EPISODE 85
The CIA Triad – The Basis of Cybersecurity (Integrity)


About this episode

In this episode, Kip and Jason discuss the second pillar of the CIA pentagram, Integrity.

The whole idea of integrity is making sure any entity that you interact with has not been modified after creation and exists where it needs to be.

Jason mentions that the balance between the pillars of the pentagram is not always perfect: depending on the real-world situation, the solution tends to lean towards one or more of the pillars.

Kip explains how digital signatures work and what the best use cases for them are, while Jason dives deep into how hashes work and how to best utilize them.

Again, Kip and Jason go over some interview questions to give you an idea of what kind of questions you might encounter and what a good answer sounds like.

Jason then finalizes the episode with a great reminder to always make sure you test-restore backups every few weeks when setting up integrity and backups in your organization.

What you’ll learn

  • What are some real-world examples of integrity?
  • What is hashing, and how do we use it?
  • What are digital signatures?
  • How can you verify a file’s integrity?


Episode Transcript

 

Kip Boyle:          
Hi everyone. Welcome to Your Cyber Path. Welcome back. Hopefully you’ve listened to previous episodes and we’re glad you’re here. I’m Kip Boyle. I’m here with Jason Dion. Hey Jason. How’s it going?

Jason Dion:       
Hey, Kip, nice to see you again.

Kip Boyle:          
It’s good to see you too. I told you I was going to Kazakhstan, but did I tell you what happened? Did I tell you anything about it?

Jason Dion:        
A little bit, but why don’t you share with the audience.

Kip Boyle:          
Yeah, okay. Listen, so everybody, the reason I’m telling you I went to Kazakhstan is because I never planned to go to Kazakhstan. All right? I see this as one of the benefits of being in the cybersecurity career field because you never know when someone’s going to walk up to you and say, “We need your help. And oh by the way, would you mind going to Kazakhstan to help people?” Because turns out people in Kazakhstan need cybersecurity just as much as anybody else, so-

Jason Dion:       
Go figure, right?

Kip Boyle:          
… Go figure. And that’s what happened to me. Actually the opportunity came over from somebody that I was loosely connected to on LinkedIn. I got to tell you, if you’re not on LinkedIn then these things will never happen for you. They don’t happen for me every day. But they do happen, I’d say once or twice a year somebody reaches out to me on LinkedIn and asks me would I be interested in an opportunity and this is one of those cases. So I went down to visit Jason in Orlando. We did the recording for the course, we talked about that last episode, and then I got on an airplane and off to Kazakhstan I went. Listen, Kazakhstan is an amazing place. It is unique. Whenever I go to a new place, I always ask myself, what does this place remind me of? Where else have I been that this place reminds me of? And I had to think about… I had to mash up five different places in order to just fully describe what I was experiencing in the capital of Kazakhstan, which is Nur-Sultan, which is also known as Astana.

And sometimes I felt like I was in an old Soviet bloc country, because of course they were and there were still remnants of that everywhere, including the uniforms that the police wore was pretty interesting. The Ministry of Defense building still had all that old Soviet architecture. Sometimes I felt like I was in a science fiction movie because the architecture, the steel, and the glass, and the way they had everything laid out on a lot of these places was very futuristic looking to my eyes. Sometimes I felt like I was home in a mall because they have these shopping malls that are just like the malls that we have here in America. And then sometimes I felt like I was in Las Vegas because some of the apartments… They have these huge apartment buildings and the facades on them reminded me of Caesar’s Palace in Las Vegas.

And just some of the ways that the city was laid out, also these huge wide boulevards, also kind of reminded me of Las Vegas. And anyway, so I’ll tell you the most interesting thing that happened to me, a pedestrian thing, normal thing, is we went to eat at a Chinese restaurant. We were served by Kazakhs, so people who were indigenous to that area and they spoke Russian.

Jason Dion:        
Huh. I guess [inaudible] a former Soviet bloc they probably had to learn Russian.

Kip Boyle:          
Yeah, they did. And Kazakhstan has a 3,000 mile border with Russia and a 3,000 or 5,000 mile border with China. So politically it’s been the geopolitical… They’re sitting right next to these two giant movers and shakers on the world stage. And I could go on for a long time about the implications of that, but I think you can probably imagine with what’s going on in Ukraine that people in Kazakhstan would be on a little edge right now.

Jason Dion:        
I can imagine. And probably why they need cybersecurity there to make sure they’re being well protected.

Kip Boyle:          
Yeah, exactly. Anyway, it was fabulous. If anybody gets a chance to go, I would say go. Don’t mention Borat, don’t say anything about that. Leave your mankini at home, you won’t need it.

Jason Dion:        
Yeah, it’s one of the countries I haven’t been to yet. I’ve been to 50, 60, 70 countries around the world. I travel quite a bit both in my previous job and in my current job. And I have not gotten to Kazakhstan yet, so I’ll have to keep an eye out for an opportunity to get out there.

