It would be fun to record some of my answers to my cybersecurity course.
Propose a NIST-style recommendation for passwords.
A recommendation for an enterprise is to require passphrases combined with MFA instead of making users do gymnastics to come up with a complex combination of uppercase, lowercase, and special characters when creating a password. Another policy recommendation is to allow or mandate a password reset whenever the enterprise experiences a breach or an individual's credentials are compromised. A third recommendation is to move toward the passwordless authentication models the FIDO Alliance proposes, using biometrics and hardware tokens. The advantage of these ideas is that they strengthen security practice while balancing user comfort with security hygiene and avoiding frustration for users.
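As an added example (not part of the original post), the following check encodes the recommendation above in the style of NIST SP 800-63B: a candidate secret is judged by length and by whether it is already known to be compromised, not by character-class rules, so a plain passphrase passes. The blocklist, length limits as constants, and the sample usernames are constructed for the example.

```python
"""NIST SP 800-63B-style password acceptance check (added example)."""
import re
import unicodedata

MIN_LENGTH = 8      # SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64     # verifiers should accept at least 64 characters

# Constructed stand-in for a breach-corpus / common-password blocklist.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s: str) -> bool:
    """True for strictly ascending code points such as 'abcdefgh' or '12345678'."""
    return len(s) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(secret: str, username: str = "") -> list[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.

    Deliberately absent: any uppercase/digit/symbol composition rule.
    Length and a compromised-credential blocklist do the work instead.
    """
    s = normalize(secret)
    reasons: list[str] = []
    if len(s) < MIN_LENGTH:
        reasons.append("too short")
    if len(s) > MAX_LENGTH:
        reasons.append("too long")
    if s.lower() in BLOCKLIST:
        reasons.append("known compromised or common")
    # Context-specific words (the account name itself) make poor secrets.
    if username and username.lower() in s.lower():
        reasons.append("contains username")
    # Repetitive ("aaaaaaaa") or sequential ("abcdefgh") secrets.
    if re.fullmatch(r"(.)\1*", s):
        reasons.append("single repeated character")
    if is_sequential(s):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Ab1!", "PASSWORD"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```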
What does it mean if a website "leaks" information? What sort of information might a (poorly designed) website actually leak in practice?
A website whose backend is misconfigured may unintentionally expose its config file or unsecured log files, which can be mined for user credentials, or it may expose a poorly designed database schema or database architecture that invites SQL injection attacks; these are examples of a website leaking information. The website may also expose phone numbers and email addresses, enabling social engineering attacks by threat actors. A website or web app that uses unprotected, outdated, or poorly configured APIs can expose tokens or dump raw JSON output, allowing data theft and control over information. On poorly designed websites, administrative credentials can also be compromised when user credentials are exposed in plain text and log files.
Suppose your boss asks you whether the company should use single sign-on (SSO) for the company's web app. Explain in a short paragraph why you might want to use SSO. But also explain why you might not want to use SSO.
An enterprise today, be it small, medium, or large, uses many types of applications in its environment. Identity management is crucial for protecting our employees and the organization's digital assets and for helping employees improve security, adhere to policy, and avoid password fatigue. These are the primary advantages I propose for using and enforcing single sign-on (SSO) in the enterprise; access management and layered security are further advantages. An argument against SSO is that, if introduced as the single point of entry for identity management, it carries a high risk of also being the single point of failure. Costs and licensing, depending on how you go about it, can affect your operational expense budget. I saw this first hand at the global non-profit I served, where securing 1500 licenses meant per-user cost increases with the identity management solution provider we used. Another disadvantage was the increased complexity of integrating SSO with legacy software that was not designed to be accessed that way; the need to re-engineer or rebuild those apps pushed the overall costs up.
Suppose your boss's boss asks you whether the company should require password managers for all employees. In a short paragraph, explain why you might want everyone to use a password manager. But also explain why you might not want everyone to use one.
A password manager is a must in an age where individuals and organizations have a huge number of passwords to store, protect, and use to access their apps and systems to get work done. Remembering all these passwords, reducing the risk of weak passwords, reducing the risk of password reuse, and going through the gymnastics of making complex passwords that no one can remember are challenges that password managers easily overcome. Protocols for removing access when employees are fired, transition and management of the systems they had access to, and break-glass features for super admins who may leave are useful features that password managers provide. An argument against everyone using password managers is that they create a single point of reliance: if the vendor is attacked, all your credentials could be compromised. Many vendors allow individual accounts to be connected with corporate accounts, and without clear policies, cross-contamination of passwords or password theft could occur. Employees have to be trusted with critical accounts, a backup escalation policy may not be in place, which could create potential threats for the enterprise, and, of course, costs keep rising whenever the password manager vendor raises the price per license.
Play The Password Game -- try to get through at least Rule 12.
While the game itself is obviously meant to be humorous in many ways, it also critiques the experience many of us have when setting up new passwords. Explain, in at most a short paragraph, how there's a trade-off between usability and security in the context of passwords.
Easy passwords are easy to remember and straightforward to set up but vulnerable to attack, while very complex passwords are hard to set up and hard to remember. The trade-off between usability and high security is always a matter of debate, frustration, and disruption of the user experience in accessing and using applications. A password policy and login-interface design that balances user experience, password hygiene, and high security is tricky to achieve, but it needs to be pursued during a period of heightened fraud and targeted attacks. As a software product architect, I strive and advocate for balancing security and usability so that users get a smooth experience, see that we take security seriously, and are won over with delight. However, every use case and environment is different, and trade-offs have to be considered. A military application that controls nuclear weapons or scrambles fighter jets differs significantly from an entertainment game app on a mobile phone, and each requires its own evaluation and balancing of these trade-offs.
Authenticated vs. Authorized
In no more than three sentences, what does it mean to be authenticated but not authorized to access some web page?
Authentication means your identity checks out with the app or system: your access is validated and verified, and you have the key to get in. Authorization, however, corresponds to the permissions, roles, and attributes that govern access to a resource, page, or asset. Being authenticated but not authorized means you are a valid user but lack the necessary role, privileges, permissions, or attributes to access the content or assets or to perform specific actions.
Inherence Factor
Identify something that would typically be considered an inherence factor.
During authentication, an inherence factor is something the user inherently possesses, like a fingerprint, iris scan, voice, or face that is unique to the person. Biometric authentication, like fingerprint access on our Mac laptops or phones or facial recognition in Windows 11, adds layers that are harder for threat actors to replicate or break. Inherence factors are considered to provide a higher level of security: first, inherence is intrinsic, unique, and associated with the individual; second, it is harder to replicate. Thirdly, my favorite is that it's far more convenient to use my fingerprint or look at my computer than to remember a password.
2FA vs 2SA
In no more than a short paragraph, distinguish between two- (or multi-)factor authentication and two- (or multi-)step authentication.
MFA or 2FA requires multiple authentication factors: knowledge (something you know, like your password), inherence (something you are, like a biometric fingerprint or facial scan), and possession (something you have, like a Yubico USB key or a hardware token). Two-step authentication (2SA) is similar, but it could simply be the user's password plus a generated code that you must validate via email or text. Though both methods enhance security, MFA is stronger, as it provides layers of defense that are harder for threat actors/attackers to replicate.