Cybersecurity & Project Management
Fernando Montenegro, CISSP
@fsmontenegro
Why Are We Here?
• Security is the new black
• Security is an issue of technical debt
• Challenges
– How to Deliver "Secure"
– How to Deliver "Securely"
– How to Deliver "Security"
Cybersecurity & Project Management - PMI-SOC
Sep 26th, 2015
About me
@fsmontenegro
• Sales Engineer at Vendor
• PS Delivery (SME Network Security)
– 12+ yrs
• CompSci ’94
• Greying hair
• Curious
– Finance (DIY)
– Economics (EMH, Behaviour)
– Data Science (Coursera)
About this talk
• Take a look at where things can go wrong
– Put things into context…
• Please “do” security early!
– Cheaper (maybe)
– More predictable
– But beware externalities…
• SDLC Security != Project Security
• Slides will be up at
http://www.slideshare.net/fsmontenegro
Project Management Phases
Project Manager objectives
Achieve Objectives
Respect Constraints
• Scope
• Time
• Quality
• Cost
Optimize Allocations
Human Triggers/Motivation
• “Just get it done…”
– Project Management -> …as planned
– Business -> … to get functionality. [What details?]
– Technical -> .. and move to next task. [What impact?]
– Security -> … so it doesn’t expose us. [What impact?]
– Vendors -> … to keep business going.
• Beware Underlying Economics
• Externalities:
– security imposing controls
– business underscoping actual risks
• Moral hazard:
– Undue assumptions about risk model
Security Concepts
• Confidentiality, Integrity, Availability, …
• Terminology
– Vulnerabilities
– Threats
– Risk
• Compliance != Security
Nov 2015!
Project Phase: Initiation
• Identify security needs early!
– Deliverable needs
– Own project needs
• Early involvement from Security
• Key areas:
– Internal/External
– Regulatory Needs?
– Participants
Project Phase: Planning
• Detailed security requirements
– Specific regulatory needs, C-I-A, platforms, …
• Security resources assigned
– SMEs
– Advocates
• Assess risk, choose controls
Project Phase: Execution (1) – Building
• Dealing with Externals
– Sharing Information
– User and Access Management
• Security configurations
– Hardening
– Defaults!
• Security [unit] tests
– Other security testing?
• Temporary files
Project Phase: Execution (2) – Delivering
• Ongoing team access
• Change Window red flags!
• Preparation for Ops
– Training
– Incident Plans
• Network – firewalls, VPNs
– "allow ip any any"
– allow "all" network ports
– weak preshared keys
• Windows or UNIX systems
– "Everyone R/W", "chmod 777", admin/root processes, …
• Identity & Access Management
– copy user profiles
– use local passwords
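The misconfigurations listed above are easy to name and easy to miss during a change window, so they are worth checking mechanically before handover. The Python audit below is an added example, not code from the talk: it flags "any/any" and all-port allow rules in a constructed firewall rule list, lists services running as root, applies an assumed weak pre-shared key policy, and finds world-writable files in a temporary directory. The rule tuple layout, the process table, the PSK thresholds and all sample values are assumptions made for the demo, not any vendor's syntax.

```python
"""Added example, not from the slides: a small audit that flags the
misconfigurations listed above against constructed sample data. The
rule tuple format, the process table and the PSK thresholds are
assumptions made for the demo, not any vendor's syntax."""
import os
import stat
import tempfile

# Constructed firewall rules as (action, proto, src, dst, port).
SAMPLE_RULES = [
    ("allow", "tcp", "10.0.0.0/8", "10.1.2.3", "443"),
    ("allow", "ip", "any", "any", "any"),            # the "allow ip any any" rule
    ("allow", "tcp", "any", "10.1.2.3", "1-65535"),  # "all" ports to one host
    ("deny", "ip", "any", "any", "any"),             # a default deny is fine
]

# Constructed process table as (service, user).
SAMPLE_PROCESSES = [("nginx", "www-data"), ("app-worker", "root"), ("sshd", "root")]


def audit_firewall_rules(rules):
    """Return (rule_index, reason) pairs for allow rules that are too broad."""
    findings = []
    for idx, (action, _proto, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        if src == "any" and dst == "any":
            findings.append((idx, "allow from any to any"))
        if port in ("any", "1-65535"):
            findings.append((idx, "all ports open"))
    return findings


def weak_psk(psk, min_len=20):
    """IPsec/VPN pre-shared key check. The slides only say 'weak'; the
    length, character-class and denylist thresholds here are assumptions."""
    classes = sum((any(c.islower() for c in psk), any(c.isupper() for c in psk),
                   any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk)))
    denylist = {"password", "cisco", "secret", "vpnkey"}
    return len(psk) < min_len or classes < 3 or psk.lower() in denylist


def services_running_as_root(procs, allowed=("sshd",)):
    """Flag services running as root that are not on the allow-list."""
    return [name for name, user in procs if user == "root" and name not in allowed]


def world_writable(paths):
    """Return paths whose mode grants write to 'other' (chmod 777 and friends)."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def demo():
    """Create two temp files, one sane and one chmod 777, and run every check."""
    with tempfile.TemporaryDirectory() as d:
        sane, loose = os.path.join(d, "config.ini"), os.path.join(d, "deploy.sh")
        for p in (sane, loose):
            open(p, "w").close()
        os.chmod(sane, 0o640)
        os.chmod(loose, 0o777)
        return {
            "firewall": audit_firewall_rules(SAMPLE_RULES),
            "root_services": services_running_as_root(SAMPLE_PROCESSES),
            "weak_psk": [k for k in ("cisco123", "Xk9#v2Lq!pR7&mT4wZ1e") if weak_psk(k)],
            "world_writable": [os.path.basename(p) for p in world_writable([sane, loose])],
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it as a script to see each check's findings; in a real project the rule list would come from the firewall export and the file list from `find`, with the thresholds set by the security SME assigned in planning.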
Project Phase: Monitoring
• Sharing Info with Externals
– Email threads
– “Fog of War”
• Secure Communications
• Storage Considerations
Project Phase: Closing
• Decommission
– Lost Data
– Information Wipe
• Cancel Accounts, change PWs
• Transition to Operations
– Security Operations
Security Impact on Constraints - Scope
• Need to understand security across deliverable
• Fixing vulnerabilities adds to scope
• Compliance mandates affect scope
– PCI DSS
Security Impact on Constraints - Time
• Extra time to review/fix security findings
• Extra time to find out how things work
• Time pressure to share info
– Externals
Security Impact on Constraints - Quality
• Security is a “latent construct”
– Can’t be observed directly, only inferred
• QA != Security
– But can really help…
• Measuring Security is Expensive/Uncertain
– Vulnerability Assessment
– Penetration Test
Security Impact on Constraints - Cost
• Specialized resources cost $$$
• Opportunity costs of fixing, troubleshooting
• Flipside – Security Cost
– “Oversecure”
Biggest Issues for PM
• Information Leakage during Project
• Insufficiently Secure Design
• Improperly Configured Systems
WRAP UP
Things to keep in mind…
• local user databases
• git/cvs folders, temporary files
• something wide open “for testing only"
• Defaults!
Things to keep in mind…
• Leaked (and shared) credentials
– AWS keys
• Get Security Testing done right
– Unit Tests, Vuln. Assessment, Pen Tests, Audits
• Remediation impact on schedule!
• Must understand end-to-end
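The two "Things to keep in mind" slides above are a checklist of leftovers that leak from a project: local user databases, SCM folders, temporary files, "for testing only" holes and shared AWS keys. The following Python sweep is an added example, not part of the slides: run over a constructed file tree in a temporary directory, it looks for AWS access key IDs by their AKIA/ASIA prefix, private key headers, "for testing only" comments, editor/backup temp files and checked-in SCM metadata folders. The file names and contents are constructed, and the key value is AWS's documented placeholder, not a live credential; the regexes and suffix lists are assumptions chosen for the demo.

```python
"""Added example, not from the slides: a pre-handover sweep for the
leftovers named on the two slides above. Paths, file contents and the
AKIA value are constructed; the key is AWS's documented placeholder."""
import os
import re
import tempfile

# Patterns for things that should never ship with a deliverable (assumed set).
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----")
TESTING_ONLY = re.compile(r"for testing only|TODO:? remove before", re.IGNORECASE)
SCM_DIRS = {".git", ".svn", "CVS"}
TEMP_SUFFIXES = (".swp", ".bak", ".orig", "~")

# Constructed deliverable tree: relative path -> file content.
CONSTRUCTED_TREE = {
    "deploy/settings.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = False\n",
    "deploy/nginx.conf": "# allow 0.0.0.0/0 for testing only\nlisten 80;\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "deploy/notes.txt~": "scratch\n",
    "deploy/.git/HEAD": "ref: refs/heads/main\n",
    "deploy/app.py": "print('hello')\n",
}


def sweep(root):
    """Walk root and return sorted (relative_path, issue) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in SCM_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "SCM metadata directory"))
                dirnames.remove(d)  # flag it once, do not descend into it
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            if f.endswith(TEMP_SUFFIXES):
                findings.append((rel, "temporary/backup file"))
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if AWS_ACCESS_KEY_ID.search(text):
                findings.append((rel, "AWS access key ID"))
            if PRIVATE_KEY_HEADER.search(text):
                findings.append((rel, "private key material"))
            if TESTING_ONLY.search(text):
                findings.append((rel, "'for testing only' leftover"))
    return sorted(findings)


def build_tree(root, tree=CONSTRUCTED_TREE):
    """Materialise the constructed tree under root."""
    for rel, content in tree.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for path, issue in demo():
        print(f"{issue:30s} {path}")
```

Point `sweep()` at the real deliverable directory before it leaves the team; a finding on an access key ID should trigger rotation of that key, not just deletion of the file, because copies may already exist in email threads or shared drives.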
PM Cybersecurity Success
• Build Security Practices in PM Methodology
• Understand your security needs ASAP
– Security starts at Project Initiation
– Security Architect & Privacy Officer
• Build security on your team
– Security SME & Security Advocates
• Build Time (&$) for remediation
• Beware "change window" blues
• Don’t ignore economics.
• Change defaults!
Resources
• SANS Security Best Practices for IT Project Managers
– https://www.sans.org/reading-room/whitepapers/bestprac/security-practices-project-managers-34257
• Information Security & Privacy as part of Project Management
– http://www.axenic.co.nz/2015/03/information-security-privacy-as-part-of-project-management/
• Software Security for PMs
– http://www.slideshare.net/denimgroup/software-security-for-project-managers-what-do-you-need-to-know
• Security Efforts into Agile SDLC
– http://dadario.com.br/slides/SecureBrasil2014_Anderson_Dadario__EN.pdf
• OWASP - http://www.owasp.org
• Brian Krebs - https://krebsonsecurity.com/

Weitere ähnliche Inhalte

Was ist angesagt?

Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapDavid Sweigert
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesSlideTeam
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
From Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber ResilienceFrom Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber Resilienceaccenture
 
PwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity ManagementPwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity ManagementCA Technologies
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 

Was ist angesagt? (20)

Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation Slides
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
From Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber ResilienceFrom Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber Resilience
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
PwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity ManagementPwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity Management
 
Zero Trust
Zero TrustZero Trust
Zero Trust
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
 

Ähnlich wie Cybersecurity & Project Management

Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security GovernanceCan Demirel
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
Essentials of Project Management
Essentials of Project ManagementEssentials of Project Management
Essentials of Project ManagementLiving Online
 
Cybersecurity Critical Infrastructure Framework Course Textbook and the class...
Cybersecurity Critical Infrastructure Framework Course Textbook and the class...Cybersecurity Critical Infrastructure Framework Course Textbook and the class...
Cybersecurity Critical Infrastructure Framework Course Textbook and the class...AVEVA
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsPECB
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
501 ch 1 mastering security basics
501 ch 1 mastering security basics501 ch 1 mastering security basics
501 ch 1 mastering security basicsgocybersec
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...North Texas Chapter of the ISSA
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
Liberty Summit - Symantec Open Community
Liberty Summit - Symantec Open CommunityLiberty Summit - Symantec Open Community
Liberty Summit - Symantec Open CommunityDavid ( DTL ) Lin
 
Cybersecurity model and top cloud security controls for product development e...
Cybersecurity model and top cloud security controls for product development e...Cybersecurity model and top cloud security controls for product development e...
Cybersecurity model and top cloud security controls for product development e...James DeLuccia IV
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectEoin Woods
 
501 ch 8 risk managment tool
501 ch 8 risk managment tool501 ch 8 risk managment tool
501 ch 8 risk managment toolgocybersec
 
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWS
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWSAWS Enterprise Summit London 2013 - Stephen Schmidt - AWS
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWSAmazon Web Services
 
Logmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetupLogmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetuplogmatic.io
 

Ähnlich wie Cybersecurity & Project Management (20)

Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Essentials of Project Management
Essentials of Project ManagementEssentials of Project Management
Essentials of Project Management
 
Cybersecurity Critical Infrastructure Framework Course Textbook and the class...
Cybersecurity Critical Infrastructure Framework Course Textbook and the class...Cybersecurity Critical Infrastructure Framework Course Textbook and the class...
Cybersecurity Critical Infrastructure Framework Course Textbook and the class...
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
501 ch 1 mastering security basics
501 ch 1 mastering security basics501 ch 1 mastering security basics
501 ch 1 mastering security basics
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
Liberty Summit - Symantec Open Community
Liberty Summit - Symantec Open CommunityLiberty Summit - Symantec Open Community
Liberty Summit - Symantec Open Community
 
Agile security
Agile securityAgile security
Agile security
 
Cybersecurity model and top cloud security controls for product development e...
Cybersecurity model and top cloud security controls for product development e...Cybersecurity model and top cloud security controls for product development e...
Cybersecurity model and top cloud security controls for product development e...
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
 
NocExplorer
NocExplorerNocExplorer
NocExplorer
 
501 ch 8 risk managment tool
501 ch 8 risk managment tool501 ch 8 risk managment tool
501 ch 8 risk managment tool
 
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWS
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWSAWS Enterprise Summit London 2013 - Stephen Schmidt - AWS
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWS
 
Building Cybersecurity into a Greenfield ICS Project
Building Cybersecurity into a Greenfield ICS ProjectBuilding Cybersecurity into a Greenfield ICS Project
Building Cybersecurity into a Greenfield ICS Project
 
Logmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetupLogmatic at ElasticSearch November Paris meetup
Logmatic at ElasticSearch November Paris meetup
 

Mehr von Fernando Montenegro

The 4 Eyes of Information Security - AiS 2019
The 4 Eyes of Information Security - AiS 2019The 4 Eyes of Information Security - AiS 2019
The 4 Eyes of Information Security - AiS 2019Fernando Montenegro
 
Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Fernando Montenegro
 
4 Eyes of Information Security - Converge Detroit 2017
4 Eyes of Information Security - Converge Detroit 20174 Eyes of Information Security - Converge Detroit 2017
4 Eyes of Information Security - Converge Detroit 2017Fernando Montenegro
 
Navigating Career Choices in InfoSec - BSides Detroit 2017
Navigating Career Choices in InfoSec - BSides Detroit 2017Navigating Career Choices in InfoSec - BSides Detroit 2017
Navigating Career Choices in InfoSec - BSides Detroit 2017Fernando Montenegro
 

Mehr von Fernando Montenegro (6)

The 4 Eyes of Information Security - AiS 2019
The 4 Eyes of Information Security - AiS 2019The 4 Eyes of Information Security - AiS 2019
The 4 Eyes of Information Security - AiS 2019
 
Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?
 
4 Eyes of Information Security - Converge Detroit 2017
4 Eyes of Information Security - Converge Detroit 20174 Eyes of Information Security - Converge Detroit 2017
4 Eyes of Information Security - Converge Detroit 2017
 
Navigating Career Choices in InfoSec - BSides Detroit 2017
Navigating Career Choices in InfoSec - BSides Detroit 2017Navigating Career Choices in InfoSec - BSides Detroit 2017
Navigating Career Choices in InfoSec - BSides Detroit 2017
 
Economics of Cyber Security
Economics of Cyber SecurityEconomics of Cyber Security
Economics of Cyber Security
 
Docker security - TASK Jan 2016
Docker security - TASK Jan 2016Docker security - TASK Jan 2016
Docker security - TASK Jan 2016
 

Kürzlich hochgeladen

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Kürzlich hochgeladen (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Anypoint Exchange: It’s Not Just a Repo!

Cybersecurity & Project Management

1. Cybersecurity & Project Management
Fernando Montenegro, CISSP
@fsmontenegro

2. Why Are We Here?
• Security is the new black
• Security is an issue of technical debt
• Challenges
– How to Deliver "Secure"
– How to Deliver "Securely"
– How to Deliver "Security"
Cybersecurity & Project Management - PMI-SOC
Sep 26th, 2015

3. About me
@fsmontenegro
• Sales Engineer at Vendor
• PS Delivery (SME Network Security)
– 12+ yrs
• CompSci ’94
• Greying hair
• Curious
– Finance (DIY)
– Economics (EMH, Behaviour)
– Data Science (Coursera)

4. About this talk
• Take a look at where things can go wrong
– Put things into context…
• Please “do” security early!
– Cheaper (maybe)
– More predictable
– But beware externalities…
• SDLC Security != Project Security
• Slides will be up at http://www.slideshare.net/fsmontenegro

5. Project Management Phases

6. Project Manager objectives
Achieve Objectives
Respect Constraints
• Scope
• Time
• Quality
• Cost
Optimize Allocations

7. Human Triggers/Motivation
• “Just get it done…”
– Project Management -> … as planned
– Business -> … to get functionality. [What details?]
– Technical -> … and move to next task. [What impact?]
– Security -> … so it doesn’t expose us. [What impact?]
– Vendors -> … to keep business going.
• Beware Underlying Economics
• Externalities:
– security imposing controls
– business underscoping actual risks
• Moral hazard:
– Undue assumptions about risk model

8. Security Concepts
• Confidentiality, Integrity, Availability, …
• Terminology
– Vulnerabilities
– Threats
– Risk
• Compliance != Security
Nov 2015!
9. Project Phase: Initiation
• Identify security needs early!
– Deliverable needs
– Own project needs
• Early involvement from Security
• Key areas:
– Internal/External
– Regulatory Needs?
– Participants

10. Project Phase: Planning
• Detailed security requirements
– Specific regulatory needs, C-I-A, platforms, …
• Security resources assigned
– SMEs
– Advocates
• Assess risk, choose controls

11. Project Phase: Execution (1) Building
• Dealing with Externals
– Sharing Information
– User and Access Management
• Security configurations
– Hardening
– Defaults!
• Security [unit] tests
– Other security testing?
• Temporary files

12. Project Phase: Execution (2) Delivering
• Ongoing team access
• Change Window red flags!
• Preparation for Ops
– Training
– Incident Plans
Network – firewalls, VPNs
– “allow ip any any”
– allow “all” network ports
– weak preshared keys
Windows or UNIX systems
– “Everyone R/W”, “chmod 777”, admin/root processes, …
Identity & Access Management
– copy user profiles
– use local passwords
13. Project Phase: Monitoring
• Sharing Info with Externals
– Email threads
– “Fog of War”
• Secure Communications
• Storage Considerations

14. Project Phase: Closing
• Decommission
– Lost Data
– Information Wipe
• Cancel Accounts, change PWs
• Transition to Operations
– Security Operations

15. Security Impact on Constraints - Scope
• Need to understand security across deliverable
• Fixing vulnerabilities adds to scope
• Compliance mandates affect scope
– PCI DSS

16. Security Impact on Constraints - Time
• Extra time to review/fix security findings
• Extra time to find out how things work
• Time pressure to share info
– Externals

17. Security Impact on Constraints - Quality
• Security is a “latent construct”
– Can’t be observed directly, only inferred
• QA != Security
– But can really help…
• Measuring Security is Expensive/Uncertain
– Vulnerability Assessment
– Penetration Test

18. Security Impact on Constraints - Cost
• Specialized resources cost $$$
• Opportunity costs of fixing, troubleshooting
• Flipside
– Security Cost
– “Oversecure”

19. Biggest Issues for PM
• Information Leakage during Project
• Insufficiently Secure Design
• Improperly Configured Systems

20. WRAP UP

21. Things to keep in mind…
• local user databases
• git/cvs folders, temporary files
• something wide open “for testing only”
• Defaults!

22. Things to keep in mind…
• Leaked (and shared) credentials
– AWS keys
• Get Security Testing done right
– Unit Tests, Vuln. Assessment, Pen Tests, Audits
• Remediation impact on schedule!
• Must understand end-to-end
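The red flags from slides 11, 12, 21 and 22 (leftover git/cvs folders, temporary files, "chmod 777" permissions, "allow ip any any" rules, "for testing only" leftovers and AWS keys in config) can be turned into a pre-handover check. The script below is an added example, not part of the deck; the detection patterns, file names and the sample package it builds are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Detection patterns are assumptions for this example; tune them to your estate.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")        # AWS access key ID shape
TESTING_RE = re.compile(r"for testing only", re.I)       # "wide open for testing"
ANY_ANY_RE = re.compile(r"\b(allow|permit)\s+ip\s+any\s+any\b", re.I)
TEMP_SUFFIXES = (".tmp", ".bak", ".swp", ".orig")
VCS_DIRS = {".git", "CVS", ".svn"}

def audit_tree(root):
    """Walk `root`; return a sorted list of (check, relative_path) findings."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:  # repository metadata left inside a deliverable
                findings.append(("vcs_folder", str(Path(dirpath, d).relative_to(root))))
                dirnames.remove(d)
        for name in filenames:
            path = Path(dirpath, name)
            rel = str(path.relative_to(root))
            if path.stat().st_mode & stat.S_IWOTH:  # world-writable, e.g. "chmod 777"
                findings.append(("world_writable", rel))
            if name.endswith(TEMP_SUFFIXES):
                findings.append(("temp_file", rel))
            text = path.read_text(errors="ignore")
            for check, pattern in (("aws_key", AWS_KEY_RE), ("testing_only", TESTING_RE),
                                   ("any_any_rule", ANY_ANY_RE)):
                if pattern.search(text):
                    findings.append((check, rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed handover package with deliberate red flags (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="audit_"))
    (root / ".git").mkdir()
    (root / "app.conf").write_text("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    (root / "fw.acl").write_text("permit ip any any   ! for testing only\n")
    (root / "notes.tmp").write_text("scratch\n")
    (root / "upload.sh").write_text("#!/bin/sh\n")
    os.chmod(root / "upload.sh", 0o777)
    (root / "README").write_text("Handover package\n")
    return root

if __name__ == "__main__":
    print(*audit_tree(build_sample_tree()), sep="\n")
```

Each finding maps back to a slide item, which makes the output usable as a remediation list with schedule impact, as slide 22 asks for.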
23. PM Cybersecurity Success
• Build Security Practices in PM Methodology
• Understand your security needs ASAP
– Security starts at Project Initiation
– Security Architect & Privacy Officer
• Build security on your team
– Security SME & Security Advocates
• Build Time (& $) for remediation
• Beware "change window" blues
• Don’t ignore economics.
• Change defaults!

24. Resources
• SANS Security Best Practices for IT Project Managers
– https://www.sans.org/reading-room/whitepapers/bestprac/security-practices-project-managers-34257
• Information Security & Privacy as part of Project Management
– http://www.axenic.co.nz/2015/03/information-security-privacy-as-part-of-project-management/
• Software Security for PMs
– http://www.slideshare.net/denimgroup/software-security-for-project-managers-what-do-you-need-to-know
• Security Efforts into Agile SDLC
– http://dadario.com.br/slides/SecureBrasil2014_Anderson_Dadario__EN.pdf
• OWASP - http://www.owasp.org
• Brian Krebs - https://krebsonsecurity.com/