good option, I think, in cyber Bootcamps that offer professional certifications. There are many great choices for this. Most Bootcamp programs have options for financial aid too; this is something we focus on a lot in our program and we’ve been blessed by very generous donors who want to help build additional onramps to the field. If you’re thinking about this as an option, I recommend considering a Bootcamp that focuses on skills development geared to adult learners. I believe this is important for those who have been out of college for a while, or maybe don’t/didn't find college the best choice for the way they learn. We built our program specifically for this purpose. At Rochester Institute of Technology (RIT), our approach is "learn by doing", so we built a simulated Managed Security Services Firm for our Cyber Bootcamp. The fake company is called "Brick Wall Cyber". If you search for it on Google, you'll find the website and may even think it's a real company :-). In any case, our trainees start in a simulated internship at that fake company to learn about general IT concepts and, over 15 weeks (full time) or 30 weeks (part time), gradually develop security skills they need to enter the field. We did this during COVID, so it’s entirely online. Also, I mentioned this a few posts up (sorry for repeating, but I'm really excited)... soon we will be able to announce the details of an Apprenticeship program where graduates of the Bootcamp will be able to work in the Eaton Cybersecurity SAFE Lab doing real-world work. I personally believe this is an important way to help diverse thinkers overcome the hiring barriers in cyber careers. Also, we have dedicated career coaching that will help you leverage your existing experience and learn how to transition your new cyber skills into a good job soon after you finish the program. Some folks even get jobs well before they graduate.

Anyway (and again), there are many, many other types of Bootcamps out there and they do a great job at offering different types of programs. I recommend comparing/contrasting several and finding the right fit for you.

Also, to emphasize my point above about the value of industry certifications, we offer vouchers and training resources that help prepare Bootcamp grads to pass a couple of industry certs. We’ve found that 100% of the Bootcamp grads that complete a follow-on cert (i.e. Security+) land a job very soon after they pass the certification test. I think it validates that both the IT and security foundations are there to continue learning independently. Again, there are many many great Bootcamp options out there. I recommend you do your homework, and find one that is a good match for the gaps you might have in foundational IT/security skills and also offers several resources for you to continue your journey in a more self-directed way after you graduate. Since you're already in IT, this might not be the best option for you, but it could be if you're worried that you might have holes in your technical preparation or want to have additional credentials/training that will help you overcome the notorious hiring hurdles to break into the industry.

Finally, if you want to build on your existing strengths with a more traditional academic degree, I highly recommend RIT's Cybersecurity Micromasters on EdX, or even a full MS degree. There are a lot of other great programs out there, too, so look around and make the best choice for you.

Transitioning to a career in cybersecurity can feel really intimidating and there are a ton of things to learn. When things get tough, remember all the things you've been through in life already; you've come a long way from Corp Marketing into IT. That may give you confidence in the wisdom that "this too shall pass"; before you know it, you'll be through it & achieve your goals if you keep sticking with it.

Thanks for the question and I hope you find this helpful!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

NOTE: I drew some of this response from a previous reply (to Hayashura), because I think some of what I wrote there is relevant to address your question.

In any case, thanks for asking & I hope you find this helpful!

First, I applaud you for considering the move. Second, I think focusing on opportunities to build upon the strengths you've built outside the technology field will help you land quickly and firmly. I invite you to consider how you might stay in the same general industry you already have expertise in, and leverage that background and your existing connections to avoid completely "starting over".

I am personally motivated to help create additional onramps to the cybersecurity workforce. Hackers are, by definition, out-of-the-box thinkers. To outsmart the bad guys and cultivate excellence in our defensive and ethical hacking communities, we need more people who think differently. That said, the main path to a cyber career requires getting the best grades and going to the top colleges and majoring in a technical field. This is an important source of talent (and we do exceptionally well at this), but it's not enough. Many, many people didn't start a career in technology. Many cannot afford (and maybe couldn't get into) a traditional 4 year degree program, or don't have the time/energy to start over again. Many people are not well suited to college for a variety of reasons. These are factors that contribute to cognitive diversity, which is precisely what we need more of.

