THE CIA TRIAD – THE BASIS OF CYBERSECURITY (AUTHENTICATION)

Kip Boyle:           
Hey everybody, it’s Kip Boyle. Welcome to Your Cyber Path. Jason Dion’s here with us, which is fantastic, because he has so much to share on the topics that we’re covering. And we’re actually in the tail end of a series of the CIANA, right. So CIA triad plus two more concepts, non-repudiation. Today we’re going to talk about authentication, but before we do that, we wanted to share a couple things with you. The first thing’s personal, but back when I was in college, I was actually a rower. I went to the University of Tampa, we got a river right in front of the main campus there, and we had this great boathouse.

And so I turned out for crew, and I rowed on the river in one of those big boats with a bunch of other rowers. And man, it was so much fun, but it’s a hard thing to do when you don’t have a boat, and you don’t have a river, or lake, or pond or whatever. So I haven’t rowed for years, and I just recently decided I wanted to get back into rowing, and then I found out that Peloton, that bicycle, treadmill company, they now have a rowing machine. So I bought it, right? It’s like the Tesla of rowing machines. It’s completely electrified, with a giant screen, and it’s classes and everything. I don’t know, I may hate this, I may really hate this. I’m not sure.

Jason Dion:       
I’ve heard from people who are the people who have the Peloton bikes, they just love them, they go crazy for them. I’ve never a done a Peloton myself. I do have a rowing machine I actually put together last night, I bought it for my wife over at Costco or Sam’s Club, it’s one of those $200, $300. Got the fan when you pull it out. So not as cool as the Peloton one. But I do enjoy the rowing.

Kip Boyle:           
Rowing is, I absolutely enjoyed it when I was on the water. It’s one of those exercises that helps you move and strengthen the vast majority of your muscles. It gets all your joints going. It’s great for core, and those of us who are getting older, why we need all that stuff Jason.

Jason Dion:        
Yeah, I feel you man. I’m getting old, and every time I get up bed I’m like, oh, another day. Too young to be this old.

Kip Boyle:           
And I can’t do high impact stuff anymore. My knees will not take it. So anything like running or parkour, I don’t know. I mean all the stuff that could be fun, completely off the list for me.

Jason Dion:       
Same with me. That’s why I went for it. I’m usually an elliptical guy, but my wife prefers the rowing machines. That’s why we went with the rowing machine, and so far I like it. It’s good.

Kip Boyle:           
Yeah, that’s cool. Okay, now one more thing we want to share with the audience, which is LPI, the Linux Professional Institute, is about to launch. And actually, when you listen to this, I think it will have launched, a security essentials course. You told me all about this, Jason, can you fill people in on what this is?

Jason Dion:       
Yeah, so at Dion Training we are a partner with LPI, the Linux Professional Institute, and we teach the LPI Linux Essentials course, but they also have a couple of other courses in that Essential series. One of them is Web Development Essentials, that’s been out for about a year. And the new one is Security Essentials, which is coming out in January of 2023. At the time you’re listening to this, it either just came out, or will come out this week. The launch is someplace in the second half of January. And so to work with that, Dion Training and Kip are actually partnering up and we’re going to be building a security essentials course to teach you how to pass this exam. And people might be wondering, well where does this exam lie on the spectrum? Well it’s an entry level exam, that’s why they call it Security Essentials.

I like to think about this as the exam and certification that’s going to happen before security plus. So a lot of people have been trying to jump right into security. And if you try to come in right at Security Plus and you have no prior experience, it’s pretty difficult, because there’s a lot of stuff you have to understand before you can get there. And so this Security Essentials was, that’s the idea of this, is take a lot of the stuff from Security Plus but not nearly as in depth or as broad, to give you a good introduction and say, “Hey, do I like this cybersecurity stuff? Is this for me?” And if it is, then you can move on to Security Plus, then you can move on to CISA plus, you go CAS plus, or CISSP, or CISM, and keep moving your way through the life cycle. But this is the entry level, right at the beginning of the bottom side of the path, and to be able to start getting your foot into the door, and start looking at this stuff, and how these certifications work.

