Luis Rivera is an IT professional teaching networking, cybersecurity, Windows and UNIX admin, and wireless courses at the University of New Haven as a lecturer. He has many years of IT industry experience in network and security technologies and has performed a number of IT roles. Faculty profile.
Listen to the episode
Here is a full transcript of the episode
Steve Bowcut: Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and editor for Cybersecurity Guide, and the podcast’s host. Thank you for joining me today. We appreciate your listening.
Today, we’ve got a fascinating guest. Our guest is Luis Rivera. Luis is an IT consultant and network and security lecturer at the University of New Haven. We’re going to be talking about education and career opportunities for cybersecurity students and early to mid-career professionals, and specifically we’ll focus on those opportunities that could be found at the University of New Haven.
So before I introduce our guest, let me tell you a little bit about him. Luis is a self-motivated, results-driven IT professional teaching networking, cybersecurity, Windows and UNIX admin, and wireless courses at UNH as a lecturer. He has many years of IT industry experience in network and security technologies and has performed a number of IT roles. With that, welcome Luis. Thank you for joining me today.
Luis Rivera: Thank you, Steve. Great to be here. Thank you.
Key takeaways from the interview
- Cybersecurity and the cloud: There’s a significant shift towards cloud computing in cybersecurity, emphasizing the need for resilience in cloud systems to ensure uptime and reliability.
- Quantum computing and cryptography: Quantum computing poses future challenges to asymmetric cryptography, signaling a significant change in security approaches.
- Industry evolution: Rivera reflects on the evolution from hardware to software dominance in the industry over the past 40 years, noting the increasing role of AI and automation.
- Educational implications: For current students, Rivera suggests that the landscape of cybersecurity and technology will continue to evolve rapidly, particularly with advancements in cloud computing and AI.
Yeah, I’m looking forward to this conversation. This is going to be fun. So I think we want to help our audience understand who you are a little bit before we get into some of the meat of these questions.
So tell us how you first became interested in cybersecurity. What was your path getting to where you’re at?
Luis Rivera:
So my path actually started back in 1978 working for Digital Equipment Corporation. So I was a field engineer working on 12-bit computers, 16-bit computers, and then finally the VAX systems, which the very popular back then.
And then I ended up going back to school. I wanted to go back and get my degree. So I went to University of New Haven and I graduated there and then I went back into the industry and started working for the utility company.
And as I progressed through my career, I had a number of jobs within the utility company. First I was working on Novell NetWare and I went through that scenario and then eventually I got into the networking group working on Cisco routers, doing network performance, capacity planning, trending. So I had a really good understanding of the network, how things work.
And then I believe it was in 2002 there was a shortage of people in security, and so again, I said, hey, you guys are short, I’m kind of interested in security. So next thing you know I got into cybersecurity. And that’s how I pretty much worked until I actually left Eversource. But I did that position as a senior systems engineer for about 12 years.
Okay. That’s fascinating because, in my opinion, if you were to take one of those bubble graphs that shows where things concentrate and you were to have an input of something, where have people in this industry worked in the IT industry, where have they worked? I think the biggest bubbles would probably have to be DEC.
I mean anybody who’s over a certain age anyway. So many people started with that organization. And same thing with Novell and of course Cisco. So you’ve hit all the big ones.
Luis Rivera:
I hit all the big ones and I ended up getting certifications in some of them. But I think it gave me a really good background and understanding of enterprise-wise how networks worked within the enterprise. And that was one of the main reasons why they brought me on board as a lecturer at the university. Because I’m bringing a lot of industry experience based on the enterprise.
Right, exactly. Okay, interesting. Thank you for that. So research, I’d like to ask about research, but I don’t know how much research you’re doing. So let me just ask the question and you can tell us, are you doing any research currently and if so, what areas are you interested in?
Luis Rivera:
So personally I’m not doing any research. However, I’m working with the undergraduate coordinator and one of the things that she wants to do is she wants to bring in a course on network defense, enterprise-wise, a network defense course. So we’ve been kind of talking about that and we’re going to meet early next year again. So from that end, that is really an interest that I have and one that she wants us to get involved in.
