We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!
[00:00:00] Welcome to the Cybertraps podcast. I am Jethro Jones, your host. You can find me on all the social networks at Jethro Jones. The Cybertraps podcast is a proud member of the BE Podcast Network. You can see all of our shows at two B podcast dot network. And today on the show we have a special interview from the Inch360 conference.
That's the Inland Northwest Cybersecurity Hub. They put on a conference each year and I have the great fortune of being able to go to that conference and interview a bunch of people. So that's what you're going to hear on this episode. I hope you enjoy it. And if you want to learn more about Inch360, go to inch360.org.
Uh, so welcome to the Cybertraps podcast. We are here on the beautiful Gonzaga campus for the Inch360 Cybersecurity Conference. And we have Stu Steiner from Eastern Washington University here. Um, Stu does a lot of stuff and is very well regarded [00:01:00] in our community.
We're very grateful for all the work that you do. Um, One of the things is, uh, the cyber team at, uh, EWU. Can you tell us about that and what, what you guys have recently accomplished?
So we have, um, a cyber team that's made up approximately of 12 students and they, the competitions have different number of students per them.
So in 2023, we won the national championship for the NCAE Cyber Games, which ultimately is a set of games meant for noobs, for new students who have never done competitions at a blue team level. There's plenty of competitions, CTF competitions, CTFtime, picoCTF, and National Cyber League. Those are all capture the flag kind of competitions.
NCAE Cyber Games is their first introduction to actually hands-on securing systems for the blue team, and then getting attacked all day long by the red team.
And so help us understand that a little [00:02:00] bit more. The blue team is the defenders and the red team is the attackers and walk us through what a typical scenario looks like.
So, a typical scenario for the blue team as defending is they get a topology, and that topology starts with a, uh, router of some kind. So you have to bring the router online, and then from the router you have a DNS server you have to build yourself, you have a, just an SSH box, you have a web server, you have a database server, and you have to make those all talk together, and they have to secure them as they go along.
And there's logic bombs, and there's all kinds of malware on them, so they have to do scans, that type of thing. The concept is you get points for your services that are up. And you have your own Kali boxes so you can get into your own machines. But it's really a point based. How many, how long can you keep your services up for?
How fast can you recover once the red team attacks you? [00:03:00] And then just to add some more fun to it, there are what we call anomalies, which are really kind of capture the flag questions, but they're at a much greater level than like the, the Pico. There's a lot of logic and cryptography, those kind of questions in there.
And those add points on there. And then, when you get to nationals, they also have interviews, where you, you get points for the team interviews. They have, um, just special challenges that one team member gets to do and nobody else gets to do. All those add up to points, and after eight hours, whoever has the team who has the most points wins.
When we won, we won by seven points. Um, and it's kind of funny because there's, it, the clock ticks, and when the clock hits zero, there's still another two ticks, because if you entered right at that clock tick, you have to get those points if you got it right. So there's two more ticks, so when we were, when we won, we were up by ten points, and then a clock tick came, and then we were up by seven points, and [00:04:00] then we're all looking around, did we win, did we not win, but we ended up winning, so.
All right, so eight hours is a long time to be in a competition. Football games can sometimes be very long at almost four hours, but, but this is like, sounds like a grueling thing for students to be involved in. Is there one blue team and multiple red teams? And do they have any time period before they start to when they can get attacked?
Or is it basically just the time starts for both teams?
Well, there's multiple blue teams, and there's multiple red teams. They kind of have their own red teams. We don't really get to see, I do as the faculty member, but the students don't get to really see the red team, what they're doing until afterwards.
But it, you come in, you get an hour to secure, you get an hour to do what you need to do, and then after that hour, the clock starts, and the time starts, and we go about three, two, two and a half hours, and they kind of give them a little break. And then [00:05:00] they go for another hour and a half, then they get to lunch.
Uh, and at lunch then, it's, there's, the red team comes out and talks about what they're seeing and kind of gives the kids hints on what they need to secure and what they haven't secured, type of thing. The coaches can do a little bit of coaching at lunchtime, but not much. And then it's the same thing in the afternoon. It's go for a couple hours, take a little break, go for a couple more hours, and the competition's over.
And, and so, how do you get your team ready for this kind of event, and what kind of things have to be, to go into it, and then to get to the level where you're, where you win the national championship, like, that, I, I can't imagine that you just like, let's start it this year and then you win it this year, like, you probably have to go through a few iterations.