Kip Boyle:          
Yeah. Well, I wouldn’t be surprised if more opportunities show up. They are trying to really assert themselves onto the international scene and boy, I met some really great people so I have a lot of good things to say about Kazakhstan. But anyway, so let’s get to the point of the episode, shall we? We’re going to talk about the CIA triad and particularly, we’re going to talk about the letter I in the CIA triad, which stands for what, Jason?

Jason Dion:        
Integrity. And just a quick reminder, we’re going through a five part series right now. This is part two. And we are talking about the CIA triad, which we talked about last week being that it’s really more of a pentagram I guess because there’s five points, not three anymore. The original CIA triad was confidentiality, integrity, and availability. And then they tacked on the N and the A at the end, so it’s now CIA NA, which is non-repudiation and authentication. And this week we’re really going to be focused on integrity. Now when we talk about integrity, how do we best define integrity? Well, I like to think about integrity as saying that the file, or computer, or the thing that you’re measuring has not been modified since you created it. So if I wrote down a list for a course that we’re going to build, I say okay, here is the 500 lessons we’re going to put in this course.

Once I do that and I stamped my… I say, hey, I’m done and I save that file, that file should keep those 500 lessons in the right order and should not be modified unless I specifically want it to be modified. So if I put it on my storage drive and all of a sudden I go back tomorrow and there’s only 300 lessons, that means we had a bad thing happen. Somebody touched my file and changed it without my permission and that would be a lack of integrity. So the whole idea with integrity is making sure that the thing hasn’t been modified or changed since you created it and you said that that’s where it needs to be. So Kip, I know when we were doing show prep you kind of gave me an example in the real world that really wasn’t even a digital example necessarily, but I thought it was a great example. So I’m going to let you go ahead and give the real world example of an ATM.

Kip Boyle:          
Sure. We’ll call it semi-digital because there’s a little bit of computer action going on here, but not much, certainly we don’t think about it. So if you go to an automated teller machine and you want $100.00 or whatever your currency is, and so you put your card in there, you tap in your pin and then you tell the ATM, I’d like $100.00 please. Well, it takes a moment for the ATM to decide whether it should give you $100.00. Well, what’s going on in the background is that the ATM has generated a message and it sent that message back to the central computer at the bank. It may not be your bank, but it is a computer that knows what your bank balance is wherever that account happens to be. Now, the important thing to know as far as integrity is concerned is that message that goes from the ATM that you’re standing at, that goes back to the computer that knows your account balance is not encrypted for confidentiality.

It is encrypted for integrity because they don’t want the amount of money that you’re asking for to change from the time you type it in on the keypad to the time that it gets back to the computer at the bank. Also, they don’t want that number to change because if the bank computer says, sure, Kip can have a hundred bucks, he’s got $101.00 in his account, so that’s okay, when that message comes back to the ATM, that ATM should not dispense $1,000.00. Right?

Jason Dion:       
Yep.

Kip Boyle:          
But if we could somehow get in there and mess with that message, the ATM would go, guess he’s got $1,000.00, let’s give him $1,000.00. But of course I wouldn’t because I only have $101.00. So when people designed ATMs, they said, what’s the most important thing here CIA wise? And it was integrity. And so that’s what you have today.

Jason Dion:        
Yeah, and I think that’s a really good point because when you’re building a system, if you’re working as a cybersecurity engineer or even an analyst and you’re looking at a system and you’re trying to determine what is the most important thing, when we talk about the CIA triad, it’s not this perfect triangle of CI and A, but instead this triangle can get moved around. And so for some applications, confidentiality is critically important and others it really doesn’t matter at all. And so as you start thinking about what is the most important part of the C, I, or A for this application, you could start stretching and putting more resources against those things. For example, we talked last week a lot about confidentiality and in the world I came from in the DOD, we deal with a lot of things that are secret, and top secret, and caveated information and so we really focus highly on confidentiality, but integrity is important too.

And there’s some things where integrity is more important than confidentiality and that’s really what we’re going to be focused on today as we start going through this particular podcast episode. For example, one of the things I think about when I think about integrity, in one of my past jobs, I was doing digital forensics. And if I was going to get a hard drive, let’s say I’m working with the FBI, we kick down Kip’s door, we grab his computer because we think he’s got some bad stuff on there, right? Well the first thing I’m going to do is I’m going to make an image of his hard drive before I start doing my analysis because I don’t want to do my analysis on his actual hard drive because I might change his files. Right? And so instead I want to make a perfect photocopy or a disk image of your hard drive.

Kip Boyle:          
A clone.

