Home

Search
Close this search box.
EPISODE 87
The CIA Triad – The Basis of Cybersecurity (Nonrepudiation)

THE CIA TRIAD – THE BASIS OF CYBERSECURITY (NONREPUDIATION)

About this episode

In the fourth video of this five-part series discussing the CIA-NA pentagram, Kips and Jason talk about nonrepudiation.

In simple terms, nonrepudiation means you can’t say you didn’t do the thing that you did.

Jason and Kip go over some examples of nonrepudiation in both the physical realm and the digital world highlighting that you should always use some type of example when you’re asked about a specific term like nonrepudiation.

They also dive deep into digital signatures, public keys, and how these are utilized in software companies and the reasons they are used.

In the end, they discuss some hashing algorithms, how they work, and what are the best practices when using them – emphasizing that you can’t have all the security and usability at the same time and you’re always going to have to balance these two with each other and find something which works best for you.

What you’ll learn

  • What is nonrepudiation?
  • What kinds of interview questions could you get related to repudiation?
  • How can a software company provide repudiation for their code?
  • How do you calculate a hash value?

Relevant websites for this episode

Episode Transcript

 

Kip Boyle:          
Hi, everyone. Welcome back to Your Cyber Path. My name is Kip Boyle. Great to be here with you today. And Jason Dion is here also. Hi, Jason.

Jason Dion:       
Hey, Kip. Great to be back.

Kip Boyle:          
Yeah, thanks a lot. We are in the middle of a five episode series. We’re covering the CIANA sequence, which used to be called the CIA triad all by itself, but now we’ve added a couple of items to the end of that triad. We’re going to talk about the first one in our episode today.

Before we do that, I think people would love to know that we are about to launch a brand-new experience. We’ve had a course that we’ve been delivering to people now for quite some time. Well, we retooled it and we’re ready to relaunch it. And it’s called Your Cyber Path Pro or we like to call it YCP Pro. Anyway, I’m really excited because it’s imminent. You’re listening to this episode around the end of December, any day now we’re going to launch this thing, and we are going to be looking for new folks to bring into the program. Jason and I were just talking about the high points of the program, because we’re putting the finishing touches on it. There’s really four really key things that we think that you should know about this program. The first is that it’s a mentorship program. And Jason, what should people think about when they hear mentorship program? What makes this different from a YouTube video that they could watch?

Jason Dion:        
Yeah. So when you think about a mentorship program, a lot of times I like to think about these as a mastermind or a group coaching or something like that. You’re going to have a much more high touch one-on-one type of experience and a one to many type of experience. So in this program, the way it starts out with YCP Pro is the first thing you’re going to do when you sign up for this program is you’re going to go through about three videos to get a good overview of the different jobs in the cybersecurity workforce.

Then you’re going to jump on a call with either Kip or myself, depending on who you sign up for based on your results [inaudible] path. And we’re going to go through that with you and figure out where you are and where you want to be and then what are the steps to get there. We call this Your Cyber Path because it is an individualized Your Cyber Path. That’s what we’re going to do at the beginning of this program is really hone in onto what does that look like for Mike or Jim or Mary or Susan or whoever.

Whoever you are listening right now, you sign up, you’re going to get a one-on-one personalized plan that says, here’s what you should be doing. And that may include things like, “Hey, you’ve got your Security+, but you need your CySA+”, or “You don’t have any certifications, these are the two I think you’ll need based on the role you want.” Or that “You want to be a pen tester, but you also told me you’re very checklist oriented and you hate thinking through a puzzle, so why you going to be a pen tester?” So we’re going to be talking through those things to help find the right job for you and build out your plan. That plan will take you through the next three months, and through that time we’re going to help you with resumes, interviews, negotiations.

