Category: Talks

Effectively Conducting Networking & Cybersecurity Distance Learning Courses

Photo by Julia M Cameron on Pexels.com

I had the privilege of sharing some of my experiences on how I conduct my networking and cybersecurity classes online to other IT Educators in a recent webinar hosted by the Philippine Commission on Higher Education (CHED).

Regardless of the Learning Management System (LMS) used by the school, technical subjects like networking and cybersecurity are different because of the need to have a working laboratory to have a complete grasp of the courses. LMS provides storage, collaboration, insights, engagement automation of quizzes. But creating a laboratory might be challenging.

How do I do it online and offline?

  • Search for useful and informative references – Aside from the references that are included in the syllabus, I also add a lot of helpful links, videos, and PDF files that I find relevant for the course. I try to relate it in every module so that students will be provided help in their studies.
  • Customize slides for the class to meet learning objectives – I create my slides for 2 reasons: First, there is so much information out there that cannot be put in a single material. It is important to choose the most important ones and guide students to relate the materials to the other references. For example. if the topic is network architecture, I’ll just discuss the components of it and provide them references on example implementations/practices for each component. They will be given a list of references that can check but the important thing is that the core concepts are properly discussed. Second, publicly available slides from vendors tend to promote their products. I try to make my materials as vendor-neutral as possible and let the students choose which they prefer. In the end, we don’t like students to be exposed to a single brand and then work on a company that uses another brand.
  • Record short lectures to set the context – I also do video recordings of lectures to help explain technical concepts in a way that students will be able to understand easier. Theories are very important because they will be used in any industry or scenario that you may encounter. Another objective is to provide an industrial touch to the discussion. As an industry practitioner, I know that some of the concepts discussed in books are idealistic but some are impractical in the real world. I try to balance both by providing industry insights and let the students make their analysis.
  • Create Virtual Machines (VMs) that students can use to run the tools and exercises, anytime and anywhere. – An important aspect of technical classes is lab exercises. For networking and cybersecurity classes, I create my own VMs that contain the tools, environment, programs that students will need to practice what they learned in the lectures. I set up a web server in one VM and the attack tools on another. The good thing about it is that students will be able to try various ways of accomplishing the exercises in their own time. And if it fails, then they can just delete the current VM and load a new one in an instant.

Rubrics

I try to make the course very straightforward to students especially the expected outputs and outcomes. Here are the grading components I use for the online classes

  • Learning Log – The learning log is sort of a feedback mechanism from the students. It gives them a venue to speak what is in their mind since not everyone is given time to share in class. Usually, they share their thoughts about the lesson and other things that they observe/experience. They also provide feedback on whether their groupmates are working or if they are having problems with the lesson. The only add-on work for the instructor is to have time to read and respond to these learning logs.
  • Lab Exercise – The lab exercises will validate whether you can use the tools given a specific scenario in a practical sense. The good thing about a lab exercise that is in a VM with a plethora of tools is that there are many ways to achieve the objective. Everything will be based on the strategy of the students.
  • Case Analysis – The usual problem for technical people is that they are tool-centric. They are well-versed on how to use the tools and their features. However, the usual problem is deciding when to use them. The case analysis portion helps students analyze various cases so that they will carefully think about how they will resolve the problem methodically.
  • Exam – Of course, the course will not be complete without an assessment. I usually create an objective multiple-choice exam to check if they know the theories and terms discussed. At the same time, they will also be asked situational questions to check how they will analyze and resolve issues. I try to simulate how IT certification exams work since they will be taking some in the future.

Sample Lesson

On the usual lesson, I start with a question to get their attention and interest. Afterward, there will be a discussion and/or debate. For example, What web application attack is the fastest to exploit and difficult to detect? The answer may vary but what I want to discuss is Session Management. But the question will make the students think and spark sharing, discussion, and debate.

Then I go to the discussion proper. I’ll explain the issues on session management and its best practices when developing a web application etc. Afterward, we do lab exercises and simulate how to check the strength of session ID’s and how to exploit them if found to be weak.

