How to Teach Cybersecurity to K12 Students

k12 cybersecurity

In this episode, we discuss with our guest Ron Woerner what it’s like to teach cybersecurity and how a school can get started teaching it, adjusting to the new normal, K12 cybersecurity challenges after COVID and what the average person needs to know at home to be secure.

Protect Your School from Cybersecurity Threats

SecurityStudio helps schools ensure they’re protected against cybersecurity threats with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:03] Ryan Cloutier: Welcome back to another episode of the K 12 cybersecurity podcast. I’m your host, Ryan Cloutier. Today’s date is april 13th 2020. Our next guest has over 20 years of I. T. And security experience. He is a noted consultant speaker and writer in the cybersecurity industry. He holds both the Certified Information systems Security Professional and the Certified Information Systems Security Manager certifications as the president and chief security evangelist at cyber triple A. He works as a security consultant, delivering awareness, performing security risk assessments and advising small medium and large organizations. He has established the cyber security studies program at Bellevue University an N. S. A. Center of academic excellence where he still teaches, he also has a ted talk called hackers Wanted His crowning achievement was being selected as the Air Force Association Cyber Patriot mentor of the year in 2014 for the work. He does coaching high school students and cybersecurity. He loves to talk to others who are passionate about cybersecurity and privacy. Please join me in welcoming Ron Werner. Hey Ron how’s it going today?

[00:01:45] Ron Woerner: I am fantastic Ryan, thank you for having me on.

[00:01:48] Ryan Cloutier: Thank you so much for taking time to do this with us. Very cool stuff you know you and I have been on linkedin going back and forth, um probably about a year and a half now, um by the way, Lincoln’s a great resource to connect with others in the cybersecurity community and it is how Ron and I found each other and we got to strike up a conversation at a security conference earlier this year, which then kind of lead me to wanting to have run on as a guest. So again, thank you so much for joining us today.

[00:02:20] Ron Woerner: Oh my pleasure, Ryan, I love what you’re doing, trying to get information out to K through 12 and other types of small medium enterprises,

[00:02:28] Ryan Cloutier: definite passion that we share is, you know, taking care of our youth, we understand uh a lot of us that you’ll, you know interact with on linked in with us and as you listen to the podcast, you’ll see that really we’re trying to cultivate a community of like minded professionals who want to put the kids first and really have a strong passion for helping K 12 to get better at this, you know, Ron, as I was thinking about um kind of what questions to ask? The first one that came to mind is What is different today about teaching cybersecurity than it was when you started or even as it was say 20 years ago, can you share a little bit about that

[00:03:10] Ron Woerner: of course, that’s a great question because the more things change, the more they stay the same, There’s a lot of similarities to how we’ve been securing computing systems Even with from 50 years ago, you can read cultures and Schroeder’s design principles Published in 1975. The talk about least privilege in segregation of duties and all those other big terms. So those are still very much the same. What’s different today is that we have lots of more devices, lots more apps. 10 years ago, we’re just beginning to get into smartphones. Iphone was just beginning to roll out. So now we’re dealing with everyone having multiple computers around them, which is a plus and a minus. Like so many things, a double edged sword where 10 years ago, 20 years ago, trying to make sure everyone had a computer was a lot more of a challenge. But today Everyone has multiple computers. Many school systems with what’s happened with COVID-19, coronavirus are giving students computers to make sure they can get their homework done Connect with their teachers. But how do they make sure those computers are adequately secured? So we’re still going through that similar type of challenge we’ve had for the last 15 years. I call it security Groundhog Day, like the movie Groundhog Day with Bill Murray, where we’re reliving the same day. That’s often what I’m doing in cybersecurity because it’s still about the same fundamentals, but we’re doing it across so many more devices. So I guess it’s just learning a lot of those fundamentals and then building on it with today’s types of technology.

[00:04:53] Ryan Cloutier: Well that’s great. You know, I’ve noticed a change in, in the students um coming in that they tend to be a little bit more tech savvy, uh don’t have to explain some of the basics of navigating the device, like maybe we had to in the past, which I think is great because then it allows us to kind of hit the ground running

[00:05:14] Ron Woerner: somewhat. But the challenge, I sometimes see if they know how to use the computer, use the device, but they don’t know how it really works underneath and that’s really what we need to educate on. It’s one thing to use a network, but knowing how do I secure that network with access control and that the network layer as well, with different types of firewalls and intrusion detection systems, et cetera. Um making sure the right precautions are in place, whether it’s also a Bluetooth type of personal network who can connect to it and what can they do or can they just cause a denial of service? So there’s again in so many different complexities, but it all starts with the same beginnings.

