Security Practices Questions

It would be fun to record some of my answers to my cybersecurity course. 

Propose a NIST-style recommendation for passwords.

A recommendation for an enterprise is to implement the concept of passphrases followed by MFA as a requirement instead of making the user do gymnastics to come up with a complex combination of characters with uppercase, lowercase, and special symbols when creating a password. Another policy recommendation would be to allow or mandate a password reset if the enterprise experiences a breach or an individual's credentials are compromised. The move toward passwordless authentication models that the FIDO alliance proposes would be another recommendation for using biometric and hardware tokens. The advantages of these ideas are that they increase security best practices while moving & balancing user experience to comfort and security hygiene while avoiding frustration for users.

What does it mean if a website "leaks" information? What sort of information might a (poorly designed) website actually leak in practice?

A website that is not configured correctly in the backend unintentionally exposes the config file or shows unsecured log files, which can be exploited to sniff out user creds or allow threat actors to create SQL injection attacks where a poor DB design or exposed database architecture is some examples of a website leaking information. The website may also expose phone numbers and emails, allowing for social engineering attacks by threat actors. A website or a web app that uses unprotected or old APIs that are poorly configured can expose tokens or output JSON dump files that can allow for data theft and control of information. Administrative credentials can also be compromised for poorly designed websites, exposing user credentials in text and log files.

Suppose your boss asks you whether the company should use single sign-on (SSO) for the company's web app. Explain in a short paragraph why you might want to use SSO. But also explain why you might not want to use SSO.

An enterprise today, be it small, medium, or big, uses various types of applications in its environment. Identity management is crucial for protecting our employees and the organization’s

Image created by Dall-E

digital assets and helping employees increase security, adhere to policy, and prevent password fatigue. These are the primary advantages that I propose for using and enforcing a single sign-on (SSO) in the enterprise. Access management and layering security are other advantages. An argument against SSO would be that if introduced as the single point of entry for identity management, it creates a high risk of also being the single point of failure. Costs and licensing issues on how you go about it can impact your operational expense budgets. I saw this first hand at the global non-profit I served, where securing 1500 licenses cost increases per user with the identity management solution provider we used. Another disadvantage was complexity increased with integrating SSO with legacy software that was not designed to be served up for access that way, and the need to re-engineer or rebuild those apps pushed the overall costs up.

Suppose your boss's boss asks you whether the company should require password managers for all employees. In a short paragraph, explain why you might want everyone to use a password manager. But also explain why you might not want everyone to use one.

A password manager is a must in an age where individuals and organizations have a ton of passwords to store, keep, and use to access their apps and systems to get work done. Remembering all these passwords, reducing the risk of using weak passwords, reducing the risk of reusing passwords, and going through the gymnastics of making complex passwords that no one can remember are some challenges that password managers can easily overcome. Protocols for removing access when employees are fired, or transition and management of what systems they had access to, and features like breaking the glass for super admins who may leave are some features that password managers provide that are super useful. An argument against everyone using password managers could be creating a single pane of reliance, meaning if the vendor is attacked, it could compromise all your credentials. Many vendors provide individual accounts to be connected with corporate accounts, and the creation of policies and cross-contamination of passwords or password theft could happen. Employees have to be trusted with critical accounts, and a backup escalation policy may not be in place, which could create potential threats for the enterprise and, of course, the ongoing rise in costs when the password manager vendor raises the price per license.

Play The Password Game -- try to get through at least Rule 12.

While obviously, the game itself is, in many ways, meant to be humorous, it also critiques the experience many of us have when setting up new passwords. Explain in a short paragraph, at most, how there's a trade-off between usability and security in the context of passwords.

