Ep 119 - Cyber Security with Kyser Clark

00:48
This is the Art of Network Engineering podcast.

00:59
In this podcast, we'll explore tools, technologies, and technology people. We aim to bring you information that will expand your skill sets and toolbox and share the stories of fellow network engineers. Welcome to the art of network engineering. I am Tim Bertino at Timbertino on Twitter, and I am joined by the best haircut in the business, Andy freaking Lapteff. How are you, my friend?

01:28
did my hair for you, buddy. How's it looking? I'm good, Tim. Thanks, man. It's always good to see you. I want to give you a shout out. I just heard you on Eric Cho's Network Automation Nerds podcast. Two parter. It was great. Yeah, I really enjoyed your guys' conversation. What did you guys cover? Like finding your voice and content creation and it was, I really dug it.

01:58
Yeah, it was, it was fun and kind of funny because you know me, I'm the question guy. So I'm, I'm the one usually interviewing people and that's not what that was supposed to be, but that's what ended up happening. Yeah. You turn the tides on them again. I, in my head, Tim, I'm like, this son of a gun's trying to get on Eric's show now. Cause you came on here and you were so good at asking questions, right? We were like, we, we gotta have this guy on, but no, I really, I really enjoyed that. I've been enjoying all your blogging. You really been putting out.

02:29
A lot of content and I've really been enjoying it. I appreciate that. Besides that man, I went to my first Philadelphia Flyers game with my son the other night. I had never been, he had never been. We had such a good time. Now he's an avid Flyers fan. He's in the other room right now with one eye open. He's so tired trying to watch, trying to watch the end of the game. So, uh, hockey's fun live, isn't it? Yeah. Actually go into a game. It was, yeah, it was really, I mean, we were six rows from the ceiling. So the seats weren't great, but

02:59
I could see the puck and it was exciting and the horn goes off when they score. And yeah, it was a really good time. I didn't really get too much of that as a kid. So like getting to do it with my kid, it's been really neat. We weren't really a sports family until about a year ago. And then my son's been playing sports and then every sport he plays, he wants to watch. So now we're like a basketball, football, hockey family. God knows what's next. But yeah, man, things are good. Besides that.

03:27
We got some exciting things happening with the podcast that we can't talk about yet. So stay tuned for some exciting stuff. And work has been going exceptionally well for me lately. I've been helping out with some storytelling, doing a little content creation. I'm getting some positive feedback, which is very inspiring. It's getting me excited to do more. So kind of hitting a little bit of a stride. You know, Mike came on talking about

03:55
finding your strengths and leverage them in a role, I finally feel like it's starting to happen there. So that's been really nice. How you doing, man? What's new? Your face looks clean. I am continuing my identity crisis.

04:12
So hold on, I got to run through this. I have had hair on my head and no hair on my face. I've had hair on my head and hair on my face. I've had no hair on my head and hair on my face. And this is the first time that I have no hair on my head and no hair on my face. And I look like a turtle. You do not look like a turtle.

04:41
with some college buddies a few weeks back. And I still had the beard at this time. And one of them came up to me and called me the naked mole rat. And I'm like, you know what? You know what, I'm gonna run with that. And we'll see what happens. So I might have to change my Twitter name to the network mole rat or something like that and see if that sticks. Leave it to your old college buddies to give you an unflattering nickname. Bust the stones, yeah. But at the...

05:10
The day of this recording, you were talking sports a minute ago. It is opening day of the 2023 major league baseball season. Cubby's got a W. So, good day all around. You're a Cubs guy, huh? Yeah. Why? Yep. I was born into it. It ain't my fault. Oh, you from Chicago? No.

05:32
No, just born into being a fan. Honestly, I don't know. I'd have to talk to my dad on how I just always grew up watching Cubs games. I think a lot of it was a WGN. The Chicago station always had it and they, in the last number of years, they don't anymore, so they're actually difficult to watch now, but. Well, congratulations to the Cubbies. The Phillies lost their home opener today, 11 to seven. So, exciting at least. I guess I fortunately missed the blowout.

06:03
So joining Andy and I in this A1 jam session this week is Kaiser Clark. Kaiser, thank you so much for joining us. Other than having the perfect prototypical name for a secret agent slash fighter pilot, why don't you tell us a little bit about yourself? Thanks for having me on, Tim. So my name is Kaiser Clark. Active duty cyber defense operations for the United States Air Force.

06:32
Um, I'm from Northeast Ohio originally. I'm currently stationed in, uh, Anchorage, Alaska. That's gotta be different. Yeah, it is. Um,

06:47
The winter's a lot longer, much longer.

06:51
So why don't you, let's start with the air force. What, how did you get there? Was that something right after high school, shortly after high school, what made you want to go that route? So I joined six years after I graduated high school. So before I was in the air force, I was working in oil refineries and chemical plants. I did industrial sandblasting, painting, fireproofing, and a lot of lead and asbestos removal.

07:21
Um, and what brought me into the air forces, I was kind of tired of that. I had no passion. It was just a thing to pay the bills and pay for my hobbies. You had no passion at removing asbestos? Yeah, I had none. I wasn't going to judge. Listen, I've, I've cleaned grease traps. It's nothing's below me, but yeah, I can see how that wasn't lighting your fire after six years, right? Right. So, um, yeah, after doing that for five years, I just, you know,

07:49
Wanted to make a career move. I didn't really know what was what I wanted to do. Well, what I wanted to do is I wanted to be a Twitch streamer on Twitch and just game all the time, but that didn't really work out. So, um, I was like, I want to work on computers and, um, I didn't really know how to get started in tech like at all. And I thought it had to be college. It was like, Oh, I have to get a college. And like, I didn't, I didn't like high school at all. So I was like, well, there's gotta be another way. And then that's when the military came up. Like.