Kip Boyle:         
So an appetizer.

Jason Dion:      
Yeah. It’d be great for, especially if you’re brand new to cybersecurity, for a lot of our listeners, you probably are already in cybersecurity so it may not be the right fit for you, but you probably know people in your life who’ve asked you, “Hey, what’s this cybersecurity thing all about?” And this will be a great way to introduce them to that by using this security essentials course.

Kip Boyle:           
Right. Now Jason, one of the things that I talk to people about when it comes to Security Plus, which is not LPI, right? That’s [inaudible]-

Jason Dion:        
Yes, that’s right.

Kip Boyle:           
Okay. But one thing I talk to them about is like, well, do you know how computers work, A plus? Do you know how networking works, network plus? And if they don’t, or if they’re just, they’re not feeling really confident about it, that could be another thing that undermines their success with the Security Plus exam, which I would think would make Security Essentials even more approachable, right? Because it’s not going to assume so much of this A plus and network plus material.

Jason Dion:      
Yeah, exactly. I mean because this is an entry level certification in the LPI scheme, there is no prior knowledge that is expected of you. You can start out with zero prior knowledge, and we’re going to take you from nothing into being able to pass this security essentials exam. And so the other thing is if you’re thinking, “Hey, I’m not sure I want to go through the 25 hours that is security plus,” you may want to try this out first and say, “Let me learn this,” and this’ll be probably somewhere in the 10 to 15 hour range, because there’s a lot less material than security plus. So it’ll be an easier way for you to jump in and digest it, and get used to these concepts.

Kip Boyle:           
So this will be truly entry level, no prior experience required.

Jason Dion:       
Yeah.

Kip Boyle:           
Okay, well we’ve had an appetite for real, no kidding entry level things lately. So that’s nice. We get to tick the box. Here’s one thing that’s truly-

Jason Dion:       
Yeah. And the other one that came out recently for entry level, that just came out in the last three to four months was ISC2’s, which was their Certified in Cyber, the CC certification from them, which is their version of an entry level certification. I will tell you, talking to people who have already taken it, even though it is considered an entry level certification, they still ask questions the way that IC2 does, and IC2 asks questions in a really weird and convoluted way. So that Certified in Cyber, from the feedback I’m getting from people who took it, and people who are already certified in CIS and CISM and other things, they said it’s still a really hard exam. So I think IC2 has missed the mark, since they were going for entry level, and then they made the questions so hard that an entry level person will never pass. But that is not the case with LPI. They are doing a good job of keeping it at the entry level, and that’s the level you’re going to need to know for that exam.

Kip Boyle:           
Okay, that’s valuable insider. I appreciate you sharing that. Okay, why don’t we start talking about the last bit of CINA, which is authentication, right?

Jason Dion:      
Yeah, definitely. We are going to talk about the CIA triad and today we’re talking focused on authentication. We talk about the CIA triad, we’re talking about confidentiality, integrity and availability. And then we also talk about NA, which is non-repudiation and authentication. So confidentiality, we’re talking all about how we encrypt things and keep our data safe and secure from prying eyes. We talked about integrity, we’re talking about things like hashing, to make sure that your data doesn’t change when you save it and it stays in the same state it was in. You want to make sure that these data that you have and you’re putting in your database is the right data, and that’s what integrity’s all about. Then we talked about availability, which was all about uptime, and redundancy, and battery backups, and continuity and disaster recovery and all that good stuff.

Then last time we talked about non-repudiation, which basically meant we were going to use things like digital signatures so that when you sent something or did something, you couldn’t then turn around and say, “Nope, it wasn’t me, I didn’t do it,” because we know you did it, because you digitally signed it and that came from you and only you. And that brings us to today, which is the fifth pillar inside the CIANA, and this is what we’re going to be talking about with authentication. When we talk about authentication. We’re really talking about things like passwords, and how you’re going to verify that you are who you say you are when you’re trying to get onto a system and do something. So Kip, what does that really look like in the real world? When you hear authentication, what are you thinking about?