If you need certifications, we’re going to help you with that part, because again, I teach certifications for a living. So if the answer is you need Security+, we’re going to make sure you get Security+. That’s an easy day for us. And lots of those type of things. Then in addition to that, every month we do at least two coaching calls with our group. One of those is going to be a very technical coaching call. The other one is going to be a very non-technical coaching call and much more career focused. So the first one may something like, “Hey everybody who wants to be a cybersecurity analyst, we’re going to teach you how to use Nmap.” We’re going to spend an hour together loading up Nmap, running through commands, teaching how to use Nmap or Metasploit or Wireshark or whatever it is with different challenges, different things like that, that are personalized to you and the group so you guys can build up your technical skills.

In addition to that, we’re also going to be doing the non-technical stuff, which Kip [inaudible] a lot more than non-technical stuff for us because he’s our resident hiring manager. And between the two of us, we’re going to be giving you a lot of advice, [inaudible] you all the technical skills all the non-technical skills, how to do interviews better, negotiations better, and we’re going to be feeding in the information that you and the other people in the cohort are experiencing and feeding that back into this so that it’s continued learning from both me and Kip as well as from your fellow cohort members of YCP Pro. There’s this private community in there where you can interact and talk with everybody else. You’ve got access to all of our podcasts, all of our videos, lots and lots of great stuff to really make sure that you are ready to jump into the cybersecurity field so that you will get through the hiring process faster, easier, and more efficiently.

Then once you are through that hiring process that you can actually take off in your first three months and show your new employer that they made a good decision in hiring you because you know what you’re doing, you know the right things to say, the right things to do, and the right way to add value to your company.

Kip Boyle:          
And you have a place to come back to if you have any questions as you kick the ball on your first 90 days. And even beyond that, Jason and I will be here and will be available to help you. That’s really what I think is… When I think of mentorship, that’s the part that really jumps out to me is Kip and Jason are available to help you with your unique question, your unique situation. You don’t just have to write, or sorry, watch some made for everybody YouTube video. You’re going to get what you need right from us.

We are ideal for mid-career crossover people. So if you already have a position in a different industry and you want to get into cybersecurity that’s exactly who we’ve designed this for. Doesn’t mean it won’t work for other people, but that’s who we really thought about. And this is a very high touch experience, so it’s not right for everybody, but if it sounds like it’s right for you, we’re going to share some information with you about how you can evaluate whether this is a good fit for you or not. But anyway, we’re super excited and we just wanted to let you know that.

So, today what we’re going to talk about is we’re going to talk about the N in the CIANA and that’s non-repudiation, which I don’t know if the folks listening to this episode have ever heard that term, non-repudiation, it’s really a techno-weenie sort of a term. It’s a very nerdy term, but let’s talk about, well, if it’s such a weird term, why are we talking about it? What is this Jason?

Jason Dion:       
Yeah, so when I hear the word non-repudiation, it just reminds me of one of those five dollar words that means something really simple, but people think of just using a complicated word, like quintessential, right? I hear that word and I’m like “What does that mean?” Then you go, “Oh, it just means that’s the perfect example of something”.

Kip Boyle:          
Yeah, yeah. It’s absolutely used [inaudible].

Jason Dion:       
So when you think about word like that, sometimes it’s just a really complicated word for something simple, and when I think of non-repudiation, it basically means can’t say, didn’t do the thing that you did. So let’s say I went over to Kip’s house tonight and I was really mad at him, so I decided to put a flaming bag of dog poo on his door and ring the doorbell and run away. He would never know it was me, right? But if I signed my name to that bag before I lit it on fire that he would know Jason did it.

Kip Boyle:          
Or if my ring doorbell caught you.

Jason Dion:      
Yes. Right. That’s the detective control though in that case.

Kip Boyle:          
That’s right. That’s right.

Jason Dion:       
But that’s what we’re talking about. When we’re talking about non reputation, it’s when you take an action on a computer system, you can’t say you didn’t do it. And so this all goes into your auditing process and capturing who does what when, in the system, journaling those things so we can go back and investigate them later if there’s an issue.

The way that we do non-repudiation is really with digital signatures in most computer networks. Since we’re going to dive into digital signatures and non-repudiation as we talk about this. What do you think about when you think about non-repudiation?

