My Big Idea

Often people claim to have the next big idea. To understand where my idea originated, we have to rewind. I was attending my former high school career fair (as the only cybersecurity professional) mid-way through 2024. It was the week prior to my one-way flight to Europe in pursuit of a career in London.

Lots of students came up to my stall and were genuinely fascinated by cybersecurity.

They had all these sensationalised ideas of what the field entailed. It was very inspiring to witness such an influence of pop-culture in a positive way on student’s perceptions and curiosity of the cyber space.

With all these intriguing thoughts of what the cyber industry entails, we should have plenty of students aiming to propel themselves down a cybersecurity career path… right?

Surprisingly, very few of the students I had a chat with embodied the conviction to actually pursue a career in cybersecurity in any way. I was very confused by this disparity of interest v.s. action.

And this is what got me thinking. If students think cybersecurity is cool, why don’t they pursue it? Of course, a multi-faceted answer is appropriate here, but a lot of the underlying reasons (doubt of own technical skills, unsure of activities that make up cybersecurity roles) were simply due to the absolute lack of exposure high school students get to cybersecurity. That’s it.

We’re literally asking students to buy the car without test driving it first.

There aren’t really any approachable opportunities for high school students to explore different skills, techniques and activities associated with cybersecurity in a school setting. Even in an extracurricular context. Yeah, there are offerings for general coding, game design, robotics… but cybersecurity - I just don’t think there’s anything really out there that caters to high school students.

So my answer - create an extracurricular lesson experience for high school students which introduces them (in a very guided and exciting manner) to different disciplines of cybersecurity like pentesting, digital forensics, blue team ops, OSINT etc.

But in a way that isn’t overly technical. Traditional certs and labs try to challenge participants to actually upskill. This would be purely to hand-hold students through experiencing what it would be like if you knew what you were doing. Hence, a “test drive”.

Get To Work

Creation of Business

I did some research and brainstorming of a suitable business name for introducing high school students to exciting cybersecurity concepts and inspiring them to enter the field.

Eventually I came up with Liftoff Cyber to represent starting from the ground and launching students into their cyber careers.

I quickly registered my business as a Sole Trader, to get my ABN, but mostly out of fear that somehow another business would take this business name and I would have to rebrand just before going live!

I also registered a domain name liftoffcyber[.]com[.]au (defanging in case change of ownership in future) - verified this via a WHOIS lookup (my details weren’t redacted, but I was planning on advertising myself openly as the founder of Liftoff Cyber so this wasn’t an issue 😎) once again to ensure my business wouldn’t need rebranding by reserving a succinct, related domain name. Along with this I bought some extra web domain protection services and basic email hosting for the domain.

A quick ping test verified the domain was live. Don’t worry, nothing valuable is actually being hosted on this domain at any point so I don’t care about sharing the domain’s public IP at this point. Just some web ports open to serve certificates and robots.txt file (which has no exposing OSINT entries).

I then came up with a catch phrase: Inspiring Next-Gen Cyber

I had ideas for branding, but wanted to leverage the artistic skills of my graphic design and CGI friends for creation of logos and promotional videos.

Having a very strong background in music production, I did however create a theme song which would be used for all marketing material. Motifs inspired by Mr Robot definitely seeped through 😂

Lastly, I created a LinkedIn Company page, for posting promotional content to in future.

Creation of High-Level Processes

I planned on creating flowchart diagrams for the different business processes needed to be developed into my website.

• CMS for public facing marketing website

• Ability to take enquiries (also handle spam/malicious lodged enquiries)

• Onboarding/offboarding of Schools, Students, IT Users (for testing my labs work in school IT environments), Parents, Admins, Marketers and Mentors [as I work full time, can’t deliver the lessons myself)

• Booking system for allocating Mentors to bookings requested by Schools (including validation that the lesson is profitable)

• Lesson quiz system - to track answers to lab questions for bookings/students

• Feedback component to build out a Career Insights section for students to review suitable career paths based on what skills/cybersecurity activities they enjoyed

• Financial assistance system for disadvantaged students or schools (“Cyber4Everyone”)

Full-Stack Web Dev

I made use of CakePHP in order to securely and easily setup an MVC type development environment. MYSQL database, which I hosted in AWS (RDS), with plans to use AWS for email notifications and S3 buckets for serving assets (videos, images, storing contracts).

I ensured to use CakePHP’s built in query builder for secure database transactions and any user input would be sanitised using the h() function within my backend PHP code. I used Bootstrap for the frontend framework, with mostly vanilla styling so I could implement brand fonts and colours later (through SCSS)

I had some fun with generating front-end animations (eg. this terminal type out, scramble, then delete) which dynamically make use of the underlying database data. In this way, my site would have lots of cool animations that are automatically updated whenever I add lessons or lesson modules etc.

