S2E5: Cyber Security Careers: Battling the Forces of Darkness with Former Professor and Current Cyber Security Consultant Jason Lowmiller
Angel Leon: Hello everyone and welcome to another edition of ASCII Anything, presented by Moser Consulting. I'm your host, Angel Leon, Moser's HR advisor. In this week's episode, we'll be talking about a subject that should be on the top of your list if you're someone who likes to be in the cyberspace a lot, and that is cybersecurity. With us today to talk about cybersecurity, is Jason Lowmiller. Jason is currently a senior security consultant for CyberSheath Services International, a cybersecurity firm in the defense supply chain industry. And a former assistant professor of cybersecurity in Anderson University. He has experience working in dev ops, systems and network administration, development and cybersecurity. Jason has also been an independent security consultant and trainer. He has a bachelor's in business information systems from Indiana Wesleyan University and a master's degree in cybersecurity from Bellevue University. Jason, it is a pleasure to have you with us on ASCII Anything to talk about such an important topic in today's world. How are you?
Jason Lowmiller: Good. Thanks for having me on today, Angel. I appreciate the opportunity to talk with your listener base on all topics cyber.
Angel Leon: Well, I think this topic is really an important one, especially because of the world we live in. We hear about some sort of cybersecurity attack or a cybersecurity issue going on in the world, I feel like almost daily, right?
Jason Lowmiller: Yeah, it's one of those topic areas that can really be hard to stay on top of, depending upon what market vertical you kind of find yourself to be in. Either industry cyber problems will be unique into their own industry and you'll be into areas where different regulations will change dependent upon what the business is. For medical and insurance, you deal with things like HIPAA and high tech. For federal systems, you deal with DFARS and pending CMMC. It's a very wide field that really, really needs people that understand business and also technology.
Angel Leon: Well, before we dive in into some of those topics, I'd like to start with your credentials. What could you tell us about your time in, generally, in cybersecurity? I want to learn a little bit about your time in education, as well as, a professor.
Jason Lowmiller: My entrance into cybersecurity was not probably very similar to anybody else that's currently looking to go into cybersecurity. Back in the mid'90s when I was in college, I was going to Indiana Wesleyan for a bachelor's degree in computer information systems and it was okay. Out of high school I had got a job as a programmer and liked programming. So I thought maybe I'd try out going to university and actually getting some sort of formal education. Turns out that the things that I liked the most about working with computers was only kind of peripherally related to programming. I liked knowing how to program, it's always benefited me, but wasn't necessarily something that I wanted to do day in, day out. I didn't necessarily want to just sit and pump out code according to some functional requirements that were handed to me. That kind of showed in my coursework. I was not really engaged and had more fun back then doing things like listening in on network connections, capturing network packets, as they flowed through the dormitories, stealing passwords, all the things that would kind of play out in the future, me being a cybersecurity professional. But it was kind of a long road to get there. Back then, I didn't realize that cybersecurity was a thing or that anyone could actually make money with the kind of talents or mischievousness that I had been kind of endowed with. So when I got out of college or I should say, I dropped out the first time. I went back to work, went back into the place that I was working in a small town doing programming, doing field service work. As a result of that, I would get onto the certifications. I got my A+ back in the'90s or in the early 2000s and went on the certification track and job hopped for the next few years. In the early 2000s the dot com bubble burst and the tech sector was in a moment of upheaval. Throughout that I worked in development, I worked in systems network administration and always, with every job that I had, there was some sort of cybersecurity component that either the organization didn't know how to tackle or didn't want to necessarily devote a full time employee to it because again, it was a one of those kind of those peripheral job responsibilities at the moment. It wasn't really seen as being super important at the time. Those were always attached to my positions that I was going into. It wasn't until I decided to work for another place, Indiana Wesleyan University, as a security administrator that I actually went down to a formalized path of working in cybersecurity. It was always peripheral. After I left Indiana Wesleyan to do adjunct teaching and to do my own consulting business, I was teaching certification platforms like ISACA's CISM, their CRISC, ISC squared, CISSP. So I have a lot of different certifications. Right now, due to the pandemic, I have not maintained my CPEs as well as I probably should have. And so that's always kind of one of the challenges you get all these different certifications and they all need CPEs. And that's actually, it is a good thing for the certifications to ensure that the people that are certified are maintaining their credentials. So that's not to me to downplay or not say that CPEs aren't important because they absolutely are. So I did a lot of consulting. I did the incident response for some clientele and in the Midwest here. Incident response, training, lots of consulting with nonprofits or other ministries when the opportunities arise.