Jason Dion:       
A clone of it, exactly. And once I clone it, how do I verify it is the same? Well, I take a hash of the original drive and the copy drive and if those hashes match, that means I have integrity because nothing has changed. And now I can do all my operations on that other drive that I made the copy of and if I change anything, it’s okay because I can go back to the original copy that I had. And even as I’m doing things I can continually run a hash and see have I modified any files on there? And if I did, I now have a lack of integrity. And if I have a lack of integrity and Kip was a bad guy and he was selling drugs or doing whatever, the evidence on his computer is no longer valid because I messed up the integrity.

Kip Boyle:          
And I walk.

Jason Dion:     
And so integrity in the digital forensics world is so critically important because Kip the bad guy is not going to jail anymore because we lost the evidence, right? That’s what integrity is about. And so depending on where you work in the cybersecurity realm, confidentiality might be really important, or integrity might be really important, or both are important. And then-

Kip Boyle:          
You may not have heard that word hash that Jason used, but we’re going to define that before we’re done today.

Jason Dion:        
… Most definitely. Yeah, we’re definitely going to go through and talk about what a hash is, and how we use it, and all that kind of stuff, so that’s kind of the basics as we get started here in talking about integrity. So the next thing I want to do is I want to kind of put on my certification instructor hat again.

Kip Boyle:          
Definitely.

Jason Dion:        
And I want to tell you that if you’re going to study for a certification or you hear these terms in a job interview, you should be thinking about integrity. So anytime I hear integrity, what are the words I always associate with it? Well, the first one is hash or hashing and that really serves as a digital fingerprint that uniquely identifies an individual file, a collection of files, or an entire hard disk of information. And we’ll talk more about hashing in just a second. We also talk a lot about digital signatures when we start talking about integrity because digital signatures use hashing and encryption to be able to serve as an integrity check.

And then the other thing we always hear, especially in the military side, we use a lot of anti-tamper physical devices. So you may have bought a iPhone, or a PlayStation, or something like that and if you try to open up that device, you’ll find there’s a little sticker on there that can’t be removed. And if you remove that sticker, they know you have broken the seal and that somebody’s been inside of it and so your warranty is now invalid. And that’s what we’re talking about with an anti-tamper physical device. For instance, my wife just got her new iPhone last night, they shipped it in, and on the side of the box there was an anti-tamper seal and we could tell that nobody has touched that phone since it left the factory because it has that seal on it. If that seal is broken, that’s a physical indication that somebody has messed with that device.

Kip Boyle:          
And then you can’t trust the integrity of it. You don’t know if somebody’s put something on there.

Jason Dion:        
Exactly because they may have gone in there and added a little extra chip in there that’s taking a copy of every password that goes through that phone. Right?

Kip Boyle:          
Mm-hmm.

Jason Dion:       
You don’t want that to happen. So that’s why we really focus on this whole idea of integrity, especially in cybersecurity. So when it comes to integrity, we mention the word hash and I think it’s probably a good time for us to define hash and hashing. And then we’ll talk about digital signatures and I’ll take hashing and I’ll let Kip prepare himself for digital signatures.

Kip Boyle:          
Yeah. Yeah. Yeah. Okay, so now when you say hash, you’re not talking about that stuff that comes in a can, right?

Jason Dion:       
No, no, no, no. We’re not talking about hash, or drugs, or anything like that, or hashish, when we’re talking about a hash, it is an encryption process that is special. Now this special encryption process, when we deal with confidentiality, we generally use what’s known as a two-way process. So if I take a piece of data and I encrypt it and then I hand it to Kip and he can decrypt it because we only want him and I to be able to read it, that would be confidentiality. And the idea of that is I take this paper, this one page document for instance, I scramble it all up and then I give it to Kip and he knows how I scrambled it so he can de-scramble it by using a certain key and that’s what we call a reversible encryption. Well, a hash only does that one way. It doesn’t do it two ways.

So if you take a hash of something, you’re going to get a value and most hashing algorithms are what are known as a fixed length output. So whether I take a sentence, I take a book, I take a movie, I take entire Encyclopedia Britannica with hundreds of books, put them together and put them through this hash algorithm, I will get the same value on the outside as far as the length. For instance, MD5, which is one of the most popular commonly used hashing algorithms up until a couple of years ago, it was 128 bit hash. So if I put in the word A, or the letter A, or the word Jason, or an entire Constitution of the United States, I’m going to get 128 bits back in hexadecimal format. That thing serves as a fingerprint that identifies that file.

Now, the great thing about hash is that you can have the entire file and then you have this hash and I can send you both of them. Now when you get it, you’ll take that file, you’ll put it through the hash, and then you’ll get a hash, and you’ll compare that hash to the one I sent you. If they match, that means that file hasn’t changed from the time I hashed it and sent it to you and that means you have integrity of that file. But if you add a single period, you take an A and make it capitalized instead of lowercase inside this entirely hundreds of page documents, it’s going to make that hash look completely different. And that’s the way that we use hashes. It works as this digital fingerprint. Now I mentioned MD5, MD5 is what was really used for a long time.

