Information Security and Controls against Hackers - Getting hacked 101: intro to info sec and controls
2. ABOUT YOUR INSTRUCTOR
• JUAN ORTIZ
• JORTIZ@BITSNCS.COM
• BLOG: JUANORTIZ.PRO
• BORN AND RAISED IN PUERTO RICO
• INFO SEC, VIRTUALIZATION, CLOUD,
ARCHITECTURE AND BUSINESS INTEGRATION
3. COURSE SCHEDULE
Start End Content
8:30 9:00 Class Introduction
9:00 10:15 Module 1: Basic facts, myths and sad realities
10:15 10:30 Morning Break
10:30 12:00 Module 1: Labs
12:00 1:00 Lunch Break
1:00 2:15 Module 2: Securing the Infrastructure
2:15 2:30 Afternoon Break
2:30 4:00 Module 2: Labs
4:00 4:15 Wrap up and Q&A
4. AGENDA
• DEFINE AND UNDERSTAND COMPONENTS OF INFORMATION SECURITY
• UNDERSTAND INFOSEC ENEMIES
• DEFINE VULNERABILITIES
• EXPLAIN COUNTERMEASURES
• DEMO & LABS
5. PURPOSE AND METHODOLOGY
• THIS IS AN INTRODUCTORY COURSE
• DESIGNED TO BE A FAST WAY TO GET UP TO SPEED IN INFORMATION SECURITY
• THIS COURSE COVERS A BROAD SPECTRUM OF SECURITY TOPICS AND IS LIBERALLY SPRINKLED WITH REAL LIFE EXAMPLES
• A BALANCED MIX OF TECHNICAL AND MANAGERIAL ISSUES MAKES THIS COURSE APPEALING TO ATTENDEES WHO NEED TO UNDERSTAND THE SALIENT FACETS OF:
• INFORMATION SECURITY BASICS
• THE BASICS OF RISK MANAGEMENT
• WE BEGIN BY COVERING BASIC TERMINOLOGY AND CONCEPTS
• THEN MOVE TO EXAMPLES OF THREATS
• WE COVER THE BASICS OF CRYPTOGRAPHY, SECURITY MANAGEMENT, AND WIRELESS TECHNOLOGY
• THEN WE LOOK AT POLICY AS A TOOL TO EFFECT CHANGE IN YOUR ORGANIZATION.
• ON THE FINAL DAY OF THE COURSE, WE PUT IT ALL TOGETHER WITH AN IMPLEMENTATION OF DEFENSE IN-DEPTH.
6. CAVEATS
• THE COURSE IS DESIGNED TO BE PERFORMED ON A WINDOWS ENVIRONMENT
• YOU SHOULD NOT BRING A REGULAR PRODUCTION LAPTOP FOR THIS CLASS! WHEN INSTALLING SOFTWARE, THERE IS ALWAYS A CHANCE OF BREAKING SOMETHING ELSE ON THE SYSTEM. STUDENTS SHOULD ASSUME THAT ALL DATA COULD BE LOST.
• IT IS CRITICAL THAT STUDENTS BE ABLE TO LOGIN TO THE ADMINISTRATOR LEVEL ACCOUNT
• ENDPOINT SECURITY SOLUTIONS CAN PREVENT PROGRAMS FROM BEING INSTALLED CORRECTLY ON THE SYSTEM. STUDENTS NEED TO BE ABLE TO TEMPORARILY DISABLE ENDPOINT SECURITY SOLUTIONS OR MAKE EXCEPTIONS TO ALLOW PROGRAMS TO RUN.
7. MODULE 1 - BASIC FACTS, MYTHS AND SAD REALITIES
A FRAMEWORK FOR INFORMATION SECURITY
8. SECURITY
• IT HAS MANY DEFINITIONS
• IN REALITY IT IS A SENSE OF SECURITY
• KEY TERMS: THREAT, EXPOSURE, VULNERABILITY, COPING, RISK
• CAT AND MOUSE GAME
• THERE ARE MANY STRATEGIES
• DEFENSE IN-DEPTH
16. DON’T USE MULTI FACTOR AUTHENTICATION
• AUTHENTICATION
• SOMETHING YOU KNOW
• SOMETHING YOU HAVE
• SOMETHING YOU ARE
• WHERE YOU ARE
• COMMONLY AVAILABLE
• AUTHORIZATION
19. DON’T ENCRYPT YOUR DATA
• FTP
• Telnet
• Simple Mail Transfer Protocol (SMTP)
• HTTP
• Post Office Protocol 3 (POP3)
• Internet Message Access Protocol (IMAPv4)
• Network Basic Input/Output System (NetBIOS)
• Simple Network Management Protocol (SNMP)
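Every protocol on this slide carries credentials and data in the clear, so a quick defensive check is to audit what a machine is listening on. The script below is an added example, not part of the course material; it parses `netstat -an` style output (a constructed sample is embedded) and reports each cleartext listener together with the encrypted replacement. It assumes the default IANA ports, so a service moved to a non-standard port is not caught.

```python
"""Audit listening sockets for the cleartext protocols named on the slide."""

# Default ports of the cleartext protocols, mapped to the encrypted
# alternative a defender should migrate to (assumption: IANA defaults only).
CLEARTEXT_PORTS = {
    21: ("FTP", "SFTP or FTPS"),
    23: ("Telnet", "SSH"),
    25: ("SMTP", "SMTP with STARTTLS or SMTPS (465)"),
    80: ("HTTP", "HTTPS (443)"),
    110: ("POP3", "POP3S (995)"),
    143: ("IMAPv4", "IMAPS (993)"),
    137: ("NetBIOS name service", "disable NetBIOS; use SMB on 445 with signing"),
    139: ("NetBIOS session service", "disable NetBIOS; use SMB on 445 with signing"),
    161: ("SNMP v1/v2c", "SNMPv3 with authPriv"),
}

# Constructed sample in the shape of `netstat -an` on a Unix-like host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:52113        203.0.113.5:80          ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
"""


def parse_listeners(netstat_output):
    """Return [(proto, port)] for every listening socket; TCP needs LISTEN,
    UDP is connectionless so any bound UDP port counts."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0][:3] not in ("tcp", "udp"):
            continue  # header, blank line or unknown protocol
        proto = parts[0][:3]  # tcp6/udp6 fold into tcp/udp
        if proto == "tcp" and "LISTEN" not in parts:
            continue  # established client connections are not listeners
        port = int(parts[3].rsplit(":", 1)[1])  # works for IPv4, ':::80' and '*:80'
        found.append((proto, port))
    return found


def audit_cleartext(netstat_output):
    """Return one finding dict per listener that speaks a cleartext protocol."""
    findings = []
    for proto, port in parse_listeners(netstat_output):
        if port in CLEARTEXT_PORTS:
            service, replacement = CLEARTEXT_PORTS[port]
            findings.append({"proto": proto, "port": port,
                             "service": service, "replace_with": replacement})
    return findings


if __name__ == "__main__":
    for f in audit_cleartext(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']:<5} {f['service']:<24} -> {f['replace_with']}")
```

On a real host, feed it the output of `netstat -an` instead of the constructed sample.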
20. DON’T USE ANTI-MALWARE
• Any system can be vulnerable to infection
• The attacker uses naivety as a weapon
• There are many effective tools
(Image: Before / After)
21. DO NOT PATCH YOUR MACHINE
• EVERY HUMAN-MADE PIECE OF SOFTWARE HAS FLAWS
• THIS APPLIES TO OS, FIRMWARE, DRIVERS AND SOFTWARE
• BE AWARE – WINDOWS UPDATE DOES NOT PATCH THIRD PARTY SOFTWARE
23. DO NOT BE SUSPICIOUS
• COMMON SENSE IS THE LEAST COMMON OF THE SENSES
• IF IT'S TOO GOOD TO BE TRUE, IT PROBABLY IS
• IF A LIE IS WELL DEVELOPED, WE WILL NOT HESITATE TO CLICK THAT MALICIOUS LINK
• POLL: ASK A RANDOM PERSON WHAT IS HIS WEAKEST PASSWORD IN EXCHANGE FOR A PEN
• RECIPROCITY: IT’S NATURAL TO RETURN THE FAVOR.
• PEOPLE LIKE TO BE PRAISED
• PEOPLE ARE AFRAID OF POWER POSITIONS
24. MODULE 1 - EXERCISES AND LABS
• LAB 1 - CREATE A STANDARD USER ACCOUNT
• LAB 2 - CONFIGURE MICROSOFT UPDATES
• LAB 3 - CONFIGURE THIRD PARTY SOFTWARE UPDATES (SECUNIA PERSONAL SOFTWARE INSPECTOR)
• LAB 4 - CONFIGURE PASSWORD MANAGEMENT (LASTPASS, KEEPASS)
25. MODULE 2 - SECURING THE INFRASTRUCTURE
APPRECIATING THE RISKS ASSOCIATED WITH BEING CONNECTED TO THE INTERNET
28. ATTACK TYPES
• PUBLIC INFORMATION - SEARCH ENGINES, SOCIAL NETWORKS AND EVEN JOB SEARCH
• NAME RESOLUTION ATTACKS
• SESSION HIJACKING, SPOOFING, MAN IN THE MIDDLE
• DENIAL OF SERVICE
• CROSS SITE SCRIPTING, COOKIE STEALING
• VIRUS, TROJANS, KEYLOGGERS AND WORMS
• VULNERABILITIES
• COVERT TRACKS
29. ATTACKER RESOURCES
• LACK OF PLANNING AND PROTECTION PROVIDES THE BEST ATTACKING ENVIRONMENT
• THERE ARE A LOT OF TOOLS FREELY AVAILABLE, OTHERS READY FOR SALE
• THERE ARE REALLY BAD PEOPLE ON THE INTERNET, IN BUSINESS
• DEEP WEB AND ANONYMIZERS – THEY EXIST AND ARE PRETTY EFFICIENT
30. DEFENSE MECHANISMS
• POLICIES AND DATA WIPING
• UPDATES AND CLIENT SECURITY SOFTWARE
• ENCRYPTION – SYMMETRIC VS ASYMMETRIC, ONE WAY HASHES, CERTIFICATES AND DISK ENCRYPTION
• FIREWALLS, IDS, DMZ, HONEY POTS
• SECURE NETWORK PROTOCOLS
• SEGMENTATION
• BACKUP, REPLICATION AND REDUNDANCY
• SECURITY AWARENESS TRAINING
• ASSESSMENTS – PENTEST AND VA
32. CONCLUSION
• THERE IS NO SUCH THING AS “COMPLETELY SECURE”
• IF IT IS TOO GOOD TO BE TRUE, IT PROBABLY IS
• A LAYERED PLAN WILL BE THE MOST EFFECTIVE
• KEEP IT SIMPLE, WHEN POSSIBLE
• MOST ATTACKS ARE EFFECTIVE DUE TO IGNORANCE
• ONCE YOU RUN YOUR SECURITY PLAN, DO NOT LEAVE IT AS IT IS. VERIFY IT CONSTANTLY
• MAKE DRILLS AND TESTS