Lastly, we then analyze real-world cases of the organization that has applications with poor session management. We’ll do a root cause analysis and provide recommendations on how to fix the issues.

This is just a sample order of instruction that I find helpful for students in their distance education.

Good Course References

  • Cybrary
  • Peerlyst
  • SANS Reading Room
  • Cisco Networking Academy
  • OWASP

Tips and Reasons: A Career in Cybersecurity

Is there a career in IT Security/Cybersecurity in the Philippines? – This is the question that is always asked when I give workshops or lectures in the academe. I always answer an astounding “yes.”

Here are the reasons why:

  • Reason #1: There is a need for cybersecurity professionals because of the increasing number of cybercrimes and data privacy issues.

We see the news every day, from global news such as the Bangladesh Heist and the San Bernardino shooting, or high-impact news such as the Equifax data breach to local ones such as when the UST Hospital was defaced or when a Public School Teacher’s identity was stolen. No matter how big or small these issues are, a key discipline required is in cybersecurity. There will always be a need for cybersecurity professionals

  • Reason # 2: The demand for cybersecurity professionals is high while the supply is low.

Various reputable sources say that a lot of cybersecurity roles remain unfilled. According to CSO, there were a million cybersecurity roles that remained vacant in 2014. It is also predicted that there will be 3.5 million cybersecurity jobs that will remain vacant by 2021. 

ISACA and CyberSeek concur with these trends. At the same time, the cybersecurity unemployment rate is 0% in 2016 and is expected to remain at 0% until 2021.

How to build your cybersecurity career?

  • Answer #1: Shape your career to be difficult to replace and high-value adding to the industry.

This idea is not only applicable to cybersecurity but for any role in general. In the human capital matrix, the “easy to replace and low value-added” roles are sure to be automated. “Easy to replace and high value-added” can be outsourced on the other hand.

A lot of the usual triage or customer service support is already replaced by chatbots that can trace your problem without missing any questions for diagnosis. In the same way that traditional Security Operations Centers (SOC) have matured with the help of Machine Learning (ML) and Analytics that the old Security Analyst roles have already been replaced with more proactive tasks such as threat hunting and intelligence.

  • Answer #2: Assess yourself in the following aspects: Desire, Ability, and Practicality

I have always shared this in career talks- Desire, Ability, and Practicality are things that you have to seriously consider when choosing a career path. For cybersecurity, it is very straightforward. A lot of the roles require the cybersecurity professional to be critical, stealthy and skeptic. In the ability angle, the cybersecurity professional has to have knowledge of programming, networking and system administration to name a few. Lastly, there are so many opportunities for the cybersecurity professional that the practicality aspect is not a problem. I usually use the practicality question for those who intend to study very unique courses with little to no opportunities after graduation.

  • Answer #3: Start your career with operational roles going to management roles.

I started my career as a Security Analyst in a Security Operations Center (SOC) in a US company that caters to more than 500 financial institutions. The work was demanding and there was so much to learn- searching for logs, communicating with clients specifically C-level executives. , classifying which alerts are true and false positives, meeting the SLA, optimizing the SIEM, conducting QA on devices, etc. Our shift back then was 12-hours long and I spent the majority of my stay there in the night shift. The work was very tiring and not advisable for the older and/or family guys. But that stint helped me boost my cybersecurity career.

In my next work, I learned other domains in cybersecurity. I did risk management and a lot of vulnerability assessment and penetration testing (VAPT). Afterward, I moved to handle administrative tasks and became part of the management team creating programs and projects to strengthen cybersecurity in the organization.

I strongly believe that to be a good IT security leader, you must have a solid understanding of some important domains in cybersecurity. Management training alone may not be enough because of the cybersecurity’s nature that requires you to have experience working with frameworks and tools. Although you will not be configuring the tools on your own, it will help you in your decision-making if you will buy the tool/s based on the business requirements of the organization.

  • Answer #4: Invest in education and certifications.

