Discussed how start a career in cybersecurity today with military veteran and security teacher, trainer and expert, Josh Mason. Covering what employers want in cybersecurity, new approaches to enter cyber security, how transition fro military into cybersecurity today, new approaches to enter cybersecurity, how start a career in cybersecurity today, effective communication for security internally in business, new approaches to enter the cybersecurity field, and best ways to keep up to date on security news. Also discussed cybersecurity careers for military, military to cybersecurity careers, ways to transition from military into cybersecurity, how to transition from military into cybersecurity today.
Connect with Josh: https://www.linkedin.com/in/joshuacmason/
Here's Policy Wizard training we mentioned: https://www.policywizard.io/
VIDEO Episode Link: 👩💻 https://youtu.be/uVMcnl-PNT4
🔔 Want 💎 EXCLUSIVE💎 Content? For only $4 💎 SUBSCRIBE to Cyber Crime Junkies PRIME https://www.buzzsprout.com/2014652/supporters/new
We Really want people to be able to Watch and Listen and we would love your help.
📲 📲 PLEASE CONSIDER SUBSCRIBING to our Youtube Channel. It's FREE and it will help us to help others.
📲 📲 Our Channel @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg Our /SOCIALS and PODCAST/
📲 DAVID MAURO Linkedin: https://www.linkedin.com/in/daviddmauro/
📲 Cyber Crime Junkies Linkedin: https://www.linkedin.com/in/cybercrimejunkies/
🔔 Site, Research and Marketplace: https://cybercrimejunkies.com
Support the show
Want EXCLUSIVE Content? For only $4 SUBSCRIBE to Cyber Crime Junkies PRIME
Please consider subscribing to our YouTube Channel for ALL Video episodes.
It's FREE. It helps us help others.
Our YouTube Channel @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg
How start a career in cybersecurity today. Josh Mason
Discussed how start a career in cybersecurity today. With military veteran and security teacher, trainer and expert, Josh Mason. Covering what employers want in cybersecurity, new approaches to enter cyber security, how transition fro military into cybersecurity today, new approaches to enter cybersecurity, how start a career in cybersecurity today, effective communication for security internally in business, new approaches to enter the cybersecurity field, and best ways to keep up to date on security news. Also discussed cybersecurity careers for military, military to cybersecurity careers, ways to transition from military into cybersecurity, how to transition from military into cybersecurity today.
[00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialize cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field and we share our research at Blockbuster True Cyber Crime stories.
This is Cyber Crime Junkies, and now the show.
All right, well, welcome everybody to Cybercrime Junkies. I'm your host, David Morrow. In the studio today is the illustrious always positive co-host, my ying to my yang, mark Mosher. The [00:01:00] Mark Mosher, like the Ohio State. How are you, mark? I'm doing wonderful today, David. I'm really excited. This is gonna be a great episode.
Looking at, this will be a lot of. Well, we, yeah, we are, we are definitely here with somebody, much better than us about cybersecurity. Absolutely. And, and we're looking to learn a great deal from 'em. So we are joined today by, Josh Mason. Josh is a decades long military veteran, served in the US Air Force is a pilot in the cyber warfare officer as well. He's created, the NOOB village. He's gonna explain that is se, along with several other philanthropy, ventures, that we're gonna cover. He's a cybersecurity practitioner and expert. Josh, welcome man. Really glad to have you here. Thanks for having me.
Glad to be here. Yeah. Well, very cool. So introduce yourself to the ladies and gentlemen. Kind of tell us what your current role is, what you're doing, some of your projects, and then let's back into kind of how you got here and then we'll get into get into some of the other topics. [00:02:00] Yeah, definitely.
So, my current role is with Newick Solutions. We're a small boutique firm. We focus in, advanced assessments and, risk manage. And have a training arm that goes alongside that. When you do a, a red team engagement or a pen test or an audit and come across things that need to be fixed, we have the ability to, to help mitigate and remediate those things.
Sometimes that falls into training developers on threat modeling, which is one of the ongoing programs we have right now. Okay. And. But I'm a senior instructor here to help build out some other capabilities for other customers that we have coming on board and. My background, I've been a sales engineer at sim space building out large ranges.
I've been a instructor for I and e and e Elan security, built out pen tester student and the Elan security junior pen tester version two exam. and then I was an instructor at the Defense Cyber Crime Center's, cyber [00:03:00] Training Academy, training up a bunch of cyber troops, for the Army, Navy, Marines, coast Guard, in the Air Force.
So, so you're still learning, like you have no idea really what you're doing yet, so that's great. , no, dude, that, that's, that's incredible. So let's, let's, let's boil it down a little bit. So when you're talking about PE penetration testing and things like that, you're, you're talking about the ethical acting mm-hmm.
right? The, engagement by an organization to kind of break in, like hack them. Oh, yeah. Right. And then explain to them their vulnerability so that they can. Right, exactly. For example, right before this call, I was working, working as an engagement manager with our pen testers, our ethical hackers, and our client has a website, a web app that they just spun up.
They just moved. Development in-house and they wanted us to test and see, okay, , is there ways that we could take over the website, spoof things, get access that we're not supposed to have? , can [00:04:00] we buy things for free? Can we steal other people's items? Can we get information on, other sales that have happened?
So yeah in order so that they can fix them. Right, right. So they are criminals. Line of delineation, right? I misnomer that hackers is, is just, you know, a general term, but everybody that's a hacker is bad. That's not true, right Josh? Not at all. I look, look very much up to you, Josh and David and I, we work with hackers.