08:18
And I was like, Oh, the military will pay me to learn and I don't have to pay anything and they'll teach me how to do a job and I can, you know, have transferable skills, um, you know, pretty much anywhere. So that's, that was my reason for joining. I love that the military will pay me to learn. You know, I didn't, I didn't particularly like high school either. I did okay, but I didn't particularly like it. And I didn't love.

08:44
college, but I didn't know what else to do. And you had said, like, well, I thought I had to go to college, you know, so I, I don't know where that idea comes from. I guess it's a cultural thing. My family, I was first generation college. So like, they were really pushing, like, you're going to go to college, but I really didn't want to and I didn't know what else to do. And I really like the, I really like that framing that, you know, the military is going to pay me to learn. I guess that's brilliant. Right. And that's what they write. What did you learn in the military? Do you have to take like a test and they decide what you're going to do?

09:14
Yeah. So you have to take the as that was the armed forces vocational. Oh boy. Something battery. Something, something. Take that. And it's, it basically just calculates like, you know, how smart you are in given areas. So there's like, there's general, there's, um, arithmetic, uh, mechanical engine, electric, electrical. So you get all these different things and each job has their own requirements. Um, and then.

09:43
depending on what you score in each category, it opens you up or closes you from whatever job. And then you just basically, you apply for jobs and hopefully there's an opening and then they send you off and you get that job. I wish I had an ASVAB. Because I had no idea what to do and it took me forever to figure it out.

10:10
And I really didn't know what I was suited for. Was that a stressful test? Like when you're sitting down, you know, like this is what's going to determine part of my future. It was super stressful. Um, because, well, it was stressful for me because I was, I was like six years away from out of high school. So I had to, I studied for it and I had to relearn how to do like, you know, all this arithmetic and all this science stuff, like I had to learn like, oh, hey, what's the, how do you calculate the mass of

10:39
this or the force of that and like had to relearn all of it basically. And then when I get to the testing center, um, to do my tests, I don't know why, but I drank twice the normal coffee I normally do. So I know why I do the same thing for cert tests. You know, like, come on, man, let's get the brain going. And yeah, when I did that test, I was so stressed. I was like, man, I'm not going to get any jobs I want. And luckily I got a higher score than I needed. So it worked out in the end.

11:09
So going into that as VAB, did you already have a couple ideas of things that you wanted to do? I did. So, um, I was pretty much all, almost anything cyber related. And then there was air traffic control. Um, and that's a funny story that you bring up because I was almost air traffic control. Like I was like this close because I qualified it for, for the as VAB. I had a high enough score, but, um, there was a second separate test for the.

11:39
air traffic controller and I actually barely failed that, that test. And that was the best fail of my life. It was great. I wouldn't be in cyber if it was for that, you know, I hear that's a super stressful job. Oh yeah. You know, I think, I think that was a good failure for you. It was, I am so glad I failed that. Cause you imagine just think about it for a second. You're looking at a computer screen, every dot or like hundreds of souls.

12:06
riding in a tin can and you're responsible to keep them all from bouncing off each other. That sounds awful. I mean, I'm grateful for them. But yeah, it's the test they gave me. I don't know how realistic it was, but it was very difficult. I may have, I crashed a few plans. I was like, Oh boy. This is a simulation, correct? Yes. Correct.

12:33
So you've had a few roles so far in the Air Force and you said you're reaching about your fifth year? Yes, so I start my fifth year next month. Okay, can you kind of walk us through some of the different experiences you've had in the Air Force so far? So, yeah, so once you do basic training, you go through your technical school and our technical school. So I'm a class system technician. There's...

13:03
So there's cyber defense operations. And then underneath of that, there's like a whole subset of like other jobs. So for me, I'm a client system technician, but you can get other things like the cyber transport, those are the infrastructure guys. Um, there's server ops, there's, um, knowledge management where like you do like records keeping and stuff. And then there's like programming. So there's, there's a lot of different cyber jobs in the air force.

13:28
And we're actually in the middle of a transition to where like they're trying to combine it into one. So that's why there's like cyber defense operations and there's the shred outs. But for me, for this class systems technician course, it's a four month course in Biloxi, Mississippi that I had to do. And then once you pass that, then they send you off to your first base, which for me was South Korea, which I spent two years there. My first year I was,

13:58
plain classes of technicians. So what I do would, we get tickets, we go out on jobs and we troubleshoot anything an end user touches, we troubleshoot and anything like past the wall was we route that ticket to the infrastructure guys or the server guys at that point. So we do the tier zero, tier one troubleshooting and we do the diagnosis mostly. Was this desktop support? So.

14:28
No, my first year was just, I could do things remotely, but a lot of it was like, hey, show up in person, go drive on the other side of the base, fix this person's printer, fix this person's- Yeah. I like helped out with the scroll, right? You just had to go around and to each location and fix printers, laptops, I can't get email, that kind of stuff, right? Right. And then, well, my second position in South Korea, which is where I spent my second year was

14:55
was strictly help desk. I didn't go out on jobs at all. And that was not only was a help desk, but it was, it's called a communications focal point. So basically it, I'm like, I'm the middle man between all the back shops of our, of our unit. So I'm a, have to coordinate between all these shops to get, you know, whatever needs done, whatever project needs to be done. And then on top of that, you're doing your desktop.

15:24
you know, over the phone troubleshooting. There's a lot of communication with end users. Yes, every day. Do you feel like that helped you?