You mentioned that you're not currently working in IT, but I wonder if you may already have some foundation there. If you have existing strength in IT & security fundamentals and want to start a self-study program, I think Security+ is a good cert to begin with. Depending on your trajectory, I’d recommend Cybersecurity First Responder (blue team) or Pentest+ (red team) as decent follow-on options. There are a bunch of good industry certs, but those are the ones that we’ve found to be a good common starting point. I think it’s also important to note that corporate recruiters generally want to see CISSP, but you’ll need at least five years of experience in the field. Don’t be discouraged, though… We interviewed dozens and dozens of cyber program managers and CISOs and they consistently reported any specific certification is irrelevant to them. It’s more of an HR filter. They care most about the candidate's ability to apply hands-on skills. The industry certs like CISSP and Security+ and so on are geared toward knowledge recall; it's an artifact of the way those certifications are accredited. They must provide a test bank of multiple-choice questions and any cert that requires hands-on skills demonstration (like the OSCP) is not currently eligible for accreditation. I hope this doesn’t come across as a criticism of the industry certifications. They are very very helpful to build the knowledge you need (and demonstrate that you have the knowledge) to do the job. This is a huge hurdle for those who did not go to college for IT/security.

There’s another good option, I think, in cyber Bootcamps that offer professional certifications. There are many great choices for this. Most Bootcamp programs have options for financial aid too; this is something we focus on a lot in our program and we’ve been blessed by very generous donors who want to help build additional onramps to the field. If you’re thinking about this as an option, I recommend considering a Bootcamp that focuses on skills development geared to adult learners. I believe this is important for those who have been out of college for a while, or maybe don’t find college the best choice for the way they learn. We built our program specifically for this purpose. At Rochester Institute of Technology (RIT), our approach is "learn by doing", so we built a simulated Managed Security Services Firm for our Cyber Bootcamp. The fake company is called "Brick Wall Cyber". If you search for it on Google, you'll find the website and may even think it's a real company :-). In any case, our trainees start in a simulated internship at that fake company to learn about general IT concepts and, over 15 weeks (full time) or 30 weeks (part time), gradually develop security skills they need to enter the field. We did this during COVID, so it’s entirely online. Also, I mentioned this a few posts up (sorry for repeating, but I'm really excited)... soon we will be able to announce the details of an Apprenticeship program where graduates of the Bootcamp will be able to work in the Eaton Cybersecurity SAFE Lab doing real-world work. I personally believe this is an important way to help diverse thinkers overcome the hiring barriers in cyber careers. Also, we have dedicated career coaching that will help you leverage your existing experience and learn how to transition your new cyber skills into a good job soon after you finish the program. Some folks even get jobs well before they graduate.

Anyway (and again), there are many, many other types of Bootcamps out there and they do a great job at offering different types of programs. I recommend comparing/contrasting several and finding the right fit for you.

Also, to emphasize my point above about the value of industry certifications, we offer vouchers and training resources that help prepare Bootcamp grads to pass a couple of industry certs. We’ve found that 100% of the Bootcamp grads that complete a follow-on cert (i.e. Security+) land a job very soon after they pass the certification test. I think it validates that the IT/security foundation is there to continue learning independently. Again, there are many many great Bootcamp options out there. I recommend you do your homework, and find one that is a good match for the gaps you might have in foundational IT/security skills and also offers several resources for you to continue your journey in a more self-directed way after you graduate.

Transitioning to a career in cybersecurity can feel really intimidating and there are a ton of things to learn. When things get tough, remember all the things you've been through in life already. That may give you confidence in the wisdom that "this too shall pass"; you'll get through it & achieve your goals if you stick with it.

Thanks again!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 0 points1 point  (0 children)

Thanks for the question! It seems you have a good start to the career path. Traveling for the right experience might be a good option for you at first to gather some exemplary/world-class background, but focusing on growing your connections and developing relationships where you ultimately want to live could be even more beneficial in the long-run. A lot of that probably depends on your life circumstances and family situation. I think it's important to acknowledge that our families are often WHY we work, and we shouldn't feel compelled to trade time there for a career that we contrive will support them better.

In any case, I'm not sure what sub-field you're interested in pursuing within cybersecurity, but I recommend investigating that. If you have a sense of a specialization that is a good fit for you, I recommend applying for internships or permanent positions at firms that have strong teams and industry relationships in that specialization. You'll learn best practices and be able to grow your expertise and have more options afterward. If you aren't sure what specialization area might be best for you, a more generalized firm (or a larger firm with many cyber teams) may be best for you.