We have a team of hackers. Yeah, we have a whole, yeah, we're, we're, so we work for an MSS P, which is also an msp, different arms, and one of our re recent acquisitions was this depth security team out of Kansas City. And they're phenomenal. They're involved. BSides rsa, a lot of the, the def con, you know, some of the villages there and they have a whole team of ethical hackers.
And we've been getting to know 'em ever since the acquisition. It's just fin, it's like our coolest offering. [00:05:00] Like to us it's the coolest thing that we do. And, and part of what we do, Morgan and I is even educate the other people. Cause it's a big company. Mm-hmm. , it's a North Amer, it's a global company.
It's Konica Minolta. Right. And so what we're doing is explaining to them, did you guys know? Like that we do this. and a lot of people don't, don't even know that it's really fun, like just to talk about business owners and just to kind of educate people. Are you, when, so, Okay, before I even get to that, yeah, yeah, yeah.
One, one of my questions was when you're talking to business owners, let's say it's a manufacturing company or healthcare or law, whatever, whatever vertical, it's, do they understand the need for penetration testing and ethical? Great question. More. Like it's compliance. Cause there's some field, they're, they have to check a box.
Like what, what's been your, what's been your experience? Yeah, so it's been a mixed bag. There's sometimes a little bit of education [00:06:00] that's required. A little bit of mentoring too, folks. I lean heavily instead to, others on our team who are in the risk management side. Lean heavily on our business training and education.
Sseveral of us have MBAs and mm-hmm have looked at things from that side more so than the cyber side. And it you start talking to people about risk, taking opportunities, knowing that there might be a downside that you might, your product might fail, that you, your physical location could be breached.
Depending on where your offices are located. They probably have locks and cameras and lights and maybe a security guard. People inherently know that security exists and they want to protect things. Sometimes they just don't know how or what they need. For example, do I need an armed guard here with me right now?
Okay. At my house? I don't think so. That's a risk decision that we've made. When you start translating that and teaching that to folks, then they go, oh, okay. Well, [00:07:00] Similarly, we don't have a guard at the building, but we do have a direct, like the person at the front desk does have a, a button or can quickly call 9 1 1 if we need to.
And you're like, okay, so you've, you've put the thought into that. What about with your networks? What about with your apps? What about with your email? Like how much are you willing to protect? How much are you willing to spend both time and energy to actually, protect those things? Yeah, exactly.
It's, and it's almost like a, like a snapshot in time, right? It's, it's, it's an ability to, to see exactly where you're vulnerable and how an. Adversary. Right. And I think Mark's point earlier was excellent, and that is the public's perception. A lot of it has to do with the media and, and you know, movies and, and, television shows and things like that where they create this, this image of hackers a kid in a hoodie mm-hmm.
his mom's basement drink and Red Bull all night cracking code. And it's like, that's not what cybercrime is today. Right? No. And [00:08:00] so, but by being able to, because they're really threat. . And so, so by being able to identify how a threat actor would get into your organization mm-hmm. today, the specific tactics, right?
Yeah. , sure, sure. There's fishing, and that's a massive avenue, right? Mm-hmm. , but there's, there's, there's a different, there's different types of that, right? Like once they cl, once they click what happens, right? And where do, where do you get access? Can you move laterally? Can you move vertically? How do you do that?
And that's where the skillset comes in. Oh. So, so I, I gotta know like, what, what drove you to this? Like, was it, I mean, first of all, you had phenomenal experience in the military mm-hmm. . So let's, let's walk through this. But, but what, is there an event you can point to or some, something, some curiosity you had that led you into this field?
Yes and no. So, my dad was a network engineer and a system administrator and ran [00:09:00] a, a consulting company in the nineties. And was doing a lot of just trying to get people to understand that you can have connect computers that connect to other buildings, let alone the greater internet. Yeah. In the nineties that was like, there, people were like, what?
You gotta be kidding me. Like it was. . and I remember, him consulting with a bunch of companies to help them understand if they were going to be Y2K compliant. Mm-hmm. . And I didn't think about it at the time. It was just my dad was going to work, he did a thing. And we had computers at home and, again, didn't think too much about it.
I found out about planes that I could go be a pilot that sounded really interesting to a 14, 15 year old Josh Mason and I dove in head. Got there flew planes for a while. Some family stuff changed. Air Force. My flying ended in the Air Force for some reasons, and they swapped me over to cyber warfare.
I owed some time still. As an officer in the US military, you have contracts, they call 'em active duty service commitments. It's one of those [00:10:00] things of, you can do anything you want as long as it's what we tell you, where we tell you. And you can like, decide not to do that. But then they send people to pick you up and take you back to work and, or you can go to, summer camp in Kansas.
Until your time's up and that's the less fun way. So I said, yes, what are we, what are we going to do? And they said, cyber warfare. And I was like, okay, let's do it. That sounds really cool. Like, like if, if you're gonna tell me what to do and I get to go do cyber warfare, that is actually kind of a really cool idea.
I, I think so. Initially I was like, I dunno what that means. , It ended up being running enterprise it, and a little bit of the, security side of that down at a hurl Burt Field in Florida for Air Force Special Operations Command. It's their headquarters in the largest space that Air Force Special Operations Command has.
And it was really neat. Got to train up some people to deploy to special locations, essentially, be their own everything from help desk up to cso. Really for bases of like five people in a plane or, a hundred people [00:11:00] bases, where they spend. We send special operations operators and. To launch a plane, you need to have weather, you need to file flight plans, you need to know, have maps and whatnot.