Also, we really, because of the cloud, we also want to start looking more at cloud security. And so that’s another area that it’s a little difficult because you have all the major players out there. You have AWS, you have Microsoft Azure, you got Google Cloud, but you have to crank it back and make something a little bit more generic. And that’s part of the challenge.
And in terms of research and things going on at the university, I can give you a quick list here.
Steve Bowcut:
Great.
Luis Rivera:
Some of the students, what they’re working on today, they’re doing forensics of popular apps that contain sensitive info like your SSN and bank routing info. They’re also working on malware analysis of ransomware and other current malware. They’re also working on IOT devices that work with phone apps. And then one more is literature review on natural language processing. So these are some of the items that they’re working on.
And in terms of publications, they’re currently working on continuous authentication of a secure system using keyboard dynamics of the users. And the second one is examination of trends in using digital evidence to investigate murder cases and how this evidence was used in the trials.
Steve Bowcut:
Oh my, okay.
Luis Rivera:
Yeah, and the school has actually put out a couple of other publications, but I can send you the link.
Steve Bowcut:
Yeah, we can put it in the show notes. Sure, that’d be great.
Luis Rivera:
Yeah, yeah, I can forward that to you. But, again, this was forwarded to me by the coordinator and so I just want to share that with you.
Editor’s note: Here are the follow-up studies and links mentioned in the conversation:
Research on the forensics of the Zoom app on Windows, Mac OS, Android, and iOS. Forensic Science International, March 2021
Mobile Forensics of Nine Social Media Applications. DFRWS.org, DFRWS 2022.
V8 Java Script Memory Forensics. Digital Forensics Research Conference August 2022.
Mapping Offensive Security tool to the MITRE ATT&CK framework. ARES 21: Proceedings of the 16th International Conference on Availability, Reliability and Security August 2021.
Forensic Artifact Finder (ForensicAF): An Approach & Tool for Leveraging Crowd-Sourced Curated Forensic Artifacts. ARES 21: Proceedings of the 16th International Conference on Availability, Reliability and Security August 2021
Steve Bowcut:
Yeah, that’s perfect. And so I think that gives our audience a good idea of the kinds of research or publication that they might be involved in if they were to come to school there. And I think you had mentioned to me before when we were chatting before we started the recording, that most of your students, if not all of your students currently are graduate students. So I would assume that most of that research would be limited to graduate students, but maybe not, maybe sometimes you have undergrads that are getting involved in some of that research.
Luis Rivera:
We actually expect the undergrads to get involved.
Steve Bowcut:
Oh good. Excellent.
Luis Rivera:
Yeah. Yes.
Steve Bowcut:
That’s a great opportunity for undergrads.
Luis Rivera:
It is.
All right. So I next wanted to ask you about if there is kind of a thread or a throughline over the course of your academic career. And just for fun, I’m going to take a stab at answering this for you. It seems like network security is your thing. So would that be how you’d answer that question?
Luis Rivera:
Yes, I would say my first love is networking and then obviously because of the work that I did in networking, I did a lot of packet tracing analysis, doing capacity planning and trending, and then basically doing deep dive packet analysis in some cases.
I got a really good understanding of how packets basically work and how networks work coupled with everything else that you need to know about networking. And that is how routing works and how you filter packets, et cetera. So that was really, I could say, the groundwork that kind of helped me understand and made it a little bit easy for me in the security.
Because all you’re really doing is… A packet is a packet, it doesn’t matter. And I tell this to my students, I’m like it doesn’t matter how you look at it, if you’re a networking person, you really need to understand security, you need to understand applications. If you are a security person, you still need to understand how networking works. You can’t undo one and the other. And as you go through the TCP IP model, you have to be able to follow how that data is traversing the network.
