[00:00:01] Chris Sienko: Infosec Skills is releasing a new free challenge every month with three hands-on labs to put your cyber skills to the test. October’s challenge, celebrate Cybersecurity Awareness Week featuring a bundle of three labs that provide hands-on training with in-demand cyber skills. Level one, get hands-on experience with the Metasploit Framework and investigate systemic vulnerabilities like the professional ethical hackers do.
Level two, leverage sudo to set up user permissions and explore the harmful side effects of improper implementation. And for your boss level challenge, you’ll head over to our secure coding cyber range to correct secure coding errors commonly found in Python. Complete all three challenges, download your certificate of completion, upload it to LinkedIn and tag Infosec for your chance to win a $100 Amazon gift card and Infosec hoodie and a one-year subscription to Infosec Skills so you can keep on learning. Just go to infosecinstitute.com/challenge and kickstart your cybersecurity career skills today.
Today on Cyber Work, I spoke with Jasmine Jackson, AppSec engineer, Pentester, educator, and creator of our Infosec Skills course on Linux fundamentals. Find out about her work as coach for the CTF team of the US Cyber Games, why Linux fundamentals are a crucial part of any cyber security training and how she got over her natural hesitation for reverse engineering. That’s all today on Cyber Work.
[00:01:32] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry.
Jasmine Jackson shares her passion for information security with presenting and teaching workshops with over 10 years of information security experience. She is currently the Jeopardy style Capture the Flag coach for the inaugural US Cyber Games. She is also an adjunct professor at Drexel University, and City University of Seattle with additional courses with Cybrary. Jasmine has certifications in secure programming, web application, pentesting and cloud security. Jasmine has a Master’s Degree in Computer Science and a Graduate Certificate in Information Security and Privacy from the University of North Carolina Charlotte.
Currently, she works as a senior application security engineer for a Fortune 500 company. She has presented her work domestically and internationally for such conferences as the Diana Initiative, Bugcrowd, Blacks in Cyber Security and NotPinkCon, on topics of mobile security, and web application security.
So, because we’ve got so many new learning paths built into our infosec skills platform, and because our monthly skills challenges are ramping up, I’m inviting a lot of infosec skills authors onto the podcast to talk about their areas of expertise, where their passion comes from for their subjects and what they’ve learned about specific benefits of online skills-based training. So today we’re going to be talking Linux, with Jasmine.
Jasmine, thank you for joining me today. Welcome to Cyber Work.
[00:03:04] Jasmine Jackson: Thank you. Thank you for having me, Chris. I’m so excited.
[00:03:08] CS: It’s a pleasure to have you here. So, I like to start every show, as people know, with getting the story of our guest’s cybersecurity journey in their own words. How did you first get interested in computers and tech? And what was the first spark that made you excited about computers, coding and all the things that you’re involved in?
[00:03:24] JJ: My brother told this story to me, because I forgot. But in the fifth grade, I won a challenge contest for computer and I totally forgot that. And then, because my story always starts when I’m 14 with my first job, Access to Software for All People. It was a nonprofit. I’m originally from California, Bay Area, Berkeley, California. So, at this nonprofit, it was for any inner-city kids to expose them to technology. That was initially, that’s where my story starts. I always start at 14, but as I said, my brother reminded me some years ago. He was like, “Do you remember that contest where you won the computer in the fifth grade?” I’m like, “No, I totally forgot that.” That’s funny, but as I say, my story starts at 14 with my first job.
[00:04:25] CS: Okay, love it. How did you win the computer? What kind of computer was it?
[00:04:31] JJ: It was a Macintosh. I believe it was a scholastic contest. I was the top of the class and I’ve won the computer. I had totally forgotten about it.
[00:04:50] CS: That’s awesome. Do you remember what you first did when you got the computer? What you started like digging into?