15:34
Yeah, absolutely. Dealing with people is huge. So just knowing how to talk. It's people. Some people on IT that can't talk to people, Kaiser. That's true. That is very true. But I think it's an acquired skill though. I think, because I used to be really shy. So I think you can learn it if you just, if you put your mind to it. Absolutely. Absolutely. We've, we've talked about like, you know, you would define it as soft skills and we've

16:00
We've had some heavy hitters on here that are like, you shouldn't call them soft skills. Anybody can learn these no matter what they are. Yeah, communication is so critical to success in any career field, right? It doesn't matter how smart. I've worked with those super smart people that just have not worked on their communication skills, right? So let's fast forward. You're doing some remote stuff, some help desk. Do you get in any networking or you're not doing cyber yet, right? Or any kind of security stuff. Is that correct? Right.

16:30
So I'm not doing cyber stuff directly. Um, so they make us before we even begin our job, we have to get our security plus. Like that's a, that's a requirement. Um, it's called the DOD 8570. I'm sure a lot of people know about it, but you can't, you can't work on a government network unless you have it. Um, so I had to get security plus off the RIP. So that's where it started my security journey. And then when I got into the job, it wasn't really security. It was mostly IT support.

17:00
However, there are times where I have to communicate with the cybersecurity office, the ones that make the policies, the ones that actually do the cybersecurity for the base. We work hand in hand. You can learn a lot from it just by talking to them and say, hey, how does this work? And then you can understand how a cybersecurity shop is supposed to be ran, kind of indirectly.

17:27
How was it studying for security plus? I have like zero security skills, which is probably not good to say as a network person. I mean, did you, were you, were you fascinated in that realm and did that kind of light your fire for where you've headed? Absolutely. So it was, I loved it. Um, I was, I was known for being like the person who like knew security plus like really well, like, uh, a lot of people in my tech school, they struggle with it, it's not a, it's not an easy exam.

17:57
Um, the, the, the pass rate wasn't very good. So I put a lot of time and effort into it. Um, I, I sacrificed a lot of my personal time to, to pass that exam on my first try. So it's, I had a lot of fun with it. Um, when I started doing, I'm like, this is really fun. This is really fascinating to me. So it was a little easier for me to just to dedicate the time to it, but it's definitely a challenging exam that, uh, comfiest questions can be a little tricky sometimes, so, um,

18:27
It's, it can be hard. What are some of your best tips or tricks that you can come up with for, for studying for that particular exam? Um, so for that one and actually pretty much any CompTIA exam, uh, for me, the formula is pretty simple. I read a book cover to cover, and then I watch a video series. Um, doesn't really matter where it just go to your favorite instructor and then whoever appeals to you just.

18:57
do that. So watch the whole video series and then just answer as many practice questions as you can. Like like we're talking thousands. Like if you do like a thousand practice questions, you're doing pretty good. Don't don't get discouraged if you get like if you're getting like 60% on your on your practice exams because I'm not even kidding. Like I was getting high 60% low 70% before my actual exam and I passed with a 780. So

19:26
Um, those practices exams are usually harder than the real exam. So don't get discouraged if you see those, you know, 60%, 70%. So is there any labbing associated with that cert or any like Sims in the exam? Do you know any, any keyboard memory of, you know, banging out a config or not really, it's just memorization of concepts. Uh, so I don't know about the current version of the exam because I haven't taken the current version. I took a five Oh one. But for me, there was.

19:55
Pretty much no labing. The only labing that I really did was, I started Wireshark and I just looked at the packets in Wireshark and I wasn't really sure what was going on. The only thing I was like really paying attention to in Wireshark was three-way handshakes. I wanted to understand the sequence numbers. That was the pretty much the only labing I did. The rest of it's mostly just term knowledge and just situational awareness knowledge and like how things work together.

20:25
Yeah, I'm looking through all of your, you've got quite the inventory of security related certificates here, the certified ethical hacker, junior pen tester. There's one I want to touch on because this one is, has piqued my interest somewhat recently. And that's the, the CISSP. Can you kind of break down what that certificate really is, who it's targeted for and, and what made you want to go after that one?

20:53
So the CISSP, that's the certified information system security professional, and that's exactly what it's for. It can be for any security professional, whether you wanna go in management, it's more of a management managerial type of cert, but it's definitely useful for people who don't wanna go in management. I would say the reason why I wanted to go for it is,

21:19
Uh, if it's just the number one, sir, like on job postings at the end of the day, if you go, if you go on indeed, everybody's asking for a CISSP. I saw a stat one time. I was like, like there's 130,000 jobs that need a CISSP and only 90,000 people have a CISSP or something like that. So it's, it's incredibly in demand. So that's, that's why you, I wanted to go for it. Um, I also like challenges too. Um, but.

21:48
essay is very difficult exam. So you can't even get it unless you have five years of experience. Um, Wow. You can't wait a year. They won't even let you do it without the experience. So you can pass the exam before you get the experience, but they won't certify you until you get the, the years, um, you become an associate is that that's. The associate is basically someone who's passed the exam, but they don't have the years behind it.

22:18
Um, that's pretty cool. Like I said, you can wave. I've never heard experience tied to a cert before. Yeah. Like you can't get this until you have X. And I guess there's, I mean, I guess it kind of makes sense, at least for the integrity of the cert, you know, like you don't want somebody straight out of school with no experience getting it, I guess. Like maybe that's what holds value is an employer sees out, well, this person has, you know, they have the cert, they have the knowledge, they have experience. Cause that's that conundrum in the beginning is how do you get experienced without the job? So.

22:48
You have to have both, I guess, with that cert. That's, that's kind of interesting. And when you say management, do you mean management of security teams? Is that the thrust of what it is? Yeah. So management of security teams, um, anybody running a cybersecurity program or, um, kind of high up in the chain of a cybersecurity program. Um, cause a lot of it is, is policy based and regulation and laws and standards.

23:17
It's very, it's a very, it's not technical at all. Like, like you're not going to subnet in the CISSP. You know what I mean? Yeah.

