Stay Informed with the Gone Phishing Podcast | Phin

Is SSO Really Better? | Ep. 039

Written by phin | Mar 26, 2024 1:45:17 AM

Transcript: 

Connor Swalm:

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security. And welcome to Gone Phishing.

Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin. And today we are joined by Jason Slagle, the president of CNWR, and the giant jerk in the channel with the huge bucket of rocks. How are you doing, Jason?

Jason Slagle:

I'm good.

Connor Swalm:

I'm good. I did it. Why don't you explain that last one to the folks that are listening?

Jason Slagle:

Yeah. So I don't have a filter, and so I tend to say out loud the things everyone's thinking but is afraid to say, because I just don't care. Right. I try to stay on the non-unnecessary-aggressiveness part of radical candor. But if you don't tell people, there shouldn't be these giant "oh, everyone thinks that's crappy and no one's willing to say it." I'm just going to say it: this is not okay. Sometimes it works out, sometimes it doesn't.

Connor Swalm:

Jason says, "You may live in a glass house, but that does not mean I do." And then he immediately starts chucking rocks.

Jason Slagle:

You may live in a glass house, but I have a bulldozer.

Connor Swalm:

That's fun. Just don't start welding any steel panels to the side of it and I won't get one. So how are you doing? You're doing great? I'm good. Busy.

Jason Slagle:

As life goes, available work will grow to fill available time. So, chugging along.

Connor Swalm:

Chugging along. For those of you who don't know you and who don't know CNWR, do you want to explain a little bit about your background and why you're qualified to even spew words here today?

Jason Slagle:

Oh, I don't know. If you can tell me why I'm qualified to spew words, I would love it. I'm an MSP. We're an MSP, now 25 employees with the merger with Lawrence Tech. So we're out of the Toledo, Ohio area. Mid-sized MSP, support a good number of clients. I have a large, deep and varied background. I've basically held almost every job in IT at some point or another, other than a Windows system admin. Somehow it's the one job that I've never officially done. I mean, I've done a lot of work there, but I've been a Linux guy, a SAN guy, a network guy, an HP-UX guy. I've held almost every job that can possibly exist out there. And so over the years I've gained a lot of knowledge, and especially in security, always. I used to run the DALnet IRC servers' exploits team. So I had a lot of time dealing with the very early days of script kiddies and all the naughtiness that they do. So yeah, I just kind of became an outspoken guy. And so apparently when you're an outspoken guy, people want you to speak. And that's, I think, how I'm here.

Connor Swalm:

For those of you listening who don't know Jason, he has the reputation of saying the quiet parts out loud and being very honest about his usually very correct opinions on how people should be treated and how companies should act and conduct themselves. So he's known as, like, I don't want to say the pallbearer, because that means we're in a casket, but you're definitely the pole bearer. Like, you're the guy with a giant flag running into battle: we need yelling at these people over here. So let's start.

Jason Slagle:

Yeah, I believe, generally, if you do good things and you do the right things long enough, then good things will happen, and that's a good thing to have.

Connor Swalm:

Yeah, no, I completely agree with that too. That was one of the early things we definitely agreed on. And the amount of sweat that I had when you said you were pen testing.

Jason Slagle:

Oh yeah, in the middle of the first MSP.

Connor Swalm:

Geek call. That's always fun. I love that. I'm not infallible either. I called it out when we did "How I Would Hack You" at Secure. It's like, I still have some of my infrastructure on my primary domain. You can go poke it. I am not infallible.

All of us are fallible people. So today we're going to talk about a subject near and dear to your heart, sounds like. Yeah, single sign-on, SSO for short. For folks who don't know that acronym or don't know exactly what it is: what is SSO?

Jason Slagle:

So SSO is basically a concept where you have one source of identity. In the MSP world, it's 95% of the time Office 365. And instead of having separate logins everywhere, you just defer everything to that one source of identity. Again, usually Office 365. And it's all the hot right now. Everyone's trying to SS... I mean, it's been all the hot my entire career. But everyone's trying to move everything to SSO and push SSO. And I think our particular topic of conversation here is: is that always better? Is that why we're here?

Connor Swalm:

Oh yeah. Is SSO really better? Yes.

Jason Slagle:

What do you want to know?

Connor Swalm:

Is SSO really better? Also, for those of you who don't know, go to sso.tax and please don't end up on that wall of shame.

Jason Slagle:

Yeah. So generally I am favorable on SSO, but it really depends on the implementation. Everyone thinks, "oh man, SSO is great, and now I don't have to remember all these passwords," and that's very true. But now you've unintentionally created this situation where this one thing has the keys to all of your kingdom, right?

