Episode 18: Breaking into Cyber Security with John Kordis

 

In this episode, we sit down with John Kordis, host of What the Shell podcast, on his journey into the IT industry as a threat and vulnerability engineer. We talked about some great entry-level certs, the importance of a home lab, grabbing a mentor, and his podcast What the Shell. Be sure to follow him on all social media accounts and check out his podcast!


    Pat: 0:19

    Hi, everybody. Welcome back to this week's edition of So You Wanna Be in IT podcast. If you're back for another round, you know the deal: we're a podcast aimed at those just starting out their journey in the vast world of IT. We talk about breaking in, climbing some of those big hills, breaking down some of those walls as an IT beginner. Right? So breaking in, climbing the ladder, finding your niche, and everything literally in between. So I'm your host, Pat. You can find me on Twitter at pat Allen, 180 2. You can find the show on Twitter as well at @sywbiit, the acronym for So You Want to Be in IT. So we're pretty active on Twitter. So come say hello. My man Dean over there, he's on Twitter as well, DeanMacUK. Dean, what's up, man? How you doing?

    Dean: 1:08

    Hey, Pat, long time no speak. How are you doing?

    Pat: 1:10

    I know it's been awhile. It's been a few days, few weeks. It's been a rough week. So we're getting back to the mic and getting back to some normalcy.

    Dean: 1:17

    Yeah, I hear ya. I hear ya. Yeah, it's been a crazy couple of weeks. So, with, yeah, everything going down, we're back here and, yeah, we've got a great guest on today's show, so, yeah, good, right?

    Pat: 1:28

    Yeah. We got a guest today, guys: John from the What the Shell podcast. So, hey, John.

    John: 1:34

    I'm doing all right. It's been, as you said, a bit of a crazy week, but.

    Pat: 1:39

    Yep. Here we are. So we're talking to John. You reached out to the show a couple of weeks ago, maybe a month or so ago now. And we appreciate you reaching out and being a guest and coming on and talking and seeing where you're, seeing what you're all about. And I've listened to the podcast, quite a few episodes in there, they're really well done. So nice job there. And it's security-related, right? So we're all, Dean and I are security nerds from way back, so that's right up our alley. So, John, actually, before we get into the podcast, right, so why don't you sort of tell us what you're doing now, some of your background, and then we'll go from there.

    John: 2:11

    Yeah. So I am a bit of a mouthful, but I'm a threat and vulnerability management engineer. And what that actually entitles is basically, as new vulnerabilities and exploits come out, I do a bit of analysis, figure out how it impacts our environment, what we need to do to keep our exposure out to a minimum, and work with whatever teams I need to really make sure that we're not going to be impacted by anything that could be nefarious to the company, right? Like really, we're the guys that are going to end up bugging you to patch your stuff, is what it comes down to. So if you ever hear someone email, you say, patch your Windows, patch your Linux. It's probably coming from me on my company.

    Pat: 2:52

    Nice, look at that. That's awesome. That sounds pretty good. So how long have you been doing that?

    John: 2:57

    I've been doing this for about three years now, but I've been in the field for coming up on. So I got my start way back in the help desk when I was in the Air Force, in the early 2010s. I joined there, decided that I wanted to get into IT. And that was one of the positions they had open and ended up stationed at my home state in an Air National Guard unit doing help desk remember right. Getting into the very, I think, entry-level of IT there.

    Pat: 3:29

    That's cool. Yeah. That's interesting. So you were in the Air Force, so did you stay on the military side for a while and then sort of convert over, or did you get into the private sector right away? What did that look like? That.

    John: 3:43

    So I started a little bit, in the military side for being in the Air National Guard, side of it offered some pretty unique benefits for me. So I don't know if you're familiar with how it works, but really for most of the Air National Guard is people who work normal jobs like you and me. And then one week in a month, two weeks in the summer, they'll come in and do their training. But if you're there full time during the week, your unit isn't fully there. And I was the only person in my shop during the week, which meant I got a lot of exposure to a lot of things above my level. I got to help. And the help desk was still relatively new to the Air Force as a career field at the time. So learning these new processes, working with our bases, trying to figure out how we're going to implement, on top of that being a part of a small unit during the week I got to work with. of it. So I got to work with our network guys. I got to work with our cyber guys. I got to work with our sysadmins, as a part of this unit during the week to help them since they were understaffed, which got me this wide breadth of exposure to all these different concepts.

    Pat: 4:52

    Really cool.

    John: 4:53

    Yeah, it was great. We had a, the whole point for kind of unit I was in was like we could deploy an entire domain in three days, anywhere in the world, was the aim for it. So being able to work and figure out how to do all these policies from the ground up or what we needed to do to set up an international or in a satellite-driven communication domain was something that was profoundly above my head at the time.

    Pat: 5:23

    That's wild. That is really wild. So, just because I'm a space reef and you were a part of the Air Force. John, are there aliens? Do they exist? Let's start there.

    John: 5:36

    I think it's safe to say that I can comment for the entirety of the United States Air Force when I say yes.

    Pat: 5:42

    Yes. I got confirmation. I don't have to watch the History Channel anymore. I know all I need to know.

    John: 5:48

    Yeah. Maybe they made the pyramids. Didn't you see that special?

    Pat: 5:52

    Ancient Aliens has served me well, but I got it right from the horse's mouth. Thank you, John. Awesome. That's funny now. That's really cool. So from the help desk spot, did you know you wanted to be in cybersecurity right away, or did that take you a little bit to sort of play in different niches and you just found cyber was the one you liked the best?