Kip Boyle:          
Well some common everyday examples I think would be very, very helpful, other than the flaming bag of poo.

Jason Dion:        
I’m sorry.

Kip Boyle:          
I can tell. So let’s see if we can reign it in here a little bit. So when you get a delivery and it’s a high value item, let’s say your next iPhone or got yourself a nice laptop or something like that, well when FedEx or UPS brings it to your door, they’re not going to just leave it at the stoop and walk away. They want a signature. And the reason they want that signature is because they want proof of delivery.

They don’t want anybody coming back to them and saying, “You didn’t deliver my thing. Pay me for my lost electronic item.” So that’s actually a form of non-repudiation. It’s an analog form, but we’ve been doing that for years and years and years, is the delivery company just wants to be able to say, “You can’t deny that we gave you this package over your door threshold.” So that’s a real life example where somebody else wants you to sign something because they don’t want you to get out of it. But Jason, can you think of a time when I would want non-repudiation for my benefit?

Jason Dion:        
Yeah. So one of the reasons I like to use non-repudiation is whenever I’m downloading new application. So if I’m downloading a new app in the iPhone store or in the app store or Google Play Store, or even from Microsoft store for Windows computers, when you download that code, the first thing your system does is checks that application package and verifies that it was digitally signed.

And the reason they do that is because if anybody added more ones and zeros, like some malware into that code, it’s going to drastically change the hash value, which is made up by that digital signature. And so it’d be very quick and easy to say, “Hey, somebody best with this, and this isn’t the Angry Birds app you thought it was. This is actually Angry Birds that’s going to hack your iPhone,” and so you don’t want to install that version, right?

Kip Boyle:          
Right. Angry Birds with bonus Trojan.

Jason Dion:        
Yeah, with bonus Trojan. Exactly. And so that’s use code signing for, and code signing is literally just a hash of the software code itself when it’s been compiled, and then they take that hash and they crypt that hash with a private key, which then becomes this digital signature that gets appended to that package. It doesn’t give us any confidentiality, but it does give us that integrity, and then we get this non-repudiation because the developer can’t say, “I didn’t do that code, I didn’t put that Trojan under there.”

Well, it was signed with your key, buddy, so I guess you did.

Kip Boyle:          
Yeah.

Jason Dion:       
Figure that out.

Kip Boyle:          
So as the person who downloads the app, I want the protection of knowing that what I downloaded is exactly what I was trying to download, and I didn’t get anything more than what I expected. That’s a great example and I think that you’ve done a wonderful job of moving us into the digital realm from the physical analog realm. So let’s keep going with…

Jason Dion:       
Before that, I do want to mention one thing on code signing. Common thing I see a lot of my Security+ and CySA+ students that they get confused. Just because it’s digitally signed does not mean it is a good program or that it is not malicious, it just means it was digitally signed. And when it’s digitally signed, it means the person who made it, signed it and said, “This is complete, this is how it is.”

But if I make an Angry Birds with a Trojan and I sign it with a digital signature, it can still be code signed, but it would be my signature, not Angry Birds signature. So you should that and see that, but just keep that in mind a little. Just because it’s signed by the developer doesn’t mean it’s good, it just means it was delivered the way the developer intended. If that was a good thing, great. If it wasn’t, [inaudible].

Kip Boyle:          
Right. Well, because we’ve had some supply chain attacks recently, some very high profile ones where code was snuck in prior to it being digitally signed. And so the publisher accidentally signed something that had malicious intent in it. And so that’s something that can happen, and we’re trying to figure out how to deal with that now as an industry. And that’s just why we have full employment for the rest of our lives because the bad people out there are constantly finding ways to circumvent the things we’ve put in place.

We thought digital signatures was going to take air out of this, and they innovated and they went to another place we didn’t expect and they found a way to work around it. Sometimes they just steal the signing keys outright, so that’s another exploit that can sometimes happen.

Jason Dion:        
Cybersecurity at Whackamole, right? As soon as we-

Kip Boyle:          
Yeah, exactly.

Jason Dion:       
… work around against it, we come up with something new.