[00:04:55] JJ: At that time, so in the fifth grade, I think it was more so playing games on it. Because it was like, yeah, that was all that I really wanted to do. Again, I’m 14, when I started my job at ASAP, or Access to Software for All People, that’s when I really got started into tech, doing like web design, HTML and database and things of that nature. I really didn’t start programming. So, honestly, until I went to college, after I graduated high school. It’s actually funny, because when I meet people, in computer science, and they’re like, “I’ve been programming since I was like, five.” And I was like, “I didn’t start programming till I was 17 or 18.” It was something that I wasn’t exposed to. That’s one of the reasons that I love teaching so much, exposing students, kind of exposing them to concepts that I didn’t have. So, that’s one of my passions for teaching.
[00:06:06] CS: I love that. I also think it’s important to people to know that you’re not behind if you haven’t been coding since you were five years old. We have people who are in their 50s, in their 40s, in their 20s, in their 10s. It’s all valid. So, as we mentioned in the bio, you’ve had a pretty good number of different full-time jobs, projects and consultancies. Can you tell us about your path from your computer science degrees in college to where you are now? I mean, I see some DevOps, some AppSec, engineering work, and some teaching. What’s your career path been like so far?
[00:06:39] JJ: Okay. So, I’ll give you the short version. I’ll keep it as short as I can. I graduated with my Master’s. I moved to Charlotte, North Carolina in 2009, graduated with my Master’s in Computer Science in 2011, a graduate certificate in information security and privacy. And then I started working for an investment firm in Charlotte, North Carolina at that time. I was an application developer using PL/SQL. So, procedural language SQL, so marrying the two of like functions and variables, with SQL queries.
I did that for about a year. When I tell people what I was doing, they always cringe. Because it was like, “Yeah, I was repairing production data.” And they’re like, “Well, what? You’re not supposed to touch production data.” I was like, yeah, changing it daily. And they’re like, “Okay.” So, that’s a different story.
I did that for about a year, and then moved into a full stack developer position. I did that for about three years. But in that time, I was always interested in securities. When I was 16, still working for ASAP in California, I stumbled – I’m going to reveal my age, but I stumbled onto a Yahoo group on cryptography. I was like, “Oh, wow, this is so cool.” You have like this message and then eat the scramble it to the naked eye. And then it’s like, so the outside observer, it just looks like gibberish and that you can transform it back to their original message. In the beginning, I was like, “Oh, I want to be like a cryptanalyst and cryptographer”, because Bachelor’s in Computer Science and Minor in Mathematics. So, I was like, “Okay, that was the path I was going to go.”
Then, it was like, well, I didn’t like cryptography, I don’t see myself doing this. I’m not passionate about it. So, no. In 2012, skipping up, 2012 I started my blog at the time for Pentesting, but I have since changed it to thefluffy007, which is my handle on all social media. But if you type in passion for pentesting, it’ll just reroute you to thefluffy007.
I started my blog, because it was like, I was interested in security since I was 16. And then I learned about penetration testing, and I was like, “Oh, wow, this seems interesting.” I’m a nosy person. I’m a curious person. So, I was like, “Oh, this is great.” You hack into things and you find things and it seems great right. But it was like I was hired for jobs, but I will always get the auto generated rejection letter, right? Because I didn’t have certifications. I didn’t have experience. So, I started my blog, parts frustration, mainly frustration and then a portfolio.
What I started to do as I started to solve, capture the flag challenges and posted on my website and I will apply for the jobs, and then I will tell the prospective employer, like, “Go to my website, this is my experience.” At that time, still working as a full stack developer, still at this investment firm, smoking my manager, because it was just like, we had a one on one and he was just like, “I could tell, you do not want to be a developer.” He’s like, “I’m talking to you, you’re just stoic.” He was like, “I could tell you you’re not passionate about it.” When we’re talking about security, “I can tell this is your passion. I could tell you what you want to do. I’m going to help you get there.”
He kept his promise. I have to give him that. What he did, he started putting me in special projects. One of them, “I’ve voluntold you and to like you’re going to be a volunteer of repairing vulnerabilities in the Java project for this company.” So, how it worked was the company will hire a third-party penetration consulting company. They will come, do their engagement, provide the report, here’s your vulnerabilities. They were providing to the project manager of said application. The project manager will assemble the volunteers, who I was one of them. We will go, remediate the vulns, and then push it to production and all the things. I did that for a year, while I was still a full stack developer.