    John: 6:09

    I liked cyber, but I didn't really have exposure to the kind of stuff I do right now. Air really what I had, there was a good mentor. I had this guy named Craig who really worked with me every weekend. He'd text me during the week. He'd come in on his weekdays, every now and then, and really pushed me to do things. So, I'm still new to the field. He's like, all right, well, I want you to make a project, build me something from scratch. And in this case it was the fairly new at the time Raspberry Pi. He's I want you to build something on a Pi for me, and we're going to bring it out and attach it to a domain. So this guy was constantly not letting you settle in your position. Once you were good at something, he found something new for you to not be good at and would wait for you to be good at it. And then rinse, repeat over and over again. And I do, honestly, I think credit the start of my career to him. I think at, in that position, I was flush with good mentors, who helped me figure out and understand. And I didn't know, in the Air Force and I wanted to be in cyber until probably the end of my career. I was in it for six years, but only three of them were full-time.

    Pat: 7:23

    Okay.

    John: 7:24

    The, so a couple of years in, I switched out of that and got a job as a network security engineer. So, firewalls, email gateways, web security appliances. I was, we were a big Cisco shop and I did that for a healthcare provider for the state that I'm in right So that got me, I think, more into the cybersecurity side of it than the Air Force did, where I honestly just took one of the first jobs I could get in a security-related field and suddenly I was working with firewalls. I was working with processing different exceptions for what would go into place and why certain things would be allowed and not allowed and starting to get these concepts in my head. And at the time I think I got introduced to my first phone scanner appliance around then and that was where I was like, hey, this is pretty neat. I can set this up on my home server. I can do something pretty easy like this and start playing outside of work.

    Dean: 8:26

    That's awesome.

    Pat: 8:27

    That's really cool.

    Dean: 8:28

    So you've got a pretty sweet home network, then, where you do vulnerability scans, that sort of end stations and things of that nature?

    John: 8:35

    I do now. At the time I was a VirtualBox, I would set up a VM. I would, I opened up OpenVAS as its own installation, played around with what I could find and really was just looking for whatever free tool I could get. Right. And just playing around with that, and trying to apply it. But one thing I think, I don't know, you guys, as network guys, might be able to corroborate some of this: when there's old equipment that goes away, I don't ever think I've seen it actually hit the trash. It'll usually end up in someone's house. If it's not, if it's not being retired to back to a manufacturer, the trash never really sees the networking equipment. So I had a PIX firewall in my house for a

    Dean: 9:19

    An old one, right? That's a really old

    Pat: 9:21

    That's the memories, right?

    John: 9:22

    was end of life. When I came into the field.

    Pat: 9:26

    That's awesome.

    John: 9:28

    So I was playing around with that in my spare time, trying to figure out, okay, well, I can break through scanning if I had to do this, or I can, depending on what ports I allow on the firewall. Okay. I'm going to allow this and really just creating a bunch of what if scenarios in my head

    Pat: 9:44

    That's pretty cool. I like that. I like that a lot. That's a cool story. Yeah. So, I'm interested there as far as your, again, sort of into the help desk realm and things of that nature. And we talk about on this show all the time about starting at that level, right at the help desk, and getting a feel for the IT industry as a whole. What, what's your business, does the, the purpose serves, if you will, and then sort of growing up and grooming from there. You mentioned the mentor, which we've mentioned before on the show. A lot of people do have mentors and that points them in the right direction and keeps them on task, if you will. I think that's huge for today's folks coming in, trying to sort of find their way and get there. There is, I don't want to say as quick as possible, but I've also feel like, and, I saw this on Twitter the other day that, there's some, and maybe you can speak to this. There's some sort of. Like weird time right now. Or we're like, there's like an entitlement in these folks that are in the industry and they, they don't want to put in the work. They want to go right to the mid to top level and this, that, and the next. And it's, it doesn't necessarily work like that. There's a whole path there. And if you're just starting, some people's paths are quicker than others, but you're going to have to take a path and nobody starts at the top sort of thing. Do you see a lot of that? Like in today's realm of that entitlement aspect of, oh, everybody wants to title. Nobody wants to put the work in sort of thing.

    John: 11:12

    I'll say some of that online on if I'm browsing the subreddits, I'll see occasional posts like that. And really what I think happens is people don't understand that you got to play the game a little bit. So I think it's speaking to a mentor, really. It's doing a couple of things for you at that point, right? You're not just learning from someone now that mentor, if you're reflecting good on yourself, to them they're very, a reference for you. They are someone who will fight for you because it goes two ways. Barely. If you demonstrate that mentorship is paying off, they will come to bat for you in IT. Let alone security is the biggest little field I've ever seen, where I'm constantly running into people that know each other or that are I've worked with years ago. Right. So when you have a good mentor, it's really more than just learning. It's if you want to move up. Get a mentor. It's there's a lot of people who I think are just lone wolves. They're like, I'll do it on my own, but they don't know that to play the game. You got to put yourself out there. You got to make friends, you got to network a little bit. You gotta make these mentor connections because not only is it going to pay off knowledge wise, it's going to pay off. I hate to say politically in as you're moving position to position. And then to go back to your question, like on the help desk side of it, name another position in IT that has its fingers in as many things as the help desk, right? You are constantly either, even if it's just assigning tickets to other teams, you're working with these people who are contacting you. And if you're good at your job, and you're doing that well, even if it's just at a help desk, there's no reason you can't go to your manager and someone else in your company, who's doing a position. Do you think is interesting and say, Hey, can I shadow a day? Can I learn what you do a little bit? I'm meeting. Project goals, I'm meeting my ticket assignments or whatever. I'd like to sit down and shadow this person for a day, see what they do and see if it's something that I'd be interested in. I've had it, I've done it on that side and I've had people do it to what I do now. And I think on the help desk in particular, if you can get in on that ground level, some people think it's beneath them, but really again, I didn't know what I wanted to do at 22, 24. So if you're just coming into the field, I think it's a good set of binoculars to really look for what you want to find.