It took us two years to go through the iterations. There's a wonderful sandbox for the NCAE Cyber Games, which is all really network based. Uh, so the first thing is if you're brand new and you [00:06:00] have no idea, we put you in the sandbox. And you literally do all, I think there's like 120 videos and different challenges in that.
So the kids do that. And then we have set up our own environment. So we've done it three years in a row now. Uh, won our second year. So we know what the environment is. So we, we've got a systems engineer that will set up the environment for us. And then the faculty will act as the red teamers. And, and just do the work.
We're just doing what we can at the kids to get them hands on, but the best thing for them is just to be in there trying to secure those systems, getting them talking to each other, but we've pretty much tried to replicate the entire, the entire environment.
And so then it's just a lot of practice in that environment, doing that again and again.
When you're creating these environments and working with the kids, you're hopeful that they're going to then go into cyber security and be able to put these tools to use. So how do you help them use their knowledge for good? And how [00:07:00] does ethics come into that conversation as you're doing this, whether they're defending or attacking?
Ethics permeates everything we're doing. So, for example, to answer your question in a second, but we're doing a lockpicking thing today.
First thing we made them sign, we read them, they had to read a form and talk about the ethics of lockpicking and, and what that means, and not how to violate the law. So, ethics permeates everything we do. And, and in that sense, what we do is, we are always talking about, you have to do this the ethical way. I mean, you can do red teaming as long as you're under contract or we're in the lab like we are, but you can't do it out there in the real world. And so much so that I've had, we've done some Shodan labs where students have stepped over the bounds of what they're supposed to do in a Shodan lab, and I've literally reported them to the university for violating what I thought was, uh, the Computer Fraud and Abuse Act. Now the Computer Fraud and Abuse [00:08:00] Act says, it's the task, it's the actual hack itself, but then what's the intent behind that? That intent part is the gray area, but I told the students, I'm a mandatory reporter, I'm not going to cost myself my job because you're doing something crazy.
That's just be ethical the entire way. If we make a mistake, own up to it, we'll deal with it. But it's a lot better than me finding out that you did something unethical and not telling me about it. So, ethics has to permeate everything we do.
I asked that question because I was, um, involved in the, uh, cyber team for my middle school and high school, uh, in Alaska.
And the things I had to go through, it was through the Air Force and I, the name, exact name escapes me, but it's the same kind of thing. The process they had to go through to be, um, able to compete was very heavy on the ethics and making sure that they understood that they were learning things that, that they could use in the real world to really [00:09:00] ruin people's lives.
And they had to be committed to not doing that. And, and there's, there's people out there who do those things. How realistic is this, for the, the simulation, the game, and then in the real world, when they're actually at work, and do they get jobs, what kind of jobs are they getting from this opportunity?
It's very realistic to the real world, because you're, you know, especially in the Spokane area, you're either going to be a pen tester or you're going to be a digital forensics person. So we offer classes in both those. We offer classes in ethical hacking, learning how to pivot, learning how to get in the door, all that stuff.
But those skill sets, what they're taking is that problem solving skill set and how to move from point A to point B to point C. That's going to permeate everything they do in the real world anyway. I've had a lot of students that go through the program, didn't get a job in cyber, but got a job somewhere else, but realize that a lot of those skills and the ethics they learned in cyber apply to whatever job [00:10:00] they're in.
So it's that hands on learning with the ethics behind it emphasized on to do the right thing, that is going to help you realize all this stuff in the real world is actually just you cybering it in some fashion.
I really appreciate that insight, and that's definitely something that I saw as well, was that kids who were in that cyber program in my middle and high school, they understood how that, those ethics applied to other things that were going on, and I thought that was really fascinating.
So, if people EWU with the cyber program, how would they do that? How would they connect with you?
Best way to go is ewu.edu/cybersecurity, and that'll take you to our webpage. It has our degrees on it, has my contact information on it, a bunch of other stuff about scholarships if you want to get into cybersecurity.
Our big focus at Eastern is that we want you to be passionate about what degree you go into, but we want to help support you because a lot of our [00:11:00] students are first generation students. Probably first time in college even, type of thing. And so, there's resources out there and, and a lot of students are afraid to go to college because it's so expensive.
They don't want to take debt. We have ways to help you so you don't have to take debt. A good lot, a lot of our students graduate debt free. At least reach out and ask questions. I can give you all the information you want. If you never ask them, I can't get it to you. so much.
Well, thank you, Stu.
Appreciate your time and all that you do for Eastern Washington. Thanks for being here.