SANS MGT512 Day 4

Day 4 is called “Leading Modern Security Initiatives” and covers a lot of the subjects that we now need to be considering as part of a complete, up-to-date security program. Not only do we need to worry about new technologies and platforms (e.g. cloud), we also need to look at security with a more holistic approach. This includes security awareness and proper management of the initiatives we now undertake in a more mature security group.

The day starts with security awareness and the section is based on material from the excellent MGT433 – How to Build, Maintain, and Measure a Mature Awareness Program. The title says it all; this is about building a comprehensive and mature program for security awareness. Of course, this material is only a sample, so you’ll need to register for this two-day class to get the full training. This section covers a really good representative sample though and helps you to understand what makes a good, comprehensive, program. Topics include:

  • Breaking down the myths of awareness training
  • Using an awareness program to reduce enterprise security risk
  • How to affect behavioural change
  • How to build an effective plan for an awareness program
  • How to prioritize human risks

We all understand that these days, if we don’t focus on the human side of security, we’re leaving a very large gap in our security program.

Next, we cover portfolio, program, and project management. As security initiatives become more integrated into the business, we need to introduce the same rigour of project management within our security team as we have elsewhere in the organization. How you go about this is up to you; you may use existing PMO resources or build your own, but the need is there. This section is based on material from MGT525 – IT Project Management, Effective Communication, and PMP® Exam Prep and covers the PMI model of project management. This covers all the basics including:

  • Why projects fail
  • Portfolios, Programs, and Projects and sample team structures
  • The five PMBOK process groups
  • Key aspects of each of the groups

The bulk of the rest of day 4 is focused on the modern technology part of the day: Cloud and Zero Trust. These two sections really focus on what’s coming for most organizations, and what managers will need to know to help navigate their company into the new paradigms of cloud and Zero Trust. Zero Trust, in particular, is really an aspirational idea for most organizations, but is made more achievable by many of the new technologies that are being introduced. Cloud is here and now, but most companies are still at the experimental phase, especially with the aspects of cloud that are discussed in this section. What’s included?

  • Benefits and basic terminology of the cloud
  • An overview of the Cloud Security Alliance and the resources they have to offer
  • An introduction to Amazon Web Services (AWS) and an explanation of why it’s the focus of this section
  • Technical aspects of cloud infrastructure including regions, availability zones, and networking within each
  • Internet gateways, NAT gateways, EC2 infrastructure, security groups, and how it all fits together
  • Lastly, microservices architecture, API gateways and functions as a service (FaaS)

Then the Zero Trust section covers:

  • Today’s model of trust vs. zero trust
  • Fundamentals of Zero Trust
  • Technologies that help to enable Zero Trust architecture
  • Challenges with Zero Trust

How good are your negotiating skills? The last part of the day begins with negotiating tactics and the different types of negotiators, and then a little game where you get to test your negotiating mettle. The final section is about vendors, salespeople and what drives them, and closes with a look at the Analytic Hierarchy Process (AHP) for vendor and tool evaluation, a structured scoring method that helps reduce the subjectivity often found when selecting new tools and vendors.

The times, they are a changin’

It’s World Password Day and there seem to be a lot of posts suggesting that the end is nigh for passwords. I’m here to burst that bubble: passwords may be going away, but not anytime soon, so we still need to make sure that we’re taking care of all of the ones we have.

Passwords are still around because the user experience is really good. We know that to get into our favorite apps and websites, we need a username and a password. We memorize the passwords so that we really don’t have to do anything other than type them into the box. We don’t need to go searching for a USB thingy to plug into our computer, we don’t need to go and get a code from some other device, we don’t need to find that book that we write them all down in. Username, same old password, done. The problem is, we’re not machines and we don’t have computers for brains, so we take shortcuts: we use simple passwords and, instead of choosing one for each site, we re-use the same simple passwords over and over again. This makes the experience even simpler but leaves us open to major breaches of our privacy and information, because one leaked database hands an attacker the key to every other account that shares the password.

Companies don’t help. Make sure the password is at least 8 characters, has at least one capital letter, one lower-case letter, one number, and one special character. You have to change it every two months and you can’t re-use the last 10 passwords you used. Oh yeah, don’t use your name, your pet’s name, your favorite sports team’s name, any variation on the company name, your mother’s maiden name, and no repeating characters. Passwords are hard and we’re really good at making the whole process harder.

There is a better way though, and it isn’t the disappearance of the password (although that would be great). Times are changing because of the understanding that length is the most important characteristic of a password, not complexity; NIST SP 800-63B now recommends against composition rules and forced periodic rotation for exactly this reason. Your password needs to be long but memorable, and you should use a unique one for each service that requires one. Humans are good at remembering long but simple things. It’s all that complexity stuff that tries our brains.

How hard is this to remember? “apple\Spiders2puppies” Not hard, and that’s a 21-character complex password (Pro Tip: Don’t use that example as your password). Variations of this for each different site or app are just as strong, as long as the variation isn’t a predictable pattern such as tacking the site’s name onto a common stem; once one of those leaks, the rest are easy to guess.
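To put numbers on the length-versus-complexity claim, here is a small calculator added to this post (it is not part of the original, and the example passwords in it are constructed). It estimates the search space an attacker faces two ways: the naive brute-force figure that only considers length and character classes, and a more realistic pattern-based figure that treats a passphrase as a handful of dictionary words plus separators and capitalisation choices. The 20,000-word dictionary and the 10^10 guesses per second rate are assumptions chosen for illustration, not measurements.

```python
import math
import string

# Assumed attacker model for the pattern-based estimate (not from the post):
# the attacker knows the phrase is made of common words joined by
# separators, with each word either lower-case or Capitalised.
ASSUMED_DICTIONARY_WORDS = 20_000
ASSUMED_GUESSES_PER_SECOND = 1e10  # illustrative offline cracking rate

SECONDS_PER_YEAR = 365.25 * 86_400


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search if all they know is which
    character classes (lower, upper, digit, ASCII punctuation) appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Naive strength: log2(alphabet ** length). This is the figure that
    complexity rules are implicitly optimising for."""
    return len(password) * math.log2(charset_size(password))


def passphrase_pattern_bits(n_words: int, dictionary_size: int,
                            n_separators: int = 0, separator_alphabet: int = 1,
                            case_choices_per_word: int = 1) -> float:
    """Realistic strength of a word-based phrase against an attacker who
    guesses dictionary words, separators and capitalisation directly."""
    return (n_words * math.log2(dictionary_size)
            + n_separators * math.log2(separator_alphabet)
            + n_words * math.log2(case_choices_per_word))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at the given rate (average success is
    about half this)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def main() -> None:
    # Constructed examples: the post's 21-character phrase and a typical
    # 8-character password that satisfies every composition rule.
    phrase = r"apple\Spiders2puppies"
    complex8 = "P@ssw0rd"

    naive_phrase = brute_force_bits(phrase)
    naive_complex = brute_force_bits(complex8)
    # 3 words, 2 separators drawn from the 94-symbol alphabet above,
    # each word lower-case or Capitalised.
    realistic_phrase = passphrase_pattern_bits(
        3, ASSUMED_DICTIONARY_WORDS, n_separators=2,
        separator_alphabet=94, case_choices_per_word=2)

    for label, bits in (("8-char complex, brute force", naive_complex),
                        ("21-char phrase, brute force", naive_phrase),
                        ("21-char phrase, word pattern", realistic_phrase)):
        years = years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")


if __name__ == "__main__":
    main()
```

Run as written, the table shows why the post's advice holds: the 8-character "complex" password sits around 52 bits and falls to the assumed rig in days, while the phrase is roughly 138 bits against blind brute force and still about 59 bits even when the attacker guesses words instead of characters, which is a year-plus exhaustive search at the same rate. The second figure is the honest one to plan around, and it is also why the variation you use per site must not be a guessable pattern: a predictable suffix adds almost nothing to the word-pattern estimate.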

Still don’t want to have to remember all of those passwords? Sign up for a password vault service like LastPass, 1Password or Dashlane, or a free local password manager like KeePass. The advantage of these tools is that they integrate into your browsers and automatically fill in your passwords, in addition to letting you generate completely random, unique passwords for every site. I only know the password to my manager; I have no idea what my passwords are for the vast majority of sites and apps I use. Of course, you should also use two-factor authentication, also referred to as two-step verification. That’s another post on its own though.

So in honour of World Password Day, go sign up for a password manager and change all of your passwords. If not a service, at least change all of your passwords using the premise that length is most important. You’ll be glad you did and your online life will be easier and more secure. How often do we get to say that?