Angel Leon: That's interesting. And I want to dive into some of the credential stuff a little bit later. I want to just to go back to the education part. So can you tell us a little bit more about the curriculum you taught and now diving a little bit deeper into that education requirement and those certifications, what would you say are the major requirements needed for somebody who's looking to get into an undergrad degree or maybe just a certification in cybersecurity?
Jason Lowmiller: So that's great. I really am a fan of the CompTIA, the CompTIA stack A + the Net + the Sec + for individuals that are looking to get into a Ric into cyber security. For awhile there, I was running some, some free classes for some of the CompTIA Sec +, for individuals who just wanted to wet their whistle. They didn't want to pay for a full boot camp, but they wanted to see if this was something that they were interested in because myself growing up that would be something I would have absolutely loved to have taken advantage of. The opportunity to at least try something before committing to a full- on educational experience. I like a lot the CompTIA stuff for the introductory. The CISP and the CISM, both have requirements of five years of experience in cybersecurity or some sort of related kind of an adjacent field. As far as talking about job skills in some of the things that people kind of need to have in order to be successful, cyber practitioners, and even going into the university. When I would teach my Cyber Fundamentals class, I would teach the students that if you can kind of imagine a quadrant and again we're in IT, we love our Gartner quadrants and anybody who's in business loves a good quadrant. If you can kind of imagine a quadrant with the vertical axis being between technical and non- technical, or I should say the first quadrant being non technical and the second quarter being technical. And then the horizontal axis being between good and evil, we kind of need people on both sides of that technical axis, but in that good area. Different areas for me, where I've been at different times in my life I can kind of spend time in either one of those quadrants. So you really have to have cyber professionals that understand things about business, who understand things about regulation that can read laws, but they also need to be able to be technical and understand how a network operates and what are some of the ways that the IpV4 stack is vulnerable and how have we gotten to where we are today? So for cyber professionals, they really have to understand business. They have to understand things like people process, data and technology, but they also have to understand some of the low- level aspects of where technology has made us vulnerable and continues to make us vulnerable so far.
Angel Leon: There was somehow during this discussion, I thought about Star Wars for some reason, because you mentioned being on the good side and the bad side, and this sounds a lot like Star Wars you're either on the light or the dark side.
Jason Lowmiller: Yeah. Or you either have a red saber or a blue saber, right. You either are on that red team where you're constantly attacking in a very offensive, or you're in that blue team where you're using the force to do what you need to do, right.
Angel Leon: So it's very interesting that, I know we're joking, but it's very interesting describing it this way, because when you're thinking about cyber security, and if you like to think of it in the way you described, you have people on one side who are trying to get into a system, a network and take your pick about the most recent attacks that have occurred. But then on the inside you have this defense. So it's kind of also, to use a sports analogy, it's kind of also like a soccer field where you have the attackers and the defenders it's up to a lot of people, which side they want to fight on. Right.
Jason Lowmiller: And you really have to play up to people's talents too. One of the things that I learned that in doing things like coaching or instructing for the CISM, the CRISC, one of the many platforms, either from a defensive practitioner basis, or from an organizational governance basis, you need people on both sides of the fence and you need to be able to play to their skills. You don't necessarily want the C level implementing a firewall, but you definitely want that C- level to understand what that firewall is doing and why it's there. So there's a lot of, even going back into consulting, when I left education, I didn't really leave education because one of the things that I get to do when I'm working with clients is to educate them on what these regulations mean or what this device is intended for. So yeah, absolutely. You have to both use and play to people's strengths on the team and kind of get everyone to the same level, even though they may have different functions.
Angel Leon: And speaking of that, playing to people's skills, I feel like the defenders, if you will, right, the people that are inside the organization, trying to defend against cyber attacks, they have to know from both sides of the court. Because in a cybersecurity environment, just like in any security environment, you have to be able to detect attacks. You have to be able to detect anything that might be coming. So you have to prepare for that. So how do you prepare for a cyber attack if you're on the defensive side?