Kip Boyle:           
Well, I always like to start with a concrete example in real space, and that would look like showing an ID badge at a security desk. You want to go into a building, and you walk in, and maybe you have an appointment, maybe don’t, maybe it’s your workplace, but there’s somebody there who wants to make sure that you actually belong in this building, that you have a need to be in the building, and one of the ways that they’re going to do that is they’re going to identify you. “Who are you? I’ve never seen you before,” or, “I’ve seen you before, but are you fired? Do you still work here? Show me your badge.” And so that’s authentication in the real world. And then we extend that idea into cyberspace, into our data networks, and into our computer systems. But it’s different because when you’re in computer systems and not a network, nobody can really validate you, or I should say authenticate you, the way that they can at an entry at an entryway, right?

By looking at a photo ID, and then looking up at you, and giving you the I see you business. So we have different ways of doing that, and that’s what we want to explore here. And it could be things like a user ID and password combination, and it could include other things like “Hey, I’m going to send a text message to your mobile phone and because your mobile phone is under your control, then that’s going to help me feel confident that when you put the number in the text into the authentication field, that it really is Kip, and it’s not somebody who just stole Kip’s user ID and password.” And there’s all kinds of other ways to do multifactor authentication, which of course we’re going to unpack a lot of that. And there’s some other things that are going on right now in the real world, where multifactor authentication is concerned that we need to talk about, because the game is changing.

Jason Dion:       
Yeah. And then the other one that I think about in the real world that’s gotten really popular here in 2022, and you’re going to see even more of it in ’23 and ’24, is that you’re seeing a lot of password-less authentication schemes as well. We’ve actually played around with that a little bit on our own site, in how we were playing with it, and one of the ways you can do this is essentially the person would put in their email address, like support@diontraining.com, and when they do that to log in, they then get sent an email. And in that email is a one time use magic link, and when they click on it, it’s good for five minutes or 10 minutes, and will log them into the system. No passwords are needed. The only thing you need is your email. Now the problem with that is that if somebody has attacked your email, because you’re using a week username and password, well then you’ve now been able to get into my site as well because they have access to your email.

And so there are lots of different ways that this is happening. Another thing I’m seeing a lot with Google and Apple and Microsoft, they’ve been working together on the new passkey and that’s going to be another way of doing password-less authentication. So you’re going to continue to see authentication changing over the years. But right now, as Kip said, it’s things like badging, it’s things like multifactor, single sign on, federation, usernames and passwords, one time use codes, all those things all fit into this authentication bucket. And when you hear authentication, really it is, how do I know you are who you say you are? Prove it to me, right? You get pulled over on the interstate for speeding. First thing the cop is going to ask you is, “Give me your license, I want to see who you are.” That’s an authentication. He wants to figure out who you are and what you’re doing.

Kip Boyle:           
Exactly. And then I want to extend your comment too, to make the point that as an industry we’re talking very seriously about these zero trust architectures, and that is a very fundamental shift, a paradigm shift. I think it’s very reasonable to call it that, because you’re really flipping this model of, if you can be in the internal network, then I implicitly trust you. And we’re not going to do that anymore. We’re not going to say, “Well if you can get behind the firewall, all of a sudden you’re a trustworthy operator,” because that hasn’t been true for a long time.

We’re finally in zero trust architecture is going to formalize that and say, you know what? From now on we’re not going to trust but verify, we’re going to verify and then if you pass our verifications, then we’ll trust you. And so in the world of the future with zero trust, the ability to authenticate somebody with an account who is alleging an identity is going to become even more important than it’s ever been. And you’re going to have to suffer through multiple forms of authentication and verification depending on where you come from when you’re trying to access a resource, and how dodgy your device is when you show up, all kinds of things. So Jason’s absolutely correct, this is only going to get more intense as time goes on.

