As an assistant professor in the Department of Information Technology at MGA, Dr. Stines teaches cybersecurity for fintech, web development, database principles, web programming, web application development, ethical hacking, and advanced web development.
He earned a PhD in Cyber Operations from Dakota State University, a Master of Science degree in Applied Computer Science from Columbus State University, and a Bachelor of Science degree in Information Technology from Macon State College.
Alan is the Director of the Cyber Center of Education and Applied Research and Coordinator of the Center of Academic Excellence in Cyber Defense. Faculty profile.
Listen to the full episode:
Summary of the episode
- Academic and professional background: He started as a software developer and gradually transitioned into cybersecurity, becoming an expert in the field while maintaining a strong foundation in programming.
- Current research and interests: Dr. Stines is involved in research on the motivations behind offensive security and the evolution of cybersecurity professions, such as penetration testing.
- Educational opportunities at MGA: MGA offers a diverse IT degree with concentrations in cybersecurity, cyber forensics, software engineering, web application development, and more. The cybersecurity program at MGA is recognized by the NSA as a Center of Academic Excellence in Cyber Defense. The university also offers bachelor’s, master’s, and doctoral degrees in IT-related fields.
- Student engagement and activities: Students can participate in clubs like Cyber Knights, engage in cyber competitions, and contribute to cybersecurity seminars and projects.
- Addressing the cybersecurity skills gap: MGA is developing programs to fast-track students into cybersecurity roles, emphasizing the importance of advanced mathematics and practical skills.
The following is a transcript of the interview:
Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut, and I’m a writer and editor for Cybersecurity Guide and the podcast’s host. Thank you for joining us today. We sincerely appreciate your listening. Today on the show our guest is Dr. Alan Stines.
Dr. Stines is an assistant professor at Middle Georgia State University, and we’re going to be discussing the educational opportunities for cybersecurity students at MGA. Before I introduce him, let me tell you a little bit more about him as an assistant professor at the Department of Information Technology at MGA.
Dr. Stines teaches cybersecurity for fintech, web development, database principles, web programming, web application development, ethical hacking, and advanced web development. He earned a PhD in cyber operations from Dakota State University, a master of science degree, and applied computer science from Columbus State University and a Bachelor of Science degree in Information Technology from Macon State College, as Alan is the director of the Cyber Center for Education and Applied Research and coordinator of the Center for Academic Excellence in Cyber Defense.
And with that, welcome Dr. Stines. Thank you for joining me today.
Hey Steve, thanks for having me.
You bet. This is going to be interesting and fun. So I appreciate your time. Let’s help the audience understand how you got to where you were at first of all. So tell us how you first became interested in cybersecurity.
It’s kind of a tough question. I’ve always really kind of been interested in the computer side of it, but where did cybersecurity first hit me was probably when I was working for a company and I was doing web development, so I was writing software applications, kind of a full stack web developer. And we were browsing around one of our software applications.
And I remember looking at this file and I looked at this file and I was like, “this extension on this file is not right.” The extension is .JPEG: ASP. What’s this about? Right? What is this? And so I was like, it looks like a picture. It’s calling itself a picture on kind of looking at it from Windows Explorer. It’s calling itself a picture, but this extension’s weird. Let me open it up in a text editor.
Oh my gosh, this is a ton of VB script and this is a back door. And I was like, how did this get here? And so I started researching it and I’m like, okay with this extension is the first thing that I noticed. And then I went and found some stuff and basically I spent probably a good week just kind of researching this thing and found out it was a bug in Windows Web Server IIS version six.
There were recent posts about it from Microsoft. And basically Microsoft’s response was, “we’re not going to fix this because you should be updating to IIS seven anyway.” And it’s like, oh, well, but IIS six is still in supported, still supported up until this date. And then Microsoft’s response was, IIS seven is the new thing, and this doesn’t do that here.
So that was, I wasn’t specifically in cybersecurity at the time, but of course we had a cybersecurity person on our staff. And so I went and talked to him about it and I was like, “This thing says it’s been here for quite a while. You say you’re scanning our stuff, but you didn’t find it.” And he goes, well, if my scanner doesn’t find it, I don’t know. Yeah. And so basically I got hacked, or the software application that I was managing at the time got hacked and just by happenstance found out how and why and never really knew who.
Of course went through the whole reporting process and all that. But yeah, that kind of got to me, it was like I had never even thought how that could happen, how that bug could basically be transformed into a back door on a server that gave him basically full access. So that was kind of interesting. That was 10, 15 years ago, so it’s been quite a while. Whenever IIS six was still supported. I don’t know what we’re up to now, but yeah.
