Tyler Flaagan is an instructor of computer and security sciences at Dakota State University.
The university is recognized as a National Center for Academic Excellence in Information Assurance Education, Information Assurance Research, Cyber Operations, and most recently as a Cyber Defense Regional Resource Center. Faculty profile.
Here are the key takeaways
- Research focus: Flaagan’s primary research area is offensive security, which he also focused on at the DoD. His Ph.D. research is more networking-based, dealing with networking protocols.
- Offensive security: The goal of offensive security is to identify and address vulnerabilities before they can be exploited maliciously. This includes penetration tests, vulnerability assessments, red team engagements, vulnerability research, and software exploitation.
- Cybersecurity at DSU: DSU offers a range of cybersecurity programs from associate to doctoral levels, including cyber operations and cyber defense. The university is a recognized Center of Academic Excellence by NSA and DHS and hosts the MadLabs research facility, where Flaagan works in the Deep Red lab focusing on offensive security.
- Advice for aspiring cybersecurity professionals: Flaagan emphasizes exposure to various aspects of cybersecurity to find one’s interest. He recommends participating in activities like the GenCyber camp at DSU and working on projects outside of class to discover specific interests within cybersecurity.
- Career paths for graduates: DSU graduates enter diverse fields in cybersecurity, including government roles (like DoD), national labs, and various industries that are increasingly recognizing the importance of cybersecurity.
- Cybersecurity awareness and future trends: There’s a growing awareness and improvement in cybersecurity practices among the general population. The field is rapidly evolving, with new challenges and technologies emerging constantly. Flaagan advises students to stay updated with the latest developments and trends.
How did you first become interested in cybersecurity and what did your early career look like?
When I was in high school, I had the opportunity to take a special networking class, it was based around Cisco networking. The way the course was laid out, it was designed to be kind of a CCNA bootcamp.
But basically what happened was the instructor of that course had a couple of students who had already come down to Dakota State University, and said they’d liked it and things were going great. So he was always pitching that to us.
I ended up coming down to Dakota State University as a freshman in 2011. So I started in 2011, and I graduated with my bachelor’s in 2014, and then I graduated with my master’s in 2016. I started my doctoral program immediately after that, but I also went full time into the Department of Defense (DoD). And then after a couple of years at DoD, came back as a faculty member now at DSU. I’m still working at finishing up my doctoral degree.
What kinds of things are you currently looking at or researching?
One of my primary areas is offensive security. That is the primary thing that I did at the DoD. Offensive security has always been one of the most interesting things to me so that’s one of my big research areas I’ve been focusing on. For my Ph.D., it’s a little bit more networking based, working with networking protocols, understanding how things work, stuff like that.
Okay. So can you just explain what offensive security is, and what maybe, what are some of the things that a person like yourself, a researcher, would look at or try to study?
The goal of someone doing offensive security is to find problems before someone else can do something malicious with those problems. There are so many different areas of offensive security and so many different types of assessments that you can do.
So, for example, when it comes to actually doing testing and things like that, I’ve done plenty of penetration tests, vulnerability assessments, red team engagements, all those varying types of assessments in an attempt to discover vulnerabilities and then and give plans to mitigate and eradicate those vulnerabilities before they’re able to be used against someone.
Some other areas that I’ve spent some time on are vulnerability research and software exploitation. So those kind of go hand in hand with the other pieces just because once a vulnerability has been found, through VR or software exploitation, all that kind of moves into a penetration test.
Okay. And then maybe you could just talk a little bit about what’s happening at Dakota State, what’s the state of affairs cybersecurity-wise? Do you have a department there? Is there a special unit looking at cybersecurity?
Like I said before, when I was in high school, I got this advice from an instructor that said that they’d had students attend the program at Dakota State and they really liked it.
DSU has had a cybersecurity program longer than I’ve even been here. So pre-2011 there was a computer network security degree and it’s been renamed to cyber operations.
We also have a network and security administration degree that’s slightly different from our cyber operations degree, but they’re still very much security-focused. We also have degrees from associate’s level all the way to the Ph.D. level. We have varying programs that offer cyber operations or cyber defense or computer science … the idea is we have multiple stacks going up.
So we have computer science degrees at the associate’s, bachelor’s, master’s and doctoral levels. We have a cyber operations degree at the associate’s, bachelor’s, and Ph.D. level. We have a cyber defense degree now in the Ph.D. level, and the master’s degree level. So we have all sorts of different stacks as far as programs go.
We’ve been a Center of Academic Excellence for NSA and DHS for, again, more years than I’ve been around and I think we have four of those right now. Then we have the MadLabs, which just opened up in October. So the MadLabs specifically are designed for research. There are lots of different labs with their own areas of focus. The lab that I work with is Deep Red, which is focused on offensive security.
Many of those labs are security-focused, pretty much all of them.
What’s a MadLab?
It’s Madison Cyber Labs.
And along those lines, do you have a recommendation, let’s say somebody is reading this and they’re like yourself, maybe a high school student who is getting interested in cybersecurity issues for the first time, or maybe this is something you talked to your students about if they’re just getting into the field. Is there a place you direct people or maybe it’s a programming language they should learn, what do you advise for first steps in getting into the cybersecurity field?
First steps are kind of hard, because there’s just so many areas. For a week in the summertime for the past six or seven years, we’ve run a GenCyber camp. We’re the largest residential camp in the nation and have been for a while, where we bring high school students on campus for a week.
They stay in the dorms, they go through a full day of classes where we’re doing all sorts of different cybersecurity stuff. The greatest thing with that is when it comes to getting them interested, is exposing them to as many different things as we can.
