In this episode, we are returning to the Security Design Principles series, this time with Complete Mediation.
Complete mediation means the system checks that the user trying to access a file or perform an action is authorized to access that file or perform that action.
Complete mediation is also implemented in the security reference monitor (SRM) in Windows operating systems. The SRM checks fully and completely that a user has access to perform an action each time they try to perform it.
It also ties back to one of the three As of cybersecurity, Authorization, since the user has to prove they have access to something when they request it.
Complete mediation can be a huge challenge to usability, and it might be something that interferes with your operations. That’s where you need to understand that the security design principles are not a compliance list and that you should use them to enhance your systems. You should not be trying to get every principle to 100%.
Kip Boyle:
Hey, everybody, welcome back. This is Your Cyber Path. We’re the podcast that’s going to help you get into your cybersecurity career, or if you already have your career underway, we are going to help you accelerate your career, get more compensation, more responsibility. That’s what this show is all about. I’ve got Jason Dion here to help me do that. Hey, Jason.
Jason Dion:
Hey, it’s great to see you again, Kip, for another episode of Your Cyber Path.
Kip Boyle:
Oh, yeah, listen, I’m really happy that we continue to be able to make these episodes available, and I got to say, I mean, I just think it’s fun to get on here and just talk with you about some stuff. Just share what we know. We want to hear from you. By the way, if you’re listening to this podcast, we’d love to hear what you think about it. If you have a suggestion for a topic, maybe you’re struggling with something at work, you’re trying to figure out how do I do well at this? And it could be a technical thing or it could be more of a people oriented thing, right?
Because we talk about how you’ve got to be successful with hard skills and also the so-called soft skills or the people skills. It doesn’t matter, if you’re struggling in one of those areas and you’re not sure what to do or how to deal with it, just come on over and pitch us your question. And we’ve got a spot on our website, yourcyberpath.com, where you can do that. Do you remember what the URL is for that, Jason? I don’t remember off the top of my head.
Jason Dion:
Yes. So if you go to yourcyberpath.com/ask, A-S-K-
Kip Boyle:
It’s easy.
Jason Dion:
Yes. So you could ask your question of Kip and Jason, and in there it has the ability for you to enter your question in and do it by audio, which saves you a lot of typing. And you can simply go in there and say, “Hey, Kip and Jason, here’s my question.” And in one to three minutes, give us a little background of your issue, what’s going on in your world, what your question is, and that helps us answer the question better. For example, I get a lot of questions from people who say, “Hey, I want to become a pen tester. What should I take next?” And I’m like, “Okay, well, where in the world do you live? What’s your background? What certs do you already have? What degrees do you already have? How many jobs have you already had?” All that goes into my answer of what should you take next?
Because if you’re a brand new person, you should probably start with A+, Network+ and Security+ to learn the fundamentals before going to become a pen tester. But if you’ve been in the industry for five, 10 years and you’ve been an IT administrator and now you’re like, “I want to move into cybersecurity,” it’s a different answer. And so knowing your background is going to help us give you a better answer. So please, if you’re leaving us one of those questions, the more information you can give us, the better we can help you. On the other side, don’t give us so much information that it’s a 20-minute podcast episode you’re leaving us, one to three minutes helps, it gets us through quickly so we can try to answer your questions. And you can do that at yourcyberpath.com/ask, A-S-K.
Kip Boyle:
I forgot we made it so easy. That’s cool.
Jason Dion:
I always make it easy, Kip. That’s my thing. So if you’re thinking, “What is it?” It’s probably the thing you think it is.
Kip Boyle:
Probably. Yeah.
Jason Dion:
Like, “Hey, where’s the beta exam?” It’s at the slash beta page.
Kip Boyle:
Well, I’m grateful that you bring that to the team, so thank you. All right, so what are we going to talk about today? Well, in previous episodes we’ve mentioned that there are 10 security architecture and design principles that are so amazing and so useful that they were originally published in a paper in 1975. I got to think that a lot of you who are listening right now, you weren’t even around in 1975.
Jason Dion:
[inaudible] listeners, Kip. I wasn’t around in 1975.
Kip Boyle:
I was, but I wasn’t thinking about cybersecurity or computer security or any of this stuff. So-
Jason Dion:
You were a little child.