    Pat: 13:37

    Yeah, that's a good point. And I'll share a story, of the entitlement, that I've seen. And it's, some places are worse than other, but I'll share a story and, it's whatever, it's our podcast. I could talk about what I want. So, I was at a place and there was a guy there who. Wanted to sort of be like a Linux admin, whatever you wanna call it. Like he was sort of learning Linux, but he wasn't quite there yet into the field of he can call himself like a Linux admin, like he was still learning and he had a ways to go and, whatever Linux is, Linux is cool. I, I've dabbled with it, but I'm not, I'm, I'm not a master at it and I don't pretend to be, but, and he's trying to do this and automate and all this stuff, and he was throwing out all these buzzwords and I'm just like, okay, it's going on about my day. And at this company that we worked at, He was asked then to go and I don't know, pickup PCs or clean, I don't know, clean PCs, with the air, the canned air and whatever, and yeah, so he was over there and he thought that job was beneath him. Cause he wanted to be this Linux master and whatever. And he thought this job was beneath him. And he like, I guess I wasn't there. I guess he either spouted off, in front of the client that this job was beneath him or he said it to somebody and somebody overheard and went to the boss and blah, blah, blah. So then the boss, of this client came back and talked to the CIO slash co owner of the company that I was working for and basically said, here's what he said, this, that and third and. I get the co-owner was like fed up with it, this and that kind of thing. And basically the second, he heard that the co-owner called them and said, get back here. And he was fired on the spot, like literally on the spot. I was like, oh man, it's lunchtime. I got to go for this like awkward, odd moments. you don't know what to do. 
Like you're just kinda standing around, like someone just got their, ass chewed out and, basically got their walking papers. that kind of thing. It's that's the entitlement you're talking about. just cause you want to do something, which is fine to have goals, but you like, you're hired to do other things depending on the size of your company, you're hired to do other things. And you're a multiple tools guy, guy or person, gal, whatever you know of that. So. In my mind. I'm like, dude, you were getting paid, you're getting paid your same hourly rate to do an easy layup job. Like just do it. And so what, you know what I mean? it was just this weird, you didn't have to be all this brash and bold, like it wasn't in his niche or it wasn't what he wanted to do. So he like spout it off and it cost him his job. And I'm sure that happens other places, but it does happen. And it's this entitlement is weird and like where do you get off being like, oh, I only want to do this. that doesn't make any sense to me.

    John: 16:32

    I think it's like, there's this subset of people who are coming into the field that are like, I want to be a superstar. Right. but not realize that to get there. I think one lesson I've learned is that grunt work and all those, even if it's just being a ticket or a queue jockey for opening tickets and taking requests, there's a reason behind it. it kinda sucks. does, but. How is someone going to trust you to maybe upgrade a production piece of equipment? If they haven't seen you properly handle all the stuff that's, menial on a day to day, that doesn't really matter. Cause if you can't be trusted to handle all that little stuff, why am I going to give

    Pat: 17:13

    big stuff.

    John: 17:14

    a production project that could negatively impact the company or negatively impact your uptime? and you have not demonstrated to me that you can do that. So it's like they want to get immediately to I'm the guy who rearchitected the entire network and not be like, maybe I don't want to add the static route because I think that's beneath me.

    Pat: 17:36

    now. No, that's a good point. And like you said, I think that's huge. So everybody out there listening, you gotta be able to do the little stuff before they trust you with the big stuff. Like you gotta be able to walk on the sidewalk before they hand you the keys to the car and you go on a road like it's just what it is, it's the nature of the job. And it's just the way things are. and you just try to suck up as much as you can and suck up as far as knowledge, try to do that as much as you can. And yeah. Yeah. Zynga.

    John: 18:07

    It's a layup.

    Pat: 18:08

    Well, Yeah. exactly. but yeah, I mean, you're getting paid the same hourly amount to do whatever you're asked of. So if you get a layup, I would love a lay up at work every now and then, like I'm in firewalls all day long and putting out fires, I would love to sit there and work through a spreadsheet like that is oh man, I need that every now and then give me something to like, not look at a Palo Alto firewall for hours on it.

    John: 18:31

    Yeah. if I'm beating my head against the wall, trying to figure out why something's not working, sometimes I'll take a step back and just handle an easy

    Pat: 18:37

    Yeah.

    John: 18:38

    Get out of it. Be productive in a different way to get my mind

    Pat: 18:41

    Yeah, no, a hundred percent. So, yeah I feel like there is a little bit of entitlement going on at the moment, but again, you gotta do the easy stuff before they can give you the hard stuff you gotta walk before you can run. So, do the best you can with it. and, store sort of stay in your lane if you will, if that's a phrase for, for, to use for now and, go from there and walk, walk the line. and then when something does come up, you're the rock star and who knows what happens from there.

    John: 19:06

    Right. And you can be the hot shot and handle the regular ticket stuff. Like you can spend your time at work, doing those mundane things, come home and prep yourself. For other things, you can be doing certifications. You can be doing home projects, like setting up your own environment. And sometimes especially entry level. There is that kind of fiscal entry barrier that can happen. But, nowadays there's also not, there's so many free tools out there that I wish were available when I was first getting started, because at that time you had to pay you have to really buy in or get lucky.

    Dean: 19:43

    50 50 now. I think. Yeah, the tools are free now, but the equipment is more expensive, but to get that and just to price stuff now. That's if you can buy it. So

    Pat: 19:54

    insane.

    Dean: 19:55

    just to buy it or get your hands on. Anything, half decent now is pretty hard. So I know there's a tons of free stuff out there, but if you've got hardware or equipment to run it on is a different story, so yeah.

    John: 20:09

    You'll have to virtualize

    Dean: 20:10

    And that's it, but you still need hardware to even accomplish that. So

    John: 20:15

    it's stuff like there's, there is that fiscal barrier to entry thing something you can find okay, I'm going to a certification start studying that I'm going to look for a project that I might be able to learn about or see someone else's project that is tangentially related to what I'm doing and the amount of resources that are out there. Even if it's not building something is just amazing. And you can be your hot shot that way. Right? come into work saying, Hey boss, I've been studying this. And I think that I can apply it here, but don't just act like you're going to go in there and change the entire process that has been stood up for however many years.

    Dean: 21:00

    it's true. Yeah.

    Pat: 21:01

    happen.

    Dean: 21:02

    very rarely. Yeah. It's incremental baby steps normally for sure.