Even inside the small area of offensive security, there’s all sorts of different little areas that you can kind of go into. And within security as a whole, there’s just so many more. So we try to expose them to as many different things, so they can find their interest and kind of go from there. If we can get them interested from there and excited about it, we can get them to DSU and they can further develop that interest as they go through their coursework.
At the end of a program our bachelor’s graduates are coming out, and they’re not all going into the same exact line of work. There’s all sorts of different areas of security that they can go into and we don’t know where they’re going to go until they decide.
At what point do students need to make those kinds of decisions? In some kinds of degrees, you kind of need to decide early, “Oh, I’m going to specialize in whatever it might be.” But in cybersecurity, is there such a thing as a general cybersecurity degree? Do students have to choose early on, or is there such a thing as a general preparation cybersecurity degree and then you go on to the job training or maybe then you decide to do a master’s degree or something like that?
I’d say at a very general level there is. Like I said, at DSU we have two primary programs that deal with it. We also have computer science that … It’s not completely security focused, but since it’s in the same college, that same unit, they’re still getting some of that security around them and they’re still working with security students.
I’d say having a general idea of what you want to do at the beginning, anyways, is a good thing. It’s not always required. At the end of the day, students coming out of our cyber operations program can go into a ton of different things. They’re not specialized into one area at that point. Cyber operations is so broad, and then there’s so many different topic areas that they can still go wherever they want.
One thing we always encourage our students to do is work on projects outside of class… stuff that interests them. Many of them usually find the things that interest them before they get to the end and that’s usually the area where they start looking for jobs.
Whether it’s offensive specifically or defensive, or vulnerability research and software exploitation, or threat hunting or whatever. So even even as a cyber operations program, it’s general enough to where they can still get out and go to anything really in security, or even even out, getting on the edge of security, going to software development type roles. We’ve had students do that as well.
What are some other places or other kinds of jobs that you see your students leaving the university and kind of where are their employment areas?
So outside of DoD specifically, we see a decent amount of students go to national labs. So whether those are federally-funded research and development centers (FFRDC), or labs from the Department of Energy. We see a decent amount going there now, especially with our scholarship for service students.
Outside of that, I think we’re getting to the point now in 2020 that most other industries are starting to kind of have those roles at their organizations. Where most places, 10 years ago, 15 years ago may have only had a couple of people. Those parts, those business units are growing. So we are seeing people go all over the country and to all sorts of different industries.
Do you think cybersecurity is becoming a mainstream concern?
I definitely think it’s moving in the direction of people starting to have a better understanding of cybersecurity. So earlier I mentioned I work in one of the MadLabs, the Deep Red lab — we do penetration tests and red team engagements and things we’re seeing on those assessments is people are getting better.
They’re not clicking on phishing emails as much. Even when we spend the time to create a really good phishing email, they’re not entering their credentials when they’re prompted. A lot of those things that we would use and that would be gangbusters years ago, really easy stuff like that, it’s getting harder to do. So, yeah, I definitely think there’s definitely more awareness now than there has been even in the last couple of years. It’s getting better.
Yep. And then moving on now to sort of our advice category. What advice do you give your students?
I always tell them to try to find the things that they’re interested in. One big thing for me when I was working in government, is that I want to work on stuff that I’m actually interested in. I don’t want to just go to work from 8:00 to 5:00 and then just go home at the end of the day. I really want to show up and be interested in what I’m doing, and solve challenging problems.
Is there one kind of quintessential cybersecurity resource or reading material that you point people to or that you keep coming back to maybe when you’re teaching? Anything like that that you recommend?
So depending on the topic, I have some specific things that I point students towards. But one big thing where I think I might differ from a lot of the other people that you ask when it comes to reading lists is that I always tell my students when it comes to offensive security, I don’t have them buy books or anything like that. The reading list consists mainly of blog posts.
In offensive security, the people that are doing a lot of the research when it comes to penetration tests and red team engagements, it’s not usually academic papers. It’s people out in the field working in industry. Really what I tell them is if you want to know about it first, you have to follow the right people on Twitter, and you have to read through Reddit.
So when they come out with new stuff, the first place that it’s going to show up is it’s going to be on Twitter, a tweet that’s a link to their blog post. So that’s one of the things when I was red teaming day in, day out, one of the first things I did every single morning, it’s something one of my mentors taught me — is I would get on, look through Twitter, I’d look through Reddit and basically any other blogs and news posts that I had lined up. I would spend 20-30 minutes going through all that to see what happened overnight or the day before to find the newest stuff.
Yeah. Cool. So the last question is, this is a little bit maybe speculative looking ahead somewhat, but I also think it’s interesting just to get everyone’s take on. Thinking about the future, what do you think the cybersecurity field will look like in the next five or ten years? What are some things that you see developing that are maybe new trends, or things that are just always going to … The fundamentals will always be there, but what do you see when you look ahead? What kinds of things are you thinking about or advising your students to keep an eye on?
So looking ahead, the next five, ten years. Cybersecurity is going to change. Obviously it’s a very fast moving area. I think there are still going to be problems in five or ten years. They’re just going to be different problems.
So that’s one of the things that I think is going to change in that way, but it’s still going to be around, we’re still going to have to deal with it. When it comes to teaching students, it’s really just trying to keep up with what’s going on.
Technology changes every day. It’s fast moving in and in and of itself. So if they’re kind of paying attention and working with some of the latest stuff and at least keeping up to date.
That makes it kind of unique too, in how fast it is moving fast it’s changing