23:28
Almost more strategy, right? Like security strategy in an organization and regulation stuff, not how to secure X, Y, Z. Okay. There's some incident response stuff too. I think that kind of speaks to your foresight of kind of knowing where you want to be, where you want to go, and what the tools are to get you there. Before we leave South Korea, I do want to know, was that your first time out of the country?

23:58
Yes. And was it okay? Was it a culture shock? What was that like? It was definitely a culture shock, but man, I loved it. That's what I love the most about South Korea is like I got there not knowing anything. And it was a venture for sure. I guess a lot of people probably wouldn't handle the culture shock so much, so good. But for me, I loved it. I was like, this is a whole new world. It was the first time I was out of the country.

24:27
I didn't study anything or learn anything about South Korea prior to going. I just sent it. It was a great time. No, that's cool. So you spent two years in South Korea. Then then what happened? Where'd you end up after that? Where I'm currently at, which is Anchorage, Alaska. Pretty different, huh? Very different. Yes. To extremes. Wow. You're definitely not in Ohio anymore. Right.

24:55
Do you request, so again, I don't know anything about the military, right? When you're in South Korea, do you request like, I want to go to Alaska or is it, are you replying for jobs? Do they just send you places because they need you somewhere? Um, it's a little bit of both. So you get, you get, and therefore we get a dream sheet and we can have a pecking order of like what we desire to go to. Um, well at the end of the day, they're going to send you where they need you. Uh,

25:26
But I would say most people I know end up going somewhere they want to go. So for example, um, wait, so the dream sheets, eight bases long, Alaska was the eighth on my list and I got it. So it was, I got what I wanted in a way, but I was like, um, but that was the last on your list, right? Just to be clear on what was number one, like Maui, like I wanted to go to England or Germany. Yeah.

25:55
or then Japan. I wanted to be overseas my whole career, which technically Alaska, as far as a military assignment goes, Alaska and Hawaii are considered overseas tours. So here it's the best of both worlds of being stateside and overseas. When I went to Alaska this past year, this is how bad I am with geography. I just thought it was right above California. Like, oh, it just, yeah.

26:24
And then when I looked at the flights to go, I'm like, oh my God, why is it going to take me 14 hours? It's only six hours to California. What's going on? But you, you got to go up through all this stuff and through Canada, some Yukon territory and turn left towards Russia. Like, where are we going? Yeah, it's we're way out there for sure. So how did your job role change from South Korea to Alaska?

26:53
a lot it drastically differs. And so my last unit I was in a traditional communications unit. Here I am not in a communications squadron. I am in an air mobility squadron. So the mission is way different. So for example, in a communications squadron, your mission is to provide the communication support to an entire base essentially.

27:23
Whereas here I'm not worried about what the rest of base is doing. I only care about my unit. So my unit, their, their mission is to get people in cargo on planes and ship them across the world. And then my mission is to make sure that they can do that with whatever tools they need, like it's, you know, phones, computers, printers, anything IT related. I, I take care of them. And so my user base shrunk from.

27:53
you know, 3,500 to like 200. But it's a lot more personal because since I, I can build relationships with my unit, you know, I'm, I'm constantly helping the same people over and over. So it's a lot different. Whereas like in Korea, you know, I go out on a ticket and that might be the first and last time I'd see this person, you know. I got a silly question. You just got me thinking. So you're setting up.

28:21
Um, soldiers that are going to be deployed somewhere with their IT stuff, right? Like what they're going to need. Is that correct? Um, there's a little bit of that, but mostly so, so they have all these different programs that keep track of cargo and I'm not entirely sure how the program works, but it's, it's just my job to make sure that they have their account and they have the right rights to do what they need to do. And they.

28:49
They use applications and they use the computers to do their job. Um, my dumb question is you set them up and they go across the world when they have a problem, are they calling you? Like, are you still their support once they go halfway across the planet? Like Kaiser, I can't get an outlook. Um, no. So yes and no. So actually they would be taking me with them. So I'm part of it. And in.

29:20
In a certain, certain situations I would go with them and I have done that. So, um, for example, I went to Guam for a short, uh, T a Y that's a temporary duty. And they basically, they, they took me with them to be their comm support and. End up using me, not as comm support. Um, I actually ended up pushing like a bunch of cargo on a plane. So I learned a lot going over there, but yeah. So, um, they.

29:48
They can and they would send me with them if they shipped off somewhere. That's the other duties as assigned in the air force. You go for comms, you stay for the cargo.

30:05
So how would you say, okay, first off, when did you really start, what point in your Air Force career did you really start getting into the cybersecurity trading? And secondly, how do you use those skills, that knowledge in your Air Force career?

30:28
I would say, so once you get to your first base, it's mandatory that you and me, you immediately start your upgrade training so that, um, once, once I got done with my upgrade training, I had like this period where I just wasn't doing anything like with my extra time and I was like, well, I want to do something and I want to keep learning. So, um, I ended up studying, I started studying for the Linux plus and

30:58
I, which crazy. So I don't actually use Linux at all. And my day to day, I'm a windows administrator, but, um, the one thing that does come in handy a lot is my CCNA. So after I got Linux, plus I got the CCNA. And even though I'm not a network engineer, like job title, but like I can, it helps me so much because I can tell them like, Hey, I'm pretty sure this is a VLAN problem. And then they look it up like, Oh yeah, it's a VLAN problem. Like I knew it.