Jason Dion:      
Yeah. Most definitely. And you’re going to see the zero trust come up time and time again, been on a big path for the last five years at least. It started about 10 years ago, start getting really good traction about five years ago, and this year I’ve seen just even more traction going that way. So you’re going to continue to see zero trust in authentication playing a key role in our enterprises.

Kip Boyle:           
Our customers are talking to us about it all the time now.

Jason Dion:       
Oh yeah. And that brings us up to our second part here, when we talk about authentication. And what I want to cover here is I’m a big certification person, I teach a lot of certification, and when you hear certain words, you should be thinking about authentication as the answer. So if you hear something like authentication, you should be thinking of usernames and passwords, tokens, whether those are hardware tokens or software tokens. It might be a digital certificate, it might be multifactor or two-factor authentication, it might be single sign-on or federation, things like biometrics, where you’re using facial ID, or fingerprints, or a voice print, or things like that.

And also X509 certificates, which are another form of digital certificates. All of these are things that tie into authentication. And when you hear any of these keywords, your mind should immediately be thinking, okay, I’m in the authentication section, the answer has to be something to do with these things. And that’s normally what you’re going to see on a certification exam, because again, if you could figure out is this a confidentiality issue, an integrity issue, an availability issue, a non-repudiation issue, or an availability issue, you’re going to be able to at least be able to talk intelligently and identify the right answer based on knowing which of those five categories you’re in.

Kip Boyle:           
Yeah, that’s great advice. A framework to keep in your mind.

Jason Dion:       
Yes, definitely. And then the rest of this episode, we really want to focus on helping you in your job interviewing process. And just like we’ve done in the last four episodes, we’ve been talking about what questions can you expect about this category, or this pillar inside of the CIANA area. And when I think about it, I like to think about things like the five factors of authentication. So in an interview, it would be completely fair for somebody to ask you as a cybersecurity analyst, or a penetration tester, or even an entry level help desk person, to be quite honest, what are the five factors of authentication? So Kip, what are the five factors of authentication?

Kip Boyle:           
Jason, I really appreciate you asking me about this. I know it’s completely relevant to the job that I’m being considered for. Well the five types of authentication as I understand them, the first type would be something that you know, that is something that I have in my brain, and that could be a password for example. A second type of authentication is something that I have or that is in my possession. And I think about my iPhone, or somebody may have an Android device or something, but that’s in my possession, it’s under my control, it’s a thing, and that’s another way that you might be able to authenticate me. A third type would be something that you are, and this really goes back to things like a fingerprint or face geometry. Several years ago when I was working at data centers, I’d have to put my hand in a hand geometry reader.

And these are things about myself that don’t change, that are pretty durable. I mean I would have to have some kind of an accident in order for these things to change. So that’s something that you are. Something that you do, and this is a relatively new factor, Jason. This is where maybe the way I type is a way that you can authenticate me. The speed and the cadence of my typing is actually unique to me, and so that might be a way for you to know, is that really Kip at the keyboard or not? And then finally, location. So geography, if I’m trying to authenticate into my account, and I’m coming from an address in Kazakhstan, but there’s no reason for Kip to be in Kazakhstan because he just authenticated 15 minutes ago from Seattle, well that’s another way that you can detect that that’s probably not Kip coming from Kazakhstan, so we can go ahead and we can block that. So those are the five factors, Jason.

Jason Dion:       
Awesome. Great answer. Yeah. And just for the audience here, the way Kip listed those out is the generic terms, which is totally fine in interview, but there are also specific terms for those as well. So the generic terms that we just used were things like something you know, something you have, something you, excuse me, something you do, something you are, and somewhere you are, right? We talked about those five things. And another way we would talk about this is the more traditional way of saying it. So instead of saying something you know, you could say that’s a knowledge factor. Something you have is considered a possession factor. Something you are would be considered a biometric or inheritance factor. And then if you do something you do that’s considered a behavior or action factor. And then if you look at somewhere you are, that’s considered a location based factor.