Jason Lowmiller: On the defensive side and in a consulting role, I've been a huge fan of the NIST CSF framework. And this NIST CSF framework, it breaks down things into five important phases. And the first phase is to identify. You have to identify all your systems. You have to identify who your threats are, and you have to identify where your informational flows are going within your organization to external organization. And if you can't do the identify phase well, then you literally have a very little chance on picking up on any sort of attack that's currently impending. So you have to be tied into things like threat awareness, threat awareness streams. You have to be tied into what the current playbook looks like for a threat, how they're going to try to gain access to what they want to gain access to. And that's one of the things that talking about different regulations working in the current defense industrial base we're looking at the DFARS regulations with the CMMC coming up. And the reason for this is because our supply chain has been being picked apart. No longer is it important for a threat to be able to rip off data for some confidential piece of information, they can go ahead and aggregate all of that confidential data by picking apart all the unclassified data to all the suppliers in that supply chain have. So and it's simply understanding how the threats are currently trying to gain access to the information they're trying to gain access to. How are they trying to win?
Angel Leon: Interesting perspective. See I go back to that thought that I had initially about defenders having to know offensive skills too, because, as you mentioned, in that detection stage, so they have to do that. So they have to run their own simulations. They have to run their own attacks, if you will, sort of like you would do on a physical security where you do a simulation of a fire say, and so then you bring out the people and you put them in the safe space that your organization has decided. So I view the defenders, I put them in a high platform if you will, because they are the ones that have to have that knowledge from both the offensive and defensive skills to make sure that your organization is safe.
Jason Lowmiller: Yep. And it constantly changes. The vulnerabilities that systems might be subject to today, change how the threats will adjust their playbooks in the future. So you constantly had to constant cat and mouse game where we're trying to identify what is vulnerable? How could a threat possibly leverage this against us? But it really starts with first understanding what assets you have the threat could leverage a vulnerability on to gain access to the stuff that they're trying to want to get access to.
Angel Leon: Right. The playbook is constantly changing. Okay. So I have to ask a little bit to go back to the whole education side of things. Do you have any stories about your students and their prospects in the field of cybersecurity? What can you tell us about that?
Jason Lowmiller: A lot of my students, whether it's been through community colleges or it's been through a more formal education, like at Anderson and Anderson has a great program, it's a great university. If you're wanting to get exposed into cyber or wanting to work on the national security policy side of things, the Anderson University is definitely the place to do it at. President John Pistole and his contacts, and some of the other professors in there, Dr. Michael Frank, they're all top notch professors who have a lot of great contacts in the national security. And they really let students have a lot of good exposure into some organizations or some groups that a lot of other universities wouldn't necessarily be able to get them exposed to. So that's a great place to start. As far as an education perspective goes, my students, whether it's through our formalized classes or informal classes, they have all gone into doing cyber for other organizations quite effectively. And the job market right now for people doing cybersecurity is pretty rich. Whether they're doing risk assessments or whether they're doing vulnerability analysis or whether they're just doing systems and network administration with a little bit of a cyber defense added in, there's a lot of different areas and ways you can take a cyber career. Whether it's a governance risk and compliance, or whether it's going down the more technical track of being a Bug bounty hunter, I've had students that have gone down, both tracks. And again you have to identify what your student is more geared to and kind of pointing them to those different jobs and helping them to grow.
Angel Leon: Well. I have two thoughts on that. I have to second your thoughts on Mr. Pistole, I may or may not have met Mr. Pistole in a previous working life where he and I worked in the same area. So he is a gentleman's gentleman. He is phenomenal and cyber security and national security are his areas of expertise. Having said that I have to ask Bug hunting?
Jason Lowmiller: Yeah. So one of the interesting things is that we've seen over the past, I don't know, 10 years or so now is that the free market has found a niche in Bug bounty hunting where organizations will throw out Bug bounties for people that if they want to try to find a bug in a software or some sort of vulnerability, they will then provide the person who reports that bug or reports that vulnerability then to that organization. And then they'll get a reward. There've been some people out there who are just incredibly smart and they've made millions of money, millions of dollars, just doing Bug hunting. And they've had little or few formal education. And when I'm talking about the quadrant, these are the people in that very far right end of the quadrant that are just incredibly technical. They're the MIT dropouts, right? They're the people that are almost too smart for their own good that haven't really gone through that formal education. There's not a lot of those, right. I mean, making money in Bug bounty is not necessarily for everybody, but it's definitely out there. It's another interesting career path for certain people.
Angel Leon: Another Star Wars, reference, bounty hunting. We're full of those today. So shifting-
Jason Lowmiller: Their the Mandos.
Angel Leon: Shifting gears a little bit now to the corporate world, what do you think are the top issues in cybersecurity facing small and medium- sized companies and how can we address those? How can we attack those issues?