These days though, almost everything is using SHA256 or something higher than that. And the reason for this is that when you’re dealing with a fixed output but an infinite number of inputs, you’re going to have some things that are able to have the same hash value, right? And we don’t want that to happen a lot. If it happens, we call that a hash collision. And so for instance, let’s say I had the sentence, Jason is the best instructor, and I had the sentence, Kip is the best instructor. If both of those have the exact same hash value at the end, I can then substitute one message for the other. And that can be a breach of integrity because you think you’re getting the file I sent, which says Jason is the greatest instructor, but instead you got the one that says Kip is the greatest instructor and they have the same hash value. And that’s-

Kip Boyle:          
So you can’t tell it’s been tampered with.

Jason Dion:        
… Exactly. And that’s how we can get around this integrity protection.

Kip Boyle:          
Right.

Jason Dion:       
This is how bad guys get around integrity protection. And so we had to have better algorithms that have a longer hash digest, so we went from 128 bits to…

Kip Boyle:          
1,024?

Jason Dion:      
Well, we went to SHA256, we’re at 256.

Kip Boyle:          
[inaudible].

Jason Dion:      
256 bits, which is kind of the common one now. SHA3 uses 384 and there’s a couple that go higher. But in general, 256 is considered pretty good because 256 bits, the amount of combinations is in the billions of numbers. So it’s a pretty big number and so there’s a chance of collisions, but it’s a lot less than when you’re using something like MD5, which has 128 bit outputs. And so that’s why we kind of move to these bigger and bigger ones all the time, so that’s kind of the basics of hashing. And we’re going to talk more about this as we go through and do some of our mock interview questions and things like that. But before we do that, I did mention before digital signatures as well, digital signatures use hashes. And so let’s talk a little bit about what is a digital signature, how they’re created, and how they’re used. Kip, which part of that do you want to take first?

Kip Boyle:          
Well, these days I don’t operate as a cybersecurity analyst and I’m not doing deep technical work. So once upon a time I had that all in the front of my brain, I don’t anymore because I don’t need it. I have other people I can turn to and say, “Quick, how does the digital signature work?” And they will tell me. But I just want to talk about where you can expect to see digital signatures. Commonly where I see them all these days is DocuSign because I’m executing contracts for my business with customers, and subcontractors, and that sort of thing, and everybody’s all over the place. And the idea that I’m going to get somebody to put an ink pen to a piece of paper is just never going to happen anymore. It’s just not the way things work in this environment, this post-COVID environment. And so we need to find a way to get people’s signatures without physically meeting up with them and so digital signatures are wonderful for using to sign contracts.

If you refinanced your mortgage recently before the interest rates went up, you probably did some kind of an online signature and that used encryption to produce a digital signature both for integrity to show that the document hasn’t changed since you signed it, but also for something we’re going to talk about later on, which is non-repudiation, which means you can’t deny that you’ve signed it.

Jason Dion:        
Yeah, that’s a great point. And we just talked about digital signatures in a very generic way, I want to point out that there are two terms that sound very, very similar, but they are very, very different. So listen carefully. The first one is digital signature, we just mentioned that. The other one is digitized signature.

Kip Boyle:          
Ah-ha.

Jason Dion:       
Notice they’re very, very close together, but they are very, very different. So if I’m using a digital signature that is using this hashing idea and encryption to prove that you signed that document in a digital way, that is what is used with DocuSign and other services like that. Now, if I send you an email, I can digitally sign that email using, we’re going to talk about how it works, and that will give you integrity and it is a digital signature. Now on the other hand, there’s something called a digitized signature and I use digitized signatures a lot because a lot of organizations don’t accept a digital signature or they’re not configured for that. For example, when I’m filing my quarterly report with the IRS, there’s a PDF document that we have to fill out and they want me to physically print it off, and sign it, and then mail it in. Well, if I’m on travel at the time and I’m overseas, I won’t do that. Instead, I will use a digitized signature, which is literally my signature in a digital format.

It’s a picture of my signature that can be placed on that document and then I can send it to my operations officer and she can print it out at her house in Orlando and mail it into the IRS. Now, that doesn’t mean that it is actually secure because Kip could have had a copy of my signature, a picture of it, and he could put it on any document he wants. And in fact, my operations officer, she has a copy of my digitized signature. And so if she needs to fill out that paperwork for the IRS, she doesn’t even have to ask me, she just goes and stamps it. It’s basically like doing a rubber stamp in a digital form with Jason’s signature on there and that’s how it goes out, so that is a digitized signature, not a digital signature.

Kip Boyle:          
I love it. Thank you so much for distinguishing between those because it’s really important because they’re two completely different, technically completely different things. And you would not want to think that a digitized signature gave you the integrity protections of the digital signature.

Jason Dion:      
And it doesn’t, right?

Kip Boyle:          
Right.