So you need internet connectivity. Mm-hmm. . Well, pilots don't know how to do that right when you get to locations. So we send a a com Trooper Long, where do those com troopers come from? They come from the special operations space. So those guys were mine. I didn't train them hands on, but my folks did the training.
They figured out the deployments. They set all of that up so that we could send someone who their normal day job was like setting up speakers for the, base commander to like talk to the community. Or, maybe they handled the radios so that all the cops on base could talk properly or they handled, help desk.
we're gonna deploy them to do all of the jobs. Mm-hmm. . So they would come, put 'em through a special program and I managed the training, and the strategy for the training for that. And it was, it was neat. It was fun. Also worked the [00:12:00] qa, a lot of the compliance. What's the qa? Yeah, what's the qa?
Quality assurance. So we had, a lot of, switches and routers on base. Mm-hmm. , ups, the uninterrupted power systems. Mm-hmm. so that, you know, if the base loses. Servers will shut down slowly, naturally. Or if there's a, a change in power, or surge, like everything doesn't all of a sudden, you know, break.
But those have to be inspected. Are the inspections being done properly? We set up a, a quality assurance program too, make sure inspections were happening, that they were happening properly, that there was follow up, and. that actually reached into every part of it, including training and, were people that were getting trained and then moving up to the next level.
Were they actually qualified for that job? So a little bit of testing in there that our QA folks had to include as well. It was, it was a fun experience, gave me a lot of insights that I wouldn't have gotten. Oh yeah. And so did your dad, let me, [00:13:00] let me back up a second. So your dad was involved in network operations back, you know, preparing organizations for y2k.
Mm-hmm. . That's when I got involved, actually, back then. That's how old I am. And when I was, I'm curious, like, did you ever have a sense of what the feeling was like after. After the clock struck midnight and like nothing happened, like was he kind of like, wow, that is kind of odd. Like there's like nothing happened.
Like there was Yes. No, here's the fun thing. Like I understood it. He was able to explain it to me. He was like, so we've got two digits and they're it. , everything is being used with two digits. All of a sudden those are gonna reset to zero zero and no one knows what the code exactly is gonna do when that happens, it was like, oh, okay.
Now I understand even more intricacy of like, okay, how do we change all of this zero zero right, variables across all the programs to X X X, X variables. Sounds huge. Understanding it now, I think about like Log [00:14:00] four J and if you had to go in right and do the individual patching everywhere, that's essentially what they had to do.
It wasn't a dependency that you could just patch and everything worked. It's a good analogy. Yeah, that's a good analogy to it. Yeah. At the time, no, he was like, this is gonna blow over. Some software's gonna break and. Fix it. Yeah. Fortunately things aren't gonna like light on fire. Bombs aren't gonna launch without control.
It's, it'll be a pain in the butt for a lot of people. . Yeah, exactly. And it was, but it's one of those things we, I I, I haven't even connected that until you asked now, but it's a lot like our incidents nowadays, it seems huge. It's like the building is on fire. You're like, okay, well you can have an.
incidents are going to happen. What are you gonna do with. Right. Like, and not, not all incidents are created equal, right? I think that's 1 of the things that, one of the first kind of epiphany moments is I began studying cybersecurity, and I'm like, everyone's like, oh, [00:15:00] they got breached. Oh, and they got breached.
I'm like, like, they're the same thing. Do you know what I mean? Like they're. Yeah. It, hasn't, you know what I mean? Like a compromise is not a compromise. Like one, one organization being compromised and somebody else being compromised it, they're, they're completely different. The access the data, the exfiltration, the damage, the pr, like all of it.
is, they're all variables. They're all like dials. Yep. And so there's so much that you need to be prepared on. That's why I'm a firm believer in like operational resilience. So like people go and they create these policies like we're all set, we are secure. I've got a policy for this. And like, have you walked through it?
Like have you done a tabletop exercise? Do you have incident remediate, like incident? like discussions. Do you guys like do war games? It's basically from the military, right? Like have you done a war game? Like have you actually walked through Boom. And what happens right after [00:16:00] boom. Right after that breach happens?
Yeah, who does what? It's like, you know it, kids do it in school. Right. They have fire drills, right. Otherwise, fire with tornado drills. I mean, that's the whole purpose, right? So we're not running into each other in the middle of an emergency. That's the whole purpose. Yeah. If we didn't, we'd have kids just like running into each each other all over down the hallways.
Right. No one would know. Like it's why we have exit signs Right. On the right by the door. Yep. But, but so many organizations don't even think like that. No. And there's a bit. I gotta give them some grace. There's some areas, I grew up in Southern California and then I spent a lot of time in Little Rock, Arkansas.
David, I know, or Mark, you're in the Midwest. So still my, you quite familiar tornadoes? Oh, yeah. Being like thing . My, the, yeah. My first night in Little Rock, when I moved there, there was a tornado that hit and it actually like picked up one of these C one 30 s and moved it like 50. Wow.
Which is like, Basically [00:17:00] moving at one plane over, but growing up in southern California, you, you guys don't wanna, I was used tornadoes, earthquakes, right? Earthquakes, earthquake. Exactly. I took, I did earthquake drills. Like I knew what to happen if there was an earthquake. Like Right. Get under a desk, get in a door jam.
Like worth a safe door that's not gonna kill you. But like a hurt, a tornado. I was like, I'm glad they came over the loud speakers and were like, okay. go in place, and there were signs on the doors and like they were prepared because I, I was on a base and so like mm-hmm. preparation is like, it's not a new thing for the military, but even just people who live nearby have an idea.