Jason Lowmiller: Well, 99.9% of business in the United States is small business. And with small businesses, you don't have the luxury of having lots of wiggle room to identify what products could possibly help reduce your risk, or what kind of controls you should have in place in order to mitigate the risks that your organization has. I think a lot of it also has to do with awareness. We see small businesses, 99. 9%, again, is a small business. And when we're talking about cyber security, we see all these controls, all these technical controls to address risk and they're not cheap, right? So you have these small mom and pops who might be subject to attacks from China because they may or may not have controlled and classified information that they're working with. They might be something like a machine shop and they're making parts for Boeing. And it's, unfortunately, those organizations are the kind of targets that the foreign adversaries are trying to get access to that information. Get access to that data. And there's not a whole lot that they can do outside of what they're already doing, or they may feel that way. Because there's just so much there. There's so much to cybersecurity and you have out there, people are selling fear, unbelief, and doubt. They sell snake oil, they sell the next biggest thing. And so you have a lot of small mom and pops that don't know how to necessarily apply what is necessary to help protect them. So all that to say there's a great guide on the ms. gov page for small business that I've used in some of my classes to helps explain cybersecurity, helps explain things like controls, like threats to small businesses. And I think now fast forward the many years that it's taken from where I've started in cybersecurity to where we are now. And I think businesses are starting to understand it a little bit better, right? We have a lot more reporting on it. We're much more aware, the situational awareness across the United States has grown to where we see that what this problem is. Unfortunately, there's a lot of small businesses that might not necessarily know what are the things that we can do to help protect ourselves. And again, it goes back into that education aspect where we're trying to educate, or need to educate small businesses on what some of the risks are and how they can implement certain things to help reduce that risk.
Angel Leon: And I agree, I feel like cybersecurity and all the risks associated with that are being widely reported nowadays. Of course, you hear about larger instances where larger companies, larger organizations get attacked. And so it immediately blows out, somebody pointing the finger at XYZ country at XYZ place. But what we don't hear is, like you mentioned, those small and medium size shops that may or may not be, are being currently attacked. And like you said, maybe they're a contractor for XYZ company and they're building a part that helps that bigger sized company. So then you've got foreign adversaries, foreign companies coming in and basically just taking those little bits and pieces away from that mom and pop shop, and then just basically turning that into their own product and then maybe just pushing it out to the market so that they can sell their own product instead of having a local shop here in America, do that.
Jason Lowmiller: Yeah, absolutely. And for a lot of the smaller organizations too, it's just simply having that awareness, right. They may not be even aware they've been compromised. They may not be aware that there's anything even to respond to. With things like ransomware, it's a little more obvious because you can't get access to the files that you're trying to get access to. But for others you might have someone within your systems, they might've been there for a while and you never know about it. So having those controls in place to have the right visibility to your network, to your systems, absolutely critical even for small organizations so that they understand what is going on and what needs to be responded to. And it doesn't take a lot of money to do it, but it does take understanding what the right controls are in order to have the visibility.
Angel Leon: Well, and it also doesn't take a lot to be under attack because I mean, something as simple as an email where you click a link that basically opens up the flood gates, right?
Jason Lowmiller: Yep, Absolutely. Absolutely. And that awareness of what the threat is doing. Here's a common play that they are constantly doing, and it's a little bit easier to track with things like with email, but then the play might change ever so slightly. And now it's a whole lot more complicated than it was.
Angel Leon: Yeah. I mentioned email because I feel like that's basically kind of the entry kind of them knocking on the door, Hey, I'm here and I'm Joe. I'm in my steel company and I'm building this little tiny part made of steel for Boeing, like you mentioned, but Matt sends me this email and I'm thinking it's Matt my buddy. And I click this link and it takes me to this nice little YouTube video. And then all of a sudden, everything in my computer gets downloaded somewhere around the globe. So that's why I mentioned email because it's like a gateway, but then as you mentioned there's more that can be happening. The attacks change, the playbook changes even for the bad guys, too.
Jason Lowmiller: Yeah. Even for the bad guys. And the players also change, you'll see different advanced, persistent threats and one threat group being more prolific at times than the other. And it just depends. Those threats constantly changed. They're usually after similar things, but what and how they do it and who is doing it also does change too.
Angel Leon: Unbelievable. A lot of stuff that we have to be aware of. Well, Jason, before we let you go, I do want to ask you three questions that we ask all of our guests, just to give us their thoughts on these things. So what's a commonly held belief about cyber security that you passionately disagree with?