Jason Dion:       
So if you go to the store and you buy something on your credit card, when I go to the restaurant to go buy lunch, they often will bring you out the little tablet for you to sign on. Right? It looks like a little credit card terminal, you stick your card in, and then they say, “Oh, would you like to sign and add a tip?”, and you sign your name. That is not a digital signature, that is a digitized signature. All they’re doing is capturing your signature that you did.

Kip Boyle:        
It’s like taking a picture. Yep.

Jason Dion:      
That’s exactly what they do. And that way they hold it in the record so if you ever dispute it with the credit card company, and say, “I never ate lunch there,” they’ll go, “Well, you signed for it.” And then they’ll compare that to what’s on your card and make sure it matches, and if it does, they’ll say that’s good enough. But it’s not an actual digital signature.

Kip Boyle:          
Right.

Jason Dion:       
Now a digital signature on the other hand is something like if I’m going to send you an email and you want to make sure that I sent it. When I send that email and I attach a digital signature to it, and in Outlook it does this for you automatically if you’ve configured your digital signatures, it will take the message that I wrote, it will run it through a hash algorithm, generate that hash value, so let’s say SHA256, it’s got this 256 bit value, then it takes that value and instead of just sending that with the message because that would give me integrity, but it doesn’t say that I’m the one who sent it, to make that a digital signature we take that 256 bit hash value and we encrypt it using my private key. Because if I encrypt something with my private key, only my public key can be used to decrypt it. And who has access to my public key? Everyone in the world.

Kip Boyle:          
Everybody.

Jason Dion:        
That’s right, anybody.

Kip Boyle:          
That’s why it’s public.

Jason Dion:        
Exactly. And that’s what we want because you want to be able to get that message, take that signature, which is essentially just an encrypted hash value, decrypt it, and now you’ve got the hash value and you know that Jason sent it because only Jason had a private key for it. Now you run the same message through the hash, you see if your hash matches the one I sent you, and if they do, you know that digital signature is valid and that message has not been changed. Now anywhere along the line, anybody else could have read that email. We didn’t encrypt the email. All we did was encrypt the hash value and that is the difference here when we talk about digital signatures. Digital signatures give you integrity, they do not give you any confidentiality. If you want confidentiality, you have to also encrypt that message and I would encrypt that using the person’s public key that I want to send it to.

So if I’m sending a bunch of banking documents over to Kip, I’m going to encrypt it with Kip’s public key so only Kip can decrypt it. But I’m also going to take my hash value of the message I sent and encrypt it with my private key so Kip knows it has integrity and it came from me. And that’s how you get this confidentiality, and integrity, and non-repudiation using digital signatures. But the digital signature itself is just there to be able to encrypt that hash and that is what gives you that integrity.

Kip Boyle:          
[inaudible]

Jason Dion:       
That’s what we’re talking about when we talk about all these things.

Kip Boyle:          
Yeah. And I want to say something about public key, private key. Some of you who know about public key and private key might say, “What? You can use a public key, private key pair to do a digital signature? Really? Because I’m only ever used to thinking about it as something that I use to provide confidentiality for data.” And yes, it’s true, which is one of the things that’s so fantastic about public key encryption and why we’re so fortunate that it was invented is because you can use it for both.

Jason Dion:        
Yes, exactly. So if you want… And this for the certifications, if you’re taking a certification exam, remember if you want confidentiality, you’re going to encrypt the message using the receiver’s public key so only they can decrypt it using their private key. But if you want to prove that there is integrity of the message, you want to encrypt the hash value of that message using your private key because that way they know that message is not changed and only you could have sent it because only you have your private key. And so when you do both of those things, now you have confidentiality and integrity of that message as you send it. So I think that’s a good coverage for certifications of what you need to know when it comes to integrity, right?

Integrity is used for hashing, it’s used for digital signatures. And digital signature really is just taking that hash and encrypting it using your private key to say, “I sent this, I promise it was me.” And then we also have these physical anti-tamper devices, whether that is some kind of a sticker that you’re going to use, some kind of… When you buy a jar of mayonnaise, there’s that little plastic seal around it, that is anti-tamper device. If that little plastic isn’t there, you shouldn’t trust what’s in that jar because maybe somebody puts some poison in that mayonnaise as well. And so that’s what we’re talking about with anti-tamper.

Kip Boyle:          
And sometimes when you go to buy those jars like of jam or something like that and you twist the top and it makes that little noise, right?

Jason Dion:       
Yep.

Kip Boyle:          
Yeah, that’s also a tamper resistant feature because if it doesn’t make that pop, even though there’s no seal under there, it means somebody’s already opened it.

Jason Dion:    
Yep and you can feel that right on the top of the jar. You’ll see the little bump comes up instead of going down. Right?

Kip Boyle:          
Yep.