It gets taught in schools. It's on the news. It's, Businesses will put up signs of, Hey, this is a shelter room. There's no windows here, that sort of thing. You know, those things because it's part of the culture, it's part of the norm. But it's not everywhere. Yeah. If you go into a McDonald's, it doesn't necessarily say like, Hey, if there's a h a tornado come over here.
Right? Mm-hmm. [00:18:00] similarly, Yeah. Yeah, I was thinking similarly, there's some organizations that are going to be more on top of things for cybersecurity and others that don't think about it. They're worrying about other platforms, so because of their experience in life or their vertical or whatever, they're mm-hmm.
It's not, it hasn't been top of mind, but it exactly seems like today, you know? major news to the government, to private industry, to vendors, to, you know, every engagement. , it seems to be a topic of discussion across the board now, more so than it was even just a few years ago. Yeah. And that's the thing to, to cyber professionals.
This all seems obvious. Just like I've talked to firefighters and they're like, yeah, doesn't everyone know where the fire extinguishers are and like where their near stairs is and where they're supposed to go in case of a fire. The is no. Right. Most of us don't, we don't have to. Right. Exactly.
And in the same way, that's how people act with cybersecurity. Unless, you [00:19:00] know, unless you think about it. Unless someone told you you don't know, which is why cybersecurity awareness, I know you, you all are active in that. Absolutely. Yeah. Is really helpful. Well, because it's so, it's so obvious to us and to us.
I almost feel like, is it not complex enough? Like are we, are we doing like, like we're, you know, every, you know, we talk to people and they're like, we know not to click on links. We know what a phishing email does. We're like, really? All breaches are human error . Yeah. And yet, and yet everybody's still doing it, or we've got multifactor authentication.
But do you or do you fall for it? Like, or if if it just gets annoying, you're still gonna approve it, like you're not gonna verify. Yeah. Like it's, it's, it's, it's be, it's human behavior. It's like a huge social.
Everybody just wanted to mention Cybercrime Junkies Prime. We [00:20:00] now have a subscription available through our podcast and it offers exclusive content, bonus episodes, and even pre-releases of all of our standard shows. We keep it simple, it's just the cost of one cup of coffee, one time a month, and you can cancel.
You can subscribe by scanning the QR code next to me in the video or by clicking the link in the show notes. If you select not to subscribe to our Prime membership, please at least consider subscribing to our YouTube channel. It's at Cybercrime Junkies podcast on YouTube, and it's absolutely free. It allows us to bring great guests on the show.
Thank you for your support, and now let's get back to it.
To me. Yeah. I mean, and, and personally, I love the field. I think the field it draws in people like you from the military that have this sense of protecting others, like to serve and protect. And, I mean, I think that's what the field's about. [00:21:00] It's, well, it's like a, it's a higher calling and we. this, you know, across and, and not just, you know, we talk to a lot of people overseas, Eastern Europe, the Middle East.
Those experts that are in our industry still have that same drive, that determination, that sense of, of a higher calling to help. So it's, yeah. I don't think it's unique just to us. I think we see that, you know, across the globe for people in this. Pretty cool. It really is. It's a lot of good people.
Well, and I think that that's part of the reason why we have so many people trying to get in. Mm-hmm. . And so let's, let's talk about that, you know, best ways Oh yeah. To, to break into security. Cuz I know you're, you're an advocate for it. You're a, you're a, lecturer, teacher, mentor to. To many mm-hmm.
I'm, we're, we're really grateful for, for some of the things that you're doing. First, from a global perspective, or not even global perspective, but at least here in the us what are you seeing in terms of, you know, there've been a lot of layoffs we've seen mm-hmm. [00:22:00] in, in, in, in the tech industry, but it still does seem like people and organizations are still hiring in, especially in cyber.
So a lot of big organizations and even some smaller ones, I saw like NCC group just let off a lot of people, including cybersecurity folks. but there are still going to be companies that are hiring I'm one month in with this company and, I think I took our numbers up to 10. I'm the, put us into the double digits when I came on board , but.
It's the smallest organization I've ever been part of, which is fun. , it gives us a lot of power. But it's, it's interesting because companies are still hiring. I, I just saw this this morning, article in the Wall Street Journal. That, , despite a recession in some companies letting off, there are still, like our unemployment LO numbers are still incredibly low.
There are p still job seekers who are getting into companies and there are still companies hiring. And [00:23:00] there are still, a recruiter just shared on LinkedIn that, he is still able to place people into companies. Like his business hasn't slowed down. But the competition is harsh. Right.
One of my other friends posted, a job opening at her company. At their company, within the first 12 minutes they had 124 applicants. Oh, I saw that. I actually saw that post. It wasn't that experience. It was, yeah, it was just, yeah. Mc Mcara just, just posted that and it was just on, on LinkedIn, I think yesterday I saw that I was, I was like, just within the first hour or so, there was like over a hundred applicants.
I put out a job post for New Village to get some interns and it was mm-hmm. , completely unpaid internship. I was very straightforward. This is like, it's a volunteer work. It like it, it's great thing for the resume. Great thing for your own experience though, right? Yeah. Good stuff. But like, this is, There is no money here, , right?
I am losing money on this venture, and that's fine by me if you want to be part of it. [00:24:00] Know that that going in, I, within like five minutes, I had linked, matched out whatever, free applications I could get on LinkedIn. Wow. holy cow. And so then it disappeared. It was kind of crazy. Yeah. That's amazing.