And so you may see these on certification exams using either of those terms, something you know or knowledge factor, and things like that. So keep that in mind as well. You can use either in a job interview, and you may be asked if the person behind the table wants to really check if you know what you’re doing and say, so you just mentioned somewhere you are, what would that be considered? Oh, that’s a location based factor. Okay, great, let’s move on. So keep those things in mind as well as you’re talking about this stuff in the real world. Because you’ll hear people talk about it the way Kip did, and that’s usually how I refer to it. But I also hear a lot of people and on certifications I see them use those single words, like inheritance, behavior, location, possession, and knowledge as those five factors. So keep that in mind as well.

Kip Boyle:           
Right.

Jason Dion:        
I’ll let Kip go ahead and have the question. I’ll let him stump the chump here.

Kip Boyle:           
Yeah, it’s my turn. Okay. Jason, really appreciate your interest in our role here, and I would like to know a little bit about your take on multifactor authentication, and specifically do you think that one time codes delivered by short message service, or text messages, is that a strong form of MFA, and why or why not?

Jason Dion:      
Yeah, thank you. That’s a great question. So in my experience, SMS messaging for two-factor authentication is better than using something like a username and password, because you’ve now moved into a two-factor or multi-factor authentication situation, where you have something you know, like your username, and something you have, like your phone getting that SMS code, as opposed to just using two knowledge factors, which would be considered a single factor, like a username and password. That being said, SMS is constantly under attack. And so while it’s better than a standard username and password, it is not better than using a different way of doing MFA, such as using a hardware token, like one of the RSA key fobs that changes the digits every 30 to 60 seconds, or using an authenticator app that also does that changing every 30 to 60 seconds as you’re logging in.

The reason for this is that SMS is vulnerable to other types of attacks, such as when an attacker is able to take over your cellular service to be able to gain access to your two-factor code. And the way they do this is normally by using something like SIM cloning, where they basically convince your wireless company, like I use T-Mobile, you call up T-Mobile and say, “Hi, I’m Jason, I’m transferring my service to Verizon,” and they’ll move your SIM card over, and your phone number now goes to the attacker’s phone instead of your phone. So when they ask for the secondary code, that code is being texted to the attacker instead of you and therefore you’re now vulnerable. So while it is better than username and password, it’s still not the strongest type of MFA we could be using, and there are better options for us as an organization. And safe.

Kip Boyle:           
That’s great. Yeah, I think that’s a wonderful response to the question. You actually filled out the situation a little bit more than I had even asked, which I think is perfectly fine, to demonstrate that additional knowledge that you have that I didn’t even ask for, but it just showed how well rounded you are on the topic.

Jason Dion:      
And I think it’s important also depending on the position you’re applying for. So I’m thinking me, if I was going for a job, it would be as a cybersecurity engineer, or a higher level manager, or a CTO, or a CIO, or something like that. And so I think it’s important to say that’s an okay solution, but there’s a better solution that we should be considering as an organization, and here’s the risks and benefits of each, right? So that’s where my mind was answering that question. But if I was a simple cybersecurity analyst, just getting started, or I was an entry level going for a service desk position or a field service technician, or something like that, as Kip said, you can keep it just answering the question they asked, which was what do you think about SMS? And you wouldn’t have to go into all the other stuff that I went into. So again, you want tailor your responses based on the job you’re going for.

Kip Boyle:           
Right. So I just want to make sure that if you are using jargon, if you’re using formal knowledge, and I may wonder, did you just memorize that, or do you really understand what you’re saying to me? So when you’re interviewing with somebody or having a conversation with somebody, I would say lean towards the less formal language, I think you’re going to come off a little bit better.

Jason Dion:       
Yeah, I will tell you that when I’m doing interviews, I really love it when people use analogies and bring things down to a physical level, or they show me that this thing, this technical hard concept, is like this other thing that we know. So earlier on we talked about the fact that we said, how does this work in real life, and Kip, the first example he gave was, well, if I go and show my security badge, that’s a form of authentication. I’m proving who I am by using this physical thing that you can see, or I said earlier, you get pulled over by a police officer, they’re going to ask for your ID, that shows who you are. That’s what you’re doing. You’re proving your identity, and that’s what authentication’s all about.