After the year, senior management was like, wow, she’s like, really excited, and she really, really liked it. So, then I became the project manager of special projects. I was in charge of the vulnerabilities, after the – consulting company, I would take it, assemble the volunteers, help them remediate, push it to production, meet with senior management, close vulnerabilities. I did that for another year. I finally transitioned to the security team at the investment firm and I was doing like security automation. So, at that time, the company was moving to a DevOps model. Helping teams creating automated security test cases, and authorization, authentication and cross site request forgery. I should say, our cross site request forgery was very rudimentary, because we were checking the header flag, no, the referrer flag, and as you know, that can be easily spoofed.
As I said, this was like in 2016. So, it was very, very rudimentary. I did that for about a year, then I left the company, started working at a bank, because Charlotte, the banks is king. Started working at the bank, and I was a penetration tester full time, using automated tools, such as IBM AppScan, HP WebInspect, doing manual, penetration testing. I did that for about two years, two and a quarter. And then moved to FinTech company still in Charlotte, and was an intermediate application security engineer, it was myself and the senior application engineer. He was responsible for, like, 80 application teams. All problems came to the both of us, and it was, I learned a lot at that company, actually. I really liked it. It had like a startup feel, it was great.
Now, I’m at a Fortune 500 company as a senior application security engineer. So, as I said, I was going to try to keep it short, but it’s kind of – in between that, at the bank, I started teaching, Cybrary, and all the things.
[00:13:47] CS: Okay. There was something you said in there that leads nicely into my next question so that, early on that you were not getting called back because your resume was sort of being a gatekeeper because you didn’t have experience. So, what are your thoughts on certification in cert studies? We get a wide range of answers from guests ranging from it’s unimportant as long as you can demonstrate the skills to completely crucial and always. So, where do you see certs as fitting into the modern cybersecurity landscape, especially with regards to attempting to directly upskill and place people in cybersecurity and what’s the so-called skills gap?
[00:14:24] JJ: I’m in the middle. I believe certs are important. But I also believe that you need to demonstrate the skill as well, right? Because it’s like, you can’t just have the certs. You can’t just pass a test and then believe that’s going to be enough. Because cybersecurity is very much hands on. You’re very much going to be – right? You can pass a test and then you get into position and then it’s like, “Hey, we need you to do this engagement.” And you’re looking like what’s an engagement, your employer is looking like, “We’re looking at your resume. You’re saying you have all these certs, what are you talking about?” It doesn’t match.
I’m in the middle. It’s important, the certs are important, but you also need to have real world experience. But my thing is, you touched on the key point of gatekeeping. That’s what grinds my gears is I see a lot of cybersecurity positions and some of these certs that they’re asking for, for entry level, even when I started in 2012, some of these certs, and I’m like, these are not entry level certs. I know people who are very passionate, want to get into the field, and they’re frustrated, because they’re the same thing. Close to 10 years later, I’m being auto rejected. No one has given me a chance.
We’re talking about we have a pipeline problem. There’s no pipeline problem. There’s a gatekeeper problem. That’s the problem. That’s the issue. No, the issue is, there’s a gatekeeper problem, there’s an issue of companies, or HR, a breakdown of communication of what you really want, and it’s like you’re meeting with someone and they’re writing these job descriptions, and it doesn’t match what you’re looking for. Because they’ve been in positions where I’ve done positions, and it’s like, the job description says one thing, you do the position, and it’s something totally different. What is this?
[00:16:31] CS: I have that cert. I didn’t even need to use it for that job.
[00:16:36] JJ: Right.
[00:16:36] CS: That’s really interesting. I don’t know what the blockage is, because we’ve been seeing it for so many years now. I don’t understand why they think they’re going to get better candidates just because they have all these – because you meet people who are also sort of inveterate cert collectors who, just who get all the certs, but they haven’t done anything with them. So, is that the person you want on your team?