So I kind of challenge them and I bring this up in my security classes, you need to do baselining, you need to understand what’s on your network, you need to have some type of visibility and all these are important because if you are getting attacked you really need to know where or how you are getting attacked and what can you do to mitigate it if it’s obviously not a zero-day virus.
So it’s, again, working with and trying to convey the message because I’ve kind of lived through it but again, I also want the students to understand that they need to take a step back and kind of look at things. And the focus I usually try to tell them is don’t look at just one piece, look at everything. Look at the enterprise. And again, I come from the enterprise so I’m always pushing the enterprise.
Okay. Excellent. Thank you for that. I appreciate that. So let’s turn maybe toward many of our listeners, I think, turn in to find out what educational opportunities are out there for them. And so let’s talk about the University of New Haven specifically.
If I was just coming out of high school or I was an undergrad somewhere and I’ve decided that cybersecurity is where I want to go and even an early career professional if I’m working somewhere but I think cybersecurity is where I want to get some education, what kinds of programs or opportunities will they find at the University of New Haven?
Luis Rivera:
So just to take a step back, the University of New Haven was founded in 1920 as basically it was the New Haven, YMCA junior college, a division of Northeastern University.
Steve Bowcut:
Really? Okay.
Luis Rivera:
I did not know that until I read the bullets. And it actually shared buildings, laboratories, and faculty members at Yale University for 40 years.
Steve Bowcut:
Oh wow, okay.
Luis Rivera:
Yeah. So basically this is how the school came to be. So over the years, obviously cybersecurity is one of the areas. When I went to school at University of New Haven, I basically graduated with your traditional bachelor’s in electrical engineering because this was back in 1993.
And so over the years, obviously a lot of disciplines have come in. The cybersecurity obviously is the one that people like to look at. We also have artificial intelligence, we also have data science. Again, we have your traditional bachelor’s in engineering, and bachelor’s in mechanical engineering. And so we cover all the disciplines. And we are one of, when you talk about cybersecurity, we are one of 22 schools in the US that has what they call the CAECO, which is your National Center of Academic Excellence in Cyber Operations. So we’re one of 22, and you can look that up very easily at the website.
But we offer scholarships. So again, if you are coming on board, and so that’s either done through the Cys Ops. There’s two scholarships that we offer. And they’re on our website. And I can’t remember exactly, I think one of them is Cys ops and the other one is, can’t remember what it is. I think that one is, let’s see, CyberCorps Scholarship.
Steve Bowcut:
Oh, CyberCorps.
Luis Rivera:
Yep. CyberCorps and then the CysP scholarship. So we have those two scholarships.
In terms of the school, we have really good relationships basically in terms of companies that we’ve worked with and companies where we have placed people, the list is pretty extensive. Obviously Connecticut being the center of so much technology here because we have so much industrial industry here, we’ve always had Sikorsky, we’ve had, well now they’re not called Pratt & Whitney, but what used to be called Pratt & Whitney.
But I think from there we have, because of the relationships, we have relationships also with Electric Boat, with the FBI, IBM, Motorola, NSA, DHS. So we have a lot of relationships. And then the ones that people like, like Google, Facebook.
Steve Bowcut:
Yeah, exactly.
Luis Rivera:
The ones that everybody thinks about. And also with my former company, which I used to work for Eversource, which is again, the utility company.
And so we have a lot of relationships, we have funding. We also are part of the Connecticut Institute of Technology and we are trying to bring all that into light. So that basically is all the engineering disciplines that we have here. So, again, I know cybersecurity is kind of like the hot button, but again, you have to think about everything else. Manufacturing, other disciplines, your traditional engineering, computer science. So basically we are taking all of that together.
So the CIT, in terms of what we’ve done through the CIT, students have found security issues that have affected over 1.5 billion people worldwide.
Steve Bowcut:
Really? Okay.
Luis Rivera:
Yeah. Some of the students and professors, they actually have helped solve real crimes in Connecticut and beyond. They have secured external grants exceeding 7 million dollars. And again, these are the corporations that I just mentioned. NSF, NSA, DHS, MITRE, another big contributor.