For, for a free thing, like no one's getting paid it. There was still a lot of, and there's still a lot of competition, so We are, we are, let me ask, you had a great question about, about certs. You know, do certs. There we go. Do certs make you stand out from the crowd as you go through these resumes and you look at people and you're out there and mm-hmm.
you're involved in this? What, what do you see? What's your take on that? Certs have a couple things, so. If two people are completely equal, everything else being equal, having a cert versus not having a cert is going to make you stand out more. Yes. Right. I mean, that, that makes sense, right? All else being equal, I don't believe in things being equal.
I was in the US Air Force we don't do things equally. We do things. [00:25:00] Overpoweringly and, dominant one of the core concepts in the Air Force is air dominance. It's not like air good, it's air dominant. It's not air quality. Like we want everybody to have a plane. We don't wanna share the airspace. No, we want, yeah, you have to dominate the airspace so that the land, troops, the infantry can do it.
Right? Yeah. I mean, that's kinda what it's going up. It, it comes down from the. US security strategy, dominance is what we do. We don't just do okay. We don't just do good. We don't just do pretty, pretty great. We do dominate . Mm-hmm. , we do the best. It's not an opposite. Stand out. No. It's not acceptable either.
So. The type of certs will depend on where they wanna land, right? If you're interested in cybersecurity, you wanna be on blue team. You're not necessarily gonna have the certs dealing with pen testing, like it's still good to have, but, but, but that'll be more SOC related, things like that, right? It can, so [00:26:00] it can be very valuable.
to understand. If you understand pen testing, you understand how people get in. You understand, okay, what is vulnerable? You understand, what does, CT communication look like on a network from the operator side? That way then when you get into the SOC and you start seeing alerts or you have an idea of someone's in, well, what do they need?
They need some sort of connection. They need to be communicating back and forth. They probably found a vulnerability in what our web app, right, in someone's accounts. So you start thinking about. . If, if you go through pen testing training, then you think about all the things that your adversary is actually doing in your network.
And if you know what they're doing, then you know how to block block them. It's football players, right? If you are a safety, then you need to understand what a wide receiver is thinking, right? Mm-hmm. , so like you are, maybe, maybe you have someone. Throw you some passes while you go like long and try to think like, oh, okay, so if I was gonna catch this, I was gonna do this.
So if I'm gonna stop that guy from catching it, what I want to [00:27:00] do is X. So it is valuable, but it's how you apply it that absolutely right. Some of them, you've gotta have that, that foundational level of, of knowledge and skillset, right? Like you're going into cybersecurity, like security plus. You've gotta have some type of foundational understanding.
I think depending on what specialty you may wanna go into. . Yeah. And you, the, the thing is, I don't think you need necessarily the cert itself. You need the knowledge. Right. And if you can project that you have the knowledge, assert will will probably do that to an extent. It shows that at one point in time you had enough knowledge that someone said, you know this.
Yeah. Now, from the time that you took the test until now, no. I don't know what you kept, how you grew, what you have on top of that. So I'm What are the roles of, no, I'm sorry. I didn't mean to in interrupt you, but, but along those lines, what about home lamps? Right? Yeah. Like especially if you're gonna [00:28:00] do penetration testing and things like that.
Being able to demonstrate, yeah, I studied for this ser whether you even passed it or, or obtained it, but the fact I've got a homeland, I'm able to, you know, do X, y, Z with a flipper. I'm able to do X, y, Z with this, with this with this you know, this radio frequency yeah, you know, this pineapple, whatever, whatever it is, like being able to show that and say, well, in my off hours, here's what I do.
I practice. . Right. And I think that's really key that home lab can go for all aspects. It doesn't just need to be for pen testers. Mm-hmm. , if you are interested in digital forensics, like, well, do you have a raspberry pie that you could set up with done Exactly. And then pop that into wire shark and then look and see like, oh, okay, my kid was watching this.
Show on Disney earlier, these are what the packets looked like when they went across, they were encrypted in this way. Okay, can I capture that SSL token and then de obfuscate that and see oh, or decrypt it because it's on your network. So [00:29:00] you, you, you're allowed to do that. And then try to figure out, okay, so what all are these packets doing?
You got an idea? , you could even throw some things at yourself on your network. Go to like an AWS or a line node and throw some, attacks at your own network and see, okay, well what does that look like? As a soccer operator, you can run those things or you could do in a vm, something safe, actually run some malware and see what that does.
That's, Samples are out there. There are p caps available, that have malware in them, and people can pull them into wire shark, do it in a VM because it is live malware, and if it, if you were to rebuild it and then run it yeah, you wanna let it loose, be able to like, turn off the vm, make a new.
Fresh day. Your stuff isn't messed up. Well, one, one of the listeners, engineers, yeah. They can all do those things on their own network. Yeah. Sorry. See, that's, that's really key. The, the, the value there of being able to, to, to demonstrate it. [00:30:00] Brian Godfrey's, one of the listeners and said he became a sock analyst with only self-directed study taking only free materials.
I've now been asked to get a plus, security plus net plus only, plus to get now. So that's like, you do a lot with, , free. And that's phenomenal. First of all, Brian, congrats. Great, great example. Right. , and Josh, walk us through kind of your new village and some of the, the approaches like you Yeah.
You po you post often you, you're active in the community and you talk a lot about, a lot of the, the free or low cost. Self trainings that are out there. Can, can you walk us through that? Yeah, definitely. So I'll throw this out there. I see Brian Godfrey was one of my interns at Cyber Supply Drop, and he is now a SOC engineer for, Black Hills Information Security, sorry, dot, talks you, but I know you share your that stuff on LinkedIn.