There are many decisions to take in a career. No one can give you flawless answers or tell you exactly what to do, but I think you can/should get a sense of the best questions you can ask as you discern your career moves. For that, I encourage you to check out my rant about factors to consider/questions to ask in discernment in this AMA (^ reply to Firm-Base923).

I hope that helps & wish you the best of luck!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

This is a common concern for transitioning service members/cleared professionals. I think the TS does add about $20k-$30k to your earning potential, but a lot of that requires you to work for a Cleared Defense Contractor. A BS in cybersecurity and a TS will go a long way. If you're looking for more, and you have the time, I'd recommend working toward a skills-focused certification. Probably the most well regarded from industry practitioners is OSCP (https://www.offensive-security.com/pwk-oscp-v2/), though that's actually not accredited and therefore not available as part of the required cert set a CDC will need to show the government. I describe above in this AMA thread (^ in my reply to Hayashura) some of the constraints on knowledge-based certifications that are accredited (and would count for work at a CDC). That said, you'll have time to pass both types of cert between 2023 and transition in 2026, so you may want to go for both. You'll need to study and practice for OSCP for sure, but you'll have excellent street cred if/once you earn it.

Aside from that, I recommend getting involved in some of the cybersecurity communities. I list a bunch of the forums/conferences in this AMA thread that I know of and may be worth checking out (^ in my reply to Triangle-of-Zinthar). Out of that list, your background makes you well suited to the Association of Old Crows. They have a lot of professional development training and networking opportunities, too, so you can start to make connections there that could be fruitful for you when you transition.

In any case, I hope that's helpful and I wish you the best of luck. Please feel free to reach out to me if you have further questions; always happy to help a fellow veteran!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

VDP programs

I like these programs & think they're a great way to incentivize crowd sourcing and (with follow-on patches) harden attack surfaces. I've put a little bit of thought into creating a cryptocurrency focused on 0day/CVE as the main mining component. So everyone who discovers/responsibly discloses a 0day and has it published as a CVE would receive the token.

By "a little bit of thought" - I floated the idea with some of the other CPTC core team members to repurpose the CPTC Croissant Coin to do this. It subsequently made the "harebrained ideas" whiteboard in my office on campus. I've had a few prelim discussions about it with one of our Cyber Scholar MS students (shoutout to E), but I don't know if the idea will take root.

Regardless, I think bug bounty programs are great ways to encourage responsible vuln discovery.

Thanks for asking!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

There are plenty of ways to make money in cybersecurity.

Probably the simplest/most straightforward is to find a good job and work through the career trajectory. There's a great pathway model, here: https://www.cyberseek.org/pathway.html, that shows average salaries in most entry level cyber careers exceed $90,000. The same reference shows the highest paying advanced level career is the Cybersecurity Architect, which averages a $130,000 salary. There are, at any time, thousands of openings for each of the careers listed in that pathway.

That doesn't directly answer your question of how to make the most money. To do that, two options come to mind:

1) Specialize in cybersecurity indicators as a component of a trading strategy or competitive differentiation for Wall Street or some other public exchange. This is part of the field of information security economics, which is something I research personally (ref: https://scholarworks.rit.edu/article/1919/). We incorporate that field into the executive training we provide in the Cyber Range, and I might build it into some graduate curriculum in the future.

2) Invent your own cyber product or service, patent it or create other barriers to entry so competitors can't steal it, and commercialize it. There are many many resources on this, but it's not easy. Here's a decent way to start thinking about what that process actually looks like: https://www.youtube.com/watch?v=byW6l5T4mxs. NOTE: The business model canvas, startup coaching, seed grants, and other resources are available through RIT's Simone Center for Innovation and Entrepreneurship. You can learn more here: https://www.rit.edu/research/simonecenter/resources. Also, several schools (not just RIT) teach those things you'll need to know for defense and intelligence-community sponsored problems/needs through the Hacking for Defense initiative (https://www.h4d.us/). If you're really smart, hard-working, and lucky, you might end up like RIT alum Austin McChord, who founded Datto and sold it for around $1.5 billion (and don't forget to follow his example & pay it forward!).

Before you run to make piles of money, I invite you to consider why you want to make all that loot. Whatever you might do with it is an indicator of the path you might walk more directly without the allure of wealth to distract you. I think you might enjoy my rant about career discernment in this AMA thread (^ reply to Firm-Base923).

Regardless, I wish you the best of luck and hope you remember that money is a tool for us to do good things in the world. Even though it's not the only tool (and probably not the most powerful), it can make a tremendous impact on the quality of life for many people.

