Presentación en el Seminario Introducción a la Seguridad de la Información y Controles contra Hackers

2. ABOUT YOUR INSTRUCTOR
• JUAN ORTIZ
• JORTIZ@BITSNCS.COM
• BLOG: JUANORTIZ.PRO
• BORN AND RAISED IN PUERTO RICO
• INFO SEC, VIRTUALIZATION, CLOUD,
ARCHITECTURE AND BUSINESS INTEGRATION

3. COURSE SCHEDULE
Start End Content
8:30 9:00 Class Introduction
9:00 10:15 Module 1: Basic facts, myths and sad realities
10:15 10:30 Morning Break
10:30 12:00 Module 1: Labs
12:00 1:00 Lunch Break
1:00 2:15 Module 2: Securing the Infrastructure
2:15 2:30 Afternoon Break
2:30 4:00 Module 2: Labs
4:00 4:15 Wrap up and Q&A

4. AGENDA
• DEFINE AND UNDERSTAND COMPONENTS OF INFORMATION SECURITY
• UNDERSTAND INFOSEC ENEMIES
• DEFINE VULNERABILITIES
• EXPLAIN COUNTERMEASURES
• DEMO & LABS

5. PURPOSE AND METHODOLOGY
• THIS IS AN INTRODUCTORY COURSE
• DESIGNED TO BE A FAST WAY TO GET UP TO SPEED IN INFORMATION SECURITY
• THIS COURSE COVERS A BROAD SPECTRUM OF SECURITY TOPICS AND IS LIBERALLY SPRINKLED WITH REAL LIFE EXAMPLES
• A BALANCED MIX OF TECHNICAL AND MANAGERIAL ISSUES MAKES THIS COURSE APPEALING TO ATTENDEES WHO NEED TO UNDERSTAND THE SALIENT
FACETS OF
• INFORMATION SECURITY BASICS
• THE BASICS OF RISK MANAGEMENT.
• WE BEGIN BY COVERING BASIC TERMINOLOGY AND CONCEPTS
• THEN MOVE TO EXAMPLES OF THREATS
• WE COVER THE BASICS OF CRYPTOGRAPHY, SECURITY MANAGEMENT, AND WIRELESS TECHNOLOGY
• THEN WE LOOK AT POLICY AS A TOOL TO EFFECT CHANGE IN YOUR ORGANIZATION.
• IN THE FINAL DAY OF THE COURSE, WE PUT IT ALL TOGETHER WITH AN IMPLEMENTATION OF DEFENSE IN-DEPTH.

6. CAVEATS
• THE COURSE IS DESIGNED TO BE PERFORMED ON A WINDOWS ENVIRONMENT
• YOU SHOULD NOT BRING A REGULAR PRODUCTION LAPTOP FOR THIS CLASS! WHEN INSTALLING
SOFTWARE, THERE IS ALWAYS A CHANCE OF BREAKING SOMETHING ELSE ON THE SYSTEM. STUDENTS
SHOULD ASSUME THAT ALL DATA COULD BE LOST.
• IT IS CRITICAL THAT STUDENTS BE ABLE TO LOGIN TO THE ADMINISTRATOR LEVEL ACCOUNT
• END POINT SECURITY SOLUTIONS CAN PREVENT PROGRAMS FROM BEING INSTALLED CORRECTLY ON THE
SYSTEM. STUDENTS NEED TO BE ABLE TO TEMPORARILY DISABLE END POINT SECURITY SOLUTIONS OR
MAKE EXCEPTIONS TO ALLOW PROGRAMS TO RUN.

7. MODULE 1 - BASIC FACTS, MYTHS AND SAD REALITIES
A FRAMEWORK FOR INFORMATION SECURITY

8. SECURITY
• IT HAS MANY DEFINITIONS
• IN REALITY IT IS A SENSE OF SECURITY
• KEY TERMS: THREAT, EXPOSITION, VULNERABILITY COPING, RISK
• CAT AND MOUSE GAME
• THERE ARE MANY STRATEGIES
• DEFENSE IN-DEPTH

9. ESSENTIAL TERMINOLOGIES

10. ELEMENTS OF INFORMATION TECHNOLOGY

11. DEFENSE IN-DEPTH

12. “
”
THINGS TO DO IF YOU WANT TO GET
HACKED
DON’T DO THEM, PLEASE

13. BAD PASSWORDS, BAD IDEA

14. WE ARE STILL NOT LEARNING

15. REPEAT YOUR PASSWORDS
• Facebook
• Twitter
• Gmail
• Youtube
• eBay
• PayPal
• BPPR
• Yahoo
• Instagram
• Pinterest
• Amazon
• Netflix
• Microsoft
• Spotify
• Pandora
• Dropbox
• OneDrive
• SmartPhone
• iCloud
• GoDaddy
• Linkedin
• IMDB
• Wikipedia
• Muchas más

16. DON’T USE MULTI FACTOR AUTHENTICATION
• AUTENTICACIÓN
• ALGO QUE SABES
• ALGO QUE TIENES
• ALGO QUE ERES
• EN QUE LUGAR ESTAS
• DISPONIBLE COMÚNMENTE
• AUTORIZACIÓN