I am not a fan of comparing universities and claim that one is superior to the other. I’ve met a lot of outstanding cybersecurity professionals from all over the world. Some came from the known schools while some graduated from relatively new schools. Some didn’t even finish their degrees but they are great at work.

Obtaining a college degree is a qualification (usually first in the list) in most cybersecurity jobs. Other than a qualification, I think significant experience is a better measurement of cybersecurity mastery. Schools may try to provide the best lab for the students but it is still different in the real-world. Cyber attacks don’t have scope and limitations. They just hit and harm.

Lastly, I personally think that certifications are important too. Aside from that, it is also a qualification, it helps you learn the body of knowledge in a standardized and systematic manner. It will also validate what you know and give you more inputs to advance your skill. I know there are different schools of thought on certifications and I agree with the important points. I even wrote a blog entry about it. But there are far more advantages to taking them to equip people with the right skills and knowledge for the job.

You can view the IT Certification Roadmap from CompTIA for a guide and sample here.

So what are you waiting for? Start your cybersecurity now!

hcm

orman

 

You can download my presentation slide on this topic here: A Primer on IT Security Career Privacy and Ethics v1.

 

A Primer on Ethical Hacking & Information Security for Senior High

In partnership with the Admissions and Marketing office of Asia Pacific College (APC), I was invited to give a short talk on Information Security education to incoming Senior High students. Students from different schools attended the seminar.

Slides used in the seminar can be downloaded here: A Primer on Ethical Hacking & Information Security

Ethical Hacking & Information Security for PATTS faculty

Last Feb 25, 2016, I was invited by PATTS to give a talk for their faculty members about Ethical Hacking and Information Security. I would like to thank their VP for Academic Affairs, Engr. Lorenzo Naval and VP for Student Affairs Dr. Emelita Javier for the heartwarming accommodation in your school.

To view my presentation for the event, you may see it here: PATTS_Ethical Hacking & Information Security

Information Security & Ethical Hacking 101 @ PATTS

Last July 31, 2015, I gave a talk about Information Security and Ethical basics at PATTS College of Aeronautics in Paranaque City. It was quite challenging because the audience were not familiar with IT concepts.

I started by showing them local news about hacking data in banks. Then I established the need for the information security field. I discussed the core concepts of information security.

I also talked about the steps in ethical hacking and the reason why it has to be conducted routinely. Lastly, I stressed the need for a cybercrime law that will protect our data handled by third-party organizations.

The presentation I used and created can be found here: PATTS_Infosec&EthicalHacking101

Special thanks to Prof. Diana Lachica for inviting me to their campus. 🙂

Photo Credit: Ashley Dy

10984111_1030960710256090_2495478400270029599_n 11145182_1030960843589410_5172429549901189908_n 11693961_1030960750256086_6222822229063846860_n 11813264_1030960723589422_614397325621181618_n 11822705_1030960820256079_7745031637066193848_n

Detecting Command and Control Traffic Using Botnet Correlator Module

Last June 8, 2015, I presented a paper entitled “Detecting Command and Control Traffic Using Botnet Correlator Module” in Kuala Lumpur, Malaysia. The paper was a product of a project in APC together with my students in INFOSEC. The trip was entirely sponsored by the school (thank you so much!) and the experience was very unforgettable.

Going to Kuala Lumpur

I rode a Cebu Pacific plane going to Malaysia last Jun 7 in NAIA Terminal 3. As usual, the airport was jampacked with people. The flight was around 4 hours long and arrived at the KLIA2. I then rode an express train (20-minute train) going to the downtown KL.

I met my former officemate in the Philippines who is already working in KL. He toured me around KL (Petronas, Jalon Alor) and brought me to the hotel, Melia Hotel.

1381942_1001804846505010_5715889195211344600_n
With Ashley Dy in front of the Petronas Towers (thanks Alfred for the picture)

Conference Day

It’s a good thing that the school booked in the hotel where the conference will be held. The parallel sessions started at 8am. It was my first time to present in an international conference and I was very nervous. The presenters were mostly Muslims coming from Malaysia, Indonesia, India other neighboring countries. The participants were very friendly and excited too. I met 2 other professors from the Philippines, Terry from UP-Diliman and Marylene from MUST in Mindanao.