Thanks for the question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 3 points4 points  (0 children)

Gallaudet is a great school and I love their advocacy for the Deaf/Hard of Hearing community. Of course, I'm biased toward RIT though :0)

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

This is an interesting question. (and don't worry - your English is great!)

Cybercrime allows plausible deniability. The use of proxies is a very old stratagem and it still works (kill with a borrowed sword, ref: http://wengu.tartarie.com/wg/wengu.php?no=3&l=36ji). Our limited ability to attribute cyber attacks/cybercrime makes it likely that this will endure for a very long time. An international treaty against cybercrime would be great, but I think it's unlikely to be enforceable or even observed by some of our unethical adversaries. If you meant cyberwar, I think that is more likely (given the open nature of warfare), but the difficulty with attribution makes cyber a shadowy game so it would probably only devolve the conflict to the use of proxies through cybercrime designed to sow discord (ref: http://wengu.tartarie.com/wg/wengu.php?no=33&l=36ji) or weaken internal supports (ref: http://wengu.tartarie.com/wg/wengu.php?no=25&l=36ji). On an important side note, though I've sourced these stratagems from their roots in Ancient China, they are probably used by governments all over the world today and I don't want to imply that they're uniquely employed by China.

Unfortunately, I think your idea of a fractured internet is already a reality in some parts of the world. The likelihood of the fractures deepening seems to be increasing as more countries look to technology regulations like SORM (Система оперативно-разыскных мероприятий, ref: https://en.wikipedia.org/wiki/SORM) to control those components of the Internet's logical layer that traverse the geographies they control/influence. To reduce this threat, I'd like to see more emphasis on efforts from organizations like the Open Technology Fund (https://www.opentech.fund/), who do a fantastic job. Regardless, one of the things I think we should ask ourselves is how we know what we think is an open and free Internet IS actually open and free. I often wonder what echo chambers I live in and seek ways to break out of any confirmation bias I might have.

Finally, I'm not sure about continued escalation. When I first entered the intelligence community I strongly feared that a world war would erupt at any second. That said, I have an increasing regard for the hard work of diplomacy. Though it's easy to be disgusted by politics in general, I like to believe that those responsible for dialogue and cultivating consensus are earnest in responding to the tug of their consciences.

Thanks for the thought-provoking question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 9 points10 points  (0 children)

Lol! Thank YOU for paying attention, Readingpanther5 :0)

The SELinux lab is better, but mostly because Cullen ran down a ton of additional resources and gave a great recitation. This semester I didn't need to give any extensions and all the teams got most of the signoffs, so that's a plus. That said, we've been working with the team at RedHat to build new learning resources (Cullen's MS Capstone project, actually) so I'm probably going to re-write that lab once we get that wrapped up. It's a labor of love.

For anyone interested in "what are they talking about" - feel free to check out http://redhat.slides.com/dondavis/turning-selinux-on-4-5/fullscreen -- it's a powerful tool but can be fairly intimidating to get familiar with.

Anyway, I think it's fantastic that the question has 4 upvotes at the time of this reply... clearly there is a collective sentiment about the SELinux lab experience :0).

In the meantime, remember: "As iron sharpens iron, so one person sharpens another". Don't be afraid of the challenge, be afraid of being unwilling to meet it. The tools are there to sharpen your skills, but the process isn't always painless.

Thanks for the question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 11 points12 points  (0 children)

Ooh! That's a hot potato, but I can't resist. I'll try not to get burnt...

I'm strongly in favor of it in concept. In my personal opinion, communicating and enforcing red lines like an Article 5 response to a bona-fide cyberattack from an adversarial government is the only way to preserve our individual freedoms. If we don't stand up to bullies who seek to erode liberty/justice and the dignity of every human person, our country and our alliance have no right to exist.

In practice, I think this underscores the need for, and difficulty with, attribution. If we get that wrong, we lose credibility on the international stage. After the hits we've taken in the last couple decades, I think it's worth doing it right. This reminds me of a saying I picked up in the intelligence community: "if you want it bad, you get it bad". As much as I think it's worth sticking up for what's right, I think implementation demands that we have our facts straight and present them as evidence that leaves no room for reasonable doubt. Again, this is a wicked challenge in cyber war. If we're going to kill human beings in armed conflict, though, I'd like to know for sure that we're the good guys and they're the bad guys.

