Cybersecurity &
Project Management
Fernando Montenegro, CISSP
@fsmontenegro
Why Are We Here?
• Security is the new black
• Security is an issue of technical debt
• Challenges
– How to Deliver "Secure"
– How to Deliver "Securely"
– How to Deliver "Security"
Cybersecurity & Project Management - PMI-SOC
Sep 26th, 2015
About me
@fsmontenegro
• Sales Engineer at Vendor
• PS Delivery (SME Network Security)
– 12+ yrs
• CompSci ’94
• Greying hair
• Curious
– Finance (DIY)
– Economics (EMH, Behaviour)
– Data Science (Coursera)
About this talk
• Take a look at where things can go wrong
– Put things into context…
• Please “do” security early!
– Cheaper (maybe)
– More predictable
– But beware externalities…
• SDLC Security != Project Security
• Slides will be up at
http://www.slideshare.net/fsmontenegro
Project Management Phases
Project Manager objectives
Achieve Objectives
Respect Constraints
• Scope
• Time
• Quality
• Cost
Optimize Allocations
Human Triggers/Motivation
• “Just get it done…”
– Project Management -> …as planned
– Business -> … to get functionality. [What details?]
– Technical -> … and move to next task. [What impact?]
– Security -> … so it doesn’t expose us. [What impact?]
– Vendors -> … to keep business going.
• Beware Underlying Economics
• Externalities:
– security imposing controls
– business underscoping actual risks
• Moral hazard:
– Undue assumptions about risk model
Security Concepts
• Confidentiality, Integrity, Availability, …
• Terminology
– Vulnerabilities
– Threats
– Risk
• Compliance != Security
Nov 2015!
Project Phase: Initiation
• Identify security needs early!
– Deliverable needs
– Own project needs
• Early involvement from Security
• Key areas:
– Internal/External
– Regulatory Needs?
– Participants
Project Phase: Planning
• Detailed security requirements
– Specific regulatory needs, C-I-A, platforms, …
• Security resources assigned
– SMEs
– Advocates
• Assess risk, choose controls
Project Phase: Execution (1)
Building
• Dealing with Externals
– Sharing Information
– User and Access Management
• Security configurations
– Hardening
– Defaults!
• Security [unit] tests
– Other security testing?
• Temporary files
Project Phase: Execution (2)
Delivering
• Ongoing team access
• Change Window red flags!
• Preparation for Ops
– Training
– Incident Plans
Network – firewalls, VPNs
– “allow ip any any”
– allow “all” network ports
– weak preshared keys
Windows or UNIX systems
– “Everyone R/W”, “chmod 777”, admin/root processes, …
Identity & Access Management
– copy user profiles
– use local passwords
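The shortcuts listed on this slide are exactly the kind a reviewer can catch mechanically before a deliverable leaves the project team. The script below is an added example, not code from the talk: it runs simple checks over constructed sample inputs (the rule syntax, the account fields, the 20-character key threshold and the privileged-user list are all assumptions, not any product's format or any organisation's policy) and groups findings under the slide's three headings.

```python
"""Pre-handover configuration audit over constructed sample inputs (added example)."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # "network", "host" or "iam", mirroring the slide's three groups
    item: str       # the rule, peer, path, process or account that triggered it
    reason: str     # why a reviewer should look at it before sign-off


# --- Constructed sample inputs; the formats are hypothetical, not a real product's ---
SAMPLE_FW_RULES = [
    "allow tcp 10.0.1.0/24 10.0.2.15 443",   # one subnet, one host, one port: fine
    "allow ip any any",                      # the classic shortcut
    "allow tcp any 10.0.2.15 any",           # every port to one host
    "deny ip any any",                       # final deny: fine
]
SAMPLE_VPN_PSKS = {"site-a": "changeme", "site-b": "Xq7!pL9#vR2$wN4mT8zB"}
SAMPLE_FILE_MODES = {
    "/srv/app/config.yml": 0o777,   # "chmod 777" shortcut on a config file
    "/srv/app/uploads": 0o1777,     # sticky but still world-writable
    "/srv/app/bin/app": 0o755,
}
SAMPLE_PROCESSES = [("app-server", "root"), ("nginx-worker", "www-data"), ("db-backup", "admin")]
SAMPLE_ACCOUNTS = [
    {"user": "svc-deploy", "auth": "local", "source": "cloned from svc-admin"},
    {"user": "svc-web", "auth": "directory", "source": "provisioned"},
]

WEAK_PSK_MIN_LEN = 20                                                    # assumed policy
COMMON_PSKS = {"changeme", "password", "vpn", "secret", "12345678"}     # constructed list
PRIVILEGED_USERS = {"root", "admin", "administrator", "system"}


def audit_firewall(rules):
    """Flag 'allow' rules that are any-to-any or open every port (rule: action proto src dst [port])."""
    findings = []
    for rule in rules:
        parts = rule.split()
        if len(parts) < 4 or parts[0] != "allow":
            continue
        _, _proto, src, dst = parts[:4]
        port = parts[4] if len(parts) > 4 else "any"
        if src == "any" and dst == "any":
            findings.append(Finding("network", rule, "allows any source to any destination"))
        elif port == "any":
            findings.append(Finding("network", rule, "allows all ports; restrict to the service ports needed"))
    return findings


def audit_psks(psks):
    """Flag VPN pre-shared keys that are well-known defaults or below the assumed minimum length."""
    findings = []
    for peer, psk in psks.items():
        if psk.lower() in COMMON_PSKS:
            findings.append(Finding("network", peer, "VPN pre-shared key is a well-known default"))
        elif len(psk) < WEAK_PSK_MIN_LEN:
            findings.append(Finding("network", peer, f"VPN pre-shared key shorter than {WEAK_PSK_MIN_LEN} chars"))
    return findings


def audit_file_modes(modes):
    """Flag world-writable paths, the UNIX equivalent of 'Everyone R/W'."""
    return [Finding("host", path, f"world-writable ({oct(mode)})")
            for path, mode in modes.items() if mode & stat.S_IWOTH]


def audit_processes(procs):
    """Flag services that run under an admin/root account instead of a service account."""
    return [Finding("host", name, f"runs as privileged user '{user}'")
            for name, user in procs if user.lower() in PRIVILEGED_USERS]


def audit_accounts(accounts):
    """Flag local-password accounts and profiles copied from another user."""
    findings = []
    for acct in accounts:
        if acct["auth"] == "local":
            findings.append(Finding("iam", acct["user"], "uses a local password instead of the directory"))
        if acct["source"].startswith("cloned from"):
            findings.append(Finding("iam", acct["user"], f"profile {acct['source']}; copied rights go unreviewed"))
    return findings


def run_audit(rules=SAMPLE_FW_RULES, psks=SAMPLE_VPN_PSKS, modes=SAMPLE_FILE_MODES,
              procs=SAMPLE_PROCESSES, accounts=SAMPLE_ACCOUNTS):
    """Run every check and return findings grouped by the slide's category."""
    by_category = {}
    for f in (audit_firewall(rules) + audit_psks(psks) + audit_file_modes(modes)
              + audit_processes(procs) + audit_accounts(accounts)):
        by_category.setdefault(f.category, []).append(f)
    return by_category


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"[{category}] {len(items)} finding(s)")
        for f in items:
            print(f"  - {f.item}: {f.reason}")
```

Each check is deliberately a few lines, so a project team can keep the list of "things we never ship" in one place and extend it as the deliverable's platforms become known during Planning.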
Project Phase: Monitoring
• Sharing Info with Externals
– Email threads
– “Fog of War”
• Secure Communications
• Storage Considerations
Project Phase: Closing
• Decommission
– Lost Data
– Information Wipe
• Cancel Accounts, change PWs
• Transition to Operations
– Security Operations
Security Impact on Constraints - Scope
• Need to understand security across deliverable
• Fixing vulnerabilities adds to scope
• Compliance mandates affect scope
– PCI DSS
Security Impact on Constraints - Time
• Extra time to review/fix security findings
• Extra time to find out how things work
• Time pressure to share info
– Externals
Security Impact on Constraints - Quality
• Security is a “latent construct”
– Can’t be observed directly, only inferred
• QA != Security
– But can really help…
• Measuring Security is Expensive/Uncertain
– Vulnerability Assessment
– Penetration Test
Security Impact on Constraints - Cost
• Specialized resources cost $$$
• Opportunity costs of fixing, troubleshooting
• Flipside – Security Cost
– “Oversecure”
Biggest Issues for PM
• Information Leakage during Project
• Insufficiently Secure Design
• Improperly Configured Systems
WRAP UP
Things to keep in mind…
• local user databases
• git/cvs folders, temporary files
• something wide open “for testing only”
• Defaults!
Things to keep in mind…
• Leaked (and shared) credentials
– AWS keys
• Get Security Testing done right
– Unit Tests, Vuln. Assessment, Pen Tests, Audits
• Remediation impact on schedule!
• Must understand end-to-end
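The two "things to keep in mind" slides above describe artifacts that leak out of a project with the deliverable: version-control folders, temporary files, local user databases, something left "for testing only", and shared credentials such as AWS keys. The script below is an added example, not code from the talk: it walks a constructed in-memory file tree and reports each of those before handover. The file names, the "for testing only" marker and the temp-file suffixes are assumptions; the `AKIA` prefix is the documented shape of an AWS long-term access key id, and the key values in the sample are AWS's own published placeholder examples, not real credentials.

```python
"""Pre-handover artifact scan over a constructed deliverable tree (added example)."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Hit:
    path: str   # file inside the deliverable
    kind: str   # which "thing to keep in mind" it matches
    note: str   # reviewer-facing explanation; never echoes a secret value


VCS_DIRS = {".git", "CVS", ".svn"}                                     # git/cvs folders
TEMP_SUFFIXES = (".tmp", ".bak", ".swp", ".orig", "~")                  # assumed temp patterns
LOCAL_USER_DB_NAMES = {"htpasswd", ".htpasswd", "passwd", "shadow",     # assumed names
                       "users.db", "users.sqlite"}
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
TESTING_ONLY_RE = re.compile(r"(?i)for testing only")

# Constructed sample tree: path -> file contents. The AWS values are AWS's documented
# placeholder examples, used here precisely because they are not real keys.
SAMPLE_TREE = {
    "app/main.py": "import os\nprint('hello')\n",
    "app/.git/config": "[core]\n\trepositoryformatversion = 0\n",
    "app/settings.py.bak": "DEBUG = True\n",
    "app/users.db": "<sqlite bytes>",
    "deploy/firewall.conf": "# allow all inbound for testing only\nallow ip any any\n",
    "deploy/.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "docs/README.md": "Ask the security SME before the change window.\n",
}


def scan_tree(tree):
    """Return a Hit for every artifact in `tree` that should not leave the project."""
    hits = []
    for path, content in tree.items():
        p = PurePosixPath(path)
        if VCS_DIRS & set(p.parts):
            hits.append(Hit(path, "vcs-folder", "version-control metadata (history, remotes) shipped"))
        if p.name.endswith(TEMP_SUFFIXES):
            hits.append(Hit(path, "temp-file", "temporary/backup file left in the deliverable"))
        if p.name in LOCAL_USER_DB_NAMES:
            hits.append(Hit(path, "local-user-db", "local user database; accounts bypass central IAM"))
        for m in AWS_ACCESS_KEY_RE.finditer(content):
            key_id = m.group(0)
            hits.append(Hit(path, "aws-access-key", f"access key id {key_id[:4]}...{key_id[-4:]} present"))
        if AWS_SECRET_RE.search(content):
            hits.append(Hit(path, "aws-secret-key", "secret access key present (value not echoed)"))
        if TESTING_ONLY_RE.search(content):
            hits.append(Hit(path, "testing-only", "marked 'for testing only'; confirm it was reverted"))
    return hits


def summarize(hits):
    """Count hits per kind, the shape a status report or gate wants."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


def handover_clean(tree):
    """True only when the scan finds nothing; use as a go/no-go before the change window."""
    return not scan_tree(tree)


if __name__ == "__main__":
    for h in scan_tree(SAMPLE_TREE):
        print(f"{h.kind:15} {h.path}: {h.note}")
    print("handover clean:", handover_clean(SAMPLE_TREE))
```

Because every leaked key found this way has to be treated as compromised and rotated, the schedule impact the slide warns about is real even when the scan runs late; running it on every build rather than once at Closing is what keeps remediation off the critical path.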
PM Cybersecurity Success
• Build Security Practices in PM Methodology
• Understand your security needs ASAP
– Security starts at Project Initiation
– Security Architect & Privacy Officer
• Build security on your team
– Security SME & Security Advocates
• Build Time (&$) for remediation
• Beware "change window" blues
• Don’t ignore economics.
• Change defaults!
Resources
• SANS Security Best Practices for IT Project Managers
– https://www.sans.org/reading-room/whitepapers/bestprac/security-practices-project-managers-34257
• Information Security & Privacy as part of Project Management
– http://www.axenic.co.nz/2015/03/information-security-privacy-as-part-of-project-management/
• Software Security for PMs
– http://www.slideshare.net/denimgroup/software-security-for-project-managers-what-do-you-need-to-know
• Security Efforts into Agile SDLC
– http://dadario.com.br/slides/SecureBrasil2014_Anderson_Dadario__EN.pdf
• OWASP - http://www.owasp.org
• Brian Krebs - https://krebsonsecurity.com/