[00:17:02] JJ: Yes. I mean, I’ve interviewed people before, and the same thing. I’m interviewing people with the host of what I call, the alphabet soup. All research behind them, you interview them and you just ask them simple questions that they’re like, “Oh, I don’t do that.” “Excuse me?” And they’re like, “No, that’s a junior level position.” “Oh, what are you talking about?” The tools tell me that. But again, these tools are program. A SAST or a DAST, well, SAST tool, and a DAST tool, these tools, some of them are signature based.
If it doesn’t fit a pretty formula, it’s either not going to find it, and it could be critically – it could be a vulnerability, or it’s going to flag it. It’s not an issue. So, you have to use deductive reasoning skills to actually figure that out. You can’t just rely on the tool 100%. But the main issue is gatekeeping. The gatekeeping is using the certs, which is unfortunate, because I know so many people who are like, I really want to get into cybersecurity, and we’re losing key talent, right? Key people, key talent, big brains of solving these issues, solving these problems with, honestly, something that’s so trivial is so stupid.
I mean, with most companies, have an education budget. If the person doesn’t have a certain – you have an education budget, just – with cyber security, you’re going to have to train your talent. No one is going to come off the street, knowing everything that you need for your particular company. You’re going to have to train them. So, it’s like, just looking at this, with all the smart people, it’s like the problem is really stupid. It’s actually infuriating because it’s so stupid, and it can be fixed so easily. I think it’s more so ego that people don’t want to fix it.
[00:19:08] CS: Yes. Can you sort of walk me through your sort of ideal version of like a job description that sort of gets passed as gatekeeping? Instead of asking for certs as a measure of knowledge, when you’re writing a job description for someone that you want to hire, what would you sort of put in that would help you to attract the kind of people that you want to have in your company?
[00:19:31] JJ: So, my job description and I would actually – it would be improved parts. So, the first part would be I would ask them what experience that they had, a website, a YouTube, just anything, just any tangible experience, open source. That’s why I tell a lot of perspective. Open source projects, trust me, if you speak with the lead at an open source project, they will not turn you down. They have so much work, they will be like, “Thank you. Come.”
Any projects, because that to me, that shows initiative, that shows passion. You can’t buy initiative, you can’t buy that. So, that shows me that you – that would be number one. Number two is the – portfolio. Number two would be like the interview, where do you see yourself? And then three, the certs, I will see if you have the certs, but it wouldn’t be super crucial. That would be at the bottom of the list.
[00:20:41] CS: Or if it’s something where you really need to know this –
[00:20:46] JJ: It’s optional.
[00:20:47] CS: Or you need to know this very specific thing for this specific job.
[00:20:49] JJ: It would be explicitly stated optional and if you do not have it, we will train you.
[00:20:57] CS: That is heavily weighted as actual experience. So, in your opinion, what are the cybersecurity skills that are most in demand at this moment? And which are most likely to accelerate your career? What skills are people overlooking in their studies and preparation as we read some of his research studies?
[00:21:14] JJ: I would say cloud. I see a lot of cloud. I see a lot of like data science. I haven’t really touched that, but I do see a lot of data science and also some of the fundamentals. I’m piggybacking off from my class Linux fundamentals. Because even with my – when I was in the beginning of my career, the app, the developer, so the position I was in was production support. I was supporting a product that was already in production and any issues, my team will handle it, but it was like going on servers, I was a Windows – I have a PC. I really wasn’t too familiar. I knew basic things of Linux but not a lot. But that job really taught me a lot. In industry, you have Windows, but most industry servers are Linux. So, you need to be comfortable with the command line. Cloud and data science, all of these things are sexy, the new sexy terms, but you need to know the basics. You need to know the fundamentals. The scripting and things of that nature. Those things will never go wrong, never steer you wrong, wherever you go because you will be using that as some facet.
[00:22:43] CS: It’s like learning languages. You have to front with the dog walked across the street before you can get to the sort of philosophy or something.
Let’s talk about that. You’ve got a long list of skills and achievements, but I specifically want to talk about your infosec skills path covering Linux fundamentals. Obviously, it’s right in the name. But what will students learn from your Linux fundamentals class? I know it’s Linux fundamentals, but what does that mean exactly?
