2. UPR, School of Medicine – IT Director
Obsidis Consortia, Inc. – President & Founder
Security B Sides Puerto Rico – Organizer
Init6 Security User Group – Founder & Mentor
Self-Employed – Technical Instructor
“The Cleaner”
PRgov - Information Security Council Member
“Jedi Master”
5. 60% of small businesses that experience a data breach are out of business within 6 months.
IBM says there were 1.5 Million attacks alone in 2013, and 81% of them happened to small businesses.
Visa reports that 90% of the payment data breaches reported come from small businesses.
7. Trojans
Botnets (Zombie + C&C)
Some notorious ones are:
Citadel – taken down by Microsoft in 2011
SpyEye – developers were arrested in 2012
Zeus – in 2014, Spamhaus detected 7,182 distinct IP addresses that hosted a botnet controller
8. Ransomware is a type of malware which restricts access to the computer system or files that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.
Transactions are made with money cards, wire transfers and, most recently, Bitcoin.
If you get bitten by this bug, most likely you will have to pay to recover your files.
10. How to recognize Phishing
Legitimate organizations don’t ask for sensitive data over email.
Is the grammar and vocabulary used appropriately? (broken language)
Did you expect a message from that person?
Is the website name spelled correctly? (e.g. Amazone.com)
How to respond to Phishing
DELETE immediately
Don’t click links; type the address into the browser by hand
Hover over the link to verify where it points (still dangerous)
Don't open e-mail attachments … NEVER!
If you fell for it …
Change your passwords
Contact any institutions whose accounts you think have been compromised
Report it to: http://www.ic3.gov
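The "is the website name spelled correctly" check above can be automated for a list of domains the business actually deals with. The following is an added example, not code from the original deck: it takes a hovered or pasted link, extracts the registrable domain, and flags it as a lookalike when it is within a couple of edits of a known domain or when a known brand name appears inside an unrelated host. The KNOWN_DOMAINS list is a constructed sample; a real deployment would load its own inventory.

```python
from urllib.parse import urlparse

# Constructed sample of domains the organisation legitimately deals with
# (assumption: a real deployment loads this from its own inventory).
KNOWN_DOMAINS = ["amazon.com", "paypal.com", "ic3.gov"]


def _host(url: str) -> str:
    """Lower-cased host name of a URL; tolerates links pasted without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").strip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the host, e.g. 'www.amazone.com' -> 'amazone.com'.
    Simplified on purpose: multi-part public suffixes such as .co.uk are not handled."""
    labels = _host(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else _host(url)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, known=KNOWN_DOMAINS) -> str:
    """Return 'trusted' when the registrable domain is on the known list,
    'lookalike' when it is a near-misspelling of a known domain or embeds a known
    brand name inside a different domain, and 'unknown' otherwise."""
    host = _host(url)
    dom = registrable_domain(url)
    if dom in known:
        return "trusted"
    for k in known:
        brand = k.split(".")[0]
        # Short brand names get a tighter threshold so 'ic3' does not match everything.
        threshold = 1 if len(brand) < 6 else 2
        if edit_distance(dom.split(".")[0], brand) <= threshold:
            return "lookalike"
        if brand in host:  # e.g. the brand used as a subdomain of another domain
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the deck's own 'Amazone.com' example.
    for link in ["https://www.amazon.com/", "http://www.Amazone.com/login",
                 "http://paypal.com.example.net/verify", "http://example.org"]:
        print(f"{link:45} -> {classify_link(link)}")
```

The hover check stays "still dangerous" for the reasons the slide gives: this only tells the reader that a link deserves suspicion, never that it is safe, so anything not returned as `trusted` should be typed into the browser by hand rather than clicked.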
11. Common Techniques
Impersonation
Pretext
Framing
Elicitation
Common attacks
Customer Service
Tech support
Delivery person
Phone
Email/Phishing
http://www.social-engineer.org/framework/general-discussion/
12. Owners don’t want to mess with their money machines.
The misconception of “that’s just a cash register”
There is a new breed of malware written specifically for POS (e.g. Backoff PoS).
The reality is that most PoS terminals and kiosks are fully working computers that run some kind of software on top of a common operating system (e.g. Microsoft Windows) and are connected to the network.
15. • (3) copies of your data (local, external drive, cloud)
• (2) different media (external drive, cloud, DVD)
• (1) copy stored offsite (cloud, home, office, storage facility)
16. Do not use personal information for passwords
Do not use dictionary words as passwords
Use at least 3 of the following character classes: a-z, A-Z, 0-9, !@#$%^&*
At least 16 characters long
Use passphrases
e.g. I like cold pizza → 1 Lik3 c0ld Pizz4!
Change regularly (every 90 days)
Use a password manager (LastPass)
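The rules on this slide can be turned into a policy check that tells the user which rule a candidate breaks instead of just rejecting it. This is an added example, not code from the original deck: the character classes and thresholds are the slide's own (16 characters, 3 of 4 classes), while the dictionary list and the personal-information items are constructed stand-ins that a real deployment would replace with a full wordlist and the user's actual account data.

```python
import string

# Constructed stand-in for a dictionary/common-password wordlist. Kept as a tuple so
# the order of reported failures is deterministic (assumption: a real check loads a
# much larger list from a file).
COMMON_WORDS = ("password", "welcome", "pizza", "letmein", "qwerty")

# The four character classes named on the slide.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*"),
}


def check_password(pw: str, personal_info=(), min_length=16, min_classes=3) -> list:
    """Return the list of slide rules the candidate fails; an empty list means it passes.

    personal_info is an iterable of strings the user should never embed (name, birth
    year, pet, ...); the caller supplies these from the account profile."""
    failures = []

    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")

    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in pw))
    if present < min_classes:
        failures.append(f"uses only {present} of {len(CLASSES)} character classes")

    lowered = pw.lower()
    for word in COMMON_WORDS:
        # Substring match catches the word even when padded with digits or symbols.
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")

    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append("contains personal information")
            break

    return failures


if __name__ == "__main__":
    # The slide's own before/after passphrase, plus a constructed weak example.
    for candidate, info in [("I like cold pizza", ()),
                            ("1 Lik3 c0ld Pizz4!", ()),
                            ("Jose1985!", ("Jose", "1985"))]:
        result = check_password(candidate, info)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The plain passphrase fails on two of the slide's rules (only two character classes, contains the dictionary word "pizza"), and the substituted form passes all of them, which is exactly the transformation the slide illustrates. A password manager, as the slide recommends, generates strings that satisfy these rules without the user having to think about them.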
18. Use only when absolutely necessary
Isolate the guest network
Authenticate & control access
Limit the number of services available (http, https, dns)
Use WPA2 with a strong password
Control output power *
Turn off beacon broadcasting *
Use MAC filtering *
* Not effective against a skilled attacker
19. 1. Use Password protected access control
2. Control application access and permission
3. Keep the OS and firmware current (update)
4. Backup your data
5. Use remote or automatic wipe if stolen or lost
6. Don’t store personal financial data on your device
7. Beware of free apps
8. Try mobile antivirus (Android)
9. Control Wireless connectivity (Wi-Fi, Bluetooth, NFC, RFID)
10. If possible use a Mobile Device Management (MDM) solution
20. Read the Terms and Conditions of service and the Privacy Policy carefully
Your only assurance is a good contract & SLA (get a lawyer)
Encrypt everything before uploading it to the cloud
Not all clouds are the same; understand your needs.
Get the service from a reputable provider.
23. Cyber criminals use various methods to hide their tracks
Tor (The Onion Router) - Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
Private VPN - individuals can use VPNs to get access to network resources when they're not physically on the same LAN (local area network), or as a method for securing and encrypting their communications when they're using an untrusted public network.
Proxy Servers - in a personal computing context, proxy servers are used to enable user privacy and anonymous surfing.
Spoofing - a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.