Ryan. And then Edgar Gutierrez is another one of my, new Inver interns for New Village. doing great [00:31:00] stuff. That's good. And that's good. Able to bring people in to share what are they studying, like what do they know, how can they help people? And then also share career tips, from how to find jobs, to how to set up a resume to how to prep for interviews.
The, the full spectrum. I started the idea of New Village. My mentor, Neil Bridges, he had gone to Defcon in 21 and on his stream was talking about how he didn't really feel like it was very valuable to most people. He went out of obligation, it's kind of expected out of his role, and he was happy to see people in person.
Mm-hmm. , especially post spend or, you know, near the end of the, the worst parts of the pandemic. Right. It was good just to be in person. Exactly. And but for someone who is new, like what would you get out of going to a Defcon or a Black hat? And for, for us, there's connections, there's networking, there's business opportunities there for someone who has no idea what they're getting themselves [00:32:00] into.
It's, it's neat, it's cool, it's exciting, but their career might not necessarily be, be boosted from that. So I came up with the idea of New Village to be basically a career village. To do networking, seminars to introduce new people to CSOs. Kind of have a, I had one idea of a, speed dating with a cso.
So someone who's brand new could sit down. Oh, that's great. Across from a veteran who is running a security organization and ask questions about like, who would you hire? What are you hiring, what does that look like? Have some talks from a few different influential people to introduce different roles.
Have a soc engineer, have a security engineer, have a sales engineer, get in and explain what are the differences? How do people get into these jobs? What does the pay look like? What's the demand for the positions? What do you need to know? Like e because even exactly from the sales, like I, I manage a whole team at mm-hmm.
Konica Minolta all covered. We've got a whole team of like 17 states and I'm just one of about [00:33:00] four or five of us across the country. But our, our team has to go through a lot of training. Like we, you have to understand because. We can't just talk hyperbole. We can't just talk generally, you can't overpromise, right?
Yep. The solutions are good solutions. They help organizations, but they, they do. A specific thing and just be very precise about it. Talk about the benefits, like talk about the impact it'll have, but, but don't overpromise. So I think no matter what, whether it's marketing, sales, whatever, we have to and you as you're aware, like there's a whole group, like if you overpromise at one of these conventions, right?
they're gonna have your head. Like they're gonna, they're gonna be like, you know, what did I just read? Like something is, saw you solved cybersecurity. Didn't. No, you go viral on Twitter for all reason. . Yeah. Hey, cyber crime junkies. We've got an upcoming episode that is an absolute must-see. Must listen.
These are some incredible guests,[00:34:00] that are participating on a global scale in making cybersecurity more resilient against today's cyber criminals. Tell 'em about, Yeah, we have Carrea founder of the Silicon Valley Think Tank. He's a special constituent to the G 20 in the World Economic Forum. As well as he's gonna share with us, the initiative they have working with the US government and other governments around the world to create a framework of public private coalition and partnerships to help boost critical infrastructure in cybersecurity across the board.
Really excited about this episode, so check it out. It's coming.
Yeah. Much better. All cool. That's not what you want, feel. Absolutely. We've talked, and Josh, this, he's gonna get on the wrong side of this community. Yeah. We've, we've talked with a lot of CISOs, all of them. Mm-hmm. . Across the country at all different levels, enterprise business, and they all reference the fact that, you know, there's, there's [00:35:00] also a non-technical piece to being in cybersecurity and to being in GRC and things like that because you've gotta be able to relate a business case or a non-technical topic or message.
To the board or to the rest of the C-suite or, or whatever that may be. So I think there's also a, a messaging and business aspect of being in cybersecurity. So you can relate that. Why do we need this new tool? Why do we need to upgrade our sim platform to qras? You've gotta be able to do that. So I think there's a non-technical piece to it.
Would you, would you agree with that? Oh yeah. All day. That's that really is my role at nuvi, is as an engagement manager. It's, I think of the guy from office space. I talked to the customers so the engineers don't have to. But it's more than that. It's I'm good at talking to people. That's exactly my role.
No, it's exactly my role. Like our, our role is to go talk to customers so we can keep the very smart people where they belong. Right, right. I, [00:36:00] I don't want my pen testers necessarily talking to CEOs. Right. The, they're gonna talk one way. They're gonna talk another way. That translation does actually need to happen.
And it's, it's more important than we think. I would love it if I could teach the CEOs, the cybersecurity and I would love to teach the business and, Value propositions and business risk to the pen testers. But truth be told, people have specialties for a reason, right? Being a Jack Ball trades is useful for all of us, but at a certain point there are going to be specialties and people who can bridge those and bring value overall are critical.
And that's actually, that's a lot of us. We have that capability, Absolut. Yeah. And in terms of when some, one of the listeners was talking was asking us to talk about GRC and things like that, and Jerry Aer has got a phenomenal GRC program, and I know he's a friend of yours. He's, he's a friend of ours as well.
We've, we've had him on our show [00:37:00] and it's really, really, a phenomenal masterclass. That whole GRC he really kind of breaks it, breaks it down very, very practic. . Yeah. And he just updated it and added some more mm-hmm. and approved, a lab. So there's a lot that Jerry's putting into it. There's policy Wizard, another one of our colleagues out there.
Just put together a course. It's Policy wizard. Yeah, I think so. I just saw it yesterday. Who's who, who put that out? Where can people find that? Don't remember. We'll, we'll have links for everybody, by the way. I'll find it. I'll share it. I'll link hug. Yeah. Great. We'll, we'll have links in the show notes and in the description on our YouTube channel, as well as as our podcast too, to New Village.
