Is There a Day 5?

I left you all hanging, didn’t I? And judging by all of the comments and feedback, you were all terribly concerned.

Day 5 has changed, and did so even as I was writing that original series. It’s actually now a really cool capture the flag game that is the last half of Day 5. If you’re taking the class, there are even challenge coins for the winners. With the move to online teaching, that game has now also become an online series of recurring game days that anyone can participate in, free of charge.

There are actually three different ones; one for each of the management classes (512, 514, and 516) and there is one every month. This is a great opportunity to try out your management skills in a fun and interactive way with other cyber leaders from around the world.

Want to give it a try? Go here for more information –

The next Cyber42 game day is April 27th and will be the CISO for a Day version from MGT514: Security Strategy Planning, Policy, and Leadership.

SANS MGT512 Day 4

Day 4 is called “Leading Modern Security Initiatives” and covers a lot of the subjects that we now need to be considering as part of a complete, and up-to-date, security program. Not only do we need to worry about some of the new technologies and platforms (i.e. cloud), we also need to look at security with a more holistic approach. This includes security awareness and proper management of the initiatives we now undertake in a more mature security group.

The day starts with security awareness and the section is based on material from the excellent MGT433 – How to Build, Maintain, and Measure a Mature Awareness Program. The title says it all; this is about building a comprehensive and mature program for security awareness. Of course, this material is only a sample, so you’ll need to register for this two-day class to get the full training. This section covers a really good representative sample though and helps you to understand what makes a good, comprehensive, program. Topics include:

  • Breaking down the myths of awareness training
  • Using an awareness program to reduce enterprise security risk
  • How to affect behavioural change
  • How to build an effective plan for an awareness program
  • How to prioritize human risks

We all understand that these days, if we don’t focus on the human side of security, we’re leaving a very large gap in our security program.

Next, we cover portfolio, program, and project management. As security initiatives become more integrated into the business, we need to introduce the same rigour of project management within our security team as we have elsewhere in the organization. How you go about this is up to you, you may use existing PMO resources or build your own, but the need is there. This section is based on material from MGT525 – IT Project Management, Effective Communication, and PMP® Exam Prep and covers the PMI model of project management. This covers all the basics including:

  • Why projects fail
  • Portfolios, Programs, and Projects and sample team structures
  • The PMBOK 5 project groups
  • Key aspects to each of the groups

The bulk of the rest of day 4 is focused on the modern technology part of the day; Cloud and Zero Trust. These two sections really focus on what’s coming for most organizations, and what managers will need to know to help navigate their company into the new paradigms of cloud and Zero Trust. Zero Trust, in particular, is really an aspirational idea for most organizations, but is made more achievable by many of the new technologies that are being introduced. Cloud is here and now, but most companies are still at the experimental phase, especially with the aspects of cloud that are discussed in this section. What’s included?

  • Benefits and basic terminology of the cloud
  • An overview of the Cloud Security Alliance and the resources they have to offer.
  • An introduction to Amazon AWS and an explanation of why it’s the focus of this section
  • Technical aspects of cloud infrastructure including availability zones, regions, and networking within each
  • Internet gateways, NAT gateways, EC2 infrastructure, security groups, and how it all fits together
  • Lastly, microservices architecture, API gateways and functions as a service (FaaS).

Then the Zero Trust section covers:

  • Today’s model of trust vs. zero trust
  • Fundamentals of Zero Trust
  • Technologies that help to enable Zero Trust architecture
  • Challenges with Zero Trust

How good are your negotiating skills? We finish the day off by discussing negotiating tactics, different types of negotiators, and then play a little game where you get to test your negotiating mettle. Our final section is about vendors, salespeople and what drives them. Finally, a look at the Analytical Hierarchy method of vendor and tool evaluation to help reduce the subjectivity often found when selecting new tools and vendors.

Ready for Day 5?

SANS MGT512 Day 3

So, you’re still a bit brain-dead from day 2, I don’t blame you it’s a lot of material. Then again, what else have you come to expect from SANS? Day 3 starts you off a little easier, maybe to let you soak in the material a little more, or maybe just because there’s a little bit of baseline-setting going on first. Day 3 is all about protecting and patching systems, but it’s a little broader than that and includes malware-types and attacks, integrating security into the SDLC and devops, and a little bit about infrastructure in the cloud. Physical security and safety make an appearance on this day as well. It’s important to understand what risks we have there and the implications for everything else we put in place within them.

If you think back to day 1, it was all about risk. Day 2 was focused on the underlying layers of networking, but ultimately about possible risks and how to mitigate them on the network. Day 3 is really about understanding the risk from attacks against our systems primarily at the application layers.

To start the day, we talk about host security and it includes:

  • Anatomy of attacks: including the attack life cycle and examples of the different types of common attacks occurring at the various phases.
  • Malware examples and includes information about the different types of malware and how they are commonly used today
  • Tools to use to combat these attacks on the host, including end-point protect platforms and end-point detection and response.
  • The last section is really focused on security in IaaS. It explains the fundamental differences when your infrastructure is all software-based instead of hardware and VM, and what the security implications are.

