A presentation on how project managers should consider cybersecurity in their project delivery activities. Delivered at the PMI-SOC Cybersecurity workshop on September 26th, 2015, in Toronto.

Published in: Technology
1. Cybersecurity & Project Management
   Fernando Montenegro, CISSP
   @fsmontenegro

2. Why Are We Here?
   • Security is the new black
   • Security is an issue of technical debt
   • Challenges
     – How to Deliver "Secure"
     – How to Deliver "Securely"
     – How to Deliver "Security"
   Cybersecurity & Project Management - PMI-SOC, Sep 26th, 2015

3. About me
   @fsmontenegro
   • Sales Engineer at Vendor
   • PS Delivery (SME Network Security)
     – 12+ yrs
   • CompSci ’94
   • Greying hair
   • Curious
     – Finance (DIY)
     – Economics (EMH, Behaviour)
     – Data Science (Coursera)

4. About this talk
   • Take a look at where things can go wrong
     – Put things into context…
   • Please “do” security early!
     – Cheaper (maybe)
     – More predictable
     – But beware externalities…
   • SDLC Security != Project Security
   • Slides will be up at http://www.slideshare.net/fsmontenegro

5. Project Management Phases

6. Project Manager objectives
   Achieve Objectives
   Respect Constraints
   • Scope
   • Time
   • Quality
   • Cost
   Optimize Allocations

7. Human Triggers/Motivation
   • “Just get it done…”
     – Project Management -> … as planned
     – Business -> … to get functionality. [What details?]
     – Technical -> … and move to next task. [What impact?]
     – Security -> … so it doesn’t expose us. [What impact?]
     – Vendors -> … to keep business going.
   • Beware Underlying Economics
   • Externalities:
     – security imposing controls
     – business underscoping actual risks
   • Moral hazard:
     – Undue assumptions about risk model

8. Security Concepts
   • Confidentiality, Integrity, Availability, …
   • Terminology
     – Vulnerabilities
     – Threats
     – Risk
   • Compliance != Security
   Nov 2015!

9. Project Phase: Initiation
   • Identify security needs early!
     – Deliverable needs
     – Own project needs
   • Early involvement from Security
   • Key areas:
     – Internal/External
     – Regulatory Needs?
     – Participants

10. Project Phase: Planning
   • Detailed security requirements
     – Specific regulatory needs, C-I-A, platforms, …
   • Security resources assigned
     – SMEs
     – Advocates
   • Assess risk, choose controls

11. Project Phase: Execution (1) – Building
   • Dealing with Externals
     – Sharing Information
     – User and Access Management
   • Security configurations
     – Hardening
     – Defaults!
   • Security [unit] tests
     – Other security testing?
   • Temporary files

12. Project Phase: Execution (2) – Delivering
   • Ongoing team access
   • Change Window red flags!
   • Preparation for Ops
     – Training
     – Incident Plans
   Red flags by area:
   Network – firewalls, VPNs: “allow ip any any”, allow “all” network ports, weak preshared keys
   Windows or UNIX systems: “Everyone R/W”, “chmod 777”, admin/root processes, …
   Identity & Access Management: copy user profiles, use local passwords

13. Project Phase: Monitoring
   • Sharing Info with Externals
     – Email threads
     – “Fog of War”
   • Secure Communications
   • Storage Considerations

14. Project Phase: Closing
   • Decommission
     – Lost Data
     – Information Wipe
   • Cancel Accounts, change PWs
   • Transition to Operations
     – Security Operations

15. Security Impact on Constraints - Scope
   • Need to understand security across deliverable
   • Fixing vulnerabilities adds to scope
   • Compliance mandates affect scope
     – PCI DSS

16. Security Impact on Constraints - Time
   • Extra time to review/fix security findings
   • Extra time to find out how things work
   • Time pressure to share info
     – Externals

17. Security Impact on Constraints - Quality
   • Security is a “latent construct”
     – Can’t be observed directly, only inferred
   • QA != Security
     – But can really help…
   • Measuring Security is Expensive/Uncertain
     – Vulnerability Assessment
     – Penetration Test

18. Security Impact on Constraints - Cost
   • Specialized resources cost $$$
   • Opportunity costs of fixing, troubleshooting
   • Flipside
     – Security Cost
     – “Oversecure”

19. Biggest Issues for PM
   • Information Leakage during Project
   • Insufficiently Secure Design
   • Improperly Configured Systems

20. WRAP UP

21. Things to keep in mind…
   • local user databases
   • git/cvs folders, temporary files
   • something wide open “for testing only”
   • Defaults!

22. Things to keep in mind…
   • Leaked (and shared) credentials
     – AWS keys
   • Get Security Testing done right
     – Unit Tests, Vuln. Assessment, Pen Tests, Audits
   • Remediation impact on schedule!
   • Must understand end-to-end
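The red flags on slide 12 (change-window) and slides 21-22 (wrap-up) are concrete enough to check for before a change window opens. The following is an added example, not part of the deck: a small Python pre-delivery linter that scans constructed change-window artefacts for those patterns; the rule names, regexes and the pre-shared-key length threshold are this example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str

# Red flags from the deck's change-window and wrap-up slides; rule names and regexes are this example's own.
RED_FLAGS = [
    ("firewall-any-any", re.compile(r"\b(?:allow|permit)\s+ip\s+any\s+any\b", re.I)),
    ("world-writable-chmod", re.compile(r"\bchmod\s+(?:-R\s+)?0?777\b")),
    ("everyone-rw-share", re.compile(r"\bEveryone\b.*\b(?:R/W|FullControl|Modify)\b", re.I)),
    ("testing-only-exception", re.compile(r"for\s+testing\s+only", re.I)),
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),  # access key ID shape
    ("vcs-metadata-in-deliverable", re.compile(r"(?:^|/)(?:\.git|\.svn|CVS)(?:/|$)")),
]
# Pre-shared keys shorter than this are flagged (threshold is an assumption).
PSK_RE = re.compile(r"\b(?:psk|pre-?shared-?key)\s*[=:]?\s*(\S+)", re.I)
MIN_PSK_LEN = 16


def scan_lines(lines):
    """One Finding per (line, rule) hit; a single line can trip several rules."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for rule, rx in RED_FLAGS:
            if rx.search(line):
                findings.append(Finding(n, rule, line.strip()))
        m = PSK_RE.search(line)
        if m and len(m.group(1).strip("\"'")) < MIN_PSK_LEN:
            findings.append(Finding(n, "weak-psk", line.strip()))
    return findings


def rules_hit(lines):
    """Sorted rule names tripped; an empty list means the artefacts pass the gate."""
    return sorted({f.rule for f in scan_lines(lines)})

# Constructed change-window artefacts: firewall rule, shell command, Windows ACL command, VPN line, env file, manifest.
SAMPLE = [
    "permit ip any any  ! for testing only",
    "chmod -R 777 /var/www/app",
    "icacls D:\\share /grant Everyone:(OI)(CI)F   rem Everyone R/W",
    "crypto ipsec psk=summer2015",
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY1234AB",
    "deploy/webroot/.git/config",
    "permit tcp 10.0.0.0 0.255.255.255 host 10.1.2.3 eq 443",  # clean line
]
```

Calling `rules_hit(SAMPLE)` returns every rule except none of the clean last line, so a non-empty result is the signal to hold the change window until the item is fixed or explicitly accepted.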
23. PM Cybersecurity Success
   • Build Security Practices in PM Methodology
   • Understand your security needs ASAP
     – Security starts at Project Initiation
     – Security Architect & Privacy Officer
   • Build security on your team
     – Security SME & Security Advocates
   • Build Time (& $) for remediation
   • Beware "change window" blues
   • Don’t ignore economics.
   • Change defaults!

24. Resources
   • SANS Security Best Practices for IT Project Managers
     – https://www.sans.org/reading-room/whitepapers/bestprac/security-practices-project-managers-34257
   • Information Security & Privacy as part of Project Management
     – http://www.axenic.co.nz/2015/03/information-security-privacy-as-part-of-project-management/
   • Software Security for PMs
     – http://www.slideshare.net/denimgroup/software-security-for-project-managers-what-do-you-need-to-know
   • Security Efforts into Agile SDLC
     – http://dadario.com.br/slides/SecureBrasil2014_Anderson_Dadario__EN.pdf
   • OWASP - http://www.owasp.org
   • Brian Krebs - https://krebsonsecurity.com/