It got me interested. And then I started learning about bugs and software vulnerabilities. It had always been on my radar a little bit: SQL injection has always been around as a software developer, as a web developer, we were always kind of cautious about that, but this was something new that totally wasn’t on my radar.
Interesting. And so now if we fast forward to the current state, so I guess I’m interested in learning about what you might currently be researching or working on. And when I look at all the classes that you’re teaching, it’s pretty broad. It’s not just cybersecurity stuff. So you’re teaching lots of web development, application development courses. Is it fair to characterize your academic career as being mostly about cybersecurity? Or do you see yourself more as a developer guy who knows a lot about cybersecurity?
I am the latter, I started as a software developer guy. I just started doing front end web development work and just making pretty websites in the long, long ago and eventually just kept getting stuff added on. That’s kind of why I got hired to come teach is because they needed a strong full stack developer to teach web applications.
It’s a very high demand field. And then of course it was like, well, someone told me you got to get a PhD in order to be relevant in education. So I was like, well, cybersecurity’s always interested me and there’s just really neat program at Dakota State. Let’s go for it. So I come from a development background. I would say I was more of a programmer prior to… a programmer with interest in cybersecurity and then kind of transition into being, I guess our cybersecurity expert on staff these days.
So now that you have your PhD and you’re into teaching, do you still have any time or inclination to do research? Is there anything that you’re currently researching?
All the time. It’s hard to say what is and isn’t research. I always tend to be reading stuff here and there. We’re currently collecting data for survey on motivations for offensive security. It’s not this, it’s not called that.
The colleague I’m working with likes to, what’s the motivations of people that want to hack? And it’s like, okay, hacker’s kind of a dated term. We call that space offensive security these days. You’re conducting operations against targets and devices. Right. But still, what are the motivations behind someone that likes to work in that space? That’s one of the things that we’re working on.
That’s fascinating. Is there any parts of that you can share with us, or do we have to wait till your research is done and your report comes out?
Well, we’re still working on, the older research is based on research from the mid two thousands, which I think is why some of the terminology is a little dated. And a lot of it is machismo. Right? We want to be able to prove that I can do it right, first of all. Right. And then the second part of it was actually money, of course. Why you working in the offensive space?
I think the biggest difference between then and now is back in the two thousands, pen testing wasn’t really a profession. It was something you did if you, you’ve worked in the offensive space, but you weren’t really, if you were a security person, you might be testing your own stuff, but you wouldn’t be called a pen tester. You’d just be called an information specialist or security specialist. But these days we have pen testing as a job. We have entire companies dedicated to doing pen tests for other companies. And that’s something that wasn’t around before.
So that’s why I think that the terminology’s changed a little bit because that offensive side has fleshed itself out into a legitimate industry. And you’re not just looking at hackers from, you’re doing illegal stuff. There’s an actual legitimate side to hacking. And it’s still kind of complicated to explain to people sometimes you teach people how to crack passwords, and I’m like, why not? And they’re like, why would you do that? That’s terrible. And I’m like, well, I mean-
Would you rather the good guys know how to do that or the bad guys?
Right. Right. I mean, locksmithing is a very professional, legitimate career path. If you want to go unlock people’s locks for a living, you have to know how to break into locks. Right. I see it the same way with passwords and cybersecurity, so.
Yeah, certainly. All right. Thank you. All right. So lets kind of get to the main topic here. So talk to us about the educational opportunities that a student would find if they were considering going to Middle Georgia State University as it relates to cybersecurity.
Yeah. Well, so what I like to tell people is we have one IT degree with a lot of different flavors and cybersecurity is our most common flavor. It’s what most students are taking these days. Mainly I think because they like the term. But the other side of that is that our cybersecurity degree is designated by NSA as a center of academic excellence in cyber defense.
So we have a very strong degree. There’s about 390 institutions across the US that have this designation and we’re one of them. We have a bachelor’s degree that has that designation and we also have a master’s degree that has that designation. And we just added a doctoral degree.
It’s a cross-functional IT doctoral degree. It’s not specific to cyber, although the publication process could be in the cyberspace. But that is something new that is just in the past two years that we became a doctoral granting institution and we were the first to offer it. So of course Southern Association, SACS, which is our accrediting agency, was all up in our business to make sure that we’re doing the right thing. Right. So it is good times.