Kip Boyle:
I was, I was a little snot-nosed kid running around causing havoc for sure. So we’re going to do one episode for each of these principles so that you can understand each one and use them on the job. That’s what we really want to see you do. What we found is that when we use them on the job, quality of our work is higher and our supervisors are happier with what we are doing because all the technology around is changing all the time. These principles endure. They don’t change very often. Last time we talked about something called fail-safe defaults. I think we beat that one to death. So let’s not talk about that anymore. Today we’re going to talk about one of Jason’s favorite security design principles, the one he complains about the most, right, Jason?
Jason Dion:
Yeah. So it’s not that I complain about it except the fact that I hate the way that they call it this because-
Kip Boyle:
That sounds kind of like complaining.
Jason Dion:
The title for it makes no sense to me. The thing makes sense and I understand it, but the title, for those in the audience who are wondering what the heck are these guys talking about, it says, “Complete mediation.” And when I hear that, I’m thinking about a husband and wife going to the lawyer’s office trying to work through their problems and talking through it so hopefully they don’t get a divorce. And to me, that’s what I think about with mediation. And I know that’s not what we’re talking about here, Kip, but that’s what it’s titled and that’s why it annoys me is because it’s called complete mediation. I’m like, “What the heck does that have to do with cybersecurity?” And once I looked at the definition, I’m like, “Oh, yeah, I use that all the time.” But just the words complete mediation didn’t make sense to me. So what is that definition, Kip? What does that security design principle of complete mediation mean?
Kip Boyle:
Well, I’m going to tell you, but first I want to tell you why it’s called complete mediation because the people who wrote this paper that we’re pulling this information from, super smart guys, but they came out of academia. So I mean, we know, when we read an academic paper, it’s obvious. And so that’s one of the things that’s going on here is we’re kind of translating a little bit from a clinical, fairly sterile view of how this all works. We’re trying to bring it into the real world and turn it into a practical tool for you. So in the paper they say complete mediation means that the protection mechanism should check every access to every object.
Now, I’m going to tell you what that means in the digital sense in a moment, but first I want to offer you a real world example, something that we have all experienced, some of us more often than others, which is airport screening. So when you go through the airport screening, you’re trying to get on your airplane, every single person, every single object that passes through the security checkpoint, which by the way is also called a choke point, which is another security design principle that somebody else shared, we’ll talk about that some other time, is inspected. So when you go to the airport, there is complete mediation. That’s one of the real world examples I have. Jason’s got one right?
Jason Dion:
Yeah. When I was reading through it and I was thinking about these protection mechanisms, you need to check every access to every object. I was thinking back to when my kids were little and they’d come up to mom and they would say, “Hey, mom, I want to get a snack from the kitchen. Is that okay?” And she’d say, “Well, what snack do you want?” And they’d say, “Oh, I want a Snickers bar.” And she’d be like, “No, you can’t have that, but you can have some grapes.” Okay. And they go to the kitchen to get their grapes and they eat their grapes. And then if they didn’t want to go ask mom again, they go back to the kitchen and get more grapes, but they’re not supposed to because they were only permitted or allowed access to that object at that particular time. And then once they were done with it, if they want to come back three hours later, they had to ask again, right?
“Hey, can I have some more grapes now?” We don’t want to ruin their dinner. And that’s the way I think about this protection mechanism is every access every time on every object, everything should be checked. And I know we do this all the time in the digital world and it happens all the time behind the scenes without even realizing it. When you’re logging into your email, when you’re logging into your computer, when you’re logging into different programs, when you’re accessing things over the network, all of these things have different access checkpoints for each object you’re trying to access, whether it’s a file, whether it’s a website, whether it’s a port, all those type of things. You were talking about the digital part so let’s switch back over to the digital parts and how do we do this in something like Windows?
Kip Boyle:
Right. So here’s where we’ve got to go a little on Windows internals, right? I’m not trying to turn everybody here into a programming expert or an API expert or anything like that. I’m going to keep it as simple as I can, but it is important to understand that deep inside of the Windows operating system, every Windows operating system since Windows NT, which was a long time ago, there is something in there, a little piece of logic, a little piece of code called a security reference monitor. SRM is what it’s often referred to. So if you went and read the Windows API or the developer documentation, you’ll find this in here. Okay. So now what is the SRM? Well, we talked about this in the last episode when we were talking about fail-safe defaults, but the SRM is doing that complete mediation.
Every time you try to access something that has an access control list that can be restricted from users, then that’s what the SRM does is it checks to see are you really allowed to look at this thing? And that’s the complete mediation. Now, here’s something though that we have to understand about Windows is that it was originally designed, this SRM, to do complete mediation. In other words, if I touched a file and then I came back and touched it again right away, the SRM should check fully and completely both times who is this and are you allowed to get to this resource? Well, in early versions of Windows, it turned out that by doing that it was like trying to get through the checkpoint at the airport. Super, super slow. Now, when you go through the checkpoint at the airport, speed is not their top priority.
