CyberWire Daily - Identity 3.0. [CSO Perspectives]

Episode Date: October 21, 2024

Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, turns over hosting responsibilities to Kim Jones, the Managing Director at Ursus Security Consulting. He takes a first principles look at the idea of identity.

Check out Rick's 3-part election mini-series:

- Part 1: Election Propaganda Part 1: How Does Election Propaganda Work? In this episode, Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses personal defensive measures that every citizen can take, regardless of political philosophy, to resist the influence of propaganda. This foundational episode is essential for understanding how to navigate the complex landscape of election messaging.
- Part 2: Election Propaganda: Part 2: Modern propaganda efforts. In preparation for the US 2024 Presidential Election, Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses recent international propaganda efforts in the form of nation state interference and influence operations as well as domestic campaigns designed to split the target country into opposing camps. Guests include Nina Jankowicz, Co-Founder and CEO of The American Sunlight Project, and Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber.
- Part 3: Election Propaganda: Part 3: Efforts to reduce the impact of future elections. Thinking past the US 2024 Presidential Election, in part three of the series, Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses reducing the impact of propaganda in future elections with Perry Carpenter, Chief Human Risk Management Strategist at KnowBe4 and host of the 8th Layer Insights Podcast, Nina Jankowicz, Co-Founder and CEO of The American Sunlight Project, and Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber.

References:

- Olivia Gulin, Tomberry, Peter Steiner, Alan David Perkins, 2012. On the Internet, Nobody Knows You’re a Dog [History]. Know Your Meme.
- Staff, 2019. US Patent for Mutual authentication of computer systems over an insecure network [Patent]. Justia Patents Search.
- Staff, 2023. Federal Bureau of Investigation: Internet Crime Report [Report]. Internet Crime Complaint Center (IC3).
- Staff, 2024. Data Breach Investigations Report [Report]. Verizon Business.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. Hey, everybody. Welcome back to Season 15 of the CSO Perspectives podcast. This is Episode 5, where we turn the microphone over to our regulars who visit us here at the N2K Cyber Wire
Starting point is 00:02:05 Hash Table. You all know that I have a stable of friends and colleagues who graciously come on the show to provide us some clarity about the issues we are trying to understand. At least, that's the official reason we have them on the show. In truth, I bring them on to hip-check me back into reality when I go on some of my more crazier rants. We've been doing it that way for almost four years now. And it occurred to me that these regular visitors to the hash table were some of the smartest and well-respected thought leaders in the business. And in a podcast called CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them for an entire show to see what's on their mind.
Starting point is 00:02:45 We might call the show Other CSO Perspectives. So, that's what we did. Over the break, the interns have been helping these hash table contributors get their thoughts together for an entire episode of this podcast. So, hold on to your butts. Hold on to your butts. This is going to be fun. My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. I just recently met Kim Jones, and to my astonishment, he's almost exactly my career doppelganger. He's a West Pointer, graduated a year after I did, and served 10 years in the U.S. Army as an intel officer, became a serial CISO in
Starting point is 00:04:06 the commercial world, taught at various universities, and is on the advisory board of several startups. When I met him, it was like looking in the mirror, only he's way better looking than I am. So I asked him to take a new look at my first principle zero trust strategy and the tactic of identity. He calls it Identity 3.0. Here's Kim. Rick, thank you for having me on. It's been a pleasure and a privilege to get to know you. Thank you again for allowing me to speak on a topic that's near and dear to my heart. The latest Verizon data breach investigations report cites stolen credentials as a core component in almost one-third of breaches.
Starting point is 00:04:49 As increased scrutiny and liability continues to mount around data breaches, there's been a concurrent upswell in the industry around how to improve identity and access management, or IAM for short. Many of these discussions have centered around how artificial intelligence might create new opportunities to improve the existing IAM paradigm. While I'm happy these discussions are taking place, so far they're mere updates to what's come before. Just as technological improvements such as cloud technologies and wireless connectivity have for the most part simply migrated old problems into new technology arenas, applying new technologies to the existing identity construct will at best represent a speed bump to our adversaries.
Starting point is 00:05:45 security community are serious about re-engineering identity, then it's time to have a first principles discussion that questions the assumptions around our existing approach to the problem. I intend to start that discussion here today. Now, please understand that I'm not here to convince you that my principles are the only possible right answer. Rather, I want to achieve two things. Number one, I hope to help the community step back and reassess the challenges of digital identity by taking a first-principles-based approach. And number two, and most importantly, I hope to spark a dialogue that takes us in a different direction beyond just making tint control changes to the existing tool sets and technologies.
Starting point is 00:06:26 And yes, for you old-timers out there, tint control is a direct reference to the old comic strip Bloom County. If you disagree with my proposed principles, that's perfectly fine. If this discussion prompts you to think about the problem even just 5% differently than you did before, then I've succeeded. So let's get into it. For my purposes here, identity is the unique set of characteristics that can be used to distinguish an entity as itself and as nothing and no one else. Most importantly, though, is its purpose. Identity is the primary
Starting point is 00:07:14 basis of a relationship. Step back for a second. What comes to mind when you think of mother, spouse, boss, friend, coffee? Those words and the identities they represent convey relational information instantaneously. We make presumptions and draw conclusions based solely upon identity. If you had positive relations with your parents, for example, then the identities of mother and father may invoke positive emotions when you hear those terms. And, by the way, if you're a coffee drinker, like I am, and it's morning, then the identity coffee may elicit equally strong reactions. Identity forms the beginning of that relationship experience. Now, sticking with the relationship analogy, say you receive a text from someone claiming to be your father, asking how your date went last
Starting point is 00:08:11 night. You verify that the phone number is indeed your father's. You remember you mentioned the date to him a few days before. And while your relationship with your father is cordial, he's no longer the intimate confidant he was when you were, say, nine or ten. Thus, instead of a detailed account of the evening, you tell him the date went well and that you're going on a second date soon. Within the space of a few seconds from the time you received that text, your personal central processing unit performed the follow-on tasks associated with identity: authentication, verifying the phone number and the fact that your father did indeed know about the date; authorization, deciding that your father is allowed to know more about the date and should receive an answer to his query; and access, determining how detailed an answer you intend to give. These decisions start with the relationship represented by the identity of the entity
Starting point is 00:09:10 with whom you are interacting. Now, this is the point where things begin to get tricky. With in-person interactions, which I'm calling atomic interactions, the establishment and authentication of identity can be relatively simple. For example, I see my friend Stash, I recognize my friend Stash, I buy Stash a cup of coffee and we catch up.
Starting point is 00:09:35 When atomic interactions are limited or removed altogether, on a Zoom call, for example, especially where video is disabled, through emails or through text, or even with phone calls, things can become ambiguous fairly quickly. Here are some of the reasons why. Reason one, uniqueness requires complexity. Consider four pictures you would find on the internet if you searched for my name, Kim Jones. One might be a picture of a female
Starting point is 00:10:06 Filipino influencer. One might be a picture of the female rap artist, Lil' Kim. A third would be of a female NFL reporter working for a major sports network. And a fourth would be of a male British fashion designer. It's not the differences between these individuals that I want to point out here, but their similarities. Specifically, any of these individuals could claim to be me if only a name was used as an identity. It would still be difficult for Kim Jones, the Filipino influencer, to masquerade as Kim Jones,
Starting point is 00:10:44 the old security guy, to someone who knows me. And let's be honest, why would she want to? Conversely, anyone who's heard me sing would know that, gender notwithstanding, I could never pretend to be the rapper Lil' Kim. Online, though, any of these individuals could begin the process of accessing data that is restricted to my personal use by honestly and truthfully providing their names. One of the ways the traditional model of identity attempts geolocation data in authorizing financial transactions. If someone attempts to buy a television in, say, Phnom Penh using my debit card number, my bank will most likely flag the transaction as fraudulent given that I live in Arizona. flag the transaction as fraudulent given that I live in Arizona. As we provide more data to organizations, it's theoretically possible to create a unique identity using seemingly innocuous, non-regulated information. Some organizations have taken to calling these identities fingerprints
Starting point is 00:11:58 and the process fingerprinting. Reason two, atomicity breaks complexity. Once created, organizations store and secure identity in an atomic fashion. In other words, they give identity a level of pseudo-physicality by capturing it in a file or a database of some sort. Our model of identity requires this in order for a user to enter into the enterprise and begin the relationship. Unfortunately, once identity is given an atomic dimension, that identity becomes a type of token, and tokens can be tampered with or stolen. In my debit card example, what would happen if my identity token was modified to remove the geolocation flags? Possibly one or more Cambodian families would be enjoying new big screen TVs as gifts from me. Further, repositories of these identity tokens, such as Active Directory, represent high-value targets for bad actors.
Starting point is 00:13:01 Now, as a quick side note, I want to note that I am not going to discuss adding complexity to the authentication process, such as multi-factor and or out-of-band authentication, because first, such methods are merely attempts to compensate for the fundamental weaknesses in the identity construct that I am discussing, and second, despite their own complexities, these efforts are also breakable and bypassable with effort. Our tokenized atomic identity also has the challenge of being universal
Starting point is 00:13:34 within the enterprise. The identity defines all interactions within the given enterprise without exception. A compromised or stolen token grants authorization and access to all predefined and preauthorized repositories for all predefined transactions unless or until I change out the token. Until that token is changed or revoked, the possessor of that token now has the same relationship associated with that identity as I did. Think about that for a second when someone proposes biometrics
Starting point is 00:14:06 as the solution to the identity conundrum. So our atomic-based identity paradigm is insufficient for a digital world. As we become more digitally connected and less personally connected, it becomes easier to impersonate anyone and therefore take over the associated relationship. As processing speeds improve, practical AI leaves its infancy, and the specter of quantum computing looms, it's time to reconsider the fundamental principles upon which identity should be built. Bluntly, we need to eschew the atomic model altogether. I suggest the following principles.
Starting point is 00:14:53 Principle one, identity should be bidirectional. The current identity paradigm reminds me of Peter Steiner's 1993 New Yorker cartoon. It's a drawing of two dogs, one sitting at a desk with a computer on it, the other sitting on the floor looking at the dog. And that's our show. Well, you know, part of it. There's actually a whole lot more,
Starting point is 00:15:20 and if I do say so myself, it's pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to the cyberwire.com slash pro and sign up for an account. That's the cyberwire, all one word, dot com slash pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus you get a whole bunch of other great stuff like ad free podcasts, my favorite exclusive content,
Starting point is 00:15:55 newsletters and personal level up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro at n2k.com and we'll figure something out. I'd love to see you over here at N2K Pro. One last thing, here at N2K, we have a wonderful team of talented people doing insanely great things to make me and this show sound good. And I think
Starting point is 00:16:38 it's only appropriate you know who they are. the president of N2K. I'm Peter Kilby, the CEO and publisher at N2K. And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening. Thank you. and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