    Pat: 21:06

    it's funny you say that John. Cause now I'm like when I was coming up and out of the school and trying to get my foot in and doing the customer service and the tech support stuff I did. And this. Like when you're 20. Yeah. I would say 22 to maybe 20, 27, 28, sometimes even 30. Like you're full of yeah, I'm going to change the world. People are going to listen to me and I know what I'm doing and blah, blah, blah. And then like you hit sort of 30 and you you're in the industry a while and now you're like, yeah, these people have their feet set in their ways and they're in cement shoes and they're not changing. So just keep the lights on and keep it going, brother. feel like that a lot.

    John: 21:45

    I think you've got to break out. Well, there's a point where you stop being, shiny eye excited about things

    Pat: 21:53

    Ambition is not the right word. Cause you have it. It's just a different form.

    John: 21:57

    but it's like recognizing that you don't ha you're not as hot as you think you are, because I see my Facebook memories, for example, from 10 years ago, and I'm talking it up, I'm saying, yeah, I'm super pumped. I'll go within tonight. It's like midnight on a Saturday at I'm upgrading our firewall. I'm a bad-ass. And now. Why was I bragging about that? Why? I didn't know any better time doing something awesome because I'm going in and I'm upgrading to the newest version of a Cisco ASA. God, they really pulled one over on me. Huh.

    Pat: 22:33

    yep. I've been there. Yeah. Yeah. People are sleeping at that time and you're in a cold data center floor, like who made out on that deal,

    John: 22:39

    So it's like, what, when you're able to recognize that what you're doing is it's important. Yeah. It's absolutely very important, but it's not, that hot shot project, I think opens your eyes up to it humbles you a little bit and you're like, okay, well, I can put a little more perspective on the issue now.

    Pat: 22:59

    Yeah, I hear you. I hear you. I did that all the time. Like I'm doing this and I'm doing this and why don't they do this and why does this do this? And then you get a little longer in the tooth, if you will, in the IT space. And you're just like, oh yeah, that's why. It's one of those things where you just, you kinda just gotta roll with the punches.

    John: 23:18

    So I'm curious on your side, because you said something that piqued my interest a little bit. Did you go straight from high school to degree to field, or did you do your degree mid career on this?

    Pat: 23:29

    To be honest with you. I did in high school, I went to vo-tech and they had the Cisco Networking Academy as part of the vo-tech. So I did that, junior and senior year, mainly junior year. And then, I went to community college around here for. I don't know, like a year and a half, and then I got bored with that and went right to work. So I technically don't have a degree at all. I don't even have an associate's. I do I do 12 credits for an associate's and the wife keeps yelling at me just to go back and finish it. Cause it's you got so far, like just do it. And I'm just like, that kind of thing. So I technically don't have a degree. And, so I've been just, I've been working in the field and, just, doing jobs and jumping jobs every two to two and a half years and, eventually just climb your ladder that way, titles change, money changes, and you just find it, find a spot.

    John: 24:16

    You have a jumping job thing definitely helps. I have, I know my dad comes from a kind of, you stay one job, your whole life kind of mentality. when I first started jumping, he was like, why are you doing this? But, I never got better benefits than when I jumped.

    Dean: 24:29

    need to be jumping at least every two years, two or three years.

    John: 24:32

    I said, I set a little goal for myself. I'm like, okay. I always aim. And now it's a little harder as I hit more senior levels. But I aim to say, if I'm not promoted in four years, I need to reevaluate why I'm there. So, my first position, I had network security engineer position. A couple of years in, I was like, I think I'm doing the work for promotion. They agreed that I was doing the work of the next level up, but there were some issues trying to promote me and the person who was above my boss never really had been hearing it. So I found a different position. That was a level two in the same company and just applied for that and just switch teams. And that was when they came to me and said, hey, you know, we'll promote you. I was like, no, you, it shouldn't have to take me leaving for you to promote me. Right. I'm still going to be in the company, but I'm moving to a different team. And that's where I moved into from network security into information security. Keeping that mentality in mind. Cause I'm not, I don't want to let the promise of next year, you'll get what you want, run its course. You know what I mean?

    Pat: 25:40

    Yep.

    Dean: 25:41

    well, it's that. And then people like positions change. Your boss is not your boss anymore. And then what was promised is there's a new person put in place, and then he doesn't know about those or she doesn't know about those promises. So yeah, you're back at square one again, I feel your pain there cause I've been through that experience and, yeah, it doesn't help your career in that aspect at all.

    John: 26:05

    I just think that everyone will do a little better if every three to four years I really evaluated why they're still in a position. If they haven't had any kind of. Is it, are you fine doing this and there are people who are fine making, I think a career out of a position that not knocking that, but if you ever, if you have upward ambitions and you're being fairly static, are you doing something else out of work and you're prepping it? Are you studying, are you going for any certs or a degree or something or are you just there for year number four? Not sure why you haven't nothing's changed when you haven't done anything.

    Dean: 26:43

    Yeah, I agree.

    Pat: 26:44

    just floating in space at that point.

    Dean: 26:46

    Yeah.

    John: 26:47

    And I'll say,

    Pat: 26:47

    how far do you wanna float?

    John: 26:49

    I think that there is a little cheat I like to tell people, where companies will typically have separate budgets for certifications and college tuition reimbursements, and most IT degree. So like my degree is in information technology with a focus in cybersecurity. If you have CompTIA certifications, and I think couple of Cisco, I have my CISSP that credited. You can get college credits for certifications, so you can double dip a little bit.

    Pat: 27:21

    Nice. That

    John: 27:22

    helps So really, benefits. If you have them.

    Pat: 27:27

    yeah. That helps.

    Dean: 27:28

    yeah. Huge.