We know that, right? We live that. But in an operating system, if you can’t use it’s so slow, no one’s going to buy it, no one’s going to use, it’s optional. So Microsoft said, “Yeah, that’s not going to work.” So what they did is they actually made some compromises to this complete mediation principle. And so instead of checking every single time you try to access a file or folder, the SRM just checks to see if you’ve been fully authenticated once in the past few hours. And this is a setting that you can actually manipulate if you want. But this shortcut does a couple of things. It speeds things up a lot, and it also keeps you from having to type your username and password every single time you want to access something, even if you just accessed it two seconds ago. So this whole idea of complete mediation doesn’t always work in the real world, and it certainly didn’t work in Windows. And so that’s how it’s actually implemented. Now, there’s some downsides when you compromise on these principles, right, Jason?
Jason Dion:
Yeah, most certainly. And before we go into those, I do want to talk about the fact that like you said, with Windows, we were doing this caching mechanism using these tickets, right? And if anybody’s ever heard of the term a golden ticket or a silver ticket, those are things we’re talking about here in the Kerberos ticketing system inside of Windows. But again, that goes really in depth and we’re not going to go dive all the way in there. But the point I wanted to make here is that in the Windows system, they are using these cached credentials as a mechanism to speed things up. But that doesn’t mean that every system does that. And as we keep moving forward and people keep talking about zero trust, we have these checkpoints over and over again where you don’t use these cached credentials or use a very, very short time on those cached credentials.
In the old days, it’d be very common to authenticate once and use that same ticket for 24 hours or even up to seven days in some cases. And nowadays, we don’t usually allow those to be any more than an hour at most because of that caching and the fact that our systems are so much faster and the way to reach a system, we’re not using a 10 megabit per second CAT3 ethernet anymore, we’re using gigabit ethernet or 10 gig ethernet. So another authentication isn’t really going to slow us down that much. And so now we can have more security and less of that caching going on. So that’s one of the things I think it’s important for you guys to think about that as we talk about this.
Kip Boyle:
And of course, when Windows NT first came out, we were using 486SX processors with four megs of RAM, right? So the hardware just didn’t have the oomph to push around the complete mediation as it was originally designed. I think if we designed Windows again today, we probably could do it, right? We wouldn’t probably ask somebody to authenticate, but we probably could afford the processor time to actually do complete mediation from that point of view. But that’s a good point that you’re making is that with zero trust networking and zero trust architectures, we are actually going back to a more complete mediation implementation. And so that’s another actually really productive way to think about it. Now, another point that I want to make is that with multifactor authentication these days, guess what? You’re also using authentication tokens, which is conceptually very similar to the shortcut that Microsoft made when it used these Kerberos tickets in order for you to have a token in your digital hand and run around the network and just access all kinds of stuff without having to go through a security checkpoint every time.
Well, in the web world, when you authenticate to a website, you are getting a little session cookie on your computer. And that’s how a lot of multifactor authentication schemes are being exploited these days is that the criminals are figuring out if they can just reach into your browser cache and pull out that authentication token, then they can run around and impersonate you for a long, long time. So another example of how complete mediation when it’s not completely implemented, these shortcuts that we take sometimes on these architecture and design principles can have nasty consequences. So we have to be really thoughtful and really careful when either we design exceptions or if like when you work with a programmer team and they come to you and they say, “Hey, listen, our web app cannot handle complete mediation. We’ve got to find some way to speed this thing up,” and they want you to help them figure out how to make those compromises, it’s your job to help them figure that out. Just do it smartly. That’s what we want to encourage you.
Jason Dion:
Yeah, I think the big thing there is, remember that these are principles and they don’t have to be followed 100%. They are not hard and fast rules that you must do. No one’s going to come by and say, “Oh, you missed principle number six. Sorry man, you fail.” That’s not the way it works.
Kip Boyle:
[inaudible].
Jason Dion:
Yeah, these aren’t compliance requirements necessarily, but they’re good principles for us to use as we think through the designs of our system. And you and I are deep in the throes of designing our system for our website over at Accolade.
Kip Boyle:
That’s right.