And again, students have landed really good jobs. We actually had one student that received a Google scholarship to attend a digital forensics workshop. And we’ve done that for the past three years. We also, just to help out the community, we’ve actually gone in and have helped some of the local schools where we’ve had cybersecurity camps, ages from 9th grade to 12th grade. And so we get involved with the community. And again, we also have a really excellent cyber research lab here in Connecticut.
Steve Bowcut:
Sounds like a great place to go to school.
Luis Rivera:
Yeah, just really quick, the facilities, we have a multimillion-dollar cyber center, we have a cyber operations lab, we have a data science laboratory, a CS laboratory, and a networking laboratory. So yeah, we’re kind of pushing ahead.
Yes. Yeah, no, that’s something you should be very proud of. You’re really addressed these issues as a university. That’s great.
I wanted to move to a question that’s kind of near and dear to my heart. And that’s what is commonly referred to as a skills gap. So just for our listeners who weren’t familiar with that term, a skills gap is bannered around in the industry a lot to describe the shortage of qualified cybersecurity professionals. And I’m finding that at every level really. I hear stories and I write articles about people who can’t find enough qualified people. So I think it would be interesting to get your perspective.
First of all, are you seeing that there is a skills gap in cybersecurity? And if so, is it having an impact on what your university is doing? Do you design certain courses to get people out into the industry sooner or quicker or in entry-level jobs? Or does it in any way impact what’s going on?
Luis Rivera:
That’s a great question. The skills gap, I think some of it really has to start with expectations that need to be set. I’ve had this conversation again because I have one foot in the industry, and the expectations that really need to be set is, you have someone, let’s say, who graduated from school with a cybersecurity degree.
Now the question is, did that person participate in other areas? Did they pick up skills as an intern? Did they do co-op? Did they join a hacking team? So the issue, I think it really comes down to, are the students that are coming out of school, are they, I guess the term is are they hungry? Are they actually going out there and wanting to grab and get a job and learn about different skills along the way?
So companies also have to be realistic because again, if you bring somebody on board, you can’t expect them to have obviously years of experience. So really it’s a two-way street. The student or the graduate needs to come in with an open mind and say, “Look, I’m here. Whatever you want me to do, whatever skills you want me to pick up, I can do it.” And then the employer has to do the same thing on their end and say, “We’re going to bring you in and we’re going to mentor you. We’re going to have you pair up with somebody and we want you to pick up these skills.”
Now, most of the skills in terms of people that I’ve asked, they would like to at least see someone that comes in as a SOC analyst or security analyst. However, if you have been in the industry and let’s say you’re graduating with a master’s, they’re going to expect a little bit more from you. They’re going to expect that you have more design skills and maybe eventually you might move up to maybe an architecture kind of position.
So a lot of this really, and I always had this conversation even with my students, that I basically tell them, your career is your responsibility. You need to make the choices, you need to find out what’s important, and then you need to pursue it.
And so I tell them, try to pick up as much skills as you want, because when you’re going out to the field, you bring a certain skillset. However, if someone else is bringing the same skillset, but they’ve done more, let’s say you just done security, they’ve done security, but they have done things where they’ve done automation, they’ve done programming, they’ve done this and that, and all of a sudden they have a bigger skillset, well, if you’re an employer, who are you going to hire? If all is equal. But again, it’s important that I think people, they want to bring folks in, but they also want to make sure that this person is going to fit into the culture.
The other thing that I do hear a lot is that they don’t want anybody who can just come in and just sit down and just stay in a corner and do the work. They are looking for people that can communicate. They’re looking for people with excellent soft skills. They’re looking for people that, and I hear this term, they’re looking for future leaders. They’re looking for future leaders too.
So again, one of the classes that I have is enterprise networking design, and I break it down into groups. Every person in that group has to present. So I basically say, look, you have to be able to do presentation. I need to hear from you. And these are the soft skills that companies are looking for. They’re looking for people that are organized, people that can lead people, et cetera, et cetera.