Kip Boyle:          
That’s right. That’s right. Let’s talk about some keywords. So when I think of non-repudiation, some of the… You’ve already said some things I thought were closely related, like a digital signature, code signing, hash value. What are some of the keywords, Jason?

Jason Dion:       
Yeah, I like to think about things like proofing or identity, because you’re proving your identity and saying, “I did this thing and proof is there that I did it.” I think about PKI because again, we’re using public and private keys to do this code signing and to use non-reputation as the most common digital form of valid reputation is digital signatures.

And then again, like we said, digital signatures using that private key is really the bread and butter when it comes to these, but it can be done in the analog world, like you said, where I went to the Rocky Horror Picture Show on Saturday night with my family and I brought-

Kip Boyle:          
Back to the time warp again.

Jason Dion:       
We went through the time warp again. And my wife Tamara and my kid Alex, they were both Rocky Horror virgins, and so when you came in they said, “Oh hey, are you [inaudible] before? You are? Okay.” They put a V on your forehead, so they know to mess with that person. [inaudible] being shown at this bar club place. They checked everybody’s ID and said, “Are you old enough to come in? Are you the person who bought that ticket?” And so I just say, “I’m Jason, I bought the ticket, I’m over 18.”

“Okay, you can come in.”

And so that’s another way to do identity proofing in an analog sense, by showing your driver’s license saying, “I am Jason and I bought the ticket and they match so you can let me in.”

Kip Boyle:          
Right. Because the assumption is, just like with the digital signing of the software code that a driver’s license or a state ID is reliable, that it’s not going to be something that somebody makes in their basement. And so that’s why everybody trusts it. And so that’s a good analog for what we would maybe talk about as an X.509 certificate, is that here’s this document, this digital document that has an identity in it that somebody verified it, it’s now signed. And so you can think of that as a digital driver’s license for a server or a person or a machine or a device. Anyway, now I’m really starting to unpack this topic. I’m going to pull myself back for a second, but before we go on, I want to make sure people know you said PKI and that stands for Public Key Infrastructure.

And so I just wanted to make sure that we did an acronym blow up there. So we’ve talked about what non-repudiation actually is. Now since we’re talking about getting a job and going through an interviewing process, what kind of questions do you think a candidate might expect to hear with respect to non-repudiation, Jason? Give us an idea.

Jason Dion:       
Yeah, I mean the first one is going to be just really easy softball. “Hey Kip, what does non-repudiation mean to you?” Something like that.

Kip Boyle:          
It means that I get my iPhone from my UPS guy. Yeah.

Jason Dion:       
A little bit more.

Kip Boyle:          
What?

Jason Dion:        
[inaudible] What would your answer be if I asked you what [inaudible] non-repudiation?

Kip Boyle:          
Yeah, I wouldn’t just drop the UPS bomb and smile at the guy. That’s not the way to do it. But what I would say is it’s a way of proving that something is what it is and nothing more and nothing less. And it could be based on a digital signature, so that I know something has been changed from the time it was signed to the time that I receive it.

Jason Dion:      
Yeah, I think that’s a great answer. Short, sweet to the point. The only thing I might add, I tend to like to give analogies when I give answers like that. So I would probably use the UPS guy as my analogy. Like, “In the real world if I mail a letter using certified mail to ensure that the person received it, they have to sign, and I get a receipt that, yes, they received that, therefore they can’t say they never received the package.”

Kip Boyle:          
Boy, I really want to affirm that. I think as a hiring manager, it’s very valuable when somebody can give me an analogy, particularly when it’s in a different context that really makes the case that you understand what the heck you’re talking about.

So if you can do that, don’t use the word to define itself, give us an example. I think that’s fantastic. Another question you might expect to get, which is going to be a little bit more advanced, and may or may not show up depending on the job that you’re applying for, but it could be something like, “How can a software company provide non-repudiation for their code when they’re distributing it?” Now we’ve already talked about this, that they’re using digital encryption in order to sign the code, but Jason, you’re all over this. So tell us again how you would answer this question.