[00:05:55] Ryan Cloutier: So to build on that question, what kind of challenges and concerns are there with teaching this topic to high schoolers who may or may not be fully mature to use the knowledge they have for good. Is there certain precautions we should be taking before teaching this to a student or certain things we should be monitoring for.

[00:06:18] Ron Woerner: We need to make sure that the students have a safe playground where they can learn and experiment and if they go and begin to explore, they’re not going to get into trouble. It’s actually pretty easy to do and not that expensive either to create a virtual type of a system or network letting the students have that area where they can practice their different types of technology skills this way, if they want to begin to see how things work and you can do this through. As I mentioned, virtual networks, you can even do it on one system, one computer using virtualization tools like the m where virtual box or even the native windows 10 Hyper Visor. I’ll have this capability where you can run multiple operating systems on one box and why do you need this is because students often are curious and we want to make sure that if they’re looking at things that it’s what we want them to see and nothing else on the school’s network. Um and this is where it does take a little bit of technical know how but there are many resources available for it. The other challenge though, I see Ryan is almost on the other end of the spectrum where kids are almost too afraid of breaking something that they don’t even try. So once they know they have a safe place to fail where if they make a mistake it won’t hurt anything, then that actually opens up the learning as well. I’ll often have a student who’s, yeah, my being graded on this. I’m like, no, I want to, I love it when students failed but use it as a learning experience. So for example, let me give a story and this is a little bit indicate of indicative of females versus males, but females are not as curious and tenacious as nails generalizing very much. But where as a young lady who showing how to use the command prompt on windows and showing her that she couldn’t hurt the computer were on virtualized everything like type something like, well I don’t know what to type, type the words something and hit enter and see what happens. Well, nothing happened. I just got an error message. He, you can’t hurt this because it was very much that safe playgrounds, that’s what we need developed for students.

[00:08:40] Ryan Cloutier: That’s really good advice and you know, I know myself whenever I’m trying something new, it’s always in a virtual environment, um, because you know, we wear the battle scars right? Um, you know, for those of us that were alive in the days before virtualization, we had to create entire separate environments to test this stuff out and sometimes it goes smooth and sometimes it wouldn’t, so that’s really great though. I, I appreciate that. Um, you know, you do a lot of, a lot of speaking around the country, obviously, you know, you do a lot of speaking in your classrooms, but, but you also tour around and go to various conferences, how are you adjusting to the, to the virtual conference in the, the difference that that is, um I know myself, I’ve been presenting to my monitor, which is not quite the same as an audience. I’ve actually taken to hanging up pictures of crowds so that I can look at it. Um and at least feel a little more like I’m, I’m there, how are you adjusting to all this covid craziness and its impact on presenting?

[00:09:43] Ron Woerner: So personally, I’m kind of in my element, but that’s because I’ve been preparing for this for 10 years and just didn’t realize it. So I teach at a university and I teach both face to face classes. Well now not quite face to face, what kind of sort of over zoom, but also online. And I’m often asked, what do you like better teaching face to face or online? And it’s, I really like both and they’re similar but very different. You brought up a great point brian, it is different talking to a camera and learning how to position camera and we need to take from broadcast journalists on how to center the camera how to have good lighting and sound. It’s just not as easy as it may seem, how to look at a camera. Here’s the challenge I give to folks. If you’ve never read from a teleprompter, it’s really hard the first time.

[00:10:36] Ryan Cloutier: It is, yeah, it’s odd, especially if somebody else is in control of the pace,

[00:10:42] Ron Woerner: right? Yes, because you’re frozen and you’re just reading it and you are not moving. So if you compare, like my first video is 10 years ago, reading from a teleprompter, I look worse than a robot

[00:10:54] Ryan Cloutier: to

[00:10:55] Ron Woerner: the ones I do today where I’ve learned how to be over animated. So here’s the one tip I got from a producer. This is actually was in southern California. So I could say Hollywood producer. Well the camera adds £10 so they say, but you know, it takes away 10% of your personality somewhere with podcasts, it’s so easy to a pure wooden and if I’m not using a lot of vocal inflection it gets boring in a hurry and you’re tuning me out, although you’re wondering where I’m going with that. So if you notice I’m using a lot of emotion with my voice, I do the same thing on camera as well. I think similar with an audience because that makes it more visually appealing face to face as well, but not quite so much as I’ll do on a camera were really go bigger with all of my gestures and vocal inflections because that’s what people rely on. Also using different voices. I went quiet on purpose because now everyone’s going what’s happening. And for Ryan is sitting there with his board trying to fix this? No, using different volumes as well as a way of catching people’s attention? All these little teaching tips come in handy in today’s new online teaching world, we just haven’t really thought of it,