    Pat: 27:29

    I want to talk about that, John. Cause we talked a little bit before we hit the record button and the Dean, this is sort of before you were, before you jumped on, but we talked about some of the really high walls in the cybersecurity space to break in to that space. And you made a good comment, John, as far as okay. The entry level to cybersecurity positions are almost like, well, hey, they're impossible in today's world because cybersecurity is such a huge chunk of today's data fabric, if you will. And then there's also the, you said it was, you know, the entry-level in cybersecurity position is more of like a mid-level position in any other specialty or something close to that. I'm curious to get your thoughts on that. Cause I, I hear that a lot from guys like, on LinkedIn, I follow so like Neil Bridges and Josh Mason and some of those guys that are really heavy in the security space, they say that all the time, and I'm curious then, the high walls, like what do you think we can do to sort of break that down and give these people a chance to have the wall not so high?

    John: 28:33

    I think that, so to go back to the comment itself, I was talking about how an entry level position in cybersecurity and information security, that field typically, you're talking a core level position. Isn't actually. An entry-level as most people think of it. It's not something that you can come you'll typically come through straight out of college or straight from a non-working career. To come in and maybe be three to five years in the field at that point. I've sometimes I think currently these days it's more of a, I didn't know that field was a thing from younger people, but I've seen most young people get into the field either for internships or for adjacent moving in the company. After they've been in a few years, I haven't seen a lot of success in people coming straight out of school, into the field, because what we typically look for is some level of familiarity with concepts that they just don't have. So in my specific position, I'm looking for vulnerability analysis. So I might ask someone what some of the bigger vulnerabilities of the last few years are, look for context of how they would treat it, how big of a threat they see it as, things like that. And frankly, it's you're not going to be looking at that when you're in school, because you're going to be focusing on your studies. So you are inherently creating this gap that you don't even know is there, or there are tools that are so specific to cybersecurity that they don't teach at school. I don't think there's a course that covers Splunk, right? Which is a major tool for analyzing logs and creating a specific dashboards or reports from information that streams in from across your network. You don't get training and some of the stuff that you need at the start of cybersecurity. But what you do see is a lot of people who have been in it for a few years who have gotten some general exposure to that and who know enough about the concepts that you'll see mid-level cybersecurity guys be like, okay, I can train this person up because A, I know they work well because they have a resume to prove it. And B, very familiar with the concepts because we use this all across the enterprise.

    Pat: 31:01

    That makes a lot of sense, that really does. Yeah. I hear that a lot from folks in the cybersecurity space that the, you know, walls are too high and try to get these folks into the right positions. And there's a massive shortage of cybersecurity folks, right? I mean, you hear it all the time, people getting hacked and all this stuff, and then there's all these empty positions that don't get filled. And you're like, why is that? And you're like, oh yeah, there's, you need, you need 10,000 years of experience and this for a SOC analyst, like what? That doesn't make any sense.

    John: 31:33

    I think it's, the hardest part is just getting through your HR interviews. Honestly, like if you can get past whatever front-facing filter they have in place and you can show a demonstrable initiative or eagerness, I think that's the number one thing, but that front-facing HR stuff is typically really hard because I think there are some unrealistic standards that get put into place that no one can really control who's on the actual team that's hiring. One thing, I do think it is shifting a little bit though. I do think as more and more schools are offering actual security degrees in the last few years, I'm starting to see at least in hiring this swap where previously I would say 90% of people in the cybersecurity field were somewhat passionate about security, right, like they can talk security. They are eager to talk security, but as it becomes more publicized, we're starting to see people into our field that are very much just treating this as a day job, which is fine. It's a completely acceptable thing to do. But there is just this inherent shift that I think is starting to happen because all these people are now starting to come out of those four year programs that were just introduced and into the cyber workforce. So it's been really interesting to see that come into play as well.

    Pat: 32:54

    Yeah, that's interesting. I have noticed that, folks have, been latched on to, the cybersecurity, degrees and they, attached to colleges or institutes of higher learning things of that nature. So I guess just for my own knowledge, and maybe for some folks that are out there, but what does a typical, you said you have an information, science degree with the specialty in cybersecurity. What do some of those courses look like? What did you actually take? is it based off a networking and then you sort of move into cybersecurity because you have to know the underlay to know the overlay for lack of a better term, or what do those, what does a typical course look like? is it math? Is it science? Is it a mixture of both or.

    John: 33:30

    I should preface this with, I didn't get my degree until seven or so years into the field. And I only got it as a bit of a check mark so that if I wanted to go for higher level positions, and that was a requirement, I could beat that front-facing HR filter that I was talking about. It's a little bit of a unique use case there, but what I had was largely lab based. So I was doing my degree online, and it was lab environments, a lot of manual exercises. I had a network security course that was specifically aimed at having you learn how to configure these IDSs, IPSs, firewalls, and then try to break through them, but doing it in a very railroad environment where you can't really go off and do your own thing, you're really just paying attention to how this behaves. There's a lot of, also, like, boring reporting, like a lot of Gantt charts I had to make, which I don't love, but I don't regret, cause I was actually able to put that to use last year for the first time.

    Pat: 34:33

    no, that's cool. Yeah. I'm just trying to give some folks a little flavor of what a, cybersecurity degree typically it looks like, are they, do you know if the, if they're cut from the same cloth, no matter like what Institute you go to, or is it specified or tailored to whatever college university, whatever.

    John: 34:50

    I would expect it's similar and I would expect a lot of labs. You'll start off typically as a normal degree would, like your first few years are just broad classes, right. But as you go in and also really hammered in to what specifically you're looking at, and for me, that was learning a lot about how IT functions in an organization. So getting a lot of different exposures into, I had a course on risk. I had a course on network security. I had a course, I had a course on cyber law and ethics that I really thought was probably one of my favorite courses that I had taken there. But it gives you that, what's it say, the mile-wide view of what you're about to go into. And then you'll, for me, I had my specialized courses that were specifically geared towards security, which was that network security stuff. It was writing vulnerability reports. It was reporting to management on risk and things like that.