Jason Dion:       
Okay, so if I’m putting on my Jason the interviewee hat, I would say, “Well, a lot of software companies use code signing as a way to provide non-repudiation for their code. When they’re done creating their code, and it’s gone through the software validation process and software testing process in the software development life cycle, we get to the point we’re ready to distribute it. As we’re get to distribute it, we’re going to create a hash value of that code as it currently exists. We’ll compile the software, create the hash value of that, and then we will digitally pick that hash value and encrypt it using the company’s private key that is the known good private key for this corporation. And because only our corporation has that private key only we can sign that code. And that means the code is the same way it was when we distributed it, as the time is received by the end user. And that’s how we end up using code signing as a method of doing digital signatures with non-repudiation to achieve that goal.”

Kip Boyle:          
That’s great, Jason. Thank you. Now I have a follow up question. So if I receive this signed code, well I don’t have the private key of the organization that distributed it, so how do I know that it’s… What do I do, what do I need in order to be able to test this code to find out if the signature is valid?

Jason Dion:       
So to be able to test the code and verify that it’s valid, you’re going to use the public key for that organization. And because it’s public, it exists out on the internet. So whichever organization created that public private key pair, for example, Verisign is one of the most common ones. I would go into Verisign’s server and say, “Hey, I need the public key for Kip’s Software Company.com, and they’ll give that to me. Once I have that, I can then do a hash value of the binary, that I downloaded, and I will then unencrypt the digital signature, which I have from the code signing, and I’ll compare those two. If the two [inaudible] match, that means nothing’s changed in the code, and that this code has good integrity and that it came from Kip’s Software Company.com and therefore it’s valid.

Kip Boyle:          
Perfect. And seeing what I was trying to do there is get to the idea that in order for this to work, you have a private key that nobody except the author of the software has access to, but then you have a public key that everybody in the world needs to have access to in order for them to actually check that the digital signature is valid. So that’s a little practical application of public private key encryption. So this stuff really does happen in the real world and oftentimes these code signing public keys are actually going to be pre distributed to you in the operating system that you install. So Windows, for example, already has the public keys for Microsoft software embedded inside of it so that you don’t actually have to physically go out and retrieve it. But if you did buy Kip’s Software, I probably don’t have the clout to get Microsoft to put my public key in as a pre-installed certificate. So in that case you might have to go and fetch my public key.

Jason Dion:       
But the nice thing is most of the operating systems in the app stores already have that happening in the background. So you wouldn’t necessarily have to go to Kip’s website to download his public key because it’s already in, if I got your software through Google Play, [inaudible] store, the iTunes app store, or [inaudible] store, all of those already used digital signatures and we call those our developer keys. Once you create a developer account, you get a key and you can then use that to do all your digital signature. If you’re going to use something like Pretty Good Privacy or G2G instead, then you’re going to have to actually physically download my public key because there’s no centralized server that’s-

Kip Boyle:          
Right.

Jason Dion:        
[inaudible] method of public key-

Kip Boyle:          
Yeah. And you might run into that if you’re going to download a piece of code off of GitHub or something like that, where you’re going to download a pre-compiled binary, but you’re going to check it to make sure that nobody has actually spiked it with a Trojan or some other piece of malicious code. And that’s a very manually intensive process typically.

Okay, now, we talked about hashing as a function, but in order to either calculate a hash… Well, I guess if you’re going to verify a hash, you’re going to just generate a new hash and compare them, but how does that actually work, Jason? How do you actually do that? How do you actually calculate the hash value?

Jason Dion:       
Yeah, so a hash value is simply an encryption algorithm, but what makes it special is that it takes a variable length input and it creates a fixed length output. So even if I take a really long book like the dictionary or the Bible or the Encyclopedia Britannica and I put it through this hashing algorithm, I’m still going to get the exact same size value on the outside. So if I’m using something like MD5, I’m going to get 128-bit hash. If I’m using SHA-1, I’m going to get 160-bit hash. SHA-2, I’m going to get a 256-bit hash as my result.