31:28
Boom. Yeah, that's a good and that's why I always tell people that networking is even basic networking is a good skill set to pick up because people in networking have to constantly interface with not only customers, but other teams within it. And I don't think there are always a lot of occasions in which

31:53
The other teams know a lot about networking and that's nothing to their fault. But when you have somebody on another team that you can easily communicate with, um, when you're trying to help troubleshoot an issue, that's, that could be a breath of fresh air. Yeah. Um, cause like I said earlier, a lot of what I do is, is, um, diagnose because a lot of things are out of my control. Um, so when I'm, when I'm routing the ticket up,

32:20
I'll be like, Hey, I pinged the DNS server. I pinged the default gateway. I pinged, you know, the DHCP server, all this stuff, and I can connect to this. I can connect this. I can't connect to this. And I feel like I can give them a lot better troubleshooting. And they're not going in blind as much when they get, you know, to get from me. Make it happy. Yeah, that's, that's appreciative. You know, you usually, I mean, this is a networking show, right? So usually it's someone going.

32:50
Blame the network, right? The network's not working. And then like Tim said, we're like, oh God, let's check all the things. You have to prove it's not the network. So somebody like yourself to come along. I don't know if anyone ever like you ever jumped on an outage call with me and is like, I've paid the default gateway, I've checked this, I've checked that. Like, oh my God, dude, hire you. You're awesome. So I know we're delving into cybersecurity and I don't think I understand exactly.

33:19
what cybersecurity is. Could you just define it at a high level? I mean, I know it's security. I don't know what cyber means. Is that the internet? Just, I don't understand it. What is cybersecurity? Talk to me like I'm dumb. So cybersecurity is anything that's digital. That's cybersecurity. So you're securing anything, any digital asset. That's cybersecurity.

33:49
Similarly, the information security, that includes all digital security plus things that aren't digital. So for example, like if I have a piece of paper with sense of information on it, and I have to put in a safe, that's information security, but that's not necessarily cybersecurity because it's not digital. So all...

34:11
All cybersecurity is information security, but not all information security is cybersecurity, if that makes sense. This is like the jacuzzi and the bathtub thing all over again or hot tub.

34:23
What? All jacuzzis are hot tubs, but not all hot tubs are jacuzzis. Oh, I must have missed that one. Interesting. So when I think of cybersecurity, I think of, you know, what the hell are those things where they lock your whole thing and you got to pay them Bitcoin to get it back? The ransomware? Yeah, ransomware. So ransomware is a cybersecurity attack, right? That's correct. Okay. So they, you know, they have to get in through your...

34:52
You know, layers of security, right? And social engineering's a thing and passwords and get through, and then they get firewalls like, so they really, that's what you're up against. Right. Is just the whole world trying to get into you. And I guess, again, from my own experience, the government stuff is pretty secure, right? I mean, they take security pretty seriously. Yeah. It's.

35:17
It's so secure is even as an admin, like sometimes I struggle to do things. I'm like, it's so strict. Like my, they strict, like even as a system administrator, I'm very restricted in what I can do, like separation of duties is like key. That's like, I route tickets because I don't have the rights. I don't have the keys to the kingdom, you know, you need a guy with a special laptop and a special VPN with a special pivot card to use his fingerprint on a Tuesday on a full moon and then he can get into the system.

35:47
Yeah. Okay. So you'll have to escalate to different teams if there's a problem. People's access to the systems. And so, huh. I wonder, so in a security incident, I would think that that would be, you know, points of friction that would slow down response, you know, Hey, something's happening Kaiser. Well, you know, I got to call 13 people and figure out who can get into what. But I guess that's part of your cybersecurity policies is how to deal with events and threats and all hands on deck, right? To get it resolved quickly.

36:18
Right. So yeah, there's definitely like a, like a, a chain of things that are supposed to happen, like if an end user finds, you know.

36:29
some security incident, then they would notify someone like me and then I would route that up further up and then depending on the issue, it could be more or less severe depending on what it is. Is that something in the CISSP like incident response, like that kind of stuff? Is that what they cover? 100%. Yeah, that's, it's definitely in there. Nice. I just panic and call Tim. What the hell am I going to do?

36:57
I don't know. You're smart to help bad things are happening. Get Kaiser on the phone. So what would you say? Pique your interest more, more of the, um, red team or blue team, attacker defense, 100% red team. Hold on. You got to define things here. I've heard a red team and blue team. I don't know what it means. So the red team.

37:23
is so this is a it derives from military terms. So the red team is like they play they pretend like they're the bad guys and then the blue team is like the good guys and when you when they do war gaming the red team is basically you know pretend like to be the bad guys and they're attacking and the blue team defense but the ultimate the whole goal is to make the blue team better so that's what the red so in cyber security the red team

37:51
they act as the criminal hackers. They use the same tools, techniques, and procedures as a criminal hacker would, and they would attack someone's network, the Blue Team's network. And then, but at the end, they'll be like, hey, we got in this way, and this is how we did it. Here's what you should do to fix it. So that's the whole purpose of our red team. So our red, our all, here we go, hot tub and jacuzzi, are all red teamers pen testers? So the-

38:22
I would say all red teamers are pentesters. Yeah, I would tell us is our red teamers. Yeah. Well, that's not yeah, now I'm confused. But yeah, all red teamers are pentesters. Right. That's I was just curious. Okay. So the blue team secures the stuff. Right. And the red team attacks like I know I forget her name. Rachel Toback, I think is her name. She's like a famous.

38:48
I see her on Twitter and YouTube. She was on CNN and her, she's big into social engineering, but she's also a pen tester. She can get into your, she, there was a CNN reporter and they dared her to like hack him. And I think it took her 10 minutes. She like, she changed the seat on his plane. Like she did all this crazy stuff. She like stole his hotel room in like 10 minutes just on the phone. But where I'm going is I guess she's red team, right? Cause she is attacking the systems to get in.