Or this Offensive-Defensive spectrum which animates based on the Lesson domain from the database.

Cloud Implementation

Web Server

I started out by just using an EC2 for UAT, planning to have a production auto-scaling group of EC2’s which I could load balance. However, I found that what worked in my Mac’s local dev environment had issues when deploying to UAT / Production.

I talked to some of the devs at my cybersecurity company, and we discussed the use of containerisation. I ended up running my CakePHP fullstack web app on top of an Ubuntu Apache docker image, copying in all source code, env variables and dependencies upon creation of the docker image.

I then created (after MUCH trial and error) a Github Workflow to implement CI/CD, so that any push to the GH branch uat would update my Elastic Container Registry image in AWS, then run a new task within Elastic Container Service using this updated Docker image.

I had plans to implement a Github Workflow for deploying to an auto-scaling and load-balanced ECS Task in future but didn’t want to pay for it at early stages of dev.

Launching of VM Labs

I had plans to build an EC2 with all the configurations and applications required to complete a particular lesson, then save this as a snapshot (possibly need to store EBS associated, didn’t dive into this yet) and have some sort of remote session available through my website. The details on this were still fuzzy, but given lab VMs are used for online cyber certifications all the time, I knew it was achievable in some way.

Cybersecurity Considerations

I created a Risk Register for Business and for IT concerns, which assessed impact, likelihood, risk response (Accept by default) and any controls used for mitigation. The top risks were considered when developing the high-level processes, to ensure for a Secure Development Lifecycle, by designing the web app with security and business risks in mind, from the get go.

One of my top security risks was having my Root AWS Account breached. I chose to implement a hardware based token as my 2FA (2x Yubi Keys) to mitigate social engineering attacks, as well as setup an AWS Cloudwatch detection for Root Account usage which emailed my LIFTOFF CYBER business email, which I monitored from my phone.

Tomato is a fruit, but maybe leave it out of the fruit salad

I genuinely believe I can design this extracurricular service. But it would take sacrifices. Financial. Effort. Most importantly - time.

As a sole developer, unable to contract or employ others to assist with my startup, time was the ultimate currency which I was paying out. And it would be during off-work hours.

And for a while, I could justify the significant amount of time I would have to invest in the full-stack web app / cloud integration and business/legal aspect of the extracurricular activity offering, because it was a worthwhile cause that would benefit the cybersecurity industry immensely. As well as teaching myself a lot about cloud services, web dev, business administration… a lot of knowledge and skill to gain. Maybe as it scaled it could become profitable and almost a form of semi-passive income. Bottomline - it was a really good idea in my opinion, so it warranted someone manifesting it.

But the more I worked on it, the more I realised the scope was absolutely enormous. And I wasn’t reallllly doing it for the financial benefits - I risked losing hundreds of my own dollars trying to help out high school students. The legal requirements for operating a business within school extracurricular environments might cause even higher costs due to insurance and background checks.

Abandoning my big idea felt many ways at first - like a failure, like a waste of effort and money, like this frustration of never materialising all the thought that went into it.

I needed to take a step back.

Some decisions should be based on intelligence. When it came to achieving the more granular goals of the LIFTOFF CYBER project, decisions of intelligence were paramount. How to best structure my database, architect my business flow, assess my top cybersecurity risks and provide mitigations, how to market the offering effectively, understanding what lesson content would inspire students.

But other decisions should be based on wisdom. Not the how, but the why.

Why am I investing so much time in this project? Does the project align with my broader long-term life goals? Is it something I would endeavour to take on full time at some point if successful? Is the risk of failure worthwhile in this particular aspiration.

And the answer was always no.

I knew deep down that the scope was just too insane. And the risk of failure too high for how much I actually cared about it. The time investment too taxing.

My main goal within cybersecurity is to transition to DFIR or digital forensics for law enforcement. LIFTOFF CYBER didn’t really align at all with my primary career goals. And my other life priorities - surfing, gym, guitar, socialising, exploring - were also significantly impeded by this development project.

It’s not all for nothing - I learned a hell of a lot about business, fullstack dev, cloud tech and cybersecurity; in that sense it was a really beneficial project to aspire to and I’m happy I gave it a go. I further realised I want to spend my time in becoming a DFIR wizard as that’s where my career passion lies.

The public are welcome to take direct inspiration from any of the ideas I have shared, at their own liberty :)