Easy passwords are easy to remember and more straightforward to set up but are vulnerable to attack, while very complex passwords are hard to set up and remember. The trade-off between usability and high security is always up for debate, frustration, and user experience disruption/acceptance in accessing and using applications. A password policy and programming the user log-in interface approach that allows for a balanced approach that considers user experience, password hygiene, and high security is a tricky balance to achieve. Still, it needs to be pursued during heightened fraud and targeted attacks. As a software product architect, I strive and advocate for balancing security and usability to ensure a smooth user experience and awareness that we are taking security seriously and winning customers with delight. However, every use case and environment is different, and trade-offs have to be considered. A military application that works with nukes or scrambling fighter jet codes differs significantly from an entertainment game app on the mobile phone and requires appropriate evaluating and balancing of these trades.

Authenticated vs. Authorized

Grading comment:

In no more than three sentences, what does it mean to be authenticated but not authorized to access some web page?

Authentication means your identity checks out with the app or system, your access to it is validated and verified, and you have the key to get in. However, Authorization to the system corresponds to permissions, roles, and attributes to access a resource, page, or asset. A user who is not authorized means you may be a valid user but do not have the necessary role, privileges, permissions, or attributes to access content or assets or perform specific actions.

Inherence Factor

Identify something that would typically be considered an inherence factor.

During authentication, an inherence factor is usually attributed to something the user inherently possesses, like a fingerprint, iris scan, voice, or facial recognition that is unique to the person. These biometric authentication, like fingerprint access on our Mac laptops or phones or facial scans in Windows 11, are authentication methodologies that add layers and make it harder for threat actors to replicate or break. We would consider inherence factors in authentication to provide a higher level of security. Inherence is intrinsic, unique, and associated with the individual. It is also harder to replicate. Thirdly, my favorite is that it's far more convenient to use my fingerprint or look at my computer than to remember a password.

2FA vs 2SA

In no more than a short paragraph, distinguish between two- (or multi-)factor authentication and two- (or multi-)step authentication.

MFA or 2FA requires multiple authentication methods that consider knowledge, which is something you know, like your password, inherence like a biometric fingerprint or facial scan, and something you have, like a Yubico USB or a hardware token. A two-step authentication (2SA) is similar, but it could be the user's password and a code generated that you must validate via email or text. Though both methods enhance security, MFA is stronger as a user can change and provide layers of defense that are harder to replicate for threat actors/attackers.

Random Thoughts - Lessons from 'Don't say UM'

 

Among all the podcast cycles I listen to, Brad McKay’s “The Art of Manliness” is one of my favorites. Brad is skilled in many ways, but his approach to questioning the experts he invites on the show provides practical insights you can implement in your ongoing journey to become a better man. For instance, in one of his latest podcasts featuring Michael Chad Hoeppner, the author of “Stop Saying ‘Um,’” I gleaned some valuable nuggets that I want to share here.

 

Michael discusses the concept of creating a virtuous cycle. To illustrate this, he compares looking through binoculars, where your left hand resembles the letter ‘C,’ and your outer right hand appears as a capital ‘D.’ He suggests talking as a blend of content and delivery, where joining your hands forms a reinforcing loop. Pausing to breathe, embracing silence, and enhancing your voice’s vocal variety by expressing your content’s emotions through precise enunciations can significantly improve your delivery. When your delivery is strong, you sound better and project confidence and empathy, boosting your self-belief.

 

Michael argues that talking is a physical act, much like any sport or physical activity. It takes about 100 muscles to perform this miracle that we often take for granted. The more intentionally we warm up and practice, the better we become at delivery, whether in first meetings, on dates or when speaking to teams or large crowds. One quote that resonated with me was when he said: “Talking is just a series of decisions. It is a flowchart of words where your brain performs the miracle of choosing one word after another and assembling them into a system that can be meaningful, powerful, and persuasive to others. So embrace that decision-making process you engage in all day, and don’t shy away.”

 

In his book, Michael presents practical exercises, such as using a Lego during your delivery to help you tolerate silence, be concise, and eliminate fillers like ‘um’ or ‘does that make sense’ (something I often do from my teaching/professor days). Instead of rushing through your ideas, slow down before picking up the

next Lego brick. With our world shifting to audio communication through Zoom meetings, he suggests another exercise: walking your fingers across the table while delivering your idea, pausing, and then walking them back. These practices can prevent you from rambling and help create meaningful conversations.