But for the undergraduate, the bachelor’s degree, we have one IT degree, cybersecurity is one flavor. We also have cyber forensics, so we’re a DOD cyber crime forensic center. We have transfer programs between us and them. So you can get a concentration in cyber forensics if you’re more interested in that side versus cybersecurity. There is a lot of overlap, but there’s a lot of stuff that’s not there.
The law is a big part of that. The criminal justice aspect is kind of heavy in the digital forensics side. We also have two degrees in software engineering and web application development. In both of those, I’m kind of a jack of all trades, honestly. That’s why you looked at my thing and you’re like, you teach all these classes and it’s like, yeah. I’m kind of in all of it.
So we have two software engineering is requiring a little bit more of the heavy math and then web applications is more the full stack and that the math has substituted with some of the design stuff like graphics design that you wouldn’t see if you were just doing straight software engineering. We do have a digital media and forensics and not forensics, digital media and gaming concentration. So if you want to learn Photoshop and 2D and 3D rendering and even how to use Unity to do game development, we have a program that’s kind of related to that.
Again, all part of the same IT degree. We have data analytics, which is database and using things like R to do statistical analysis. And then the list goes on. We have the fintech, which is also kind of part of that. Sorry if my phone is beeping in the background, I thought I had it on silent.
We have a health informatics one as well, which is basically a health flavored database and software engineering degree. So a lot of different flavors with our IT degree. Basically we sub out courses that we feel like help students guide to a particular job that they’re looking for. Like I said, cybersecurity is the most popular one.
So with the undergraduate degree, what is the degree, excuse me, what is the degree called? Is it an IT degree with concentration in? And then different flavors?
So it’s the same degree. Yeah. Bachelor of science and IT. With a concentration in cybersecurity or concentration in digital forensics or concentration in data analytics or health informatics.
So the core basic classes are probably the same and someplace in a later year then you start to converge off and take more cybersecurity classes that how much there’s… Okay.
There’s about seven courses that all the IT students share and they’re typically the business related courses like project management and systems analysis.
Because we find that those students need a good foundation no matter where they’re going in project management, whether you’re IT or forensics or even game design or software. Yeah. It’s a core class everybody can benefit from.
Interesting. So if I was a student considering coming to Middle Georgia State University for cybersecurity education, what kinds of things might I be involved in? Are there clubs or are there projects that I would be involved in as a cybersecurity student that you can share with us?
Sure. So one of the main ones is our Cyber Knights organization. It’s our student organization. We’re mostly active on Discord. We have a very strong face-to-face and online presence, so we tend to be multifunctional in that regard. But the Cyber Knights are always looking to do cyber competitions or outreach events.
National Cyber League is one that we pretty much hit every spring and fall and they really enjoy that one. I don’t know if you’re not familiar with National Cyber League, it’s a cybersecurity competition that kind of tests you to use your cyber skills and it can be a lot of fun. The challenges are always new. They’re very topical. I think the one they enjoyed best was maybe a year ago. All the challenges were based on Squid Games. So if you’re familiar with Squid Games, a lot of the challenges were Squid, had a background in the Squid Game universe. So it was a lot of fun.
Other things that we do, we always have a cybersecurity seminar in the spring. Then that’s kind of from the whole school perspective. But the cyber nights themselves, we build out our own, capture the flag and then host that for other students. And so we use that as kind of a recruitment tool to get new students into the organization.
And our students always have a lot of fun writing their own challenges. Again, they had a lot of fun answering squid game competition exercises and it’s like, well what are we going to do? And so what was it like two years ago? They built them all based on Star Wars references. So it’s like gold squadron questions and red squadron questions and stuff. So they have a lot of fun writing the challenges and hosting events and stuff.
How fun. So I want to change topics just a little bit here. I’m always interested in getting the perspective of people like you, leaders in the industry. So we’ve got what people call a skills gap or a labor shortage for cybersecurity professionals. Change cybersecurity workers. Does that change? Does that affect educational programs at MGA, do you guys, are you adapting in some way what you teach the students to meet this need that industry is clamoring about or not?
So I’m going to go ahead and mention it because it is something that we’ve been working towards, although it’s not official yet, it’s still working its way through the State of Georgia. It’s made it through our department. It’s made it through the university. It was supposed to be voted on in December by the board of regents in the State of Georgia. But I can’t find record that they actually addressed it.