So everyone lost their mind when LastPass had that thing going on, and now everyone could log into your LastPass, potentially. I've never actually seen a case where somebody's actually been compromised via that, but I'm sure they exist. So everyone's losing their mind over that. But no one loses their mind over the fact that they basically outsource their authentication on 80% to 90% of the things they do to Office 365. It's essentially the equivalent of LastPass. It's the equivalent of storing all your usernames and passwords in one single place. It comes with the added un-benefit that your recovery email and password reset almost always go to the same account, right? So the recovery email for a lot of the services I use, if you lose access to your SSO, comes to my CNWR account, which is a 365 account, right?

So now if they manage to get my SSO, they can also log into my email and get any other information they need out of that with regards to these accounts. I don't necessarily know that this is a terrible thing, because people are bad at remembering passwords, and I believe that's the case. But I think people need to really sit back and consider the implications of what that means. Right?

So with my LastPass, I'm not worried that the keys to whatever LastPass got out, whatever it is, because my master password in LastPass, I think, is like 47 characters long. It's a full sentence with punctuation and capitalization. The heat death of the universe would happen nine times before you brute-force that, unless you came across it somewhere else, right? And it's unlikely that you're going to, either. You require either Duo or my YubiKey to log into it, even if you did that, right? So for my password manager, I've taken a ton of steps to ensure that you can't get into that, because it is the keys to the kingdoms that I control.

What I find on the SSO side is a lot of MSPs, companies, people turning to SSO for everything, but then their 365 account is not that secure. Like, maybe it has MFA, but it's probably security defaults MFA. So it's not really MFA. It's like Microsoft gets to decide when they think they need to prompt you for MFA; it's not MFA. Refresh tokens are 90 days, right? So these people can literally... if they ever capture... if you go to a computer at a hotel and log into your email and forget to log out and clear the cookies, I can take the cookie from that hotel home with me and use it to get into your 365 account for 89 days. And most people don't consider those risks when they look at things like SSO.

So as you move to doing that, you really need to consider the risk profile and what it looks like from a risk standpoint, and put the policies in place to ensure that maybe we don't need refresh tokens to log in every 90 days. We have ours set down to, depending on the service, either seven days or a day. I have services that, via conditional access, I have to log into every day in their SSO to 365. It's just that the data in them, like my documentation system, the data in that, is so important and so critical and so protected that I will not allow that token to log you in for more than a day. So every single morning I have to come in, I have to log into that documentation system after logging into my email. Is it a pain in the butt? I hate it. It's so obnoxious and so annoying. Will I do it every day of the week if it stops the threat actor, if they happen to pop one of my users' email credentials? 100% of the time.

Connor Swalm:

Yeah, we just had Jimmy Hatzel on the podcast talking about privileged access management and the importance of not only having privilege escalate when you need it, but also having it time out and having it on certain pieces of information, because you don't have to treat every threat... you don't have to treat every vulnerability the same, because the vulnerabilities are different and they lead to different results.

Jason Slagle:

Yeah, I think that on the MSP side, like, 80% of breaches, last time I saw, were still credential reuse. And to me, that is totally on the human side of it. But, yeah, you're right. The human failing can be protected by other controls. We do that.

Connor Swalm:

So what's an alternative somebody could choose to SSO?

Jason Slagle:

So regardless of all the mud I just threw at SSO, generally, use a password manager. I mean, that's probably the biggest alternative. Use a password manager with a strong password. Use two-factor on that password manager and just store the passwords in there. What SSO does gain you is a single point of management. And there's a lot to be said for that. So generally, I am actually not opposed to SSO. I just think that it's not a silver bullet that can solve all problems.

Connor Swalm:

Statement: Josh always tells me there's no silver bullet. All bullets are made with lead. I know that's not true anymore.

Jason Slagle:

I make my bullets out of ice. So when I shoot people, they can't tell who did it.

Connor Swalm:

So MythBusters actually busted that myth. I know because I grew up watching that one too. And now you're here busting myths about SSO. Look, it's come full circle. Is there any last-minute advice for anyone that's listening who wants to learn a little bit more about security or wants to know more about this?

Jason Slagle:

Go research conditional access policies. Because again, 80% to 90% of you are going to be using Office 365. Do Google, like, "what are conditional access policies?" or "properly configuring conditional access policies," and go on a Google wiki-walk of the 30 pages that you'll end up reading, and you'll learn a lot, and that will make you more secure.

Connor Swalm:

Sweet. Go look up conditional access policy. Educate yourself. What I heard in there: RTFM. RTFM, read the manual.

Jason Slagle:

Oh, that's a great idea. Okay, cool. This is fun. Thank you.

Connor Swalm:

Sweet. Thanks for joining us, Jason, and everyone, you will see us next time. Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, and how to launch them in ways that actually engage employees to change their habits, then check us out: Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot I-O, or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.