[00:23:15] JJ: My class, how I teach my classes is I teach them for the absolute beginner. So, going back to when I started my blog, it was I read other blogs and it was, when I was starting out, I was reading some of them and reading them it was like an implicit this that you had to have like this brand knowledge. Well, that was good. I was like, “I’m going to approach it for like the absolute beginner.” That’s how I do my blog posts and my teaching.
My teaching starts from ground zero and build yourself up. By the end of my – I assume, you have never done anything with Linux or virtualization software, because we use virtual machines. Mint Linux, so I use VirtualBox, which you can use VMware or whatever virtualization you want to use. But I make an assumption like, students have done none of those things and I walked you through that.
In the course, you do the command line. We touch a little bit of security, of course. We do a little bit of scripting, a little bit of networking. So, by the end of the course, you’re not going to be a Linux master. But by the end of the course, you should be able to move around in the Linux operating system and get a good working knowledge of how to move around. If it’s like, I need a course, I’m at this job, and I need something to just get me up and running really quickly, that’s how I designed this course.
[00:25:02] CS: Nice. Okay. You’re not going to be scared of the command line anymore after your class. You sort of touched on this before, but just to unpack a little more, what does a solid background in Linux fundamentals unlock for you? What are some aspects of cybersecurity that are harder or impossible without a solid grasp of Linux?
[00:25:21] JJ: I mean, Linux is pretty much used everywhere. So, that’s why I touched that in the beginning of the introduction of my course. It’s used in space. When I did the research, it’s used in space. I didn’t know that it’s used in Hollywood. IoT devices, it’s pretty much your Fire Stick. Everything you use pretty much is using Linux. Like I said, in enterprise, if you’re working at a company, you’re going to be touching Linux at some point.
You’re going to need to know how to use it. The command – I was like that, at the beginning of my career. As I said, I used Windows, really wasn’t comfortable with the command line. It will hinder you so much, especially in security, right? Because in security, there’s certain things you can’t do on the GUI, the graphical user interface. There are certain things you cannot do. And you’re going to have to use the command line. So, it’s like, it seems daunting and scary, once you get comfortable with it, there’s some things it’s just like, I’ll just do it on the command line, because it’s just easier and faster.
[00:26:36] CS: Nice. Okay, that’s great. Since so much of the show is about sort of taking away basic fear of where to get started, hopefully our listeners are hearing this. This is like a really, really great place to sort of get started in terms of feeling comfortable in the space and so forth.
Once students have taken and passed your Linux fundamentals skills path, what are some next steps you would recommend them to go in different directions? Once they have comfort with the command line, what’s the next thing, whether it’s a skills course, or whether it’s something else? What do you do with that next? What do you do to sort of build on that foundation?
[00:27:10] JJ: Yeah, so as I said, this last three modules of my class, the security, networking, and scripting, those are just primers, and I can say that. They’re just quick primers. Each of those modules are its own separate classes. I would say, pretty much, after my class, do those three modules, especially scripting. Because I just scratch the surface on scripting. Definitely scripting, that will be something to definitely delve deep into. Networking, Linux, it’s something to delve deep into. Security, if you want to do pentesting, or whatever, it’s like, that’s something to delve deep into. Because the sudo and the SUID, and all of those things, escalation of privileges and cron jobs and everything of those natures of how you can exploit, that’s a separate topic of its own. I touched on that a little. I said, I’m only touching on this a little bit but these are its own separate topics, its own separate courses.
[00:28:37] CS: So, in your class you’ve sort of left openings where it’s like if you’re getting this, keep going this way. Nice. You’ve done a lot of different kind of education, you’ve given a lot different education, what are some benefits to skills-based education and training of other things like more formal long-term education paths that people might not be aware of?