17. CLICK EVERY POSIBLE LINK

18. PAY RANSOMS WHEN ASKED

19. DON’T ENCRYPT YOUR DATA
• FTP
• Telnet
• Simple Mail Transfer Protocol (SMTP)
• HTTP
• Post Office Protocol 3 (POP3)
• Internet Message Access Protocol (IMAPv4)
• Network Basic Input/OutputSystem
(NetBIOS),
• Simple Network Management Protocol
(SNMP)

20. DON’T USE ANTI-MALWARE
• Any system can be
vulnerable to
infection
• The attacker uses
naiveness as
weapon
• There are many
effective tools
Before After

21. DO NOT PATCH YOUR MACHINE
• ERVERY HUMAN MADE SOFTWARE HAS FLAWS
• THIS APPLIES TO OS, FIRMWARE, DRIVERS AND SOFTWARE
• BE AWARE – WINDOWS UPDATE DOES NOT PATCH THIRD PARTY SOFTWARE

22. DOWNLOAD FREE STUFF
• THE PIRATE BAY
• KICKASSTORRENTS
• TORRENTZ
• EXTRATORRENT
• YIFY-TORRENTS
• EZTV
• ISOHUNT.TO
• LuckyWire
• BearShare
• Morpheus
• LimeZilla
• Nodezilla
• Warez
• Blubster

23. DO NOT BE SUSPICIOUS
• COMMON SENSE IS THE LEAST COMMON OF THE SENSES
• IF ITS TOO GOOD TO BE TRUE, IT PROBABLY IS
• IF A LIE IS WELL DEVELOPED, WE WILL NOT HESITATE TO CLICK THAT MALICIOUS LINK
• POLL: ASK A RANDOM PERSON WHAT IS HIS WEAKEST PASSWORD IN EXCHANGE FOR A PEN
• RECIPROCITY: IT’S NATURAL TO RETURN THE FAVOR.
• PEOPLE LIKE TO BE PRAISED
• PEOPLE ARE AFRAID OF POWER POSITIONS

24. MODULE 1 - EXERCISES AND LABS
• LAB 1 - CREATE A STANDARD USER ACCOUNT
• LAB 2 - CONFIGURE MICROSOFT UPDATES
• LAB 3 - CONFIGURE THIRD PARTY SOFTWARE UPDATES (SECUNIA PERSONAL SOFTWARE INSPECTOR)
• LAB 4 - CONFIGURE PASSWORD MANAGEMENT (LASTPASS, KEEPASS)

25. MODULE 2 - SECURING THE INFRASTRUCTURE
APPRECIATING THE RISKS ASSOCIATED WITH BEING CONNECTED TO THE INTERNET

26. WHAT DOES A HACKER DO

27. NETWORK DESIGNS

28. ATTACK TYPES
• PUBLIC INFORMATION - SEARCH ENGINES, SOCIAL NETWORKS AND EVEN JOB SEARCH
• NAME RESOLUTION ATTACKS
• SESSION HIJACKING, SPOOFING, MAN IN THE MIDDLE
• DENIAL OF SERVICE
• CROSS SITE SCRIPTING, COOKIE STEALING
• VIRUS, TROJANS, KEYLOGGERS AND WORMS
• VULNERABILITIES
• COVERT TRACKS

29. ATTACKER RESOURCES
• LACK OF PLANNING AND PROTECTION PROVIDE THE BEST ATTACKING ENVIRONMENT
• THERE ARE A LOT OF TOOLS FREELY AVAILABLE, OTHERS READY FOR SELL
• THERE ARE REALLY BAD PEOPLE ON THE INTERNET, ON BUSINESS
• DEEP WEB AND ANONYMIZERS – THEY EXIST AND ARE PRETTY EFFICIENT

30. DEFENSE MECHANISMS
• POLICIES AND DATA WIPING
• UPDATES AND CLIENT SECURITY SOFTWARE
• ENCRYPTION – SYMMETRIC VS ASYMMETRIC, ONE WAY HASHES, CERTIFICATES AND DISK ENCRYPTION
• FIREWALLS, IDS, DMZ, HONEY POTS
• SECURE NETWORK PROTOCOLS
• SEGMENTATION
• BACKUP, REPLICATION AND REDUNDANCY
• SECURITY AWARENESS TRAINING
• ASSESSMENTS – PENTEST AND VA

31. MODULE 2 - EXERCISES AND LABS
• LAB 5 - CONFIGURE FILE BACKUP (SYNCBACK, AZURE BACKUP)
• LAB 6 - CONFIGURE ENCRYPTION AND SECURE CONTAINERS (TRUECRYPT/VERACRYPT/BITLOCKER)
• LAB 7 – CALCULATING HASHES (HASHCALC)
• LAB 8 – SCANNING FOR MALWARE (MALWAREBYTES)
• LAB 9 – WIPE HARD DRIVE SPACE (CCLEANER, KILLDISK)

32. CONCLUSION
• THERE IS NO SUCH THING AS “COMPLETELY SECURE”
• IF IT IS TOO GOOD TO BE TRUE, IT PROBABLY IS
• A LAYERED PLAN WILL BE THE MOST EFFECTIVE
• KEEP IT SIMPLE, WHEN POSSIBLE
• MOST ATTACKS ARE EFFECTIVE DUE TO IGNORANCE
• ONCE YOU RUN YOUR SECURITY PLAN, DO NOT LEAVE IT AS IT IS. VERIFY IT CONSTANTLY
• MAKE DRILLS AND TESTS

33. WRAP UP AND Q&A