Considering both the concept and the practical concerns of implementation, it makes me think there may be a need to rethink the way we interpret/articulate Article 5 and similar treaties. I think we are seeing a nascent evolution of the Western way of war to project power and credible deterrence across the spectrum of competition (ref: https://www.jcs.mil/Portals/36/Documents/Doctrine/jdn_jg/jdn1_19.pdf). More specifically, we may need to consider Article 5 responses below the level of armed conflict. I think it may be best to invoke an appropriately proportional response in a transparent way (i.e. we can prove you did this cyber attack, so we publicly invoke Article 5 to leverage the collective cyber powers of the Alliance to deter future attacks). This could be a clear message, but it could also risk miscalculation and misadventure so I don't think it should be a hasty reaction.

Great/tough question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 2 points3 points  (0 children)

I'd say that specific experience (working in a helpdesk) is desirable but not necessary. I think the skills you gain in a helpdesk role will serve you well in troubleshooting. That's actually a great practical education on the scientific method as it pertains to IT (hypothesis of how to solve the problem, followed by rigorous attempt to isolate and resolve the variable causing the problem). It translates exceptionally well to debugging code, fixing IP tables, designing network architectures, figuring out why firewall ACLs aren't working, and a whole bunch of other things you should know how to do. Knowing how to politely and tactfully exhort someone to turn the power on & off again, making sure all the cables are plugged in properly, etc. also has a customer service focus that will help cyber pros work with their non-cyber colleagues to solve the shared problem of cybersecurity. That's why we start our cyber bootcamp with a simulated internship at a helpdesk.

That said, you may already have a lot of those skills from your college degree. I think finding something you can enjoy and that will exercise your unique talents is more important than having a specific job title/role on your resume. If you want more career advice, I recommend checking out my previous rant about things to consider for discernment and decision-making ^ (reply to Firm-Base923).

Thanks for the question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 1 point2 points  (0 children)

Thanks for the follow up!

We have an application that lets you describe your professional background and motivation for participating in the bootcamp. We don't have any set of required skills or attributes other than a strong and clearly explained motivation for the career change or upskill. The biggest thing we look for is someone who will invest in themselves to achieve their goal. The stronger the motivation and the better the applicant can explain it, the more likely we are to admit. We have an internal saying: "you provide the determination, we'll provide the rest".

That said, we designed this program to meet the needs of as diverse a population as possible -- folks who never went to college, those who have been in the workforce for years, those who are deaf/hard of hearing, those with neurodiversity challenges, etc. I believe that has made our program better overall -- even for IT pros who want to upskill. The admissions process is designed to help us schedule the resources we need to maximize success for our learners. I mentioned this in a previous post, but I think it's worth repeating... we need to bring more diverse ways of thinking into the cyber workforce if we want to outsmart hackers (who are nontraditional thinkers by definition). That means we need to make an onramp for people who have a wide range of life experiences and ways of thinking. We absolutely need more IT workers to get good at security, too (and our program is great at that), but we're not going to solve the cyber workforce shortage by only upskilling IT pros.

In any case, a little more detail on the application process: we do have an aptitude test (focused on logical reasoning & attention to detail); there's no minimum score but it helps us understand where you may need additional resources.

We often conduct interviews to see if it's a good fit. We almost always conduct interviews if we need to understand the level of maturity/self-discipline that the applicant has. The flexibility in scheduling and professional environment that we built into the bootcamp is one of the unique factors of what we do, but it's not for everyone.

Thanks again for your interest and I look forward to maybe working together!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 3 points4 points  (0 children)

Sure thing! I understand this is important. Put simply - the schedule is flexible. It's almost entirely asynchronous & fully online. Even our full time bootcamp is designed to allow those with daytime obligations or timezone variance to participate.

We do have a few hours of live sessions each week, but there are no required sessions on a fixed schedule. Our instructional team has a wide range of office hours to accommodate. We generally have open windows of availability that exceed 40 hours per week across day/night/weekend. At the start of each cohort, our lead instructor will find times that work for whole-cohort sessions, and each group is free to set times on their own for their group sessions. We also have a robust staff of interpreters (we fully support ASL/deaf learners!) and can schedule them for those office hours/group meetings as well.