So these analogies, it shows that you’re thinking through what the definition is and how to apply that in the real world and dumb it down so that you can explain to somebody who’s a 10 year old, or a 12 year old, so they can understand. If you can do it at that level, that means you really understand the concept well, if you can dumb it down.

Kip Boyle:           
That’s real [inaudible].

Jason Dion:        
Yeah. And so that’s why I think that’s really important. Next question we’re going to ask, I’m going to put Kip on the spot here. So Kip, thanks again for joining us today for this interview. I would like to know what are the dangers that exist when an organization is using SSO, and what is SSO?

Kip Boyle:           
Sure thing, Jason. So first of all, I’m assuming that you are defining SSO as single sign on, is that correct?

Jason Dion:       
That is correct. Yep.

Kip Boyle:           
Okay, great. Well there are potentially many dangers with SSO. Of course there’s a lot of upside, and so I understand why it’s in demand, and it’s helps with people’s productivity, because they only have to log on once, and then they have access to multiple different systems. And so there’s a huge upside, but the downside includes things such as if your credentials are compromised, then an attacker can access everything that you’re able to get to. Instead of having to go from system to system, and try to break into each system at time, they’re going to be able to get into everything. Another downside for SSO is it’s a bit more complicated. There’s more moving parts. You have to do a lot more integration work, and that stuff can fail and it can fail with no notice. And that could keep people from being able to access the systems that they need to if the single sign on service isn’t functioning. So those are two big risks that I can think of.

Jason Dion:        
Great job. Yeah, I love that answer, and in my mind, when I’m hearing single sign on, the flags that always go up to me are the one you first talked about, which is, hey, single sign on is great, you make life easy for everybody, but you only have one password for everything. It’s the keys to the kingdom, it’s that master skeleton key. And so if that key gets lost and somebody steals Kip’s identity, well now they’re able to do everything that Kip could do. Instead of just, it’s not just tied to Kip’s system, or Jason’s system, or you and me system, or LinkedIn system, it’s everything.

And so that becomes the big danger. And we use a lot of federated systems as logins these days. Almost every website you go to, you can log in using Google or Facebook or LinkedIn. And if you do that, that’s fine, but if your Google account gets compromised, now people have access to everything you’re able to log into. And so that is the big danger there with SSO. I think the next question we’re going to do is for me, and we’re going to talk about SSL and TLS, right Kip?

Kip Boyle:           
Yeah, absolutely. So here’s a good question around authentication that you might hear in an interview. Hey Jason, there’s SSL, TLS, and I think most people know that that’s a form of encryption for data that’s being moved around. But I was curious to know, is there a way to do authentication? And if there is, how does that work?

Jason Dion:     
Yeah, that’s a great question. So when we talk about SSL and its newer version, TLS, which is what we currently use, TLS is usually an encryption technology that we’re using to create a secure encrypted tunnel between a web server, and a client who’s trying to access that web server. Now that gives us confidentiality, but it doesn’t give us authentication. So how do we get authentication with this? Well, one of the pieces in authentication that’s happening is that we are actually having the web server authenticate itself to our client. So if you go to your website, diontraining.com for instance, and you see that little padlock in the corner, what that means is that when my client went to that web server, it said, “Hey server, tell me who you are.” And the server said, “Hey, I’m diontraining.com, here’s my digital certificate, here’s the public certificate for that.”

I can then go and take that public certificate that’s trusted from a third party, like Verisign or OpenSSL or whatever, and I can create a random number and encrypt it using that public key. Once I send that back to the web server, the web server can then use its private key to decrypt that and get that code that I just sent, and then use that as the secret key for that tunnel we’re creating. By doing that, we now authenticated that the web server is who they say they are, because only the web server has the web server private key, and I encrypted that number with the web server public key, and therefore I now know that that server is somebody I can trust. Because they are who they say they are, and therefore they have been authenticated from my machine to them.