    Pat: 35:49

    Okay. Cool. No, that sounds good. I'm intrigued by the cyber law side of things as well. I think that's a really cool field to sort of go down the rabbit hole on, as far as, since this is all, I'm gonna say, relatively new, because cyber has been around, cybersecurity has been around for a little bit, but I think now it's being thrust to the forward or thrust to the front of the line, I should say. When you hear about, a company has been hacked every other week and you're like, yeah, now it's such a pivotal part in that has such eyes and money and dollars and cents tied to it, right. To keep people's data and the company's data out of the hands of the bad guys. It's interesting to see the law aspect on the other side of that, because guys like you and I, and Dean, we deal with the bits and bytes of it, but there's a whole other side of the other side of the coin where law and how those things are written and processes and procedures and things of that.

    John: 36:42

    Well, look at the last 25 years and how cyber law has changed. You go back into the nineties and you talk about someone like Kevin Mitnick, who was big in the hacking field. He was put into solitary confinement because someone told a judge that he could whistle into a phone and launch a nuclear weapon. Not at all true, but that was how based, how non-existent cyber understanding was in law at that time. And you fast-forward 10 years or so to 2004, you've got the FBI and the Secret Service hijacking a semi dark web site, trying to get people to come in and actually turn themselves in because they, quote, have our IP addresses, as a part of that Operation Firewall that they launched in the early two thousands. Right. So we were trying to get people to turn themselves in as almost like a, we supposedly have you. And then you move on to someone like Jonathan James, who was almost framed for the big TJX hack in 2008. And they were just going to try to pin it on him because of some pretty substantial, or I'm sorry, circumstantial evidence that didn't quite pan out. For him, it's just constantly shifting. And the goalposts are constantly changing and someone who committed that same crime that I told you Mitnick did in 2000, in the early nineties, gets a much less significant piece of jail time right now, because examples are constantly being made. And the law's constantly being developed to mirror

    Pat: 38:22

    That's interesting. I do like the story of Kevin Mitnick. I actually had, when I was in community college, I had a security class cause networks and security are closely tied together. I had to take a course and whatnot, and we each kind of hacker that we had to report on and, a college book report, if you will. And, I got, I actually got Kevin Mitnick, so I had to read the whole story and, the art of deception and his book and the whole deal. It was really interesting.

    John: 38:45

    Yeah, he's probably one of the I D when I launched my show, he was a first episode that I did. And that was one of the. Coolest stories. I had read, like talking about a kid who is gaming the LA bus system. I'm like, okay. And he's on Barron. This is, I encourage anyone to read about him. He's got his own company that he works for security now. And he may, he came out on the other side of the law in a good way. Some people aren't as lucky.

    Pat: 39:15

    That's true. That's very true. now that's a good segue, cause you said your show. So why don't we flip the coin a little bit and put on your, a content creator hat, if you will. So what was the, so tell us a little bit about the background of your show. what was the driving factor, your inspiration sort of thing, and sort of start there and see, see where that goes.

    John: 39:35

    Yeah, I guess I'm going a semi flip it right back to this show because I operate a podcast called what the shell I'm about to publish episode 12 next week on it. But the driving factor for me doing a podcast was forward career growth. I hadn't been put in a position until the last few years where I'm constantly presenting to people and I recognized pretty early on, but I need to get better at public speaking. I need to get better at talking about something to an audience that might not have a complete understanding of it. Mainly in my field. I need to get better at explaining high level vulnerabilities to people who have no idea what I'm talking about. And I have very much fi mentality of, I could talk for an hour about an exploit and the intricacies of how it works, but no one else wants to hear that no one else

    Pat: 40:29

    Yeah. Big execs don't care. Yeah.

    John: 40:32

    So, I was actually boss, late last year I just need to get better at this. And he was like, yeah, if I feel like it's something that you need to work on and I'll help you work on it. And I ended up listening to darknet diaries for a bit and picking, I really liked the idea of telling these stories of hacks of hackers or cybersecurity incidents. And I was like, alright, I'll try that. And I started scripting out episodes to of stuff that I really liked and something interests me, but doing it in a way where I leave, I either leave out some of the super technical stuff or I boil it down in a way that I hope someone who has no input in the field can understand, because I think that there are a lot of these stories that don't get told or don't get told in a way that feels accessible to.

    Pat: 41:27

    Now that's a good, that's a good point. And I would, we'd love Darknet Diaries. Jack is great. He's really a great storyteller and he really does some great work over there. So that's another, that's a podcast that security folks are interested in. Darknet Diaries is totally one of the best up there. So, shout out to Darknet Diaries. And, Jack is, he's a really good guy. I've spoken to him a couple of times, just chatting back and forth and whatnot. It's really good dude. So if you're into that, Darknet Diaries is your.

    John: 41:54

    I'll think, I'll say I think fat, my strategy has worked. do know there are several people in my discord better, students that are listening to this and gaining exposure to the field through that, through some of the episodes that I've made. I'm like, okay, I've succeeded in what I want to do. And I can say that I come into, at the very least discussions with people I've never met. Maybe a little bit more confidence than I used to. So it's working and now I just fake I'm doing it because that's fun. Like I think I've gotten to the point where if I prepare adequately invested is something that it's really taught me. How to do is prepare for these discussions. I could present to people who I have no familiarity with on a topic that I don't really think they have an idea of what it's about in a way that is much better than I used to.

    Pat: 42:45

    Cool. That's really cool. So, I've listened to. a couple episodes. it's just you, right? John? There's no like guests or interviews or anything like that.

    John: 42:53

    It is just me. I have had one episode with a guest. I did an episode on skip tracing, which is open source intelligence and finding people based on what information you have publicly available. And then I knew someone who was a skip tracer, someone who actually goes out and finds people for a living. And so I had him on as a guest, but the main episode format is just a script where it's only me. I'll write it, edit it, record it all from my closet or my desk and table. It's only me. So it's been a unique experience in bathroom.

    Pat: 43:31

    So I guess, I guess my next question is how do you find, or like, how do you find your content then? do you just do pick a few, pick a hack and talk about it? do you do some, preventability like, Hey, do this, instead of, don't try to get hacked. Here's how to do that sort of thing. Like what's your thought process behind actual content?