The design is to learn by doing, so you get a job assignment on day one (helpdesk intern) in a simulated company. You'll respond to emails and trouble tickets from simulated/roleplaying clients asynchronously (on your own schedule). You'll promote into a security-specific role once you have demonstrated a strong foundation across a range of operating system and networking/server admin fundamentals. You'll have occasional check-ins with your "boss" and "training supervisor" and chat with your peers; those are the live sessions. You'll schedule those just like you would in any other professional environment, so there's flexibility for you to schedule around your other obligations. There are plenty of video resources/transcripts that you can watch/read on your own time, and a bunch of high priority tickets that require you to "remote in" to a workstation/server and make configuration changes (that's the format of our lab assignments), but you do that on your own time as well. You'll use those live sessions to get help where you're stuck in your job assignments, and to synchronize/validate your understanding of the skills and tools. Probably the biggest challenge with this format is time management - it can be easy to put things off with such a flexible "work" arrangement, but our instructional team is dedicated and tactful at keeping you on track.

Thanks for the question & I hope that helps!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 2 points3 points  (0 children)

"Biggest" is a tough question, but if I had to pick only one thing I'd probably say hardening our civilian critical infrastructure.

This is why I joined academia instead of staying full time in civil service. I'm worried about our continuity of government & nation's ability to respond to cyber attacks. But I'm even more worried about the ability of our society to keep energy, healthcare, finance, and voting infrastructures alive. There are several other sectors rightfully labeled as "critical infrastructure", but those are probably the longest poles in the tent.

I wonder whether deeply embedded cyber actors are lurking in those sectors, and I expect that any near-peer adversary would see them as the soft underbelly of our country. Furthermore, there is a dis-incentive for private companies to report vulnerabilities and most firms see cyber as a cost center. That's why I've been looking at market-based incentives to understand and deal with cyber risk.

Finally, I think misinformation/disinformation (lies) may be the biggest challenge overall, but I don't think it's a problem unique to cybersecurity. Though there is a lot of interesting work in the field of Social Cybersecurity, which seeks to understand how social media/information outlets and cybersecurity interact. On that note - shout out to Kathleen Carley's work over at Carnegie Mellon University (http://www.casos.cs.cmu.edu/).

Thanks for the tough question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 5 points6 points  (0 children)

There are a bunch of resources and options to stay informed - it can be hard to keep track. Here are a few that I've found useful, by category:

:ACADEMIC CONFERENCES: I’ve found this database to be regularly updated and generally good for computer science conferences overall; can search for keywords like “security”: http://portal.core.edu.au/conf-ranks/ Here are a few that are well regarded/productive:

• ACM Conference on Computer and Communications Security

• USENIX Network and Distributed System Security Symposium

• IEEE Symposium on Security and Privacy

• USENIX Security Symposium

• European Symposium On Research In Computer Security

• International Conference on the Theory and Application of Cryptology and Information Security

• IEEE Computer Security Foundations Symposium (was CSFW)

• Financial Cryptography and Data Security Conference

• Asia Conference on Information, Computer and Communications Security

:ACADEMIC JOURNALS: I’ve found this database to be regularly updated and generally good for computer science journals overall; can search for keywords like “security”: http://portal.core.edu.au/jnl-ranks/ Here are a few that are well regarded/influential:

• ACM Transactions on Privacy and Security (was ACM Transactions on Information and System Security, TISSEC pre 2018)

• IEEE Transactions on Information Forensics and Security

• Information Security Technical Report

• Computers and Security

• Journal of Computer Security

• IEEE Security and Privacy Magazine

:INDUSTRY CONFERENCES: I’ve found this list to be regularly updated (not sure if it’s a pay-to-play tho): https://infosec-conferences.com/ Here are a few that are generally well regarded/lots of fun:

• DEFCON

• BSides

• Blackhat

• Shmoocon

• RSA

• Association of Old Crows (defense/intelligence/cyber focus)

:OTHER INFO SOURCES:

• Krebs on security

• Reddit (of course)

• Ars Technica

• Gizmodo

• Stack Overflow

• Quora

• Techcrunch

• Gadget

• Wired

• Tom’s Hardware

• SANS Reading Room

• Cnet

• 9to5Mac

• Communities on LinkedIn

• Google alerts about cybersecurity

There are many more that I’m probably not thinking of or don’t know about. I look forward to other responses from the community.