[00:29:01] JJ: With skills base, I mean, for me, I’m a kinesthetic learner. So, I learn by doing. Again, I’ve done both. I have a Master’s, the skills base. But for me, it’s like I’m a lifelong learner. So, for me skills base helps with that portion of my personality, plus I’m a kinesthetic learner, and I can apply what I’ve learned. Again, if you want a quick way to actually apply the knowledge that you’re learning, skills base will give you that. Because it’s short chunks, tangible chunks with projects, quizzes, so reinforcement learning, and those things. It’s really good.
[00:29:49] CS: Nice. Now, one of the things that we – I think this is sort of human nature but without a professor assigning weekly tasks, it might be hard to stay on track to meet your learning objectives. Do you have any tips for helping lifelong learners stay focused on training when there’s not sort of a deadline?
[00:30:05] JJ: Yeah. I’ve actually fell victim to this too. What I do is I use my calendar and I have set reminder every week for a deadline. And it’s just like, “J, you have to get your assignment by 10 PM on Sunday.” The first time you miss this, because I’ve missed – you’re going to miss it, the first time. It’s going to be like, “Oh, crap, my assignment, I missed it.” But then once you miss it the first time, then you remember. “Oh, I have this assignment. It is due on Sunday.” It kind of keeps you on track.
I also would say, do not wait to the last minute to try to cram and do everything. You do not retain. I would say, “Do little chunks every day.” Even if it seems like you’re not retaining, I would say probably do like a video and a quiz every day. Just do small manageable chunks instead of like, “I’m going to start at 9:30 on Sunday, and I’m going to whiz through.” You’re not going to retain.
[00:31:15] CS: Absolutely. It’s kind of like, you turn the bath tub, the water is not going to get warm if you turn it off. It will just keep running in and every single day in your head, you’re thinking about it. So, I think that’s really good advice and I hope people take you up on that. I want to ask you about the US Cyber Games and your role as coach for the Capture the Flag competitions. How does the competition work? And what do you do as your team’s coach?
[00:31:43] JJ: So, as the coach, so there are six categories. There’s web exploitation, cryptography, surprise, surprise, reconnaissance, networking, forensics, and reverse engineering. I got all six. It’s an international competition with other countries. And yeah, going next June to Athens, Greece to compete. It’s said the first eSports cybersecurity competition. Meaning, we just finished the combine, which is like over the summer, have the athletes do those six different topics over the summer, prepping them and everything are – the draft is on October 5th.
[00:32:52] CS: Right around the corner.
[00:32:53] JJ: Yes, that’s where we pick the athletes that will represent the United States in Greece. So yeah, that’s October 5th. We’re going to Greece, representing the United States, as the first eSports for information security. It’s similar to what I was saying earlier, with the skills base. Because some athletes weren’t exposed to some of the topics that we were taught. Just seeing them at the end of the combine, and it’s just like, “Oh, wow. I was afraid of doing reverse engineering.” Now, it’s not so bad and I’ve learned a lot.
That’s what it’s about. The teaching and things of that nature. That is the problem that I see with cybersecurity. Sorry, because I’m going to go –
[00:33:52] CS: Go do it.
[00:33:54] JJ: Earlier with the gatekeeping, because it’s not a gatekeeping problem. It’s like, going back to the skills, because we need to employ people, because there are people that are hungry, that want to show their skill. If we’re closing the door in their face, because they don’t fit the criteria, whatever it is, narrow criteria is we’re missing out on key talent.
[00:34:25] CS: Yeah. Can you talk a little bit about how team members or members of the US team are chosen and what you would – I’m sure there’s people in the audience who are listening right now who were like, “Oh, my God, that sounds great. I’d love to do that.” What kind of experience do they need if they don’t need specific qualifications? What should have they been doing to get to the point?
[00:34:45] JJ: Yeah. I can’t tell you how it’s selected. So, that’s top secret.
[00:34:52] CS: Come on, you can tell us.
[00:34:52] JJ: No, I can’t. Sorry. What I can say is that the next – essentially how it works, how it worked, and how it’s going to work again, I think the next draft is in March 2022. How it works is there’s a CTF that’s going to be open, the website is uscybergame.com. What’s going to happen is, a CTF is going to be open, in the six areas that I described, web exploitation, cryptography, reconnaissance, forensics, networking and reverse engineering, and you’re going to complete the CTF. After that, if everything looks good, you will be selected for the combine and the combine is where you’ll meet the other athletes. We’ll delve deeper into the different domains that I described and work with your potential teammates. And then you will be selected, and then after that, further drilling down and preparing you for – when we compete this year, it will be in Athens. The next go around, it will be somewhere else, TBD.