    John: 43:49

    Tell you, it's very simple. If I see something that's interesting, I put it in my bookmark tab in Chrome, it says podcast ideas, and then I come back to it and see how big of a story it is. So, I've done hacks, I've done the Colonial Pipeline hack, for example, was my, one of my first episodes where I walk through the start to finish how that happened and break it down in a way that I think people will be able to understand, or I'll do a hacking group. Like I've done the Lazarus Group out of North Korea. I've done a breakdown of what they've done, and a separate episode on their Sony hack. Or Anonymous. That was my most recent episode, was the rise of the Anonymous hacktivism kind of trend from the mid two thousands. And I just bookmark these ideas, see what I can find in terms of timelines, and start writing and see what I can do that way. I have a very loose outline on my script and I'll just record.

    Pat: 44:53

    Nice. I like that. Dean, it looks like you're thinking and I see the smoke.

    Dean: 44:59

    no, that's just aye. Yo very brave guy. I wouldn't be talking or reporting about those guys, but each of our own, I suppose you do live in a free country, but I still don't know. North Korea. Rauf Russia knocking on my door. Right.

    Pat: 45:17

    That's funny. That's funny.

    Dean: 45:20

    You're braver than me

    John: 45:22

    There's a lot of anxiety. In this field in general, I think because you're dealing with so many things, like if part of your day to day work is talking about nation, state attackers and what they're doing to your enterprise. I feel like there's an inherent bit of anxiety. And if I can one day worry about my podcast, because my episode on North Korea is ticking off. Some people, I think I'll be pretty happy. I think I'll say I'm pretty successful at that point.

    Dean: 45:50

    for how long.

    Pat: 45:51

    Hey, do you remember that guy? John Reed? We had on the podcast a few years

    Dean: 45:55

    such a nice guy,

    Pat: 45:57

    he stopped tweeting his website. Hasn't been updated. What happened to him

    John: 46:02

    So weird. His last tweet said I'm going to Pyongyang having a nice vacation.

    Pat: 46:07

    spending two weeks over in the, yeah.

    John: 46:11

    No, but I mean, at the very end of it all, I'm not really, I don't offer. I guess I do. I put a little bit of conjecture in there, but

    Dean: 46:20

    but that's what makes it interesting.

    Pat: 46:23

    No shame in that.

    John: 46:24

    I think like with the Anonymous stuff in particular lately, that one was the only one that I think I've put out where I felt a slight twinge of concern because Anonymous as a whole tends to skew towards views, young kids who have no concept of the fact that there can be consequences for cyber actions, but also at the other side of it, they only really know how to launch their DDoS programs. So anyone who's Anonymous that, in my opinion, has skills worth a damn has separated out into some of these small sects, like LulzSec back in the day, that wasn't one of them, but very few smaller groups. Now, it's not like what, it's not what it used to be. And they're still active. They're still doing good and bad things, depending on what lens you're looking at it for. But that was the only one that I put out an episode and I'm like, yeah, I could see someone getting the wrong idea from this and trying to prove me wrong. But at the end of the day, if that happens, I'll make an episode about that.

    Pat: 47:26

    That's it. Yeah.

    Dean: 47:27

    Good for you. Yeah. It's more publicity, I suppose. Yeah.

    Pat: 47:30

    cut that point. Yeah.

    Dean: 47:32

    That's I say that's also.

    Pat: 47:35

    That's awesome. John, did you have any other things you want to talk about? And we're creeping up on the hour and wrap it up and get out of here. But, the floor is yours. My man.

    John: 47:42

    I think if I could leave anyone listening to pivot with Artemis episode, with one thing, it's, ask someone to be a mentor. very rarely have I ever had someone say no to that? Ask someone to shadow them. Like I said, just ask questions. Don't be a person who just goes in and does nothing. that's how you end up stuck. And if you're the guy who's asking questions, always trying to learn, then that's good enough or your reputation, better that, you know, someone who's coming in trying to be that gung ho tech wizard can do.

    Dean: 48:13

    Absolutely. Any recommendations on courses to get into your kind of field for our listeners?

    John: 48:20

    If you're talking about entry-level stuff, I would say, go for your CompTIA certs. Easy enough. They have the best dollar-to-reward ratio, I think, because they're such a staple in the community, right? Do your A+, your Net+, or your Sec+. Contrary to popular belief, you don't need all three of those. Pick one or two, right? Only do A+ if you're really going to try to hammer in on help desk. Otherwise, if you think you're competent enough to do Sec+ and Net+, those will get you into the core concepts in a way that I think will give you a leg up on some other people.

    Dean: 48:57

    sweet. Okay. And everything else after that, and one times of life, once you attain those, anything to sort of refine or hone your skills

    John: 49:04

    It depends, right? If your company is going to pay for it, go do a SANS course. Those are a bit more expensive. So don't pay for it yourself on that one, make sure you have a company that will pay for that on your

    Pat: 49:16

    a sponsor.

    Dean: 49:17

    Is that S-A-N-S?

    John: 49:19

    Yep. So error, this company is very large of a cybersecurity training field. I've done penetration testing certifications for them. I've done incident handling certifications, and currently I'm doing the enterprise vulnerability assessment certification for them. They carry a lot of weight because they come with all these labs and it's effectively a 40 hour course that you do on your own time with labs. And the certification that comes out of it, it's typically very sought after

    Dean: 49:50

    Oh, very nice. And is that an exam based or is it all just labs?

    John: 49:53

    it's exam-based

    Dean: 49:55

    Okay, nice. And is that you do at home or is that you go to a testing center?

    John: 50:00

    That one you'll go to a testing center and you can actually bring in some reference materials because typically what they do in these is they'll take the core material and ask you questions about. You can't just pluck an answer out of, you'll have to do some interpretation of it. For anyone that's super gung ho and wants to get into the more hacking side of it, you can eventually upgrade yourself to an OSCP, which is probably one of the more sought after penetration testing certifications. That's the one that is probably one of the hardest ones. I've taken it, but not passed. It's a certification that is, you will sit down in front of a computer and someone is watching you try to hack into a network for a full 24 hours, and you'll have to write up a report on it.