[00:12:16] Ryan Cloutier: those are great, I’m going to be stealing a bunch of that actually because you know, that’s, and for any teachers listening, you know, these are great tips to help engage your classroom as well. I think, you know, that’s that’s a big issue, is just keeping audiences engaged when you’re now, you know, on the left hand screen and we’re all guilty of this. You, you go to, you know, you take a webinar, you sign up for a meeting or something like that, you got it going on the left hand side and you’re busy working away on the right side. So I think it’s, it’s important and I’ll definitely be taking that to heart um you know, as we, as we navigate this, this weird time that we’re in. I have affectionately started to refer to pre Covid as the before times, because I really feel like when we come out of this, it’s it’s going to be different and it’s not quite sure how, but I stand firm on the idea, you cannot go through something like this with the level of disruption to daily life that we’ve had and come out the other side, 100% the way you entered in and yeah, and to that point, what do you think the biggest challenge is going to be for cybersecurity in a post covid world?

[00:13:29] Ron Woerner: We’re seeing it right now and we’re going through it with everyone now working remotely. It would be that companies would think, oh yeah, we have a few people working remote, we can, you know, it’s not really a big risk now, it’s really raised up as to that level of risk, as far as looking at the center for internet security, top 20 security control number one is hardware, number two is software, So do you know everything that everyone is running that’s really being raised up into the forefront and that’s where I think a positive from all of this will be security and privacy will become that much easier because now it’s part of everybody’s life lives, same thing with the availability to learn and work remotely. Um it’s going to be huge to where we’re no longer relying on having to be in a physical location for learning or working, we can do it anywhere and everywhere, something I’m looking forward to is being able to get into a lot more classrooms and help out and mentor and coach because there used to be, I’d have to go to that school can’t entry into the school and meet when that class met. Now I can record something for any teacher and so we’ll be able to bring in so many more professionals into the classroom and be able to draw on their experiences. Um and being able to use tools like slack discord and even gaming platforms like Mixer and Twix as a part of this whole learning process. People haven’t thought of thinking twitching. Those are just for gamers. Right. No, it’s just a way to be able to share information.

[00:15:13] Ryan Cloutier: Well, I know, yeah, and and for me, twitch has actually been a place uh to do some chair shopping. So if anybody’s at home sitting in an uncomfortable chair, just go on to twitch and look at what those folks are sitting in because most of them are, you know, there in that chair in front of the camera, you know, playing those games for for extended periods of time. And so they’ve kind of done your market research if you will for a really comfy office chairs, That

[00:15:40] Ron Woerner: is a great example. Yes. Yeah.

[00:15:42] Ryan Cloutier: Right. You know, and and then the other thing that I was thinking about, you know, I’ve heard, I’ve heard some rumblings of some companies now offering stipends to their employees to upgrade their home routers, uh knowing that, you know, a fair amount of their workforce are running on equipment that is potentially five years or older out of date. And so they’re they’re not getting the security updates or not possibly even having some of the options available. Um So I’ve kind of heard about that and I’m wondering if if that’s something that we’re going to see continue similar to how in the early days, if you did have some type of remote work arrangements, um perhaps you were an out of state employee or something like that, the company would reimburse you for your internet. Do you think? Do you think we’re going to see a growing trend in in companies and schools, you know, kind of providing um those at home routers and firewalls to make sure that their their current and up to date and not some legacy one left over from the early 2000s that still kind of limping along.

[00:16:46] Ron Woerner: Well, the benefit for this is efficiency. And really when you can tie efficiency and security together, it’s a win win. If you think about it right now, Let’s just say we’re a school system with 200 teachers. I don’t know if that yeah, teachers and each of those teachers have a different type of home router and you know, if the teacher runs into a problem and needs to figure out what is that router, what does make, etcetera, what patch level with the firmware and he takes so much longer to troubleshoot when everyone is on a similar type of device or the same device across the whole school system then it’s a lot easier to troubleshoot or if there’s a problem, you can say, okay, I’m just going to ship you out a new router and you can plug it right in and we know exactly how it works. So the standardization will improve efficiency as well as security, then you can just make sure everyone’s at the same patch level, you know, with the device and have similar type of configuration and you don’t need to have separate directions on how to run it. It’s just, here’s my cheat sheet on how to use, you know, this type of router, so it really will help with the teachers, you know, or whoever has to work from home.