There used to be a program called GAMES, the Georgia Academy for Mathematical Engineering and Sciences. It used to be a residential program on our Cochran campus. However, we lost federal funding for that or more accurately, the federal government stopped funding programs like that. And so we lost our funding as a part of that cutback. So they’re transitioning the program to be a kind of more of commuter program in the Warner Robins area. Because Warner Robins is a very large population, very large high school population.
Houston County schools is huge. So one of the things that we’re setting up to kind of deal with that, and it’s not necessarily cybersecurity specific, of course me, I’m from a software development background, so I’m software development and cyber. And so I see software development as a pathway to a later career in cyber.
Or cyber career, depends on how you look at it. But Warner Robins Air Force Base, colloquially, Warner Robins is known as War Town because Robins Air Force base is there. It’s very large Air Force base. And they have the 402 Software Engineering Division. They also have other things that they work on that requires a lot of software engineering expertise. I hear cybersecurity will have more prominence in the future, but I don’t get paid enough for that.
Anyway, one of the things that we’re working on at MGA is that we’re trying to build a dual-enrollment pathway for Houston County High School students or really regional students that can come to Warner Robins as a dual-enrollment program to basically fast track a way into Robins Air Force Base as a software engineer, or more specifically from USA Jobs, a computer scientist role.
That program will be residential in Warner Robins. It won’t technically be an online program. It’ll be computer science. It’ll require the higher levels of math because that is one thing that we hear a lot from not just the Robins Air Force base, but a lot of the other defense contractors in the area is they want advanced math, calculus one and calculus two is really sought after for a lot of these companies.
So anyway, we’re working on trying to get that program in place as a dual-enrollment program to get opportunities for students to basically fast track into Robins. And then the other half of that is that if they don’t necessarily want to go that route, there’s a second concentration. We love concentrations. There’s a second concentration that subs out some of those programs and lets them fill it in with programs from our teacher education department.
Because the other part that we see in Georgia is that we have a lack of K-12 computer science teachers. So instead they can sub out some of the courses from that program to get the minimum set of courses they need to sit for the Georgia, I think it’s called GACE, G-A-C-E. Basically the Georgia test that says that they can teach in the K-12 space.
It’s an accreditation test for teacher education programs, but there’s a certain number of courses they have to take in order to sit for that test. And so that’s the second half of that program. One will be a fast track to Robins with the advanced math. The second part of that, if they don’t want that route, they can take the teacher education route, go back into the K-12 space and start teaching AP computer science at the K-12 level.
And that’s definitely something that we have seen as a need, not just in our local area, but statewide. And to be honest, kind of like a nationwide problem is how do we get more K-12 involvement in computer science or cybersecurity specific and if you need the teachers to teach it. But then we don’t really have a good teacher education program that teaches these foundations of computer science either. Right? So we’re hoping to be kind of first in that space.
Like I said it’s past the institutions, past the departments past the institution. It’s been passed up to the Georgia Board of Regents. It’s got letters of support from Houston County high schools and base leadership and us and local leaders in the area. And we’re very hopeful that the Board of Regents in state of Georgia and I’m trying not to guilt them into passing it, but.
Whatever it takes, right?
Whatever it takes. So hopefully by the time, hopefully early next year, we’ll know for sure. Like I said, it was supposed to be voted on in December and I think they decided that December was not going to be a voting meeting at the last minute. So it didn’t quite make the schedule.
Okay. So awesome. So there are definitely some programs in place to fast track people into the workplace should they want to. And then of course, the other takeaway that I got out of that is students that are listening to this don’t shy away from advanced math classes. They need people with those skills.
So I think our audience would find it interesting. If you were to give us your top picks of our reading list, well, I’m calling it a reading list, but it could include books, papers, lectures, websites, conferences, YouTube videos, but resources out there that someone who really wants to get a good vision of what it’s like to work in the field of cybersecurity, where would you direct them?
It’s going to be funny that I’m going to say this because Black Hills, South Dakota.
There’s a company that operates out of the Black Hills in South Dakota, Black Hills InfoSec at BHIS, Black Hills Information Security. They’re very active in the community. I mean they’re kind of an offensive related company and they do engagements for corporate partners and stuff like that. But the other part of their company that they do is they have a fantastic outreach program.
They have a very active Discord server with tons of areas of topics for everything for recent news to just posting memes if you’re looking for a mentor to work you through, what did the beginning stages of an IT career look like? They have a whole kind of thread related to that. They do podcast on the news every week. They have a Twitch channel, Antisyphon that they do as well. They offer free trainings here and there, one or two hours long, sometimes half day or full day trainings.
