
“Where Theory is put into Practice”

The Webinar has been supported by vChapter – www.vchapter.org

Where Theory is put into Practice Webinar Series, October 2014

vChapter – A Proposal to ISACA Member

Course Convention and Motivation

1. Scenario
2. Single Sign-On
3. Scenario (cont'd)
4. Program Management
5. Project Management (incl. business case with information security requirements)
6. Security Program Initiation
7. Project Team Kick-off Meeting
8. Kick-off Meeting
9. Project Initiation Documentation
10. What we did not cover ... and is important to know!

Where Theory is put into Practice, Webinar Series, 2014

• Be acquainted with The Booster Course Convention Style.

• White coloured slide stands for Practice.

• YES! This course should be as interactive as possible.
  • You may raise a discussion at any time.
  • There are no stupid questions.

• Tired? Please raise your voice! We will pace this course according to your capacity to absorb information.

• Red coloured slide stands for Theory.

• Only the most necessary theory will be provided, to establish a common vocabulary.

• For those who are interested in learning more, a link to quality professional literature will be provided below. Are those two problems familiar to you?
  • Only quality professional literature will be provided, so you won't waste your time searching for the right answers on the Internet.
  • Only quality professional literature will be provided, so you won't waste your time reading low-quality literature.

• [ ] Short description. Don't waste your time searching on the Internet. Don't waste your time reading low-quality sources! Use a quality professional reference instead: use a [ ].

• Yellow coloured slide stands for Question, Puzzle or Debate time.

• It is not only important to hear how a specific theory works in practice, but also to understand how it relates to the material we have covered so far!

• Understanding the greater picture means that you will be able to apply "theory & practice" in practice.

• We want you to see the forest, the big picture, not only scattered individual trees.

• The success or failure of a project is ultimately based on
  • senior management commitment as well as
  • your own experience.

• We know these experiences are hard to get, and this is where we can help you to advance.

• We are going to put the theory into practice on the example of an identity management system rollout case.

• A unique opportunity to learn:
  • A CISA/CISM-aligned real-life case
  • based on an identity management system rollout (Single Sign-On).
  • Complete: from mandate acquired to lessons learned.
  • Don't reinvent the wheel: do's, don'ts, caveats and pitfalls.
  • Best practices to save money and time.
  • Study support for the final exam.

The Booster Course: "Where theory is put into practice"

Looking for more specific knowledge? Use the provided [ ]!

Still cannot find the solution to a problem? Then use:
- [ ] or
- [ ] ("take the shortcut").

• 2014-Mar-17: You met Mr. Vincent (ACME director) at a fair.
  • You have known each other for a long time. He knows that you are in the InfoSec business and you know that he is a successful businessman.
  • In the discussion you figure out that his company (200+ employees) has problems with its information system.
  • Specifically, Mr. Vincent complains that, due to a new password management policy, he has to change his password in 9 different subsystems every month.
  • Due to the password handling policy, passwords are not allowed to be saved in the browser, and they have to be entered every time a subsystem is accessed.
  • Mr. Vincent complains that they are handling confidential information [asset],
  • and while he is thorough about security, he cannot control every employee [control gap].
  • He fears that one missed password update [vulnerability], or a password under the keyboard [vulnerability],
  • could expose confidential data [exposure] and
  • compromise his business [impact & risk], not to mention the lost time (and money) because employees are entering passwords instead of doing their regular work.
  • "The competition in my industry is tough", he says, and he fears industrial espionage [threat agent].

• [ ] Information Security Terms Definitions: ISO/IEC 27000:2009, "Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary," 2009. Click and get the golden reference!

• [ ] Information Security Explained in simple language: B. Schneier, Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, 2004. Click and get the golden reference!

• 2014-Mar-17: You met Mr. Vincent (ACME director) at a fair.
  • You have followed ACME from the beginning and you know they gradually upgraded their IS. While the company was small, identity and password management was not the best, but efficient enough. Risk management was also effective and efficient.
  • However, as soon as the business expanded, this was no longer the case.
  • You listened carefully to Mr. Vincent and from the conversation recognised [threats, ..., risk]. And you knew about the solution that would help Mr. Vincent for sure!
  • This means you know about an [effective and efficient control] that would [mitigate the risk] to an [acceptable level].

• Q1: Can risk be reduced to zero (0)?

• A1: No. Risk can never be reduced to zero. Why?

• Q2: If it cannot be reduced to zero, how much effort shall we undertake to reduce it?

• A2: First, it depends on the risk appetite you have; second, you must at the latest stop the mitigation process when the cost of the controls exceeds the value of the asset.

• 2014-Mar-17: You met Mr. Vincent (ACME director) at a fair.
  • You explain the benefits of a Single Sign-On solution on a simple example...

• Single Sign-On: A real-life analogy
  • Imagine that you spend your vacation in an all-inclusive hotel,
  • and how cumbersome it would be if every hotel guest had to identify himself with an ID card to get each hotel service.
  • Impact: very long queues and displeased customers (at the restaurant, at the hotel bar, at the hotel beach, the room service, etc.).
  • In reality (and luckily), the customer access control is optimised for efficiency.

• Single Sign-On: A real-life analogy (the SSO analogy)
  • At check-in the hotel clerk asks you for your government-issued ID [authentication].
  • Next, you receive a hard-to-forge bracelet that is worn around the wrist [credential: the hotel grants you a credential for the period of your stay; you are authenticated for the duration of your stay].
  • When you request a hotel service, identification [authentication] is no longer required, because you wear the bracelet [credential: we say the authentication is delegated], which is recognised by the staff.
  • Thus the service is efficient, because identification is no longer required, except at check-in.

• [ ] Many more real-life information security analogies can be found in B. Schneier, Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, 2004. Link to buy it.

• The technological counterpart:
  • Single sign-on (SSO) is a mechanism that uses a single action of authentication
  • to permit an authenticated and authorised user ["the bracelet"] to access all related,
  • but independent, software systems or applications
  • without being prompted to log in again ["identify"] at each of them during a particular session.

• Benefits:
  1. Benefit B1: It reduces the risk of administration error by managing user access control centrally.
  2. Benefit B2: It increases user productivity by allowing users to access multiple services or applications after being authenticated just once.

• V. Radha and D. H. Reddy, "A Survey on Single Sign-On Techniques," Procedia Technology, vol. 4, pp. 134–139, Jan. 2012.

• The technological counterpart (cont'd): Local vs. centralised vs. centralised with SSO

  Account model                 B1 (central administration)   B2 (authenticate just once)
  Local accounts                NO                            NO
  Centralised accounts          YES                           NO
  Centralised accounts + SSO    YES                           YES

• Live demonstration: Single sign-on (SSO) using
  • Debian GNU/Linux,
  • Apache,
  • Kerberos,
  • Firefox (with GSS-API negotiation enabled).

• Test:
  kinit iztok@GOV    # acquire credential (a ticket-granting ticket from the KDC of realm GOV)
  firefox &
  > Enter address: "cars.com"  (it should log in without a login prompt)
  > Enter address: "tires.com" (it should log in without a login prompt)

• Live demonstration: Test (cont'd)
  • Go to the bottom.
  • What is really happening "on the wire"?

  [Figure: Wireshark protocol analyser output for the presented test case (http://www.wireshark.org/)]

• Q: Are there any new business threats related to the deployment of SSO technology?

• A: Yes, e.g. denial of service (DoS).
  • Employees and customers may be unable to log in to company services due to a failure of the Kerberos authentication server.
  • This is a potential single point of failure.

• [ ] A full step-by-step solution is available at the following link. Click and get the source.

• [ ] A VMware virtual image of this solution is available at the following link (U: root, P: deb). Click and get the source.
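The Wireshark capture above is the answer to "what is really happening on the wire"; the following is an added example (not part of the webinar's deck or its step-by-step solution) that models that exchange so it can be read without a packet capture. It reproduces the HTTP Negotiate handshake a GSS-API-enabled browser performs against the Apache host: an anonymous request, a 401 with `WWW-Authenticate: Negotiate`, and a retry carrying a base64 GSS-API InitialContextToken (RFC 2743 framing: tag 0x60, length, mechanism OID, inner token). The host name `cars.com` is taken from the demo; the AP-REQ bytes are a placeholder, and the modelled server checks only the token framing and mechanism OID, not the ticket itself, which a real Apache Kerberos module verifies against its keytab.

```python
import base64
import binascii

# OIDs as they appear in the GSS-API token a browser sends after kinit.
SPNEGO_OID = "1.3.6.1.5.5.2"          # Negotiate wrapper (RFC 4178)
KRB5_OID = "1.2.840.113554.1.2.2"     # Kerberos V5 mechanism (RFC 4121)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, index of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    count = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit = "more follows"
            group.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(group))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_gss_token(mech_oid: str, inner: bytes) -> bytes:
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mech OID, inner token }."""
    body = encode_oid(mech_oid) + inner
    return b"\x60" + _der_len(len(body)) + body


def parse_gss_token(token: bytes):
    """Return (mechanism OID, inner token); raise ValueError on bad framing."""
    if token[:1] != b"\x60":
        raise ValueError("not an InitialContextToken")
    total, i = _read_len(token, 1)
    if i + total != len(token):
        raise ValueError("length does not match token size")
    if token[i:i + 1] != b"\x06":
        raise ValueError("mechanism OID missing")
    oid_len, j = _read_len(token, i + 1)
    return decode_oid(token[j:j + oid_len]), token[j + oid_len:]


def server_respond(request_headers: dict):
    """Model of the Apache side (assumption: framing and mechanism check only;
    a real module also verifies the AP-REQ against the service keytab)."""
    auth = request_headers.get("Authorization", "")
    scheme, _, b64 = auth.partition(" ")
    if scheme != "Negotiate":
        return 401, {"WWW-Authenticate": "Negotiate"}      # the challenge
    try:
        mech, _ap_req = parse_gss_token(base64.b64decode(b64, validate=True))
    except (ValueError, binascii.Error, IndexError):
        return 400, {}                                       # garbage token
    if mech not in (SPNEGO_OID, KRB5_OID):
        return 401, {"WWW-Authenticate": "Negotiate"}      # unsupported mech
    return 200, {}


def browser_exchange(host: str, ap_req: bytes):
    """The two round trips a GSS-API-enabled browser performs for a trusted
    host once kinit has filled the credential cache. ap_req is a placeholder
    for the real AP-REQ. Returns the wire trace as (step, status, headers)."""
    trace = []
    status, hdrs = server_respond({"Host": host})            # anonymous GET
    trace.append(("GET / (no credentials)", status, hdrs))
    if status != 401 or hdrs.get("WWW-Authenticate") != "Negotiate":
        return trace                                         # no SSO offered
    token = build_gss_token(KRB5_OID, ap_req)
    status, hdrs = server_respond(
        {"Host": host,
         "Authorization": "Negotiate " + base64.b64encode(token).decode()})
    trace.append(("GET / (Authorization: Negotiate ...)", status, hdrs))
    return trace


if __name__ == "__main__":
    # Constructed input: the bytes stand in for the AP-REQ built from the ticket.
    for step, status, hdrs in browser_exchange("cars.com", b"<AP-REQ placeholder>"):
        print(step, "->", status, hdrs)
```

Two practical caveats follow from this trace. First, the browser only answers the challenge for hosts it trusts: in Firefox the host must be listed in `network.negotiate-auth.trusted-uris`, otherwise the exchange stops after the 401 and the user sees a login prompt. Second, the cached TGT alone is not enough: for each new service (cars.com, then tires.com) the client still asks the KDC for a service ticket before it can build the AP-REQ, which is exactly the single point of failure discussed in the question above.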

PREVIOUS: 1. Scenario | NOW: 2. Single Sign-On | UPCOMING: 3. Scenario (cont'd)

IT IS IMPORTANT THAT YOU FOLLOW THE COURSE. DON'T HESITATE AND ENTER "?-)". WE WILL BE HAPPY TO PROVIDE ADDITIONAL EXPLANATION TO ALL! YOUR PROBLEM IS MAYBE SOMEONE ELSE'S PROBLEM. :-)

• 2014-Mar-17: You met Mr. Vincent (ACME director) at a fair.
  • You have explained and demonstrated SSO from the business and the technological perspective (he is a non-typical CEO, interested in technology ;-)).
  • Mr. Vincent is interested in improving ACME's IS. This is a situation where an internal business driver drives changes in (both are important!):
    • organisational infrastructure and processes;
    • IT infrastructure and processes.
  • You agree on a kick-off meeting with Mr. Vincent on 2014-Apr-17. You are happy that you have established a first contact.
  • In your mind, you set up a great Risk Management Program ...
  • In your mind, you think over how the actions should evolve:
    4. Program Management
    5. Business Case
    6. Project Management (incl. business case with information security requirements)
    7. Security Program Initiation
    8. Project Team Kick-off Meeting
    9. Project Initiation Documentation

PREVIOUS: 2. Single Sign-On | NOW: 3. Scenario (cont'd) | UPCOMING: 4. Program Management

• Relating benefit, change, programme and project management.

• Difference between US and UK terminology (Gower Handbook of Program Management):

  US                             Activities                               UK
  Project Portfolio Management   Selecting which programs to invest in    Programme management
                                 Managing a number of programs
  Program Management             Managing a number of projects
                                 Managing benefits

• Q: What are the greatest risks if the benefits are not described/identified when initiating a project?

• A: The benefits, i.e. why we want to undertake this program/project, are its justification and the main part of the entire business case. This makes it crystal clear: if the benefits are missing or calculated wrongly, the justification for what we want to undertake is wrong, and therefore the whole business case is for the bin.

PREVIOUS: 3. Scenario (cont'd) | NOW: 4. Program Management | UPCOMING: 5. Project Management