All of your, your, your supply drop, all of that. Awesome. Walk us through what, what you did with the, with the supply drop. What was that? Yeah, what, what, what drove that? Why did you start that? So I was putting together a [00:38:00] capture the flag, a hackathon for, with you, with me. They're a veteran and underserved, community.
Organization out of Australia trying to help people get jobs in demanding career fields, right, or in on demand or mm-hmm. , you know, career fields that are, are trying to hire, right. Because there's a lot of people with skills, but if they're going to build on careers, it's, it's difficult. So, with you, with me is doing some great stuff and added cybersecurity to the courses and job training that they have available.
I was helping them to get, some things going with a hackathon. And in there I realized there was an opportunity to have a, a giveaway someone had given me. One of my colleagues that I mentor their high school cyber club, he had a CS a plus c y s a plus voucher. . Yeah, but he's a robotics and cybersecurity instructor at a high school.
So like he doesn't need C Y S A. Right. He didn't care about it. He doesn't have the time to even study and take the test. So he's like, do you want the voucher? [00:39:00] And I was like, sure, I'll take that. That could be valuable for me to go through the process, study for it, take the exam. I'm sure that'll help me.
And then I realized I don't care about having that. I, I've just gotten s p I am not going to be an analyst. This is not valuable to me, but there are other people who this is valuable to. So I changed on my, Capture the flag a little bit. It's a, it's a room on Try hack me. It's not good enough to be public.
It is not a good room . It's fun. It's challenging, but it's very low quality. I threw it together and it's, it works, but yeah. It's not very pretty. It's my YouTube channel has like, the way to get to it. . But in there I put an Easter egg and I told people, Hey, you find this Easter egg. You contact, you follow the directions in the Easter egg and I'm gonna give you this voucher.
And I put it out on LinkedIn and people were like, oh, that's awesome. Someone finally found it, emailed me to the email that was in the Easter egg and gave them the voucher. Other people saw that on LinkedIn and were like, Hey, here's some more vouchers. And I went, oh. Oh, now is the same. Okay, what do I do with this?
And now you're in charge of, of [00:40:00] brokering all those. Yeah. And I was like, okay, this is cool. I could do something with this. And started making some posts and some giveaways. Like, Hey, if you post something this week and use this hashtag on Sunday, I'll pick someone and you can have a try. Hack me a month of free, try hack me.
And then people were like, Hey, I wanna send you like a hundred bucks. I was like, that's cool. No, but I don't want now the curator. Yeah, now you are the manager of other people's money and so you're gotta be a steward of that and custodian of it. And I was like, ah, this is gonna, I feel like this could blow up into my face.
And, but more people wanted to, I had like several people wanting to do this and I was like, okay, hey, like community, like how can I do this? And someone's like, you could do a nonprofit. And I was like, yeah, that's a lot of work. Someone's like, well, you could be fiscally sponsored by another nonprofit. I.
What, what is that? So, new village and cyber supplied off are both fiscally sponsored by Hack Club Bank. Mm-hmm. , it's a nonprofit that started, out of[00:41:00] Hack Club has their own, entities, their own mission, but they also have this bank side where they will fiscally sponsor organizations that are interested in cybersecurity.
And it could be anything from like a high school cyber club that wants to run a capture the flag or a conference and they don't know where to keep the money or how to hold the money or how it become a nonprofit and like make things tax deductible and all that. Mm-hmm. , so they put it all together. They had their lawyers do all the legwork and.
We applied, we talked with them. We figured out like, does our mission fit within their, their mission? And it does, and they're great people. But what it allows is now I've got a page on Hack Club Bank. If you go to cyber supply drop or a new village, the like link to donate is on those. Mm-hmm. And it'll take you to a Hack Club bank website For cyber supply drop or for New Village, you can donate there.
They take like 7% for processing. But now I don't have to open bank accounts. Right. I don't have to like, File tax [00:42:00] commingle funds, you don't have to put in. That's good. It's, it's all there and it's all usable and it, I don't have to worry about any of the overhead, so I, I have a whole nonprofit without having to do any of the, like, stuff that I am not qualified to do properly.
Yeah. That's phenomenal. Yeah. And so that's what Cyber Supply Drop and New Village grew out of and how. It. Yeah. A lot of opportunities now there to help people like Brian Godfrey or some of my other interns who mm-hmm. are also on this stream it looks like. That's great. What, what, what do you have as we're, as we're coming, approaching the, the top of the hour.
What, what do you have, on, on the horizon? You just took this new role. Are you gonna be, are you gonna be running some, some villages at some of the upcoming sessions? What's, what's on the horizon for you? . Yeah. I have not gotten confirmation, but I'm expecting to be doing, some career village type stuff at Wireless Hacking Fest in October.
Very cool. [00:43:00] Very. Hopefully I not trying to pressure them there, but I think they're happy to have us back. Looking at possibilities of running some of the career villages in Las Vegas during summer camp. No promises there, but having that conversation with our leadership. Maybe New Vic is going to sponsoring.
I'll run some of that. And also some giveaways at different conferences. We're also, myself and nuvi are working to build out some, capture the flags at different conferences. That's great. So. . Well, what are some of the benefits of business owners and organizations or people in security or IT leadership at at government agencies or schools or things like that?