With Terry from UP-Diliman (leftmost ) and Ederlyn from MUST (2nd from the right) after the presentation.
With Terry from UP-Diliman (leftmost ) and Ederlyn from MUST (2nd from the right) after the presentation.

I attended and listened to the keynote presentation of Dr. Rozhan Mohammed Idrus who discussed about “IT Education and Its Impact to the Society.” He coined the term, “technogogy” which means blending in of technology to the teaching pedagogy. In essence, Dr. Idrus pointed out that teachers and the curriculum must be able to adapt with the technological advances in today’s world.

My presentation was scheduled in the afternoon. The paper is an applied research on how to detect Botnet traffic in a Local Area Network (LAN) using Snort and aggregated reputable Botnet sources.

The presentation lasted for 10 minutes. The PDF presentation can be found in this link: BCM_Presentation.

11251047_1002485706436924_4995811343764475449_n 10622713_1002485633103598_4000319264568441150_n 11427220_1002485729770255_498091567338954458_n

I went to fetch my girl friend in Pavillion Mall and ate dinner there. We rode Uber going to another mall outside KL called Publika.

Last day in KL, walking around the city

Our third and last day in Malaysia was spent in touring around the city by foot. We went to Mydin, where wholesale products are sold. We bought a lot of Cadburry and other chocolates.The place was not very classy thought. We walked to Low Yat, a technology/gadgets mall. We then walked to the KLCC area and visited Kinokuniya. We checked out then rode Uber to the train station going to KLIA2.

Uber ride to Ritz Carlton
Uber ride to Ritz Carlton

Over-all experience

I heard a lot of negative stories in Malaysia (dangerous at night, a lot of street clubs, ill-mannered taxi drivers, snatchers riding motorcycles etc.) but I haven’t experienced those stories. Maybe they have already changed? Or I’m just used to living with a similar environment in the Philippines? I don’t know. The experience was great. Their express train is very convenient and spacious. The establishments offer items both expensive and cheap depending on your budget.

Infosec books at Kinokuniya
Infosec books at Kinokuniya

Since I did not want to experience the horror stories in the taxi, I always used Uber for the transpo around the area. Malaysia has more Uber cars compared to the Philippines.

In terms of value for money, I can say your money has a big value in their country.

Protection through Network Security

Last February 26, 2015, I gave a talk at the Pamantasan ng Lungsod ng Pasig for their CCS Week. It’s my first time to go there and to that part of Pasig City.

I was very fascinated by the campus because the classrooms and facilities are state-of-the-art. Also, the CCS students were very hospitable and accommodating during my stay.

My talk was about protecting your network through Network Security and discussed some types attacks and countermeasure. I started the talk with the latest security news on Superfish which affected Lenovo products. I also encouraged the school to participate with JISSA (Junior Information Security Systems Association) which can help the schools learn the IT trends in information security.

You can download my presentation here: Protection through Network Security

Photo credit to: Jhes Ter Ladera

11035627_10204873574950491_6813368003208916790_o
I really am happy! haha

1655474_10204873564030218_4356033935283196982_o
Discussing Defense-in-Depth (layers of security)

10708700_10204873582350676_2446237824854056741_o
w/ the 3rd year student organizers of the program

10861019_10204873579430603_817000487512266403_o
Thanks for the caricature! Need to work on my exercise to achieve that weight. Beside me is Ms. Noreen Archangel, Dean of CCS.

10922289_10204873559630108_1579937846206966572_o
Superfish on Lenovo

10998899_10204873494308475_7926566154978347662_o
w/ Bernadine Bacolod, one of the lead organizers of the event

11018980_10204873561470154_642106652935180709_o
Determine if it is a Confidentiality, Integrity or Availability issue

1498966_10204873564230223_4517240199710062473_o 10371184_10204873577590557_2425693782663756280_o 10982595_10204873579990617_5053876611928926870_o 10991549_10204873537869564_2844852222877505467_o 11002699_10204873495268499_1573140387248946129_o

Infosec: Discipline and Opportunities at LPU Batangas

Last February 2, 2015, I was invited to conduct a talk during the CCS Days of Lyceum of the Philippines University (LPU) in Batangas City, Batangas. It’s a 2-hour drive from Quezon City to Batangas City with more than 100 kilometers from my place to the venue.