So, that’s how it works. I really want – the age, right now, it’s 18 to 26 for the age. You do not need to be in college. So, that’s another thing because I’m sure people are like, “Well I’m not in college.” You don’t need to be in college to apply as long as you’re 18 to 26, you can apply for this. Everyone, it doesn’t matter what you are, as long as you’re 18 to 26. Come and apply and we want you. We want your brain and want you to compete and see what you can do.
[00:37:02] CS: I want to watch this. It sounds cool. Do you create capture the flag puzzles yourself?
[00:37:07] JJ: I created a capture the flag puzzles for the biohacking village. I created the mobile challenges for the biohacking village. That’s fun because I played so many and I always thought it was like the wizard and like this really secret coveted thing where I was like, “Oh, my God, it takes so much work to create CTF challenges. I don’t think I can do it. I’m not worthy.” So, then I started doing it. Yeah, it’s so fun. I’m starting to do it, starting to get my feet wet into that it, but it’s really fun. I like it.
[00:37:46] CS: I love it. What’s the most intriguing CTF puzzle you ever solved or designed? Where the solution is way to go, “Wow, that was so cool.”
[00:37:56] JJ: Honestly, I would say, I did a Pico CTF with Carnegie Mellon, and it was a reverse engineering. I completed one reverse assembly class in undergrad and close to 20 years ago. It was just like doing reverse engineering. It is not my thing, because it’s like, is it little endian? Is it big endian? Do I need to flip? It’s just so much right? It’s so funny, because one of the coaches is like putting YouTube web. There are so many categories. I’m like, “Web is fun. Web is life.”
So, I would say, it was a reverse engineering challenge and it wasn’t difficult, but it was like turning the code into from the assembly to like a higher-level language, from like that, to like Java or C++ or something like that. But it was affirming for me because I was like me, reverse engineering, we do not get along. We’re like oil and water. In the beginning, I had like, closed my mind off to reverse engineering. That’s another thing. When you’re learning, you have to have an open mind. Because if you close your mind off, you’re not going to learn, you’re not going to retain. I was like, “Let me try.” When I do CTFs, I just ignored the reverse engineering because I was like, “I’m not good at this. I’m going to get frustrated.” But I was like, “Well, let me try, let me see.” I did it and I solved it. I solved a few more, but we have to have an open mind.
[00:39:43] CS: Nice. Okay. I mentioned I felt great to sort of – you’re not only just solving the puzzle, but sort of getting over a fear that you had. I think that’s probably a good thing for these kinds of CTF things anyway. So, as we wrap up today – oh, sorry. Go ahead.
[00:39:58] JJ: Yeah, I was going to say, CTFs, I have learned so much information with CTFs. If you’re new to the field and you’re like, I don’t know how to get started, I don’t know how to show my skill, even with CTFs that have been solved. Because that was something that I shot. This CTF has already been solved. But I tell people, you have your own sauce. No one is going to think like Jasmine, right? So, you want to put your own spin to it. Even though a million people have solved the challenge, no one is going to solve the challenge like you.
[00:40:40] CS: You might find it completely different.
[00:40:42] JJ: Yeah, so I might come after you, and they might have been stuck, and they read your blog post or looked at your TikTok or YouTube, and the light bulb goes off and they understand. But I would say definitely do CTFs, gaming, that’s something else with the cyber games. Gamification with learning because I’m a gamer, so that’s actually learn and retain. CTFs are really great in that regard, because you just learn a lot. You’re in like this time constraint, all these different subjects, you research. For a learner like me, I’m just in my element. I’m just like, “Oh, yes, let’s go, let’s go, let’s go.” You just learn a lot. You take it back to your job. Because I mean, some people who were like, “Yeah, I did this CTF and I saw this at a job or this or that.” It’s good.