[00:18:03] Ryan Cloutier: Yeah, we like to uh security studio, we like to say that complexity is the enemy of good security, right? And the simpler, the simpler it can be, the the easier it can be, so no, I think those are all really great points. So, you know, the other thing we’re starting to see and I don’t know if you’ve caught up on this news story yet or not, but Nice. Uh National uh, institute initiative, Thank you. Thank you, acronym land over here. Um so they recently put out kind of an open call um and freed up some funding um to kind of expand that, which I thought was really great cause they’re taking a K 12 focus um which kind of segues me to my next question, which is, you know, how can schools get started in teaching cybersecurity curriculum if they don’t have a program in place today,

[00:18:53] Ron Woerner: uh reach out to the local community, so where there are cyber security professionals all throughout the United States and throughout the world. And that’s where it’s sometimes difficult for the school is to find that person that teacher who already is knowledgeable in cybersecurity or even information technology. Often they have to come from other areas. I’ve known many schools that have had math teacher has to teach computer science or the cad teacher teaches computer science because computer aided design has computer in the title. So that means you know, computer science where they may or may not be familiar. So no teachers need to know that there is a community out there that can help them support them training the teacher in it and cyber security and help provide that curriculum for them as well. And then there are many resources for cybersecurity curriculum. This is where rather me provide a lot of them here. If you can contact me and I know Ryan, you and I have had this conversation, but there is the curriculum available. Start a cybersecurity club like cyber patriot. So you go to u S cyber patriot dot org. They also provide a lot of curriculum for free. Um, and it’s a way of kind of gamifying the class, making it fun because it’s not just about the lecture. This is one of the things I love about cybersecurity. Ryan is we love playing games. Many of us are gamers at heart. Okay. One of the top activities I’m seeing in cybersecurity right now to stay current is the proliferation of capture the flag contest cts or what they’re called. And it’s a way of practicing your cybersecurity hacking skills and again, a very safe environment where you might have a hacking defense, you’re an attacker and you’re trying to get the other team’s flag just like physical capture the flag while they’re trying to do the same thing, trying to steal your flag on your computers. Um, there’s also jeopardy style. So these are a great way to teach as well as be able to assess students and then give them a fun environment in which to do it. And we’re doing these all the time as cybersecurity professionals. That’s why I say grab a local cybersecurity professional, whether they’re from I C squared Sokka I have to say in regard, you know, and say, hey, can you help me start this program?

[00:21:28] Ryan Cloutier: And that’s really great advice. I love the game ified aspect of it. I think that, you know, the more we can make this fun, you know, the more people are going to want to get into it. You know, I run into this a lot to where somebody thinks, oh, I’m not, I’m not a code writer. And so there’s no work for me in cyber. And I said, no, that’s not true, right? I actually had a linked in uh, comment debate if you will the other day. And I said we need to be exposing the industry to all students of all types and see what within our industry fits because there’s the technical aspects, the nuts and bolts, if you will the pen testing and the auditing and the working in the trenches with the tech, but there’s also because this is a booming industry sales and marketing jobs management positions, um graphics, you know, infographics have never been more in demand, you know, that’s graphic artist stuff. And while I’m, you know, fairly good at the cybersecurity business, um not the hottest graphic artist you’ll ever meet, right, My my drawings tend to look more like, you know, something you would find on the wall of a cave, but it’s, I think it’s just so important to expose kids because what they might be interested in now as say, a middle schooler potentially could be different by the time they get to high school. Um and, and so just exposing them to this is a whole industry that that has a job function. Um no matter what your natural talents are and using Gamification as a, as a means of entering them in, I think it’s just really solid and honestly I believe will be the future of how we do this. Yeah,

[00:23:12] Ron Woerner: well it’s about problem solving and that’s really why I like to use the word hacker because that’s what we’re, most businesses are looking for are people who can solve problems and be tenacious on how they do it. They see a wall and they figure out and try to figure out how do I get around it over it, under it or through it, you know, don’t just stop because they see the wall and it’s that those are the skills we really want to be building within the school systems, those troubleshooting. And it’s not just about how good are you with hands on the technology, it’s that that’s solving of analysis.