And even if I have one character or a million characters, it’s going to create the same length on the outside. So I can say whatever thing I want and put it through this hash and always get a unique individual fingerprint that I can use to identify that file. And I know on a previous episode, going back a couple weeks, we talked about integrity. We delved really deep into integrity and hashing back then as well.

Kip Boyle:        
Yeah.

Jason Dion:      
[inaudible] If you ever list to that episode, I recommend going back and listening to it. But that’s the basics of how a hash works.

Kip Boyle:          
Why is there multiple hashing algorithms?

Jason Dion:        
Yeah, so-

Kip Boyle:          
You just named off three of them, why do we need three?

Jason Dion:       
Yeah, there’s more than three, but those are the three most common ones. And really what it comes down to is the longer your key the fixed length output, which is not the key, sorry, the fixed length output, the hash value, the hash digest, the longer that is, the stronger that algorithm is considered.

So if I have something MD5 and I have 128-bits as my output, there’s an infinite number of inputs because I can have every movie, every file, every letter, every one and zero in the world will create a unique half value. But there’s only two to the 128 individual values that we have. And because of that, we have what’s known as collisions, that’s when you take the same thing, take two different things and get the same result. So for instance, if I walked into a classroom, oh, I used to be a college professor, if I walked into a classroom with 30 people, the chances are if I asked if people had the same birth month, lots of people have the same birth month. If I asked, “Hey, who else was born on the same day as John or Mary?” Generally there’s going to be at least two people in the class that share a birthday if you have 22 or more people.

Not the same year but the same month and day. We call that the birthday paradox or the birthday collision. And this is how you can see how, because there are only 365 days possible for people to have birthdays, and if I put 22 people in one room, the chances are two of them are going to match up. There’s a greater than 50% chance that two of them will match up. And so that’s why we have this thing called a collision. What’s happening is because we can create these collisions and hash values by having two different inputs creating the same output, I might have a no good file that is digitally signed with an MD5 hash that says this is Kip’s good program file digitally signed. I say, Wonderful, let me go and create another file that will have the same exact hash digest, but it includes Kip’s code and some Trojans and some other white space until I can get it so I get the exact same hash done.

And if I can do that, I can then put my malicious code out there, and people will download it thinking it’s Kip’s good software, but it’s actually a hacked version that I create.

Kip Boyle:          
But even though it’ll generate the same hash?

Jason Dion:       
Exactly. And so this becomes what we know as a collision, and because we kept having these collisions with MD5, we moved to swing stronger, which was SHA-1. So go from 128-bits to 160-bits, which means we have a lot more unique bounds. But again, that wasn’t enough. So we went to 256 and then 384 and then 512. We keep adding more, and the longer the hash digest on the outside is the less likely it is to have collisions from what you generate. And so that’s why we have these weaker hashing algorithms like MD5, we don’t want to use it anymore because they are weak and they are vulnerable to this collision or… We call this the birthday attack.

Kip Boyle:          
Right, right.

Jason Dion:        
[inaudible].

Kip Boyle:        
I think you explained it very, very well. And if anybody gets this question on your interview, just listen to what Jason had said it again because he did a great job answering the question and then the follow up question that I gave him. Now I want to do a check on a couple of acronyms that we use. So MD5 stands for with Message Digest. Number five-

Jason Dion:       
The Digest version, version five.

Kip Boyle:          
Version five.

Jason Dion:       
Which is 128-bit hash algorithm.

Kip Boyle:          
Yes. So we used to have like MD1, MD2, MD3, and all that stuff is rubbish. Don’t ever use any MDX. Don’t do it, because it’s just as you’ve learned, it’s game-able. You don’t want to do that. Now this SHA-1 that Jason said, that’s S-H-A, so that’s an acronym and it means Secure Hash Algorithm version one.