39:19
But then I believe her company that she created also their services, they'll do that for an organization. Like say you're in health care, I will attack you and then I will show you all the vulnerabilities that you need to plug up. Right. So that's red team, blue team. Yes. Maybe. Right. Okay. And which team are you? You can have. Are you an attacker? Red team. Red team sounds fun. Why would you be blue team? Yeah. Blue team is for nerds. So it depends on the person. So.

39:49
Red team does sound a lot more fun. It does. It does. Oh, yes. Let's get it. It's not for everybody. No For me blue team, I don't I don't like going through logs like I'm like trying to it's like the forensics aspect I'm like going through logs. I'm like, this is boring trying to figure out how that attacker broke in I'm like, uh, I just want to break in and you know

40:14
and not worry about the logs. So, so a term just jumped in my head, SOC, right? Like security something, something is that the knock of cybersecurity? Basically, is that what a SOC is? Basically exactly what it is. Yeah. Security operations center. So they're sitting around doing the boring blue team stuff, watching alarm systems and logs and seeing if nefarious things are happening. Yeah. Red team seems way more fun. Yeah. So.

40:43
But a lot of people go into blue teaming because there's a lot more blue team positions than there are red team positions. So I would say it's probably like, it's probably easier. And maybe even a little quicker to go into the blue team. And whereas red team requires a lot more time and it's hard to find positions because there's not as many. So people start out on the blue team is what you're saying. Get their experience, get their CISSP and then both for the fun red team stuff. Right.

41:11
Yeah, they can. I mean, Red Team is not for everybody, but that that definitely happens a lot. I knew kind of seem like a red team guy, you're gonna go for a red team when it's time. Yeah, so that 100% so I have a year I have a year left on my Air Force contract, and I'm already doing my best to get hired as a penetration tester in the private sector. When I separate, just because

41:40
I think it's so fun. I spend so much free time on Hack the Box and try to hack me. It just, I have so much fun with it. I was going to ask you, how do you prepare yourself now that you have this goal of wanting to be a pen tester in the private sector? So let's rewind a little bit. So when I was in Korea, I remember I said I did my Linux plus, my CCNA. So

42:08
That's where you got to start. I think, um, you gotta have, you have to know networking like the back hearing and, and you have to know Linux at a minimum. And then the next thing I learned after that was I started getting into the Python. Um, you don't need to be a master Python or, but knowing some basic Python stuff definitely helps. And once you have those three things, you can pretty much start going into any hacking course or penetration testing course. And.

42:38
you can find success as long as you put your mind to it. But I would say networking and Linux, absolutely critical skills. Python is not as much critical, but it's still very important. Shout out to Mike in the chat who just read my mind. Oh no, more coding, boo. Every time we turn around to networking, we have to learn more coding. So, but seriously though, that's just a joke. Why would you need Python? Is it to run scripts to repetitively?

43:07
attack different things? Are you automating attacks with Python? Yes. So a lot of the time, so there's a lot of exploits that are written in Python. There's a lot of exploits written in other programming languages too, but Python's definitely the most common and almost no exploits work like right off. Like right off the shelf, like you have to modify it in some way, shape or form to fit your specific use case.

43:34
So knowing how to code in Python, like I said, you don't need to be a master, but if you know how to take a script and modify it to your use case, that's a critical skill. And then like I've never actually programmed in any other language, but because I know Python, I can modify other programming language scripts to an extent, you know, it carries over to other programming languages too.

44:01
I want to put some meat on this bone. So could you hack me right now? So hack the box I've heard of. So I just have a consumer grade. What can you hack is my question, but now I'm going to say a bunch of nonsense in that I have a consumer grade router at home. It's got your basic firewall out of the box. It's only going to respond to a request that was initiated in the out. So

44:31
Would there be a way to get in? I mean, it's not a sophisticated firewall. It's just a crappy little Verizon Fios thing. Like I'm assuming people could hack me and I'm just not that valuable to try to hack, right? Like I don't have resources here. You know, what can you hack? Can you get into a home network? Or is that a silly even thing to ask? Like, why would you? Definitely a silly thing to ask. I get asked this a lot, but.

45:01
My response is always, it just depends. It depends on how seriously you take security. If you don't take security seriously at all, I feel like I could break in pretty easily. So that's what I mean, like consumer grade, like a dumb dumb, you know, here's my router, you know, the default security settings from the ISP, right? Like, I don't know what I, and this is, I guess this is why security is fascinating to me because I don't understand it. I mean, you know, I don't think you're gonna find any open ports, for example, right? Like if you do a port scan.

45:30
I don't think that's going to happen. I don't think like, I don't even know how you'd get in, but like you're probably, so I think I know what I know. I know what you're going to do. You're trying, you're going to send me some emails. You're going to make a phone call. You're going to get me to click something, install some malware. Like you got to get into my. You right. You got to get inside somehow. And maybe it's through more sophisticated methods to just brute hacking my crappy router. Does that sound like what you might do? So

45:58
I haven't really messed with social engineering much because I'm still on the junior level on the pen testing side. I actually just got my e-learning security junior penetration tester certification. So I'm working my way up to the more intermediate to advanced level stuff. But as far as what I do with that cert and like Hank the Box and try to hack me, they teach you about social engineering.

46:28
But like, I don't get to practice it because there's no way to really put that on like a certification or like put that on like a try hack me or hack the box. Um, because social nearing requires real people and no one's going to volunteer like to be hacked. You know what I mean? So I volunteer. I'll be tribute. So, so as you progress, if you need somebody to hack, I'll, I'll, I'm definitely, I mean, this would be a fascinating experiment and episode someday, like the day that guys are hacking Andy. And.

46:58
You know, I got on the job at Google or whatever, but it's a fascinating. So, so what can, so what can you hack today? Like what's hack the box? That's the service they run and they say, try to, try to hack us. Right. So I had the box and try and act me too. They're very similar. They're just, they're learning platforms that have intentionally invulnerable machines at varying level, difficulty levels that you can.