    Dean: 50:50

    holy moly. That sounds intense.

    John: 50:52

    very interesting, certification. Not one minute. I'm going to continue going forward. I don't think, cause I don't necessarily need it, but I'm very happy. I took the course. It's tied to.

    Dean: 51:02

    oh, cause you've got some information through the study and process.

    John: 51:06

    Yeah. you get so much information. Just search

    Dean: 51:09

    okay. Sweet. Nice. That's awesome. That's good insight.

    John: 51:13

    anytime.

    Pat: 51:15

    Yeah, that's cool. And oh, by the way, we haven't spoke since, my Palo Alto test, last Monday and, I did pass, so there is a happy days on that. So no more stress on the Palo Alto

    John: 51:28

    Congratulations.

    Pat: 51:29

    that out of the way, which is nice. So thank you. Thank you. Work for the bootcamp and then subsequently the free voucher to attempt his exams. So all good there. And, yeah, so that, that was good. And next one up for me is the CCNP Security. So the SCOR, I guess they call it. So it'll be dealing with Cisco ISE and security concepts, things of that nature. So that's next. So. I think that was it. John, you want to tell the people, tell the fine, fine people where they can find you at, where they can find the show, and plug your socials, where you at.

    John: 52:03

    Absolutely. You can find What the Shell on any podcast platform that you've got. I have a website that also has all the episodes on it. It's whattheshellpod.com. And you can find me on Instagram or Twitter at shell underscore pod.

    Pat: 52:19

    Nice. There you go. I like it.

    Dean: 52:21

    names. Yeah.

    Pat: 52:22

    Like it.

    John: 52:23

    The trick was, getting all that stuff done before I launched it. So no one else could steal it from under me.

    Dean: 52:28

    okay. Then doing two factor authentication so we can steal it to

    John: 52:32

    There's a Russian account, but that shell underscore podcast, if they haven't tried to copy me or anything, I don't know what the game was, but I got it. I got a follow request from shell underscore podcasts. I was like, okay, come on now.

    Pat: 52:46

    That's awesome. Yeah. So guys, I highly recommend John's podcast, if you're into the security game or curious about it and wanting to learn more about the cybersecurity world and that side of the IT world. It's very informative. It's very well done. So, John, this has been awesome. Thanks a bunch for coming to hang out and give us an hour or so of your time. And we'll continue to move forward in the cybersecurity game. And we'll definitely have you back on the show, man. This has been awesome.

    John: 53:14

    Thanks for having me. I look forward to coming on again at some point.

    Dean: 53:18

    Cool. Yeah, absolutely. Thanks, John. And awesome.

    Pat: 53:21

    Yeah, we're going to wrap up and get outta here. We try to right around an hour. So I think we're at that hour mark. So get on with your day and we appreciate you hanging and listening to us chat a little bit. One thing I wanted to mention was that we're very humbled by this, but we have been nominated for the Cisco Champion IT Blog Awards as a finalist. So the finalist awards has been out for a couple of weeks now, and if you follow us on Twitter, you've seen us tweet about it and things of that nature, but it's the first mention of it on the podcast. So if you liked the show and you want to give us some credit with Cisco, some street credit, if you will, the voting website will be in the show notes of the podcast. So go vote for us. And there's a ton of other great content creators on there. So go vote for them. I think you'd get a couple of votes. It's like up to five or whatever. So, it's for actual IT blog and podcasts, they split it out into two categories and we are one option or finalists for the podcast side. So very humbled for that. So appreciate it by listening and hanging out and raising our voice, if you will. So, if you want to vote for that, you can check out the show notes for the, for the websites, to vote that. So I think voting goes into mid February, so, but do it now, just get it out of the way. That'd be cool. Again. Yeah. Thanks. Thanks for joining this week on the episode, this was really great. Again, thanks to John for coming and hanging out for a couple minutes and telling the story and talking cyber. That was really cool. We always enjoy a cyber guest here. Again, visit our website, So You Want to Be in IT dot com. You can subscribe to the show on the thousand platforms that are out there. Some of the big ones, iTunes, Spotify, Google Podcasts, Stitcher things I chair, or there's a plain RSS feed on there as well, a link. So you can get it however you get your RSS feeds. It's right there as well. So a ratings on iTunes, right? That's how that always helps them, with their algorithm and get us to the top of the list and things of that nature. If there was a rating on iTunes, that'd be awesome. Or simply tell a friend, right. That works too. Word of mouth is always, is always good. Even in today's technologically driven age, I think word of mouth does just as good. Sometimes even a little better. So, tell your friends, tell your family, everybody that you meet on the street. So, follow us on Twitter and Instagram, facebook.com/so you want to be in IT, the, all the social handles, Twitter, Instagram, Discord server, all the invites are in our show notes or on our website. You want to do that, go for it. And, again, we have a survey out there to help, help us understand you guys a little better, what you like, what you don't like, and just some general knowledge just for us to tweak the show and help us out a little bit on understanding who you are. So, want to check that out. It is in the show notes as well, and on our websites. So we're gonna try to aggregate all that data and tweak it just a little bit to how, just the way our formats shows and just, just to help you guys like us a little better. So again, that's it, Dean. Awesome. As always,

    Dean: 56:12

    Yeah. Thank you guys.

    Pat: 56:13

    Yeah. Thanks,

    Dean: 56:14

    I thank you, John, so much. It's been really insightful. We'll definitely have to have you back, buddy. What's been

    John: 56:20

    Any time. I'll say this, I'm on your Discord. So keep posting up here and I'll be around.

    Pat: 56:25

    Yup. Yep. Absolutely. All right guys. Appreciate it. Thanks John. And we'll see you guys next week.

    Dean: 56:31

    Take care now. Bye-bye.

 