If you just get on their little newsletter, they’ll send you a notice and saying, “Hey, we’re going to have”… The last one that I listened in on was an hour-long lecture on how to set up a home lab. And so if you want to do cybersecurity at home was basically, it was one of the BHIS guys and he’s pointing at the server rack behind him and he’s like, so this is what I’m doing.
And then describing everything that might be useful if you wanted to do your own home lab, it was a lot of fun. So they’re one of the ones that I stay engaged with because they are on the edge. They also do a lot of Wild West Hacking Fest is another popular conference they’re involved in. Anti siphon training is another thing that they’re involved in.
Anti siphon is anywhere from a day to about a week or even longer training sessions. And they typically market those as pay what you can. I mean it’s kind of weird. It’s like how much does this cost? And it’s like, well you technically can pay a dollar, but we would hope that you would pay more.
Yeah. But they’re really in tune. They have a really good active community and I try to be out there as well. They also published a card game that you can buy, Breaches and Back Doors. It’s a tabletop game for doing cybersecurity exercises. As an educator, you sign a form and they’ll send you a whole care package with stickers and starter packs and stuff. So it’s one of the things that our groups kind of like too. I also like the Humble Bundle Series or Humble Bundle Series cybersecurity series.
If you’re familiar with Humble Bundle, seems like every couple months they’ll put together about 20 cybersecurity books into a kind of, again, sort of pay what you can model. So 15 bucks for like 20 bucks or you can pay a hundred bucks for 20 bucks, however much you want to pay. And a lot of those are a lot of good books. That’s where I got my web applications pen testing book. And I really like that book. It’s a little dated, but it’s good.
Cool. Well we’ll make sure we put those in our show notes. We’ll put links to those in our show notes, so people can check out those resources. And thank you. I appreciate that. So we’re about out of time. So I have one final question. This is where we like you to dust off your crystal ball and look into the future. And from your perspective, do you see anything coming in the future that students may should be prepared for, incorporate that into their educational, what they’re learning now so they can be prepared in the future or not? Maybe there’s nothing that you see.
It’s kind of a mindset thing. One of the things that our institution that they’ve been pushing from the administrative level is the growth mindset concept. The difference between having a growth mindset and a fixed mindset. Different fields work different ways. If you’re going to be an electrician, you have to learn X, Y, and Z. You’re certified in X, Y, and Z and you’re going to do X, Y, and Z for the rest of your life. Probably not going to be a lot of difference.
You might have to keep up with housing codes or as they change, but you’re not really, you’re learning a set pattern of knowledge that you need to apply. That’s kind of a fixed mindset. You’re never going to learn anything new or what you’re going to learn that’s new is sort of fixed. The growth mindset is more of you have to be willing to adjust and learn new things and you’re never going to know it all, but you can get better at what through hard work and practice.
And so that growth mindset, I think is the most important thing. And that’s going to make you a good cybersecurity professional, not just in three years or five years, or 10 years or 15 years, is recognizing that you’re going to have to grow your knowledge set and change your knowledge set with time.
There’s no one thing that you can learn. There’s a lot of good things out there to learn, but there could be a radical shift in the next two years that will completely change everything that we know. You can’t plan on it. But if you have that growth mindset that things will change and I will learn change with them. You’ll be ready for it. Whether that’s the biggest thing that you can take away, I think.
Okay. That is awesome. I love that. So instead of trying to predict a point in the future that I should prepare myself for, just prepare yourself for change because it’s going to be coming.
So growth mindset that the lifelong learning is that you’re never going to, and it’s something that’s been really hard for me to kind of accept because I kind of want to know it all. At some point you had to accept the fact that you’re never going to know it. One of my teachers kind of told me that and he was like, Alan, you’re dumb if you think that you’re going to be an expert in everything. That’s not how the life works. Right.
At best, you’re going to be good in one specific thing. Focus what you’re trying to do here. Right. So yeah, kind of a growth mindset. And then also that lifelong learning aspect is that you’ll always be picking something new. Always learning something new. You’re never going to not, it’s like when you ask the research question, I’m always researching. I don’t think I’m never not researching because there’s always something new that I don’t know that I didn’t know yesterday.
That’s a great way to look at it. That’s a great mindset for life. I appreciate that. All right, so we’re out of time, but thank you so much. This has really been fun. I think our audience is really going to enjoy this. So thank you for your time and a big thanks to our listeners for being with us today. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.