Jason Dion:      
And that’s how you can tell. All right, so now that we’ve covered what is integrity, what is hashing, what is digital signatures, how those affect you on certification exams, let’s move into the job interview process. And so we’re going to play hiring manager and employee trying to get a job. And in this case Kip is going to be the hiring manager and he’s going to ask me a question first and then we’ll reverse the roles and we’ll go through two or three of these to give you guys some examples of interview questions you may get asked and what a good answer might sound like.

Kip Boyle:          
Mm-hmm. Yep. And remember, a typically good answer for just about any of these is going to be somewhere between one and three minutes or two and four minutes, something like that. And remember that a… Don’t get lost in a 15 minute response. Try to keep it within those timeframes because if a hiring manager wants more details, they’ll ask you. But if they feel like they’ve heard enough, they’ll move on to the next question. So by not launching into a 15 minute explanation you’re showing respect to the hiring manager and you’re letting them decide how much they want to hear from you. Okay, so Jason?

Jason Dion:        
Yep. Oh, I was going to say-

Kip Boyle:          
[inaudible].

Jason Dion:       
… Yeah. The other thing I was going to say is the format of your answer will also depend on the format of the interview. So in this case, if Kip and I are doing this interview over Zoom, I’m not going to have a whiteboard and paper to be able to draw little pictures and show them what I’m doing. If I’m in a conference room and I see there’s a whiteboard, I may say, “Is it okay if I draw this out for you and explain it?” Because if I’m explaining something like digital signatures, it’s a lot easier to start drawing a picture showing public and private keys and how they’re all used to make my point. So keep that in mind as well. In this case, we’re doing kind of a one-on-one Zoom type interview. So it’s going to be mostly an audio response or maybe I’ll use my hands a little bit because that’s who I am as you see me constantly using my hands as I talk and that would be okay in the Zoom interview setting.

Kip Boyle:          
Yeah. Yeah. Cool. Okay, so I’ll play hiring manager. Jason, thanks so much for spending some time with me today. And what I’d like to ask you first thing is what exactly is a hash and how does it provide data integrity?

Jason Dion:       
Yeah. So a hashing algorithm is a one way encryption algorithm, which means that we can take some amount of data, run it through this hash and create a fixed length output. So for example, if I take something that is a very long book like the Harry Potter book series, right?

Kip Boyle:          
Mm-hmm.

Jason Dion:        
I can put it through this hashing algorithm and if I change just a single space, or a capitalization, or a word, or anything that gets changed, that hashing algorithm’s output, that hash digest, which is what we call it, would be drastically different. And so this individual 128 bit hash or this 256 bit hash serves as a digital fingerprint that uniquely identifies this file in its current state exactly how it is. And if anything gets changed on it, that hash algorithm is going to output a different hash digest and this tells us that something has changed and therefore we don’t have integrity anymore of those files or folders.

Kip Boyle:          
And scene.

Jason Dion:        
Yes. I get the job, right?

Kip Boyle:          
You’re here, aren’t you?

Jason Dion:        
Yeah. Again, I mean that’s like a one minute response.

Kip Boyle:          
Yeah.

Jason Dion:        
Very quick, to the point.

Kip Boyle:          
Yeah.

Jason Dion:        
I showed you that I have the technical knowledge and I gave you an example of what it looks like. The other thing that I often will do in these type of things is if I’m dealing with a non-technical audience, in this case, Kip is being my hiring manager, I know he’s got 20 something years of cybersecurity experience so I can talk a little bit more technically, but if I was being interviewed by a panel of people and there were some people who maybe there was somebody from HR there, I would actually dumb down my response even more and say what I said. But then I would also go back and give it some sort of a… Use some kind of an expression, or a simile, or a metaphor, or something like that to really drive home the point. And I might even say something like bring up the jar of mayonnaise example that we had with the little plastic wrapping and the hash value, the hash digest basically serves as that plastic wrapper.

If you see that digest is different, that means somebody has gone in and used that mayonnaise and you don’t trust it anymore. And so you could say things like that as well. It just depends on your audience.

Kip Boyle:          
Yeah. Right. And I appreciate the way that you talked about it at a high level and gave me the option to ask you follow up questions about some of the more nuanced technical aspects if I had wanted to.

Jason Dion:       
Yeah, so in this case, what would be some good follow up questions that Kip might have asked? He might have asked me, what’s the difference between MD5 and SHA256? And that’s getting much more technical because now we’re talking about how long the digest is, what kind of an algorithm it is, what’s the difference between this one and that one. He might follow up with questions about collisions, and what is the birthday paradox, and all those other things that you hear about when you’re studying for things like Security+. Those are all fair game, but we’re just trying to keep it high level here to give you some basic examples in how you may see that. So now we’re going to switch roles and I’m going to ask Kip a question and we’ll see how well he responds. So Kip, thanks for joining us today. How can you verify that a file has not been modified by an attack or in a system when you’re working as a cybersecurity analyst?