47:25
break in and hack. And then when you, when you hack them, then you get points and your, your ranking goes up. It's basically gamified hacking. Essentially it's called a capture the flag. I don't know if you've heard, heard that term, but it's just like hacking competitions. It's really good for learning. And, and really the only way you can hack legally unless you're like a full-time penetration tester, which I'm trying to get into, but that's something you definitely want to do before you, you can even get hired in that kind of thing.

47:55
So back to the pen testing thing. Once you get to the point where you're doing that full time, are you wanting to be, and I'm probably gonna get the verbiage incorrect, but are you wanting to be more on the virtual side or do you also see yourself doing, wanting to do physical pen tests too? Cause I've heard some pretty crazy stories on like dark net diaries of people that actually, do the case, the joint, physically go into places, try to get into places physically that they shouldn't be which...

48:24
Which side or both do you see yourself doing? So I would say at first I would definitely be like all virtual because I feel like you need to be a little more experienced to get in those physical pen testing positions. That makes sense. But I would find it very fascinating and very fun to be a physical pen tester and getting in that stuff. But that requires a whole nother set of skills because you gotta learn how to lockpick, you gotta learn how to kick down, you know.

48:54
There's ways that you can like circumvent doors and all the like scan security badges. That's like a whole nother skill set. Credit card trick, right? You push the credit card through the, isn't that how they get in the movies? Credit card door. Boop. It always works in the movies. They just, boop. Um, Mike, Mike in the chat had a question. Do you have, um, a preference hack the box versus try hack me? Is there one you like better? Are they for different things? That's a really good question. So.

49:23
Um, they are different. So I think try hack me is a little bit better for, for beginners. Hack the boxes a lot more difficult. And right now I enjoy hang the box way more because I, the challenges are much more intense, much harder to take me so long to figure out, whereas try hacking. Was

49:50
I basically use try hacking and graduated to hack the box. Essentially, I think that's the big difference. They have almost all the same stuff on them. Like, well, try hack me has challenges. They have learning rooms. They have like a competition thing, but mostly it's learning and then the challenges and then hack the box. They have all the same stuff, but they split them up in like different websites. I guess they have like, they have.

50:18
different sections on the website. But I would say overall, Hank the Box is a lot harder. And I would personally, I would start with TryHackMe. So I will start on TryHackMe. And what I really wanna know is, can someone like me without any experience in that world, is there something easy enough on TryHackMe? Like, do they have educational stuff there? Can I go on and learn some things and try a real easy one?

50:48
to kind of get my feet wet or would I just be lost? 100%. So they have all these different modules that are different categories of things. And like if you started like the beginner paths, they're gonna teach you like the actual fundamentals like networking and Linux and Python, and then you're gonna work your way up. So you can definitely start at.

51:17
at pretty much nothing. Um, as long as you know how to, you know, some basic IT stuff, then you're golden. Okay. So I have to learn Linux and Python. You just made me sad. Linux is a critical skill. You have to know it. It is, I know Suda. I can change directories, CD space for slash. That's a start. Yeah. That's that's important. That's probably the most fun thing, honestly, just navigating.

51:46
But this is helpful is you have to have some basic Linux, you know, foundational knowledge, right? Do you need Python? Or maybe you can get over with that in the beginning. Okay, so in the beginning, Lite Linux, you should be networking, right? And then some Lite Linux and you should be able to, I'd like to try that out. That might be something fun to try. I'm gonna hack you, Tim.

52:12
Okay. Such a good sport.

52:17
So Kaiser, with this being a networking show and we're talking security, I wanna get your opinion on something. So with network infrastructure really being the plumbing, if you will, of any organization from an IT standpoint, it seems to have become kind of this just natural point for being a security sensor and enforcement point.

52:47
Like at the edge of the network where we're connecting devices in the access layer, access layer switches have become enforcement points as far as being authenticators for getting people onto the network onboarding, as well as pushing ACLs, pushing security tags. It, do you think that, that that's the, the right natural progression? And I think the reason that

53:16
that we do this is because you can't just put an agent on everything, right? So we need a way to secure, but rather than separate security appliances, we're starting to leverage the network now. Do you think that's the right play? Do you see any issues with that? I'd like to get your opinion. Yeah, I think it's the right play. So it's called security in depth or defense in depth where you want to have security at every step.

53:45
in the process between the internet and your internal end users. You can't just have a firewall at the perimeter and call it good. That's what cybersecurity used to be. And they found out that doesn't work at all because with social engineering, for example, like when your people click a link and then it just shoots out past the firewall because that traffic's allowed. So you definitely wanna put...

54:15
as much security in the critical spots as you can, like segment the network. Um, just because when, when incident does happen, then you don't want it to spread to other areas. So, um, it's, it's just, it's a fine balance really. Cause like the more secure you make it, the less convenient it's going to be. And then the more convenient you make it, the less secure it's going to be. So, um, it really depends on, on your organization at the end of the day. But.

54:43
You got to find the balance that works for you and what works for your end users. But, um, definitely like, you know, if you want to put, you should have security at your, your access layer switches, your core switches, and, um, you want to pull like your endpoint, uh, antivirus stuff on your, on your computers. So it's, there's so many pieces, you know, Layers.

55:13
Yeah. Networks are like onions or ogres or something. No, I appreciate that answer because I mean, with the network being there, it can be there to be that other enforcement point. And it really just makes sense. I think it's kind of the shift in mindset.

55:41
that things used to be, you let the switches be the switches, you let the routers be the routers, you let the firewalls firewall. But to your point, bringing in that defense in depth mindset, you wanna get enforcement points really is in many places as you can. So that makes sense. So we're kinda getting down to the end of this. Is there anything we didn't touch on that you wanted to talk about?