Well, when they, going to these conferences are really important, aren't they? Okay. Like they can learn, they can really see what's out there, not only for the training of their own internal security or IT staff, but but also some of the threats that are out. Yeah. In the same way that, [00:44:00] is it E C three Cs Cs, is the place to go to find out what like the newest TV is gonna be and like what the newest, like teching cars is going to be going to some of these conferences is the way to find out like, oh, what is the vulnerability?
There was a point in time where, , we didn't have, , Twitter and LinkedIn and the community that we have online. And so you, if you didn't go to Defcon that year, you didn't really get to see what how that exploitate or how that exploit worked on a certain vulnerability because it was the guy who found it and started exploiting it, giving the talk, and then afterwards getting arrested by the FBI because.
you know, technically that was illegal because right. There wasn't hacker one or bug crowd and all these vulnerability disclosure programs. So technically what they were doing did fall under, you know, right. The, the laws that are out there. So it's there, there's a little bit of that. You're not [00:45:00] gonna find out these things unless you go, unless you attend.
Right. The talk, unless you listen, at least to the, the videos. And then there's the community there. It's huge. If you want to hire people in cybersecurity, there's folks at the Villages who are putting an effort. Absolutely. That's one of those things that's gonna make you stand out. Yep. There's people who are at home who are just applying, or those, the people who are at the conferences, learning things, trying to be part of the community.
And you can have a face-to-face and be like, oh, you know things, you know the things that I want, and the people that work for me. So let's, let's make that. Yeah. And, and the villages and, and the villages are so cool, like to be able to see, it's one thing to read an article about how they, you know, hack a car or how they do that.
But to go see it like live is, is really impactful because then you can say, oh, they do it. Like, oh, you don't have to, and then you can apply how that would apply to your organization. It's really, really a a, I've seen a new way of, of, of educating. I've heard of CEOs finding their CISOs at conferences.
Oh yeah. By attending [00:46:00] talk and being like, I want you to work for me and make this mm-hmm. in my organization. I know of two situations where that happened at Wild Lewis Hacking Fest. One of my friends got a job offer really, which the company had sent several of their security engineer. And the, the hiring company sent several of their security engineers still learn, but also with the mission of like, if we find someone, see if we can like, add someone to the team.
Cuz they had an opening, they met in line for breakfast, like waiting for the restaurant to open, had breakfast together, hung out again later that evening. Just hanging out at the conference and the next day. Would you want to come work for us? And he's like, that would be cool. Mm-hmm. . Yeah. Yeah. Maybe.
And then that night, no kidding. Would you work for us for this amount of money starting on this date with like this job description? He's like, is this a job offering? He's like, it can be yes. . Yeah. Like three days. not looking necessarily for a job. But Right. We got it. With the job [00:47:00] offer. Good point. No, because you're there, you're demonstrating what you know, and, and they're there wanting to learn.
And it's that, you know, people wanna do business with people that believe what they believe. Right. And by mm-hmm. being at those conferences, you're able to identify who those people are in, in, in real person like life and in person. That's phenomenal, Josh. I mean, that's, that's, that's great. What what, what are some of the biggest things that people can do and some of the resources to, to break into this field?
Because this is, this, like the way that you your, your new village website has a whole bunch of stuff. We'll definitely steer. To that, if you guys aren't aware, catching you on LinkedIn is really important. LinkedIn has got a really strong security community. What else? What else can people be? So the foundations?
Mm-hmm. . So if you want to understand cybersecurity, you need to understand a little bit about computers and a little bit about networking. People can learn those easily on YouTube. Professor Messer [00:48:00] has videos for the A plus NetPlus and Security Plus, and those videos are free and the. Essentially his course without the study guide.
That normally costs hundreds of bucks, just the videos, and you can just go through those. For free. There's cyber ACEs is put out by Sands. Again, it's a video series, but it starts at starting up a lab and then going through the security of Windows Linux networking and then some security basics to then prep for their, I think their gsec, their entry level security.
SANS or the SEC Plus essentially that's free. Black Hills Information Security, John Strand puts out a SOC core skills. Brian can attest that that's a great course and it goes through all the things that John says. He wants his sock operators to know coming in. Yeah, like I. they, he might know their background.
They might have Net Plus, they might have cpl. He's like, what I, I need you to know is this. And he is a former SAN instructor. He's been around for a while, been a pen tester and [00:49:00] runs his own company. So he knows what he wants people to know. I think that's super valuable if you run an MSSP and you're like, this is what I want my people to know, and then you make that available to.
For free. It's a pay what you can course live. That's huge in my opinion. Absolutely. Yeah. Absolutely. Yeah, so those are some of the quick easy ones that I always point out to people. Try hack absolutely free stuff. Hack the box as a, a free academy. Strike you at. Nothing introduces you to, this is command line all the way up until, hey, you have hacked a machine.
So, I think that's absolutely phenomenal. So Josh Mason, thank you so much, man. This is, this is really good. We will have links to all of this in the show notes and in the description on our YouTube as well as the podcast episode. We, this is not gonna be the last time we talk, my friend, so no, no.
Thank you for everything you do for the cybersecurity community, and more importantly, thank you for your service. Absolutely. Yeah. I mean, it's just, it's, you're a remarkable story of somebody that's transitioned [00:50:00] from the military over to the private sector and just helping people on the way. So great to, great to get you on the show.
We really appreciate it. Great to talk with you, David. Thanks, mark. Thanks, John. Hey, well that's a wrap. Thank you for listening. Our next episode starts, right. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive pre-release episodes and bonus content, please subscribe to Cybercrime Junkies Prime Lincoln, the description and show notes, and thanks for being a cyber crime junkie.