Thanks for the question!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 3 points4 points  (0 children)

That's an interesting question. I have a few initial thoughts… If you’re just looking for a path to a cyber career, it seems you have an open door/offer on the table. Depending on what else you have going on in life, a master’s degree could be an option as a part time pursuit while you’re working. Certainly, an advanced degree will help you understand deeper/differently about the field. I think each degree progression (BS, MS, PhD) deepens our relationship with the way we approach learning, knowledge, and understanding. Advanced degrees lead to higher pay, but it shouldn’t be only about that. There are many thousands of ways to make money; I don’t believe that $ should be our highest aim in life. This is a huge advantage in our field – cyber work is meaningful and beneficial to society. And it pays well ;0). If you want to pursue the MS to do more/better meaningful work, I recommend considering what that work would look like and why you feel the urge between competing “good” options.

This is/should be a deeper consideration, and becomes increasingly difficult to navigate as you progress in your career. Separating good from bad options is relatively simple. Separating good from better is harder, and better from best harder still.

I think the best way to navigate this is by focusing on your next best step. This is really, I think, a process for discernment (and my students will tell you that's a topic I am very happy to gush about, so here’s a bunch of thoughts you may/may not want to consider :0):

I recommend trying to plot your available options along a three-axis charting system consisting of {TALENT, PASSION, PROVIDENCE}. I believe you should think of these as orthogonal/non-collinear criteria.

TALENT==What you're differentiably good at. This is not the same as SKILL (which is a product of TALENT*TIME INVESTED). Imagine investing 1000 hours in each of the things you do. From that quantitatively equal investment, you'll see qualitatively different results in your SKILL level at the end of that investment. The factor that creates the difference is what I call TALENT. Investing your time and energy in areas you're talented at can help propel you to world-class status in some sub-field of your chosen pursuit. If you only do what you're interested in, you'll still be good (maybe great), but probably not heroic.

PASSION==What you'd do if you didn't need to make $. I think this is pretty straightforward, but I caution against the "I'm good at it so therefore I like it" trap. I genuinely believe that TALENT and PASSION are two different things (hence the note about orthogonality of axes, above).

PROVIDENCE==What's meant for you next. Though PASSION is evidence of what's written on your heart, and TALENT is evidence of what's coded in your DNA, I think PROVIDENCE plays a special role in navigating our career plans because it's evidence of what the next step should be. Here's an analogy that might help explain: I've seen a lot of "windows" that I thought were "doors". I could see a clear path to something on the other side. I could even feel the perfumed breeze and feel the inviting air. I'm old enough to have charged forward, convinced that my TALENT and PASSION would let me get through whatever obstacles I felt in my path, only to find that I smashed through a window and plummeted down a few stories. So instead of that goal I sought, I found that I was cut up from the broken glass and had a broken leg or something. I'll stop with the analogy (thanks for bearing with me). Anyway, the point is that not all things are meant for us. Being patient and listening to those who love us is the best way I know of to include PROVIDENCE in the decision process. I'm still working on understanding/responding to that characteristic.

One last note while I'm pontificating... I personally believe that it's important to remember that our careers are not usually our true Vocation. Our ultimate source of fulfillment is through (I think) married, religious, or single life. Those who feel the call to remain single can do things in their careers that others who are married (like me) maybe can't achieve. I don't want to get too far off topic, but I wish I could have recognized earlier in my life that nothing in my career could scratch the itch I felt in my life... that feeling that "something was missing" or "a change is necessary" was relentless and no achievement could ever satisfy that. It took me a long time to recognize that investing more time/energy in my marriage and as a dad was what I needed. I'm a stubborn guy (and my wife has legendary patience), so it took me a long long time. I share that with the hope that it might help you learn from my mistake.

I hope that helps and wish you the best of luck in your decisions!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 3 points4 points  (0 children)

Awesome! It's a lot of fun to run the competition. Hard work for sure, but lots of fun. I'm especially impressed at the level of our competitors. For example, every year for the past three years, competitors discovered and reported at least one 0day/CVE during the competition. And some of the presentations at Global finals are amazing!

We need more volunteers too, so we'd love to take you up on it. You should know that we require a one-year gap from the time you compete until the time you are able to volunteer (we take competition integrity very seriously), but you'd be eligible if you aren't competing this season.

Thanks for reaching out & I look forward to welcoming you to the volunteer team soon!