56:11
Hmm. What are you going to do in this next year to set yourself up to get that dream job? It's got to get a year left in your contract, right? And you're, you're, you're doing the hacking and you're building skills. And do you have a clear idea of, okay, I got 365 days. It's like, yeah, is there a learning plan? Is it, how is it going to work for you? Is it clear or is it kind of like, well, I'll just.

56:38
keep improving my hacking skills and see if I got lucky with a job. I'm glad you asked this. Um, it's crystal clear. So right now I'm working on the OSEP. That's the offensive security certified professional. It's like one of the biggest hacking certs. It's the number one hacking cert on job postings. Um, it's pretty much like you should have this if you want to go into pen testing. So that's what I'm working on now. And hopefully I can get it. I'm thinking May.

57:07
And then after I do that, try to do the other off-sec certs because they have a whole gamut of certifications. So I'm going to try to get, the goal is to get as many of those as I can before I separate, just to build up as much experience and as I possibly can to go out in the real world and hack real networks. And

57:34
Do do hack the box and try and hack me on the side. That's kind of like a, you know, like a little bit on a side type of thing. Whereas the certifications are, are my main focus because I feel like it's more structured, you know,

57:50
Well, I don't know if you're allowed to answer this, but.

57:55
If you're not just say no, Andy, and we'll cut it out. But do you have, do you have active security clearances? And if you do, will that help you when you get out with the kind of jobs you're looking for? Uh, yeah. So I, I have a secret clearance. Um, and it does help us with certain jobs for sure. And that, that is something that, that is on my resume. That's, um, you can definitely, yeah, that's fine. You can talk about that. Um,

58:26
not going to send the bad men to my house. Well, I've heard that there's certain jobs you can get in security. If you have a clearance, but it's really hard to get a clearance, you got to get a place to sponsor you and all that. So I'm guessing your experience in military, especially in, you know, in the tech, you know, it and security type stuff. And that might have been something you got along the way. And you know, I'm wondering if you can leverage that it can hurt, right? Like, hey, the government trusted me with stuff, you know.

58:56
So how does that work once you're, do you have to wait until you're completely out to start applying for and interviewing for jobs?

59:08
No, um, it's really up to you. You can, you can, I can apply and interview for jobs as much as I want while I'm in, I can't accept anything, um, without my commanders approval while I'm in though, um, well, I guess if it's going to, if I accept something while I'm in, but it's not, I don't start until after I'm out, then my commander doesn't get involved with that, but yeah, I can, um,

59:35
There's a program called SkillBridge that I'm trying to do. Basically what SkillBridge is, it lets active duty members get, use the last up to six months. So it can be, you know, one, two, three, four, five, six months of an intern for another company. And you're just interning for another company and you're still active duty and you still get your benefits and your pay from the military.

01:00:03
But you just don't put on a uniform and you don't show up to work, you know, as, as military, you you're at another company. So that's what I'm trying to do for my last six months. That's a cool program, which it is a very cool program. I'm really glad that they that's a, that's a thing because it definitely helps people like like me who, who like I'm going, I'm trying to go in a field that I don't really have like, you know, paid experience in. Because like I said, I'm an IT administrator. I'm going to be a pen tester. If I can get a

01:00:33
some more cybersecurity centric skill bridge that would help me out as a transitioning service member. So it's very nice program.

01:00:44
All right, Kaiser Clark, where can people find you on the internet? You got a, I know you got a blog. We didn't even talk about it. We didn't. Uh, so yeah, it's at KaiserClark.com and then I'm on LinkedIn as well.

01:01:00
Awesome. He's, he's posting a lot of the cool, um, hack the box journeys he's had on there on LinkedIn, lots of cool stuff. Got a great blog. I've added it to my RSS feed. Really enjoy the writing. Mr. Laptev. Do you have any parting words for us?

01:01:21
Blink once if you've seen the aliens. I think twice if you haven't. Sorry, no, Kazur, this has been a treat. We haven't spoken to many security professionals. I learned a lot talking to you. I'm gonna try, what was it, try hack me? Was that the easier one for me? Yeah, I would point beginners to try hack me. I'm gonna check it out. It sounds fascinating. I think my...

01:01:50
My security spirit animal is red team. And I think I would like to attack some, you know, give me an attack surface, man. Let me go get him. But no, it's been great. Thanks for coming on. Good luck. You know, follow up, let us know, you know, when you transition and get that pen tester roll, let us know and we could follow up with you once you're in that role for a while and see what that world's like. Really like to get an update from you when you get there.

01:02:18
will do. Thanks for having me on the show. It was a great, great talk guys. Thanks for joining us Kaiser. And thank you all for listening to this episode of the art of network engineering. You can find us on Twitter at art of net Inge, find us on our website, art of network engineering.com. Also check out www.cables to clouds.com. It's a lot of, a lot of cussing in the clouds on that show. I'm really liking what they're, what they're putting out so far. They got a good.

01:02:47
They got a good mix going on watch YouTube. So you can see Andy do the hologram sticker back and forth. Definitely check out cables to clouds as well. We like what they're doing over there and we will see you all next time on the art of network engineering.

01:03:05
Hey everyone, this is Andy. If you like what you heard today, then please subscribe to our podcast and your favorite podcatcher. Click that bell icon to get notified of all of our future episodes. Also follow us on Twitter and Instagram. We are at Art of Net Eng. That's Art of N-E-T-E-N-G. You can also find us on the web at artofnetworkengineering.com where we post all of our show notes, blog articles, and general networking nerdery. You can also see our pretty faces on our YouTube channel named

01:03:33
the art of network engineering. Thanks for listening.