 

Michael also emphasizes how focusing on enunciation can benefit us by encouraging a slower pace. This idea is not new; it dates back to ancient Greece. The orator Demosthenes practiced by placing round pebbles in his mouth, a technique noted by the historian Herodotus. You can replicate this by using a wine cork or a toothbrush on the side of your mouth, ensuring every syllable is clear and pronounced, even with the impediment in your mouth.

 

Another tool that actors and voice actors use is tongue twisters. I used to enjoy them in high school without realizing that voice specialists utilize tongue twisters as warm-up exercises, like the examples below.

 

Making eye contact, reading cues, and gathering feedback are crucial in conversations and when addressing teams or crowds. Observe individuals in the audience and try to elicit nonverbal cues to determine whether your message resonates. Shift your focus to different people throughout the room. In large audiences, making eye contact with everyone is unnecessary—if you’re speaking to thousands, that would be impossible. However, your communication naturally strengthens by connecting with individuals in various sections. Eye contact enhances engagement and makes your message more impactful.

Three AI Frameworks adoption model for Organizations

 

Leaders are scrambling today to somehow integrate AI into their organizations. Many companies and institutions who are at the forefront of this have written some whitepapers, and I have picked 3 AI Usage Frameworks that I liked for developing your own Organizational AI Adoption Plan. A good plan, like any, should bring cross-functional leadership to the table and discuss a model and a plan before driving the implementers or engineers to adopt it because everybody else is doing it. 

---------------------

Microsoft’s AI Maturity Model proposes the stages of AI adoption in organizations and how human involvement changes at each stage:

 Source: https://devblogs.microsoft.com/azuregov/fed-agencies-exec-order-ai-part1/

• Provide a framework for Federal agencies to shift from Cultural Shift to Ownership, recognizing governance, innovation, risks, and compliance as key pillars. 
• Assisted Intelligence: AI provides insights, but humans make decisions.
• Augmented Intelligence: AI enhances human decision-making and creativity.Mic
• Autonomous Intelligence: AI makes decisions without human involvement.                                                      

HBR's Human-AI Teaming Model outlines a framework for this type of collaboration. It emphasizes that AI should augment human work rather than replace it.

• AI as a Tool: AI supports human decision-making by providing data-driven insights.
• AI as a Collaborator: AI assists humans by sharing tasks and improving productivity.
• AI as a Manager: AI takes over specific management functions, such as scheduling or performance monitoring.

Source: Human-AI teaming: leveraging transactive memory and speaking up for enhanced team effectiveness

The “Human-in-the-Loop” AI Model (MIT) ensures that humans remain integral to AI processes, particularly for tasks requiring judgment, ethics, and creativity.

Source: Human in the Loop AI Training

• Active learning is a form of human-in-the-loop training in which the model selects the data to be annotated. This helps in rapid model iteration and reduces by 10x annotation requirements, making these models augmentative ready and efficient. AI Automation: 
• Tasks AI can handle entirely.
• Human-in-the-Loop: Tasks where humans make critical decisions or review AI outputs.
• Human Override: Tasks where humans can override AI outputs in sensitive areas.

PwC’s AI Augmentation Spectrum highlights six stages of human-AI collaboration:

Source: Human-AI Augumentation Model (pwc)

PWC believes that content generation will fall into a couple of scenarios: human-created, AI-created, AI-created and validated, and AI-created augmented. And this will evolve a process that builds an exciting and creative AI-augmented human society with a broad spectrum of co-creation. AI as an Advisor: Providing insights and recommendations.

• AI as an Assistant: Helping humans perform tasks more efficiently.
• AI as a Co-Creator: Working collaboratively on tasks.
• AI as an Executor: Performing tasks with minimal human input.
• AI as a Decision-Maker: Making decisions independently.
• AI as a Self-Learner: Learning from tasks to improve over time.