
Security Chipmunks
Episode 6 - Support VetSec
Welcome to Security Chipmunks podcast where we talk about the development of cybersecurity skills. To stay up to date in today's world you need to be resilient, that’s why as Advanced Persistent Chipmunks we keep chipping away at it.
Today we are joined by special guest Tom Marsland
https://veteransec.com/about/
https://veteransec.com/slack/
https://www.linkedin.com/in/thomas-marsland/
https://twitter.com/tmarsland
Additional reading on Yara
https://virustotal.github.io/yara/
https://github.com/Yara-Rules/rules
What are Yara Rules (and How Cybersecurity Analysts Use Them)
https://www.youtube.com/watch?v=BM23_H2GGMA
Socials
- Join our Chipmunk community Discord server: https://discord.gg/9yfWP6evYQ
- Follow us on Twitter: https://twitter.com/SecChipmunk
- You can find us online at: https://securitychipmunks.com
Thank you.
SPEAKER_01:Welcome to Security Chipmunks podcast, where we talk about the development of cybersecurity skills. To stay up to date in today's world, you need to be resilient. That's why as advanced persistent chipmunks, we keep chipping away at it. My name is Nick Sedna-Johnson. I'm here with my co-host, Neil Smalley. And today we are joined by a special guest, Tom Marsland with VetSec. Welcome, Tom.
SPEAKER_00:Hey, glad to be here. Thanks for having me.
SPEAKER_01:Yeah, glad to have you.
SPEAKER_02:That's awesome.
SPEAKER_01:God, that's really amazing. Sounds like a great organization.
SPEAKER_00:It definitely keeps us busy. There are just so many different ways that we try and help and try and cover the gaps that the Veterans Administration and the federal government kind of lacks in, especially with newer industries in technology like cybersecurity.
SPEAKER_01:Understood. So I've heard that civilian life is the longest deployment. I've heard that phrase said before. So can you talk about the transition from the military to civilian life? What is that like? And what are some considerations there?
SPEAKER_00:Absolutely. As I mentioned, I haven't made that transition myself, but I do have the perspective of talking to a lot of people that have. Civilian life is drastically different than military. Most people that serve in the military did so joining right out of high school, or if they're on the officer side, they went straight to the Naval Academy or to college. So they don't have the experience that our civilian counterparts do in the realm of job interviews, resume writing, or those kind of, you know, I almost think of them as kind of basic skills for working in the civilian industry. And my last job interview was at McDonald's in high school before I joined the Navy. And that was 19 years ago today. The civilian industry is scary to a lot of those people in the military that just aren't sure. You know, we joke that we're not sure what we're going to do when we grow up. A lot of military skills don't translate into their civilian counterparts. And it's not just in cybersecurity. I did some research for our Navy hospital corpsman last year. They're the people that I work on submarines. So a hospital corpsman, we have one stationed on every submarine and they're the only medical professional we have when we leave on deployments. So we're gone for six months and we have this guy that has some pretty good medical training, but if he separates from the military, he's not certified on the outside world at all. He couldn't even draw blood at a hospital. But that's the guy that's trained in doing even rudimentary surgeries if we had to on our ships. And we see a lot of those gaps in the cybersecurity side as well. The DoD 8570 covers some certifications that you have to have to work in DoD cyber, like Security Plus for the information assurance side. But even that isn't the default for many of the people that do work in IT in the military. They don't get the opportunities to have those certifications. It's just kind of on the job stuff.
And if it doesn't directly translate, then there's a huge barrier for access to that job market.
SPEAKER_02:Yeah, there's some really interesting points there. I've heard before it can be challenging trying to match the military job descriptions to what you would see in the civilian life. It can be really difficult, but if you can kind of translate it a little bit, it can be kind of helpful.
SPEAKER_00:Yeah, absolutely. There's so many resources that have come up now. Google, actually, on their Job Finder you can put in your military job title or code and they kind of translate to what you'd be good at. But there's still so much on the back of the service member to write the resume that talks about that. There's so much military lingo that you aren't going to be able to put on a resume because our civilian counterparts just won't understand that. So that's where companies like Operation Code, Veterati, Vets in Tech, and mine, VetSec, try and bridge that gap.