[00:41:40] CS: We had one of our guests was doing one from offensive security. She was saying that capture the flags are so important, but also that, there’s not flags in the real world. You’re doing a CTF to learn the process. It doesn’t matter if you win it or not. It’s like the process you do along the way.
[00:41:57] JJ: Yes, the journey.
[00:42:00] CS: Totally. You mentioned blogs and things, I also want to give a little shout out to our own infosec resources site, because we have a couple of writers who do capture the flag walkthroughs of old home hubs, and as you said, they’re all solved. But you know, if you’re stuck on it, it’s great to have a crib sheet there. Folks who are thinking about this, go check it out. We got literally hundreds of them.
As we wrap up today, I just want to ask, where do you see cybersecurity education going in the years to come? With more time being currently spent on with laptops and good Wi-Fi? Do you see career learning changing demonstrably in the next decade?
[00:42:36] JJ: I do. I definitely, because when I was doing the education, it was pretty much like you went to a hotel, or you went to a conference and you did the training there. But with the pandemic and everything, I definitely see that continuing. I definitely do see – I believe that at some point, it will be hybrid, and it will be more up to the consumer if they want to do remote or if they want to come in. If they want to go on site, and it would be up to the consumer and the employer. But before it was pretty much like you had to be on site, it was on prem. But yeah, we’re moving. We had to move from that right now because of the pandemic. But I definitely see that continuing after the pandemic as well.
[00:43:34] CS: Yeah. All right. So, as we wrap up today, what’s next for you, Jasmine? If our listeners want to know more about you, Jasmine Jackson, and your many other activities, where can they go online?
[00:43:44] JJ: Okay, so my handle is @thefluffy007 on all social media. So, you can reach me there. What’s next for me? I currently am an author now.
[00:44:05] CS: Wow. Do you want to talk about that?
[00:44:10] JJ: The editor, Christina Morello, of the Divine Techie Girl. Let me make sure I get her handle correct. Yeah, Divine Techie Girl. Yes. She is the editor in chief. She did a post on Twitter and was like, “Hey, I’m writing this book with O’Reilly. I’m the editor for like – what are some of the things for infosec hopefuls. If you can tell someone that wants to get into the infosec field, what would you tell them?” So, I contributed two articles.
The first one is pentesting, why isn’t it like the movie. I’m talking about so sexy in the movies and how it is in real life. And then the second is like, how many ingredients does it take to make an infosec professional and then talk about some of the things that are key, that prospective information security professionals should have. So, the eBook should be available on O’Reilly Media, and I believe the print will be available in three to four weeks. There’s that.
Also, still doing the teaching, the adjunct teaching. I’m still working at the Fortune 500 company. Also, still, I mentioned a little bit with the biohacking, so I’m interested in like medical security, so still hacking medical devices and things of that nature. I like to say I like to hack all the things. I’m still doing that. I’m working on building my YouTube presence, because YouTube, but I go all in and then I stop and then it’s like consistency. I need to work on that. So, I’ll be working on that some more.
[00:46:20] CS: YouTube is also thefluffy007?
[00:46:22] JJ: Yes. Everything. So, that’s a little about me. That will keep me busy, for sure.
[00:46:32] CS: Great. And that’ll keep our listeners busy getting to know you a little better. Jasmine, thank you for your time today. It was so much fun.
[00:46:38] JJ: Thank you. I hope your listeners have learned a lot. And yes, if you have any questions, definitely reach out to me. I will respond, usually in a day, but I do respond.
[00:46:51] CS: You heard her, folks. Go say hi. Thank you again to Jasmine. And as always, thank you to everyone who is listening to our podcast at home, listening at work, or listening at work from home. New episodes of the Cyber Work podcast are available every Monday at 1 PM Central both on video, at our YouTube page, and on audio wherever fine podcasts are downloaded.
I’m also excited to announce that our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month you’ll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we’re giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.
Thank you once again to Jasmine Jackson and thank you all so much for watching and listening. We’ll speak to you next week.