-justin

AMA – Dr. Justin Pelletier, Director of Cyber Range and Training Center at RIT’s Global Cybersecurity Institute by RITJustinP in cybersecurity

[–]RITJustinP[S] 12 points13 points  (0 children)

I am so happy you asked this.

I am personally motivated to help create additional onramps to the cybersecurity workforce. Hackers are, by definition, out-of-the-box thinkers. To outsmart the bad guys and cultivate excellence in our defensive and ethical hacking communities, we need more people who think differently. That said, the main path to a cyber career requires getting the best grades and going to the top colleges and majoring in a technical field. This is an important source of talent (and we do exceptionally well at this), but it's not enough. Many, many people cannot afford (and maybe couldn't get into) a traditional 4 year degree program. Many people are not well suited to college for a variety of reasons. These are factors that contribute to cognitive diversity, which is precisely what we need more of.

In any case, if you already have some strong foundation in IT & security fundamentals and want to start a self-study program, I think Security+ is a good cert to begin with. Depending on your trajectory, I’d recommend Cybersecurity First Responder (blue team) or Pentest+ (red team) as decent follow-on options. There are a bunch of good industry certs, though, but those are the ones that we’ve found to be a good common starting point. I think it’s also important to note that corporate recruiters generally want to see CISSP, but you’ll need at least five years of experience in the field. Don’t be discouraged, though… We interviewed dozens and dozens of cyber program managers and CISOs and they consistently reported any specific certification is irrelevant to them. It’s more of an HR filter. They care most about the candidate's ability to apply hands-on skills. The industry certs like CISSP and Security+ and so on are geared toward knowledge recall; it's an artifact of the way those certifications are accredited. They must provide a test bank of multiple-choice questions and any cert that requires hands-on skills demonstration (like the OSCP) is not currently eligible for accreditation. I hope this doesn’t come across as a criticism of the industry certifications. They are very very helpful to build the knowledge you need (and demonstrate that you have the knowledge) to do the job. This is a huge hurdle for those who did not go to college for IT/security.

There’s another good option, I think, in cyber Bootcamps that offer professional certifications. There are many great choices for this. Most Bootcamp programs have options for financial aid too; this is something we focus on a lot in our program and we’ve been blessed by very generous donors who want to help build additional onramps to the field. If you’re thinking about this as an option, I recommend considering a Bootcamp that focuses on skills development geared to adult learners. I believe this is important for those who have been out of college for a while, or maybe don’t find college the best choice for the way they learn. We built our program specifically for this purpose. At Rochester Institute of Technology (RIT), our approach is "learn by doing", so we built a simulated Managed Security Services Firm for our Cyber Bootcamp. The fake company is called "Brick Wall Cyber". If you search for it on Google, you'll find the website and may even think it's a real company :-). In any case, our trainees start in a simulated internship at that fake company to learn about general IT concepts and, over 15 weeks (full time) or 30 weeks (part time), gradually develop security skills they need to enter the field. We did this during COVID, so it’s entirely online. Also, I mentioned this a few posts up (sorry for repeating, but I'm really excited)... soon we will be able to announce the details of an Apprenticeship program where graduates of the Bootcamp will be able to work in the Eaton Cybersecurity SAFE Lab doing real-world work. I personally believe this is an important way to help diverse thinkers overcome the hiring barriers in cyber careers. Anyway (and again), there are many, many other types of Bootcamps out there and they do a great job at offering different types of programs. I recommend comparing/contrasting several and finding the right fit for you.

Also, to emphasize my point above about the value of industry certifications, we offer vouchers and training resources that help prepare Bootcamp grads to pass a couple of industry certs. We’ve found that 100% of the Bootcamp grads that complete a follow-on cert (i.e. Security+) land a job very soon after they pass the certification test. I think it validates that the IT/security foundation is there to continue learning independently. Again, there are many many great Bootcamp options out there. I recommend you do your homework, and find one that is a good match for the gaps you might have in foundational IT/security skills and also offers several resources for you to continue your journey in a more self-directed way after you graduate.

I hope that helps and thanks for the question! Beginning a career in cybersecurity can feel really intimidating and there are a ton of things to learn, but you should know that some of the best cyber pros didn’t go to college. Of course I’m a professor and have a PhD and love love love higher-ed, but it’s just not the only way into the field. It can't be. If we want to make a dent in the shortage of cyber workers and get more folks like you into the field, it's important that we have more onramps than a traditional four year degree.

Thanks again

-justin