What I like about Batangas City is that it’s very clean and people are very orderly. The place didn’t look much of a province at all! It looks very progressive.

I was supposed to focus on Ethical Hacking. However, I learned that the theme was “CCS: Practicing Theories towards ASEAN Integration.” I introduced Information Security as a discipline and introduced career opportunities to students especially for those graduating ones.

Photo credit to the student photographer of LPU-Batangas.

10979311_10205887674729896_81024097_n
With the Department Chairs, Tina & Mischelle (from left), and Dean Roselie Alday,

10965875_10205887683850124_2030415691_n(1)
With Ernesto Boydon, my colleague in APC and the second speaker.

10966857_10205887683810123_199112349_n
With Irene Balmes, my former colleague in APC

10965543_10205887667929726_1758397814_n 10965927_10205887668009728_1338855883_n 10965467_10205887666449689_936184996_n 10966514_10205887667329711_802150987_n 10961925_10205887667649719_1207230235_nYou may download the slides of my presentation here: Information Security Discipline Opportunities

Ethical Hacking Workshop with SSS

Just this December, I was invited by DynamicMinds Business Solutions to conduct a 5-day Ethical Hacking Workshop in Makati. The participants in the workshop were employees of Social Security System Philippines. I followed the curriculum of the Certified Ethical Hacker by the EC-Council. We had lecture and discussion, assessment per lesson and lab exercises.

Over all, the workshop was great! The participants were very active and the discussion was interactive.

Photo Credit: Eden Dungca

1395923_900822596603236_4758897925518457254_n
Lecture time.

1920397_899287926756703_1185428698758128563_n
After the 5-day workshop, they look fulfilled!

10665368_900822736603222_5103678021730335164_n
Remembering the OSI and the network devices.

10151769_900822626603233_479811379083320292_n
Lab exercise time

10300789_900822573269905_2495592550596721669_n
Light moments during the workshop

10402587_900822679936561_332706450880114876_n 10003894_900822529936576_8764707224670948776_n

Secure Web Application Coding

I had a chance to give a training on Secure Web Application Coding under Bitshield Security. The company is a training and consulting center.

The first training I conducted was on October 2012 in their office in Shaw Blvd, Mandaluyong. The focus of my talk back then was on the OWASP tools and best practices.

The participants were relatively young and new to information security. The whole training was useful for the participants because they are developers. The good thing about it was that OWASP best practices can now be incorporated in their projects.

(Photos courtesy of Bitshield)

64514_446288185407096_1445104487_n
The participants look very serious. (and they know somebody’s taking their photo!) hehe

I really like writing something on the board! haha
I really like writing something on the board! haha

406851_446288332073748_1695298599_n
Giving a talk all day will make you tired. I need to sit from time to time.

531131_446288135407101_209406624_n 602456_446288015407113_1985333081_n

The second workshop that I conducted was for Bancnet. The training was customized and focused more on secure coding and more application-based approach. I included Payment Card Industry (PCI) Standard as one of the key topics in the discussion.

Getting to know the participants
Getting to know the participants

374693_513570998678814_1155381997_n 381483_513570825345498_1301883168_n 381519_513571468678767_1921722547_n

In-house training in their office
In-house training in their office

935184_513569948678919_226485340_n 935212_513571542012093_1462015745_n 942278_513569702012277_95381743_n

Demonstrating a source code analyzer from OWASP
Demonstrating a source code analyzer from OWASP

945758_513571555345425_257896355_n

4th Bicol Youth Congress in IT

I was invited to join and give a talk in an IT Youth Congress last November 2013. I came with my colleagues, Ernesto Boydon and Noel Anonas from Asia Pacific College (APC) Makati City, Philippines.