Jason Lowmiller: One of the things that I disagree with, and it's a commonly held belief, and I dealt with this with many clients, is that cyber security is seen as being the office of no. Or the department of no where we're not going to let you do your thing that you're wanting to do. We're going to tell you, no, you can't do it. And so I dealt with that a lot in a lot of different areas where I've worked. Hopefully, if you're a cyber practitioner listening to this, hopefully our responsibility as cyber practitioners is to ensure that the organization can get done what they need to do. And if we are getting in the way of that, then we are also then a liability in that, in terms of we're talking about CIA or the CIA triad in cybersecurity, that availability. We're stopping your organization from doing what they need to be able to do. So we need to be there and coming alongside people and telling them how they can do things safely. And if there is a unsafe practice that the business absolutely has to do, we help them put in other compensating controls and helping them do it well, or do it at least as most safe manner that they possibly can do it. So often people would see me come in as a cyber professional and they would kind of roll their eyes and be like, oh no, here's this guy coming to tell me that I can't do my job. And that's absolutely not the role that I want people to see me. And I want them to see me as an enabler that helps them to be able to get done what they need to do, but also to enable the organization to do it in the most safe manner possible.
Angel Leon: Taking those processes and making them safe. I mean, I don't see what's the wrong thing about that. So next question, what's something that everyone in your industry space should start or stop doing?
Jason Lowmiller: That's a tough question. What should we stop or start doing? I think if you look at some of the reports that have come out, what are the things that cybersecurity practitioners need to be able to do? ISC squared puts forth this report every year on the workforce and they have this thing called the technical skills gap or the skills gap in the cyber workforce. Everyone wants to focus on the technical because as people it's easier to put in technical controls than it is to change people's behavior, right? So I think that we need to stop necessarily working everything as a technical control and start understanding that in that workforce study, we have to be better communicators. We have to work on our communication skills. And I think we have to stop expecting people to be at our level in order to talk to them about cyber security. And we have to bring it to them if at all possible we have to bring it down to levels that they're currently out and things that they can understand.
Angel Leon: Last question, when you first started in cybersecurity, what was harder than you expected?
Jason Lowmiller: I think the thing that was the most difficult for me starting in cybersecurity, was getting others to understand the importance of it. When I started back in the early 2000 with security, it was getting people to understand that, hey, just because we are choosing this design pattern or this method of deployment, that we should be revisiting this to make sure that there's no other ways that this could be used against us or there's no other ways that someone else could use this in any other manner. So I think just early on, it was striving and driving for people to take it seriously. And I think that is you see that obviously, and how we are today and how we've gotten to where we are. And even in just trying to do our own jobs getting education out there, getting people to take it seriously and not take it for granted.
Angel Leon: And I would see where that skepticism might come back in the early 2000 because we just had the whole Y2K thing and with the internet and people not really realizing what we had in our hands with the internet, because back then the internet was accessible, but we didn't have the devices, the type of technology that we have 21 years later.
Jason Lowmiller: Yeah. Yeah. And back then, it didn't absolutely morph some of our supply chains morph how we do business morph our economy to where it is today. So back then we saw it largely as a novelty. And today it's absolutely a critical resource that we rely on, that the hospitals rely on, that the banks rely on. And so it's kind of been one of those things where we're on a little bit of a house of sand a little bit, we're getting better every year at different, and kind of bolting on new controls to compensate for other weaknesses. But it's still a bit of a cat and mouse game.
Angel Leon: Yeah, it is. I agree. Jason, this has been a great conversation to have on cybersecurity. Thank you very much for joining us today.
Jason Lowmiller: Thank you so much for having me look forward to talking to you again.
Angel Leon: Absolutely. Thank you.
Jason Lowmiller: Take care.
Angel Leon: Thank you for listening in to this week's edition of ASCII Anything, presented by Moser Consulting. We hope you enjoy listening to our conversation about cybersecurity without guest Jason Lowmiller. Join us next week when we continue to dive deeper with our resident experts in what they're currently working on. If you have an idea or a topic you'd like us to explore, please reach out to us through our social media channels. In the meantime, please remember to give us a rating and subscribe to our feed wherever you get your podcast. Until then stay safe in the cyberspace. And so long everybody.
This week we are joined by cyber-security expert, Jason Lowmiller. He is currently a senior security consultant for CyberSheath Services International, a cybersecurity firm in the defense supply chain industry and is a former assistant professor of cybersecurity at Anderson University.