Kip Boyle:          
Well, what I would do in that case is I would grab the file and without changing it I would actually use a utility to generate a digital signature for that file. And then once I’ve got that signature and making sure that I’m using a modern algorithm and a key length that is also considered to be secure, I now have a basis for doing a comparison. And so since I’m starting with the file that I suspect has been compromised, I will now have to go and retrieve the file that is known to be good and I might do that by doing a file restoration from a backup. I would then repeat the digital signature process on the restored file that would then allow me to compare them to know if they were the same or not. If they were not the same, that’s when the real work would begin because I’d have to launch some kind of a disk command to identify, to really have a computer hone in on what had changed.

Jason Dion:       
Good response. The only feedback I’d have on that is I’d be careful about saying digital signature in the response like Kip did. And the whole reason I’m saying that is, digital signature is a type of hash, but it is not the only type of hash. And in this case, if I’m looking at a file on the file server that I think is corrupted, for instance, Jason’s taxes 2019, you’re not going to have a digital signature on that file, but you may have a hash value from… You can run a hash off the backup from three years ago and then a hash on the current file system and see what the difference is. So all that is the same except for saying a hashing algorithm instead of a digital signature because a digital signature requires that you’re using a PKI infrastructure and you have something to encrypt it with. And you don’t necessarily have that if you’re dealing with a file on a hard drive. So just keep that in mind as you’re working through those.

Kip Boyle:          
Good point.

Jason Dion:       
The other thing that I think is good is when we talk about a file that may be modified by an attacker, it depends on what the file is that we’re researching. So if you think that it is a system file, you’re on a Windows 11 system and you think that one of the system files has been modified by an attacker, how would you validate that? Well, there’s a lot of ways to answer that question, right? One of the ways is we can use SFC, which is the system file checker. And if you’ve ever used system file checker in Windows, all it’s doing is checking hash values of your current system against what Microsoft says is the valid hash for those. And if they don’t match, it says that file’s been tampered with, we don’t know why, we don’t know how, we don’t care, let’s replace that file with a known good copy from our digitally signed version from Microsoft. And so that’s just something to keep in mind.

That said, where are you going to see digital signatures used inside of files? Generally the most common place you’ll see it with is what we call as code signing. Have you ever heard the term code signing or package signing, if you’re downloading an app from the App Store? It is a digitally signed file that has been code signed using the public key, or excuse me, using the private key. Essentially there’s a digital signature placed on it, which is the private key of the organization, such as Microsoft, that has digitally encrypted that hash value and that serves as the digital signature. So if you’re using a Microsoft product, they have digital signatures. If you’re using an Apple product, they do. Some smaller developers may not. Most developers, if you have an account with the App Store or Google Play store, all those files are digitally signed by a manufacturer to say, “Yes, this is what the file looked like when I put it in the store and anything that doesn’t match this is no longer trusted.”

So keep those things in mind when we talk about hashes versus digital signatures, just keep those differences apart. And again, as Kip said earlier in the episode, he has not been on that technical end of it for the last couple years because he is working at the C-suite level. And so those are things that-

Kip Boyle:          
I’m happy to be your straight man.

Jason Dion:      
… So it’s okay, right? But again, if you’re going to take a certification exam or you’re going for a cybersecurity analyst role at a junior or mid level, we would expect you to know the difference between those two and so just keep that in mind as well.

Kip Boyle:          
Yep.

Jason Dion:       
All right. And the third one, I guess I’ll play the interviewee again.

Kip Boyle:          
Okay. All right. Yeah. Okay, Jason, just got another question for you here. How would you validate that a backup was successful, like a data backup, and how would you validate that the files are intact and unchanged?

Jason Dion:       
That’s a great question. So one of the things that I see a lot in the industry is that people do backups and then they just assume they’re good. And you can’t do that. A backup is only as good as your ability to restore it. And so one of the things I’ve always done in my systems is anytime I do a backup, about once a week we will pull a random file from the backup and restore it to verify we have the ability to restore the file properly. Now this brings us to our second point, which you asked, was how do I validate that that backup was successful?

Kip Boyle:          
Right.

Jason Dion:       
Which is being able to restore from it, but also making sure that file hasn’t changed since it was backed up. So when you do a backup, all of those files in most backup softwares will create a hash of each file being saved into the backup at the time of its backup. When I do the restore and I restore the file called Kip’s Pay Scale 2019 or whatever, I can then grab that and I can run it through a hash once I’ve restored it. And then I compare the hash that I calculated versus the hash that we calculated when we saved that to backup. And if they match, I know that file hasn’t changed since it’s been backed up and therefore we can validate the backup was successful and we’ve been able to successfully restore it. How’s that?

Kip Boyle:          
Thank you, Jason. When can you begin?