The next section is all about security in the software development life cycle and the benefits to integrating security within the processes instead of adding it on later. This is a bit of a mixed-bag of concepts but covers what’s needed at a high-level to help leaders understand what today’s application weaknesses are, why they exists, and how to reduce risk. Topics include:

  • Secure SDLC with information about what a SDLC looks like and what security activities should take place when.
  • This section introduces the OWASP Top 10 and the resources available to development teams
  • Tools available to use at different phases including code testing tools, web application firewalls, and other active tools.
  • We finish this section with devops and how to ensure that security helps, rather than hinders, ensure that teams succeed when embarking on automation of the life cycle.

After a small, but valuable, discussion of physical security, the remainder of the day is spent discussing vulnerability management. You have a scanner and you even use it to scan stuff sometimes. Great! A vulnerability Management program is so much more than that though, and this section dives into how to ensure that you’re covering the entirety of a program. Vulnerability management is a critical part of the organization’s risk management program as well as providing a huge amount of valuable information for measuring the effectiveness of your technical controls.

This last section covers the PIACT (Prepare, Identify, Analyze, Communicate, Treat) process and its importance in having a complete program. It then goes on to cover each of the phases in detail including how to prioritize patching in order to help your patching team, communicate risks to management, and how to measure the program and communicate to all of the stakeholders involved.

You’re now over half-way through the week!

SANS MGT512 Day 2

As I mentioned in the last post, Day 2 gets pretty technical. However, for this class, the importance is to understand the concepts so that, as a manager, you can make educated decisions around technical concepts. You don’t have to know the math for Elliptic Curve Cryptography, nor do you have to memorize the seven layers of the OSI stack. You should be able to understand when someone says, ” This is a layer 7 firewall.” though.

Day 2 is titled Protecting Data and Networks so, unsurprisingly, that’s the focus of the day. This day, similar to day 1, lays a foundation for security that covers the concepts and tools that we need to secure our data as well as the network infrastructure. The network portion also gives us the basic knowledge we need as managers to be able to understand why we would want to encrypt something at layer 3 vs. layer 7.

The day is pretty much split in half, with the focus of the first half being on encryption and privacy, and the second half being on networking. Encryption looks at:

  • Encryption Concepts (things like symmetric vs. asymmetric encryption)
  • Encryption algorithms; enough to have an understanding of how they work, but without having to do really hard math.
  • Encryption applications; things like VPNs and Email encryption
  • There’s also a short unit on privacy where we discuss the overlap of privacy and security and what some of the key privacy concepts are (PII, Consent, and some legal precedents)

The network section is a bit of a deeper dive as it’s good for managers of technical staff to have a slightly deeper knowledge base. With this knowledge you will have to ask fewer questions and you’ll be better prepared to discuss products with vendors and concepts with non-IT management. The sections are broken up in layers (TCP/IP stack layers, not OSI stack layers) and are as follows:

  • Layers 1 and 2 overview and attacks
  • Layer 3; more discussion on VPNs and encryption at this layer, as well as an introduction to IP version 6.
  • Layer 4 with discussion of both TCP and UDP.
  • Application layer discussing proxies, firewalls, and other technologies that apply to network layer security

Day 2 is a heavy day and your head will be very full by the end of it. However, I’m pretty confident that you’ll find it is either an excellent refresher for those who once knew this stuff really well, or a solid, practical, introduction for those who may have come from non-technical areas of the business. In either case, it does a great job of preparing you for the topics around system security that come on day 3.

SANS MGT512 Day 1

If you’re not familiar with it, this class is very true to it’s full name: Security Leadership Essentials. It’s designed primarily for two types of audience; 1) Non-technical managers who have to manage technical security people and, 2) technical people who are now managers but haven’t had much formal management training. It works for a lot of other types of security professional too, but those are for whom it is really perfect.

This duality of audience means that the class has a bit of a duality itself. You’ll learn about the essential security concepts that security managers need, and you’ll get an introduction to management with a focus on managing a security program. For the management “half” the focus is, now more than in previous iterations, on managing a security program and interfacing with the business. We all know that security managers today need to understand and communicate in terms the business understands and this class helps with that. The technical “half” is designed to help you understand the key concepts that the teams you’ll manage deal with on a day-to-day basis. This helps to ensure that you and your team are communicating effectively, just as you must with management.

So what does day 1 bring? Day 1 is all about building a program; We understand that today, security isn’t just about buying fancy toys, but it also includes communicating risk to the business and measuring how well you are identifying and mitigating those risks. This day is, like day 1 in most SANS classes, all about building the foundation for what is to come the rest of the week. The security program is the fundamental piece for the week. Topics include:

  • Security Frameworks. Specifically control, risk, and program frameworks including introductions to the CIS 20 Critical Security Controls, NIST Cybersecurity Framework, and the FAIR model for quantitative risk measurement.
  • Understanding Risk. How do we define, communicate, and measure it?
  • Security Policy. While not everyone’s favorite, nor most thrilling topic, it is one that is crucial to the foundation of an effective security program. This section includes material from SANS MGT514 – Strategic Planning, Policy, and Leadership, also written by Frank Kim.
  • The day ends with material focused on the Who, What, Why, and How or, the Program Structure. It delves into what all of the pieces of the program are and how you put people and process together into a workable format. This helps to ensure you have all of the necessary duties covered and an organizational structure that fits your company.