Jason Dion:
And we are in version two at this point going into version three, and there’s a lot of different functionalities we’re adding, and those are discussions that we’re having on a daily basis with our programming team where they say, “Well, it’s going to cost this much to implement this level of security, or it’s going to cause this much delay every time somebody wants to access your website because it’s going to take 30 seconds because they’ve got to go through a two-factor authentication for every page you load.”
Well, we don’t want to do that. So we have to start making design choices where we might say, “Okay, we don’t need complete mediation anymore. We need 80% mediation.” And once you’re in the system and we’ve checked you once or twice, what are they going to say? You’re good for the next, I don’t know, 30 minutes. We make those decisions as a design principle. The other thing I think it’s important we talk about this complete mediation is remember, this ties back into our triple A’s of security, our authentication, our authorization, and our accounting. We talked a little about accounting and some of our earlier design principles we talked about you need to log everything so you know what’s going on? But when we talk about these triple A’s, the first part is that authentication, right?
We need to make sure you are who you say you are. So when somebody goes to my website, I can say, “Oh, that was Kip. He logged in with Kip@emailaddress and his password. I know that’s Kip now because only Kip should have his username and password.” And then we can say, “Now that I know you’re Kip, what things can Kip access?” And so if you’re trying to access your exam results, but you are not an admin and you can only access your exam results and not everyone’s exam results. And so those are those authentication pieces where the authorization comes into it and says, “Okay, now that I know you’re Kip and I know you’re an admin, you can see everyone’s test scores. Or now they know you’re Kip and you’re just a student account, you can only see your account and your scores.”
And then we would log that by having the accounting function as well. And so all of that does tie back into this complete mediation. And if you’re trying to prove that you’re doing complete mediation, you’d be able to look at those logs and see that. Again, the challenge here though is if we’re doing complete mediation, that’s every access, every object, every time. And I can think about just me on a daily eight-hour basis when I’m in front of my computer, I’m accessing a lot of files, a lot of emails, a lot of websites, a lot of network connections. And that would be pages and pages and pages in our log files just for me. And I’m one user, and if I expand that to the last network I ran where I had a million end users, that is a lot of logging, and that costs us a lot of money to build log it all.
And so going back to our logging principle, we decide how much of that we’re going to log. Are we going to log all the successful attempts or just the unsuccessful ones or both? And all those kinds of things go into playing when you start using these security design principles together. And it is really hard to talk about each one individually because they do interconnect so much.
Kip Boyle:
Excellent examples. Really appreciate that, Jason. We could continue to beat on complete mediation, but I think we’ve actually done a pretty good job and we should probably quit while we’re ahead. What do you think?
Jason Dion:
It sounds like a good plan, Kip.
Kip Boyle:
Okay, cool. Well, listen, as we wrap up this episode, I just want to remind you that we’ve got a few more security design principles to go. So we’re going to have I think, three more episodes in order to hit that 10 because there’s 10 altogether. And then, I don’t know, maybe we’ll release a greatest hits album. Who knows? Don’t know what we’re going to do. But listen, if you’re interested in accessing our show notes or if you see the entire transcript of this episode, you’re welcome to it. You can do whatever you want with it. All you have to do is go to yourcyberpath.com/, and then put the episode number in, and then it’ll take you right to the dedicated webpage for each episode.
Not just this one, but really any episode that you want to access. And another suggestion I have for you is why don’t you sign up for my mentor notes. So this is about a 500 word email I send out every other week with actionable advice to help you accelerate your career or start your cybersecurity career. So if you go to yourcyberpath.com, you can sign up for it there. If you don’t like it, just unsubscribe. It’s totally cool. We’re not going to put you on a no-fly list. Everything’s going to be fine. We’re still going to like you, but just give it a try. See what happens. Any last words, Jason?
Jason Dion:
No, I think you covered it. And again, this episode was 109. So if you want to visit the notes for this episode, just go to yourcyberpath.com/109 and hit enter. It’ll pop right up. You can listen to the episode, you can watch the video, you can see the transcript, you can see the notes. All that kind of good stuff is right there for you. And as Kip said, the mentor notes is on the homepage at yourcyberpath.com. Go ahead and sign up. And as he said, really easy to sign up, really easy to unsubscribe if you don’t like it, but I think you’ll find a lot of great value there. We’re not going to spam your inbox. We’ll send you an email about once a week, once every two weeks with some great information that is not always covered here on the podcast. And it’s just additional great tips and tricks and things like that that come directly from Kip. So definitely check that out. And until next time, this has been Your Cyber Path.
Kip Boyle:
See you everybody.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.