So we’ve got SHA-a, SHA-2, and presumably SHA-3. There’s going to be a whole series of them. And as computing power gets better and greater, we’re probably going to have to just continue to produce new versions of the secure hash algorithm to be able to resist attacks in the future that are not feasible today. So that’s just another kind of characteristic of this work that we do is that things are always changing. Okay-

Jason Dion:        
And the one thing with SHA that I will mention is that SHA-1 was SHA version one and is 160-bit hash algorithm. SHA-2 is SHA version two, and it starts with a 256-bit algorithm or hash digest. But there are other versions of SHA-2 that have 384 or 512. And so there are some longer bit sizes, but-

Kip Boyle:          
Great.

Jason Dion:        
[inaudible]. It hasn’t necessarily mean that we’ve gone to SHA-3 or SHA-5 or SHA-10 yet. But we’re getting there as we keep moving down the road. And there’s some other ones out there like RIPEMD and some others that are out there. But the most common you’re going to come across these days definitely SHA-2 with the [inaudible] hash algorithm.

Kip Boyle:          
And one day you might be asked to recommend an algorithm like, “Hey, we’re building some new product, we need to generate digital signatures. Hey Kip, you’re this cybersecurity expert in the company, what algorithm should we be using?”

Don’t give a snap answer. Go and do the research first, because what you thought worked this morning when you got up might have been broken by lunchtime. So it’s just sometimes it can move that fast. So it’s just be careful and know that there’s all kinds of choices and you want to be careful which one you recommend because you want to recommend something that’s going to last a long time but not be too computationally intensive. There’s just all kinds of engineering issues there.

Jason Dion:        
Yeah, right, because if you want ultimate security, the system would be super expensive and super slow.

Kip Boyle:          
Yeah.

Jason Dion:       
But you want ultimate usability, your security really sucks. And so it is always this [inaudible]. We’re building a lot of software dlTrain right now, and we use a lot of different hashing algorithms [inaudible] four passwords and other data and encrypting things and decrypting things. And it is always a trade off, because you are computing at the highest level it would cost us a lot more in compute time, and you have to make risk decisions.

Kip Boyle:          
Yeah, so it’s fascinating once you start to apply these things, but the first thing you have to do is know what they are. So we’re glad you were here today to listen to us do our very best to explain to you what is non-repudiation, how does it work in the real world, analog and digital versions.

And I don’t think there’s anything more we have to add. I don’t know. What do you think, Jason?

Jason Dion:       
Yeah, I think we did a really good job of covering this whole idea of non-repudiation. And really the takeaways for the audience, if you’re new to cybersecurity, is just remember we talk about non-repudiation, there’s the no in there, and it means you can’t say, “No, I didn’t do it.” So non-reputation means you can’t say you didn’t do something because we have proof you did. That’s the whole concept of non-reputation. That could be done analog with a signature, digitally with code signing or digital signatures, things like that. And usually we’re going to use these with hashing. And as we said back to the integrity episode, hashing is one of these things that’s used in both places. And so because of that, you are going to see an overlap between the I and CIA and the N and CIANA for integrity and non-repudiation.

So that being said, I want to thank you all for joining us for yet another episode of Your Cyber Path. And I hope you come over to YourCyberPath.com to learn more about our new Your Cyber Path Pro mentorship program that we have. It is a 12 month program and you’ll get a ton of value in this to help you either advancing your current career or move into a new cybersecurity career. And Kip and I would love to work with you in a more high tech manner instead of a one to many, our voices over the podcast. We’d love to work with you individually, jump on some Zoom calls with you and figure out exactly where you are, where you want to be in your career, and the best way to do that is through YCP Pro.

Kip Boyle:          
Yeah.

Jason Dion:       
Yeah.

Kip Boyle:          
We want you to kill it. We want to see you out there succeeding. We want you to have amazing jobs doing phenomenal work, making a big difference, having all this purpose in your day job, in the things that you do. It could just make everything so much better for you. Anyway, I could go on and on and on, but I think that’s a wrap. Okay. See you all next time.

Jason Dion:       
See you next time. Bye.

Headshot of Kip BoyleYOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

Headshot of Jason DionYOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.

Wait,

before you go…

Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!