[00:23:51] Ryan Cloutier: Oh, absolutely. I mean the critical thinking skills and the problem solving skills really kind of trump the tech and a lot of regards because the tech honestly, and I know this sounds a little facetious to non technical people, but the tech isn’t near as hard as our industry has led you to believe it is uh you know, it works exactly the way you told it to and it’s gonna continue to work that way until it breaks. Um but it is the critical thinking, it’s the puzzle and problem solving. It’s the how am I going to make this work? Uh That is the bigger value. I’ve met many coders who are great code writers, but not necessarily architects or designers. Um and and really the folks that are actually solving the problems a lot of times these days don’t write a lot of code, their engineering, a workflow, their engineering a process, some some way that the, you know, data moves through the application from Point A to point B giving the results that the business, the school, the the end customer needs. So I think that’s really important. And I’m glad you touched on that. So that leads me to my, to my last question for you, what is every person need to know about cybersecurity? The average, the average person at home? What do you think they need to know

[00:25:21] Ron Woerner: when I’m particularly when I’m speaking to a younger folks, I asked you have an Aunt sally or an uncle joe in your life, You know that person who comes to you and says, can you help me fix my computer? These are the basics we need to teach to the aunt sally and uncle Joe’s in our lives. For me, it’s my mom who’s in her upper 80s lives about 800 miles away from me and I’m trying to help her. She’s very much getting connected in the way we communicate, of course, is through the Internet. Um first of all, just be a discerning consumer. Okay? So if something doesn’t seem right and very well may not be. So if someone is trying to convince you to do something and you’re not wanting to do it, like you get a piece of email that says, yeah, we need to test you for for Covid or we have to cure click here to find more or open this attachment to question it. That’s the first thing. Always be curious. Always be questioning.

[00:26:20] Ryan Cloutier: So is that having healthy skepticism. Yeah. The old if it’s too good to be true, it probably is,

[00:26:28] Ron Woerner: definitely, definitely. And then tied into that directly. And I’m actually thinking of the better business bureau is a great resource for this. Cause they’re always saying similar things is that if you’re not sure, ask if you get an email that looks weird, it’s okay to question it, go back to the source, you know, say it’s from your bank, call your bank and ask, hey, did you really send this to me or if the IRS is saying, hey, you owe taxes? Well, IRS would not send you an email saying you owe taxes by the way, but you get the idea, it’s having that healthy skepticism and being willing the question. Um, and then learning a lot of the basics. So I know what you’re doing there, uh, security studio is getting a lot of fundamentals out right, Which is fantastic. So it’s like knowing your car. Okay. Do you need to be an expert on how the engine works? No. Do you need to know the basics about the engine or the basics about, you know, making sure your oil stays up to date. Getting an oil change that’s like patching for us. Okay. So staying up to date whether it’s with your vehicle or with your computer system. There’s another fundamental, knowing who has access to it. So do you keep your car open and let anyone take it wherever? Well, of course not. Same thing on your computers or your smartphone who can gain access to your smartphone, Where can they go on it? Where can they go with your car? So this is where I like to use these types of analogies just to show how computers are really not that different than other things in our daily lives.

[00:28:12] Ryan Cloutier: Yeah, and I completely agree. I think it is, you know, uh you’ve maybe heard my series that I do, where I say, you know, uh, cybersecurity is a basic life skill and I like to think of some of those foundations as you know, just knowing the same thing we would about, you know, our vehicles or you know, how to safely use a stove. Right? Something that we learn in our youth. Um, you know, looking both ways before you cross the street, you know, a lot of those basic foundational things that we, as people need to know to be successful in society and you know, with the uh, the aggressive rate at which we have adopted technology into our lives, it’s time to kind of go back and catch up on some of those fundamentals on how to use that safely? Well, Ron I can’t thank you enough for joining us. Um, why don’t you tell the folks where they can get a hold of you and what you’ve been up to with the cyber triple a

[00:29:07] Ron Woerner: Certainly. So yeah, my email, Please feel free to connect with me there If you have questions or through LinkedIn, As Ryan mentioned, We use LinkedIn a lot as professionals reach out to me through LinkedIn. My Twitter is @RonW123. If you want to connect with me through twitter, I love just chatting with people like you, Ryan and meeting new people around the globe because we’re all in this together and together, we can solve a lot of today’s tough problems.

[00:29:41] Ryan Cloutier: I completely agree. And you know, the cybersecurity community is here to help you guys. We really are. It’s probably the most helpful group of people that I’ve come across in in life. It’s just the cyber communities like no, really we’re here to help. We want you to be better at this so well, thank you so much for taking time to talk with us and thank you to the listeners for listening. Um we’ll get to where you are going to continue to produce these podcasts. Um please reach out to us and let us know the topics you’d like to hear about. You can reach us on twitter at studio security. Um and you can find me on twitter @CloutierSec and with that. Thanks everyone have a great day and stay safe out there. We’ll talk to you soon