Steve Bowcut:
Okay. Yeah. And that’s good. And I think that helps me, at least in my mind, help me formulate where the skills gap may exist. Sometimes I hear from people and they say, I just need warm bodies. Somebody with a bachelor’s degree can sit in a SOC and respond to alarms all day. But that doesn’t take a lot of skills to do that. And so I think where this real skills gap, if there is one, exists, it’s above that. It’s where you may have plenty of people to sit in your SOC, but what you really need are some pen testers or some threat intelligence analysts or something like that.
And it’s getting people to that next level that maybe there’s a shortage right now. And hopefully the people that are sitting in a SOC right now are going to get tired of sitting in the SOC and they’re going to get whatever education or attain whatever skills they need to move up through the organization.
Luis Rivera:
In one of the polls that I did, because I reached out to some of my friends, some of my peers, they’re telling me that yes, they’re also looking for people that can do forensics. They’re looking for people that can do other types of jobs. Because I do mention the SOC of security analysts, but obviously if you can bring somebody on board who can do other tasks and again, pair them up and mentor as a junior person, then that helps also. And that would relieve the load. But the employer has to really have someone there to kind of guide that person.
Steve Bowcut:
And everybody’s situation is different. I know sometimes there’s a tendency to give advice. If one of my kids was looking at making this decision in their life right now, I might say, well get the basic education, maybe graduate with a bachelor’s degree, then go find a job and then see what you want to do for additional skills and come back and get more schooling.
But if you’ve got the ability to go in as an undergraduate and then start working on your postgraduate work immediately before you actually enter the job market, you’ll enter at a different place. And if that’s where your interest lies, then that’s probably the course you should follow. So interesting.
Luis Rivera:
Yeah, and I also tell them, just because you have this particular job within the industry doesn’t mean you’re going to stay there. I’ve had five different jobs in my career, so I’ve morphed from one to another, but eventually you find your niche.
Steve Bowcut:
Right, that’s true.
Luis Rivera:
And you find your niche and then eventually you end up becoming a subject matter expert.
Steve Bowcut:
You pick up skills along the way and eventually you’ve picked up enough skills that you add some real value to any organization.
Luis Rivera:
Exactly.
All right, well let’s move on here. Maybe speaking of advice, and this is, I don’t know if this qualifies advice, but I’d be interested in hearing some of your top picks for a reading list. And I use the term reading list quite broadly. It could be books, papers, lectures, even websites that people should spend time on or conferences that they should attend.
But essentially it’s if you’re someone thinking that you want to get into cybersecurity and you really want to figure out what that industry is about and what life in that industry would look like, what would you suggest? What kind of a reading list or would you suggest?
Luis Rivera:
So I had the opportunity when I worked at the utility company to put an RFP together, and we were outsourcing security. This was back in 2003, I think. And we basically were looking for someone to, at the time they’re called an MSSP, now they call them MSPs to help provide additional resources.
Again, we worked from nine to five or eight to five, and we wanted someone to kind of monitor our firewall logs and our IDS logs and alert us if something happened. And that was my job. So I ended up putting this extravagant RFP out and there were a number of vendors that were on the list, and it came down to a couple of vendors. And then eventually I ended up choosing one. And I came to find out that the person who actually responded to my RFP and answered every single question was Bruce Schneier.
Steve Bowcut:
Okay. Doesn’t surprise me.
Luis Rivera:
Yes. This was, I believe at the time when he was working for Counterpane or he was doing work for Counterpane and that’s what we ended up going with. So I follow him, he’s got his website, Schneier on Security, is his blogs.
Steve Bowcut:
I follow him faithfully as well. If any of our audience doesn’t know who Bruce is, you should look him up and follow him. He’s kind of a legend in the industry by now.