The event was held in Camarines Sur Polytechnic Colleges in Nabua, Camarines Sur in the Bicol Region.

The key points of my talk are:

1) Define ethical hacking (specifically to answer the question: Is there such thing as ethical hacking?)

2) Information Security as a discipline. I included this as a key point because majority of the audience are either Computer Science or Information Technology undergraduates. I wanted them to know that Infosec exists and there are a lot of career opportunities for them in the said field.

3) The need for cybercrime law. I obviously had to emphasize the need for a “real” cyber crime law that will protect the people especially their virtual assets.

The PDF version of my presentation can be downloaded here: 4th BYCIT Presentation

I really enjoyed my stay in Nabua. I would like to thank the Camarines Sur Polytechnic Colleges for sponsoring my trip there!

Speaker's profile
Speakers Profile in the Invitation booklet for the 4th BYCIT

A talk on Ethical Hacking
A talk on Ethical Hacking

Discussing reconnaissance, the first step in hacking.

Career talk for incoming college students

Every year, I think most high schools conduct a career exploration/talk series every July for senior students who will be applying for college. The career exploration event intends to help them have a clear mind on what course to take, jobs awaiting them etc.

For my alma mater, Elizabeth Seton School-South (ESS) in Imus, Cavite, this career exploration is a week-long event. Various alumni of ESS give their talk and insights about college and career. Last July 2011, I was invited to give a talk about college life and real-world work experience in the industry.

I was still employed in my first company, Perimeter E-Security (known as Silversky now) during that time. My presentation can be found here: Career Talk slides.

My goal that day was to make students realize that choosing a course must be taken with a thorough analysis rather haphazardly. I realized that there are still many instances where it’s the parents who decide for their children. For instance, my thesis mate who wanted to take Com Arts ended up taking Com Sci because his father wanted him to take a technical course. Otherwise, his dad won’t allow him to go to college.

Other students choose a particular school because of its prestige. A lot of students will limit their choices to the so-called “Top Schools.” Some other students will take a trending course like Nursing, for instance.

I realized also that a good number of students still don’t know which course to take and they end up choosing some course they are not really sure they want.

career_formula

I emphasized 3 key important aspects when choosing a course:

  1. Desire — So you are planning to take Nursing for example. Are you good in assisting and servicing other people? Or are you the type who is shy and a person who doesn’t want to interact with people? Desire is important because it will be your motivation to fulfill your course. If you are into helping people as a profession, then Nursing can be for you.
  2. Ability — You want to take up Architecture. You really want to design and create patterns etc. You need to understand that you must have the “hands” for Architecture. You have to be keen, meticulous and detailed when doing your designs. In short, you need to have these minimum abilities in order for you to have a free-flowing journey in finishing your course.
  3. Practicality — So, you want to take Culinary Arts in college. You have the Desire and Ability to cook and experiment on creating your dishes. That’s good. You’re planning to go to College of St. Benilde (CSB) because it’s known for their Culinary Arts program. However, your family cannot afford a 100,000php tuition and fees (excluding materials) per trimester to sustain your stay there. So what will you do? The best decision might be to look for another school that offers the course with a more affordable tuition and fees.

The scenarios above are hypothetical. I believe that these components are very helpful in determining which course to take. These components have to be balanced.

I do not fully agree that a student must limit himself/herself to Top Schools that they say, such as UP, Ateneo, La Salle and UST. There are a lot of schools out there that provide quality education as well. I won’t agree that successful people only come from those “top schools.” I think that due to massive advertising and marketing, these schools are very much overrated.

I’ve met and made friends at work who are very smart and skilled who graduated from universities in the province. They are so down-to-earth but a subject matter expert (SME) in our field. So, although it’s good to aim for schools in Manila, I can say that there are good schools found in other places in the Philippines.

My point is, it boils down to how the person develops himself/herself. The school may be a key, but the choice and decision to do best is up to the person.