SPEAKER_01:That's very interesting. So how did you get involved with VetSec?
SPEAKER_00:Honestly, it was just looking around for my own resources for transition. I've always been somebody who wants to know clearly what the path forward is going to be. And this is probably one of those biggest scary moments that I'm going to have in my life as far as I have definitely decided on retiring from the military and making that transition. So about a year and a half ago now, I started research and putting together a timeline for my own transition. And VetSec was one of those resources that came up. So I joined. We have a Slack community channel where we have channels about our military transition, technical channels, and a lot of social stuff, fitness, health, and outdoors, and all sorts of stuff for guys to just talk. So I got involved with them. About three months after I joined, they had earned a partnership with a company called eSports. eLearnSecurity or INE now. That was before that merger. eLearnSecurity gave VetSec 10 vouchers for their junior penetration tester program. And being one of the people that was kind of active in the channel at the time, the board at the time selected me as one of the 10 to receive that training.
SPEAKER_01:How nice.
SPEAKER_00:Yeah, it was a great experience. I've always had this goal of getting my OSCP at some point. So the eJPT was a great kind of starting point for that. So I went through with the other nine VetSec members and got my eJPT. And then about a year ago now, the board had elections and there's a lot of members of VetSec and kind of I think with most of those organizations where they come, they get the resources and then they're successful and they move on. So we have a lot of members, but not a lot of active in their everyday kind of members. So when the board elections came up, there weren't a lot of people volunteering to run for a spot. So I tossed my name in and well, here I am today. Yeah, it's been a wild ride so far. I think having a lot of free time with the COVID pandemic helped me a little bit. About a year and a half ago, even the military for the people that aren't on ships kind of said, okay, if you can work from home, go work from home, stay safe and check in over the phone. So I had a lot of free time to devote to that and to my studies at the time.
SPEAKER_01:Well, that's great. I know that I've seen you very active in social media channels talking about VetSec and encouraging both military and veterans to talk to you if they have that interest.
SPEAKER_00:Yeah, I've been trying to experiment with different ways to reach out to the community. Social media seems to be one of the best.
SPEAKER_01:Do you have any success stories that you have? You don't have to name any names, but have there been any military or veterans that have been helped that you can talk about?
SPEAKER_00:Yeah, absolutely. Just for the company as a whole, we grew over a thousand members in the past year. And then one of the partnerships that we were able to come out with was we partnered with a company called Virtual Hacking Labs. They're similar to Hack the Box or Try Hack Me in that they provide lab-based training for people working on offensive security. We partnered with them with Hack the Box and with Offensive Security. And two of our members last year, we kind of called it our premier scholarship for the year. Two of our members received that kind of package deal of training and are actively working on their OSCP certification right now, free of charge from VetSec.
SPEAKER_02:That's awesome.
SPEAKER_00:Yeah. And then the other thing is we partnered with a company that's basically us, but in the United Kingdom called TechVets. And just the collaboration between the two of us, we've, you know, sharing job postings, sharing just anything for the people in the different geographic locations. Just in the past year, we've contributed to over 30 of our members finding meaningful employment, finishing that military transition.
SPEAKER_02:Very cool.
SPEAKER_01:Wow. Yeah, that's great. Great news. Great to hear. It's great that you're getting these partnerships too, to be able to offer education and certifications to your members.
SPEAKER_00:Yeah, I'm not afraid to hear the word no. So I've just been kind of shotgunning every educational company out there with our message. And, you know, I don't know, maybe they feel bad if they say no to me. I don't know. But I'm going to keep asking until, you know, I can help as many people as possible. That's my goal.
SPEAKER_02:That's really cool. We've covered a bunch of them, but VetSec offers quite a variety of resources. Would you like to go over all of them or anything that you haven't touched on yet?