Now, that doesn’t mean that me as a client, that I have been authenticated to that server yet, but now that we have this encrypted tunnel, I can then use things like usernames and passwords, two-factor authentication, SSO or federation, or whatever you’re going to use on that website, to log myself in and then validate myself to the server. But the initial SSL/TLS connection does have this authentication happening where the web server is authenticating itself to the client that it’s connecting to.

Kip Boyle:           
Followup question if you don’t mind. So can I use-

Jason Dion:       
No, I’m done. Sorry, I’m leaving. No, I’m just kidding.

Kip Boyle:           
Okay, great. You just made my life a lot easier, [inaudible]-

Jason Dion:     
No, I’m kidding. What is your question, Kip?

Kip Boyle:           
So my followup question is, can SSL/TLS be used in the reverse direction, where a server could authenticate the connection of a client machine? I mean, is that possible?

Jason Dion:     
Yes, in an enterprise environment, we can configure each of our clients with a digital certificate themselves, and using a PKI infrastructure of public and private keys. If we’ve done that, then the client will have its own private key to use. For example, I used to work for the military, and in the military we all had our common access cards that included it, which is a smart card with our digital certificates in it. I could log into any machine and put that card in, and then when I connected to a service, they can then request my authentication. And I would do that by using an encryption of some kind of a random fact using my private key certificate, and send that to the server. In those cases, the server can then open it using my public key and know that that was sent by me. And I know previously we’ve talked about that with non-repudiation. It’s the same concept, and that does tie in where non-repudiation and authentication can work together.

Kip Boyle:           
Great. Thank you, Jason. I really appreciate that you elaborated on that.

Jason Dion:      
Oh, no problem. Thank you so much. And then I’m going to switch back and I’m going to interview Kip here with my last question, because I know this is one that he will have lots of things great to say about. So Kip, what are the dangers that exist when we’re using password managers, like the built-in one into Safari or Chrome versus something like a standalone one, like Bitwarden or Last Pass or something like that. What are your thoughts on, are password managers good? And if so, which one should we be using?

Kip Boyle:           
Well Jason, you have triggered me big time, because I have so much to say about this. It would be very easy for me right now to leap onto my soapbox and just go and go and go and go. I’m not going to do that to you.

Jason Dion:       
It sounds like we’re going to have a future episode on password managers, is what I just heard.

Kip Boyle:           
We probably should, and if people can handle me railing for a long time, but I’m going to keep it nice and neat at the moment. A little bit more clinical. Password managers can be wonderful. They are one of these unusual combinations of benefits when you get a password manager, where you get more security, which is what motivated you to do this, but you also get more productivity. So it’s one of those strange beasts in security, where you actually get return on investment and that’s really, really cool. Now the assumption there is that you’re choosing the right password manager, and this is where I get tempted to get on my soapbox, because a lot of people buy password managers or choose password managers the way they choose other software. Should I use Linux, or should I use Windows, or should I buy a Mac?

They’re looking at things like how much does it cost, is it easy to use, and things like that. Does it look nice? But with security tools like a password manager, none of that stuff should be your first consideration. Your first consideration should be, is this thing attack resistant, because I’m putting all my eggs in this basket. Is this a wicker basket that I would be dropping from four stories up every day? Or is this a wicker basket that people are going to try to knock out of my hands, like I was running for a touchdown with a football in my arms? In any event, you need to choose a really strong basket, and that’s really the thing. Let me give you an example, if I can, of a password manager that doesn’t cut it, and that would be something built into a web browser. That’s just a convenience password manager, and those things are really easily exploited.

I don’t recommend them. On the other end of the spectrum, you would have things like One Password, which is published by a commercial company, you pay money for that. Or Last Pass, which does have a free version, which is limited, but in order to get all the features you have to pay for that. And I know there’s open source password managers out there. This is one of those cases where I actually feel more comfortable purchasing a password manager from a company where that’s all they do, because I think that’s going to give the best results, particularly if they come under attack. So anyway, so there’s my take on password managers.