Luis Rivera:
And then also, I’ve been a member of IEEE. So I do get, I think it’s monthly, it’s called the Edge, their monthly magazine. And I like it because it talks about a lot of things that I’m not following blockchain and quantum computing and just things that are being done today. I’m like, okay, that’s great because there is so much information out there that you can only pick and choose so much. I also like to watch TED Talk. There’s a lot of cool videos in TED Talk and I got to watch a few of them and then that kind of led to a book that I read, which is this one right here.
Steve Bowcut:
The Cuckoo’s Egg.
Luis Rivera:
The Cuckoo’s Egg with Cliff Stoll. So this is a fascinating story, I don’t want to give it away, but he was working at Berkeley Labs in California in the late eighties on VAX Systems. He was an astronomer, an astronomer who was a systems manager managing VAX systems. And he was finding a 75-cent accounting error every month, and that’s what led to this right here.
Steve Bowcut:
Oh, okay.
Luis Rivera:
Yeah. So this is, again, they call this a tracking a spy through the maze of computer espionage.
Steve Bowcut:
We’ll put a link to that in our show notes so that our listeners can find it.
Luis Rivera:
And again, I was fascinated because I understood what he was doing because he was doing it all in the VAX system. So I’m like, wow, I can relate to that.
Steve Bowcut:
Very cool.
Luis Rivera:
And then there’s others out there too. I mean there’s SC Magazine and there’s Krebs on Security, but I can’t read all that.
Steve Bowcut:
That’s true. And that’s kind of why we asked the question because there is so much out there that it’s kind of nice to have someone say, “Well, if you’re interested in a certain area, this is where you should look.” Because there’s no time to read it all, so you have to kind of specialize. All right.
Well, I want to wrap up here with kind of a fun question. This is the question where we ask you to dust off your crystal ball and look into the future and tell us what you think the cybersecurity industry is going to look like in five years or ten years or anytime in the future you can pinpoint.
Luis Rivera:
Oh boy, that’s a really good question. The way things are going, we are obviously seeing a big push to the cloud. And some of the things that are popping up, we talk about cybersecurity resilience. Again, how do you make sure that if you’re using the cloud, that your systems are staying up if something happens out in the cloud, which could happen to anything. It could be if you have an ISP, your ISP can go down that day too.
So the other thing, so I think about things like that, I think about quantum computing.
And how that might eventually break asymmetric cryptography. Thank goodness I won’t be around in the industry when that happens.
Steve Bowcut:
I agree with you there. That’ll be more than just a few years. But when that happens, things will have to change.
Luis Rivera:
Things will have to change. It’s fascinating how when I first started in the industry, and that was 40 years ago, and how I started working, I would actually have an oscilloscope in my car and I would run around fixing things to where we are today. Everything back then was mostly hardware based. And now everything nowadays is all software-based. AI.
And so it’s going to be interesting how AI all plays out and where I kind of see that area really growing into… Between AI and automation, those are the areas that I think are going to shake things up. I don’t know how and when things will actually take place, but you just see the transformation that’s going on where we’re shifting to the cloud, we’re shifting to AI, we’re shifting here, so we’re moving off of your on-prem kind of setup, and everything is all shifting to the cloud. It’s going to be interesting. It’s going to be interesting. Where that takes us next, I would say the next generation.
Steve Bowcut:
Yeah, no, I agree. And that’s very helpful. I think our listeners will find that helpful. They’ll be able to remember that for many of these students starting now or in the next year or so, things are going to look quite a bit different. Particularly if they go for a master’s degree, things are going to be different before they actually enter the workforce. And so it’s helpful to start thinking about the changes that we’re just seeing starting to happen now in five or six years, what that might look like. So that’s very good. Thank you. I appreciate that.
Well, that’s all the time we have. Thank you so much, Luis. This has been fun. I appreciate your perspective.
Luis Rivera:
Thank you.
Steve Bowcut:
I’m sure that our audience is going to appreciate it as well. A lot of good stuff. So thank you. I appreciate it.
Luis Rivera:
Thank you.
Steve Bowcut:
And a big thanks to our listeners for being with us today as well. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.