SPEAKER_00:Yeah, absolutely. So our biggest thing is the Slack community. So a member, you know, I'll just kind of go from somebody discovering VetSec to what they can get access to. So a member discovers our website. It's VeteranSec.com. They applied to join our Slack community, and that's where all of our resources live. We have about 3,000 members now in the Slack. I'd say looking at our analytics, about 400 active week-to-week who are in the channels commenting, posting, asking questions. The channels revolve around military transition, technical topics such as red teaming or industrial control, SCADA, education, social, and then the channels for our leadership to put out announcements. There's also mental health resources that we share for people making the transition. And that's more of a confidential discussion channel for people to share their kind of struggles. Also help with VA medical disability ratings and how people can go through that process. So I'd say 90% of the resources that we have is that Slack. It's the members giving back. It's the people who have made those transitions kind of taking up their own little mentorship and giving back to those people that are coming in behind them. On the tangible benefit side, over the last year, we had 10 members go through YARA training that was given to us by Kaspersky. And then we give numerous discount codes. So we are a CompTIA authorized partner academy. So our members can buy vouchers for us at about half the cost that they would buy them on their own. We also do giveaway vouchers for six months of Hack the Box. I'm working a partnership with Offensive Security this year, hopefully again. I'm going to have to try and make them say yes to me. I'd like to get some more OSCP certifications. And then we have access to Immersive Labs platform. That's another learning tool for free of charge for our members. And then Fortinet. We're a Fortinet NSC Academy.
So anybody that's familiar with Fortinet's certification can gain access to all those through us, the training and the certs free of charge. Those are kind of the big ones. We have some goals over the next year that haven't come to fruition yet. We're working on some financials, but really my goal is, you know, there's so many resources out there. There's YouTube videos, there's Professor Messer for the CompTIA certifications, Hack the Box, Try Hack Me, you name it. There's hundreds of different learning resources. My goal is to have a program where a member joins. We talk to them, kind of find out what their interest in cyber is. Because so many people say, I want to go into cybersecurity. Well, what do you want to do in cybersecurity? So say they want to go into offensive security. Then we pair them with a mentor in that field. And we have, my goal is to have like five or six different learning paths. So a member wants to go into red teaming. They work on this learning path and it's comprised of resources that we've procured for them. Or that we've just kind of compiled across the web. They go through it. And if they complete the path, my hope is that I can get some industry leaders to guarantee those members that complete our kind of educational path, at least an entry-level job interview. Bypass the HR filters, you complete a program with VetSec, you get an interview. That's the vision. That's the goal.
SPEAKER_01:Oh, wow.
SPEAKER_02:That's really cool. One quick note. I've met some SOC analysts who don't even know what YARA is. YARA is a kind of a framework to help you write signatures or rules for detecting certain malware or whatnot. So it can be a really cool and useful tool for researchers to share different detections for various malwares that you could go and then plug into your monitoring and that way you could find stuff on your network. So that's my understanding of it.
SPEAKER_00:Yeah, that's the basics of what I understand for, I didn't go through the training that we provided to our members on that. I'm definitely more of a Kali Linux capture the flag penetration testing. That's kind of where my interests lie.
SPEAKER_01:Yeah. I know I've done some Immersive Labs. You mentioned that. And I think I remember seeing the VetSec rank kind of high on there. So I guess your members are being really busy getting their labs in and working on that resource.
SPEAKER_00:Yeah, it's a relatively new offering for us, but, uh, definitely as soon as we announced it, uh, it was kind of the bright and shiny thing for people to go after. So we've got about 30 or 40 guys, uh, and gals kind of working through all that stuff. I like how it's modeled after the MITRE ATT&CK framework, and so people that are interested in certain areas, they, they know what labs to kind of go after in there.
SPEAKER_01:Yeah. So I heard you did the SANS Cyber FastTrack CTF.
SPEAKER_00:I did so.
SPEAKER_01:How was that?