Along with those topics, there are some group discussions to alleviate what can seem like an endless number of slides. These discussions help you to better understand the frameworks you use, how you can quantify risk, and where you might have gaps in your policies. Day 2 gets technical pretty fast, so get ready.

SANS Security Leadership Essentials – MGT512

I’ve taught this class for a number of years now and it has always been one of my favourites. It was usurped for a time by “Implementing and Auditing the CIS 20 Critical Controls” (SEC566) as 512 became a bit dated and I found 566 to be a bit more relevant. However, that all changed this year when a significant re-write was completed and the new version of the course went live. Frank Kim and other contributors have done a great job of bringing this back to be a true essentials course.

I’ve taught a couple of classes already and have a bunch more lined up this year so I thought I’d take some time to give a run-down of the new material and let you know what to expect. This class has quickly risen in the popularity ranks once again and it’s a great opportunity for people in a variety of roles to get a thorough introduction to security and management principles. Stay tuned for the next 5 posts to learn more about this great class.

Day 1
Day 2
Day 3
Day 4
Day 5

Join me for this class, next in New Orleans, Louisiana

The times, they are a changin’

It’s World Password Day and there seem to be a lot of posts suggesting that the end is nigh for passwords. I’m here to burst that bubble; Passwords may be going away, but not anytime soon, and so we still need to make sure that we’re taking care of all of the ones we have.

Passwords are still around because the user experience is really good. We know that to get into our favorite apps and websites, we need a username and a password. We memorize the passwords so that we really don’t have to do anything other than type it in to the box. We don’t need to go searching for a USB thingy to plug into our computer, we don’t need to go and get a code from some other device, we don’t need to find that book that we write them all down in. Username, same old password, done. The problem is, we’re not machines and we don’t have computers for brains. Therefore we take short-cuts; We use simple passwords and instead of choosing one for each site, we re-use the same simple passwords over and over again. This makes the experience even simpler but leaves us open to major breaches of our privacy and information.

Companies don’t help. Make sure the password is at least 8 characters, has at least one capital letter, one lower-case letter, one number, and one special character. You have to change it every two months and you can’t re-use the last 10 passwords you used. Oh yeah, don’t use your name, your pet’s name, your favorite sports team’s name, any variation on the company name, your mother’s maiden name, and no repeating characters. Passwords are hard and we’re really good at making the whole process harder.

There is a better way though and it isn’t the disappearance of the password (although that would be great). Times are changing because of the understanding that length is the most important characteristic of passwords, not complexity. Your password needs to be long, but memorable, and you should use a unique one for each service that requires one. Humans are good at remembering long, but simple things. It’s all that complexity stuff that tries our brains.

How hard is this to remember? “apple\Spiders2puppies” Not hard, and that’s a 21 character complex password (Pro Tip: Don’t use that example as your password). Variations of this for each different site or app are just as secure, but different.

Still don’t want to have to remember all of those passwords? Sign up for a password vault service like LastPass, 1 Password, DashLane, or a free local password saver like KeePass. The advantage to these tools is that they are integrated into your browsers and automatically fill in your passwords in addition to allowing you to generate completely random passwords. I only know the password to my manager, I have no idea what my passwords are for the vast majority of sites and apps I use. Of course, you should also use 2 factor authentication, also referred to as two-step verification. That’s another post on its own though.

So in honour of World Password day, go sign-up for a password manager and change all of your passwords. If not a service, at least change all of your passwords using the premise that length is most important. You’ll be glad you did and your online life will be easier and more secure. How often do we get to say that?

Crowdsourcing: I need your help.

I’m looking to build a presentation for a future conference and I need your help. My subject is “Communicating with Managers” and is intended to help non-management security folks better communicate with non-security security managers. Seem clear?

Here’s what I need from you: I’m looking for your stories, tips, or rants for when you’ve a) had to communicate with a security manager who wasn’t a security person or b) you’re a manager who has seen far too many technical people fail to communicate their message to you.

You can leave your story as a comment or tweet it to me @kentonsmith and I’ll be sure to share the presentation once it’s polished and ready to go.

End-to-End WhatsApp: An Opinionated Series on Why Signal Protocol is Well-Designed

Here’s a good look at what the Signal protocol is all about.

“WhatsApp recently announced that client communications are now end-to-end encrypted using Open Whisper System’s “Signal Protocol” (previously Axolotl). This has received quite a bit of press lately due to WhatsApp’s massive user base, along with the controversial going dark debates. Less importantly, the crypto-nerd in me loves Signal. Because of all of this, I thought I would write a blog series on some of Signal’s design decisions that I feel are well-designed.”

Source: End-to-End WhatsApp: An Opinionated Series on Why Signal Protocol is Well-Designed