Jason Dion:      
Awesome. Yeah, the only thing I would add to that is in general, as Kip said, a built-in browser is not going to be as good as a dedicated tool, and so keep that in mind. Yes, there are built-in password managers into Mac OS, and Linux, and Windows, and Edge, and Safari, and Chrome, and Firefox, and every other browser out there. But it doesn’t mean that it’s a good place for you to use those things. I can tell you as a forensic technician, I can get your passwords out of most of those browsers. They’re not stored in the most secure way. So using something like-

Kip Boyle:           
And servers can sometimes [inaudible].

Jason Dion:        
Yes. And so things like One Pass, Last Pass, Bitwarden, are all great options. Dedicated password managers. I will tell you at our company we use Bitwarden, we used to use Last Pass. Last Pass was sold to another company in the last couple of years, and that company is based out of a country that we didn’t want to trust our data with, to be quite honest. And so for that reason, once they got sold to that company, we left and we went somewhere else. So that’s another thing you have to think about. If there is a password manager out there and it’s owned by China, Russia, some other country that you don’t want your data in, you want to make sure you realize that as well.

These are all those business decisions that we make as cybersecurity analysts and engineers, any of those password managers I mentioned, One Pass, Last Pass, Bitwarden, they all work basically the same way. They’re all just about the same security level, but where’s your data being stored? Is it being stored in a server in China, or the US, or Canada, or France, or whatever? And if that matters to you, then you need to pick the one that’s going to store in the place you care about, right?

Kip Boyle:           
Exactly.

Jason Dion:       
And so for us, we went with Bitwarden, it has a US data center, and we trust it more. So that’s why we have our data there. And so that’s the summary of the five questions we just went over. I think those are five really good questions for you to keep in your mind as you’re thinking about how to answer these interview questions, that have to do with when you’re dealing with authentication. There’s probably many more out there that we can think of, but these are the five most common ones that Kip and I use in interviews, and a lot of our other friends who are hiring managers use these same type of questions as well. So if you’re applying for a cybersecurity analyst role, you’ll probably have questions very similar to what we just said.

If you’re applying for a pen testing role, we’ll probably change those questions around to ask you how would you attack these things. So instead of saying, would SMS be considered a strong form of two-factor authentication, or multifactor authentication, like we might ask a cybersecurity engineer or an analyst. If you’re a pen tester, I might ask you how would you break into a system that is protected using SMS for two-factor authentication? And in that case, you need to flip the script on me and start saying, “Well, to do that I would have to do a SIM cloning. I’d have to take over the person’s phone, and be able to get the two factor code, and blah, blah, blah, blah,” all right, we’d go into all of that detail. So just think about it that way, defense versus attack, two different perspectives for the same type of thing that we’re going to be doing. Kip?

Kip Boyle:           
Yeah, I agree, Jason, these are excellent interview questions. There’s obviously going to be more. If you focus on these then you’ll probably be able to draw on these if you hear a question that you’re not anticipating, because this is a very good fundamental knowledge base for you to have on this subject. So I think that pretty much wraps it up, Jason.

Jason Dion:       
Yep. Yeah, definitely. So I think we had another great episode of Your Cyber Path, and again, if this is the first episode you heard, I want you to go back four episodes, back to episode 83 through 87. That’s where we talked about confidentiality, integrity, availability, and non-repudiation. And then this week in episode 88, we’ve been talking all about authentication. And that’ll give you a really good coverage, and the basis of cybersecurity for you, because almost everything we do in cybersecurity can really be tied to one of these letters, CIAN or A, depending on where you are in these five pillars of cybersecurity. So keep that in mind as well, and until next time, I hope you come back and see us at the next episode of Your Cyber Path, and we’ll see you then.

Kip Boyle:           
See you later everybody.