SPEAKER_00:Oh, I think my first time trying it was probably my best attempt. I went through it last spring, 48 hours going through the CTF. It was rough. As somebody who was very new at that point, it was a lot of, hey, I'm going to sit down for 48 hours and use Google a lot. But it taught me a ton. It definitely kind of showed me where some of my passions lie. There's so many different problems in that CTF from steganography, from some of the blue team defender side of the house, malware analysis. You know, it gave me a lot of exposure to different tools. My first attempt was definitely my best. I think there were about 3000 people that went through at that time. And I was number like 65, somewhere in there. And then, you know, based on how you place in the SANS Cyber FastTrack, they are, you submit a, like a video interview and a resume, and then they choose people for their follow on. I didn't get picked for that, but I keep plugging at it. One of these days, maybe.
SPEAKER_02:What are some of the challenges facing VetSec?
SPEAKER_00:So with any nonprofit, I think financials is always going to be a challenge. Our operating footprint's pretty small. It's really our website. Slack was gracious enough to donate the space to us, even at their higher Slack standard offering. So really it's website, corporate renewal fees, stuff like that. So that's pretty small. I think the biggest challenge is getting the word out there. Like I said, we have 3,000 members and we gained 1,000 over the last year, which is awesome. And I'm super happy about that. But when I look at the bigger picture, there's 200,000 people separating from the military across the United States every year. Now, I know all 200,000 people aren't interested in cybersecurity, but I think it's got to be more than 1,000 out of that 200,000 in a year. And really, there are resources that benefit people who wouldn't just be going cyber, but into IT in general. And there's a lot of resources just from the VA transition, the mental health side that would help more people. Probably the biggest challenge that I see is getting the word to active duty members still. The DOD has this workshop that they require everyone getting out of the military to go through. It's five days long and it's how to write a resume. This is what an interview looks like. But if I wanted to get my name on a list of resources that they provide at that workshop, I can't just contact like the big DOD and they put it out everywhere. I have to contact basically every individual military base across the country and ask their program coordinator to add it to their slide deck. There's no centralization of that process. So finding volunteers that are willing to, in their area, reach out to those bases and kind of get that word out. And that's why the big push on social media is, I do have a lot of military connections that way. So if I can amplify our voice through that method, I do.
And then just, yeah, there are so many people that just don't know what those resources are. And unfortunately, the longer you're in the military, I think the job gets a little harder. You get more responsibilities. So that last six months of a military member's transition when they should be focusing on job interviews and finding resources and all that. They're probably being tasked more with their job than at any other time. So trying to lobby for the military to give those members time to make that transition because it's not as simple as working a normal civilian job and looking for something else. It's, hey, at this day, you're done. And once you put in your paperwork to be done on that day, you don't take it back in most cases. So it's definitely more of a wall. And I think that's one of the challenges that our members face is, you know, it's kind of a scary world for them out there, especially with unemployment doing what it's doing. And I had several people that even I work with personally that, you know, the pandemic hit and now, oh, well, I don't want to get out of the military in the middle of pandemic, I'm really not gonna be able to find a job now. And they just don't, they don't know all the resources out there. So I think the biggest challenge is getting that word to as many people as possible.
SPEAKER_02:If our listeners want to help out or get involved, what do they have to do? They just step on the Slack or?
SPEAKER_00:Yeah, the best place would be to go to VeteranSec.com. There's a link to join the Slack. We do a little bit of OSINT to make sure that people are in the military because the Slack is just for people that are in or have been veterans of the military. There's also donation links on the page. So people that are hearing about us that aren't in the military, if they want to help, we do accept donations that our major funding sources and mostly from insider membership. And then, yeah, just, you know, if you see posts about hire a vet, please help amplify that voice out there. That's a, that's a big way to help.
SPEAKER_01:Where can our listeners connect with you?
SPEAKER_00:LinkedIn is probably the best place. You know, Thomas Marsland on LinkedIn or T Marsland on Twitter. Those are, those are the biggest places and I'll never turn down a connection request. So even though even the annoying sales pitches. I just try and copy paste a VetSec sales pitch back to them.
SPEAKER_01:Nice. All right. Very good. Well, thank you so much. It was a pleasure having you here today.
SPEAKER_00:Oh, thank you so much for having me. I really appreciate the opportunity. Thanks again.
SPEAKER_01:So thanks for listening to the Security Chipmunks. And remember, if it seems overwhelming, just keep chipping away at it.