Jason Dion:        
Never. I’m too busy. Thanks for interviewing me. I’m not taking the job. No. Yeah. And again, as you saw, that was a very quick 60 to 90 second answer. We went through what is a backup, how do you know a backup is good, and how do you validate the files once you’ve restored them? And those were kind of the three key points I wanted to make when we’re talking about a backup in terms of integrity and the ability to be able to restore from your backup, because that is one of the most common things that I see people miss inside of interviews I’ve done when I talk to them about backups and restores. People think that once you back up and you have it on tape, you’re good. It’s like, well, if that tape doesn’t actually work and you can’t read from it and you can’t restore that file, then guess what? Your backup is garbage and it doesn’t matter.

And I’ve been at organizations where I show up and I’m like, “When’s the last time you guys restored from backup?” And they’re like, “The last time we had a server crash was two years ago.” I’m like, “So you haven’t done a backup restore since then?” “No, we do backups every night though.” “Yeah. And how good are they?” “I don’t know.” “All right, let’s pull a tape and let’s see.” And I had them pull a tape and when they tried to restore it, they couldn’t restore. And the last good backup that they could find was about two and a half weeks ago. And so that tells you hey, you could back up every night, but if you’re never trying to restore, you don’t know if it’s good or not and so that’s really what we’re focusing on.

Kip Boyle:          
And that happens way more than you think.

Jason Dion:       
Oh, all the time.

Kip Boyle:          
Way more.

Jason Dion:       
[inaudible] secrets you’re going to experience in the real world of cybersecurity.

Kip Boyle:          
Yeah, because backup systems will back up to almost any command combination you issue to it.

Jason Dion:      
Yes.

Kip Boyle:          
But if you’re issuing the wrong commands and then you’re trying to restore, nope.

Jason Dion:       
Or I mean, the other thing is, depending on where you’re backing up, the backup thing you’re backing up to may not be good. So in the case of this organization, they were using a grandfather, father, son backup tape rotation method, and everything they were doing was on these LTO terabyte sized tapes. And they’re like, “Yeah, they’re great, but these tapes are stupid expensive.” Right? And to do a grandfather, father, son, they need about 30 to 40 tapes and so it was very, very expensive to run this, and they weren’t rotating their tapes frequently enough, and they were using the same tapes that they’ve been using for three or four years. Well, tapes only have a certain number of read and writes to them. And so after about a year or two, you probably want to replace those tapes and that was the problem is they weren’t doing that and they were just assuming they were good because again, they never tried restoring because they never had to.

Kip Boyle:          
Right.

Jason Dion:       
And so if you’re setting up integrity, and backup, and restore practices in your organization, always make sure you’re setting up where you’re doing a restore at least once a week to test that you can restore things because that is going to be critical for you in this whole backup world.

Kip Boyle:          
Yeah. Talk about a false sense of security. We’re covered, everything’s backed up.

Jason Dion:      
Yeah, we’re good. We’ve got backups, we’ve got a whole drawer of backup tapes. No, they don’t work. Oh, well that doesn’t matter.

Kip Boyle:          
Yeah.

Jason Dion:      
All right. So we’ve been going for a while and I think it’s probably time for us to start wrapping up this episode. Hopefully you found value today as we covered lots of different things in terms of integrity. Remember, when we talk about integrity, we are talking about making sure that the data that exists in your system is the right data. So if I look at my bank balance and it says I have $1,000.00 in there, the bank would be really mad if I added a zero by accident and I have $10,000.00. Conversely, I would be really mad if they dropped a zero and said I only had $100.00. And that’s what we’re talking about with integrity. I don’t care that you can see what my bank balance is. I care that my bank balance is actually right and it is the amount of money I put in that account. That’s what we’re talking about with integrity.

And we do this through things like hashing, digital signatures, or in the real world, we use anti-tamper physical devices like the mayonnaise jar with the little plastic wrap or the jelly jar with the little pop sound that you made earlier, so that’s what we’re talking about when we talk about integrity inside the CIA triad. If you enjoyed this episode, I hope you join us again next time. Next time we’ll be diving into the A in the CIA triad and we’ll be talking all about availability and we’ll talk more about backups, and restorations, and continual plans of making sure you’re up and running, and business continuity, and disaster recovery, and all that fun stuff, so definitely join us. We’ll have a lot of great stories to share in terms of availability because it’s something that really does affect all of us on a daily basis.

And other than that, I do want to recommend that you go over to yourcyberpath.com and go over to the main page and sign up for our mentor notes. Every week Kip sends you out a great email that gives you a lot of good information that you can put to work in your daily practice, either as a cybersecurity professional or somebody trying to break into the cybersecurity market. Either way, you can do all of that over at yourcyberpath.com and then just click on the front page there. You’ll see there is a spot to enter your email and sign up for those free mentor notes. They cost you nothing and they’re really, really valuable for you. So I hope you join us there and until next time, we’ll see you on the next episode of Your Cyber Path.

Kip Boyle:          
Take care everybody.

YOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
