Information Security and Controls Against Hackers - Getting Hacked 101: Intro to Info Sec and...


Upload: asociacion-de-ejecutivos-de-cooperativas-de-puerto-rico

Posted on 05-Aug-2015


ABOUT YOUR INSTRUCTOR

• JUAN ORTIZ

[email protected]

• BLOG: JUANORTIZ.PRO

• BORN AND RAISED IN PUERTO RICO

• INFO SEC, VIRTUALIZATION, CLOUD, ARCHITECTURE AND BUSINESS INTEGRATION

COURSE SCHEDULE

Start End Content

8:30 9:00 Class Introduction

9:00 10:15 Module 1: Basic facts, myths and sad realities

10:15 10:30 Morning Break

10:30 12:00 Module 1: Labs

12:00 1:00 Lunch Break

1:00 2:15 Module 2: Securing the Infrastructure

2:15 2:30 Afternoon Break

2:30 4:00 Module 2: Labs

4:00 4:15 Wrap up and Q&A

AGENDA

• DEFINE AND UNDERSTAND COMPONENTS OF INFORMATION SECURITY

• UNDERSTAND INFOSEC ENEMIES

• DEFINE VULNERABILITIES

• EXPLAIN COUNTERMEASURES

• DEMO & LABS

PURPOSE AND METHODOLOGY

• THIS IS AN INTRODUCTORY COURSE

• DESIGNED TO BE A FAST WAY TO GET UP TO SPEED IN INFORMATION SECURITY

• THIS COURSE COVERS A BROAD SPECTRUM OF SECURITY TOPICS AND IS LIBERALLY SPRINKLED WITH REAL LIFE EXAMPLES

• A BALANCED MIX OF TECHNICAL AND MANAGERIAL ISSUES MAKES THIS COURSE APPEALING TO ATTENDEES WHO NEED TO UNDERSTAND THE SALIENT FACETS OF:

• INFORMATION SECURITY BASICS

• THE BASICS OF RISK MANAGEMENT

• WE BEGIN BY COVERING BASIC TERMINOLOGY AND CONCEPTS

• THEN MOVE TO EXAMPLES OF THREATS

• WE COVER THE BASICS OF CRYPTOGRAPHY, SECURITY MANAGEMENT, AND WIRELESS TECHNOLOGY

• THEN WE LOOK AT POLICY AS A TOOL TO EFFECT CHANGE IN YOUR ORGANIZATION.

• ON THE FINAL DAY OF THE COURSE, WE PUT IT ALL TOGETHER WITH AN IMPLEMENTATION OF DEFENSE IN-DEPTH.

CAVEATS

• THE COURSE IS DESIGNED TO BE PERFORMED IN A WINDOWS ENVIRONMENT

• YOU SHOULD NOT BRING A REGULAR PRODUCTION LAPTOP TO THIS CLASS! WHEN INSTALLING SOFTWARE, THERE IS ALWAYS A CHANCE OF BREAKING SOMETHING ELSE ON THE SYSTEM. STUDENTS SHOULD ASSUME THAT ALL DATA COULD BE LOST.

• IT IS CRITICAL THAT STUDENTS BE ABLE TO LOG IN TO AN ADMINISTRATOR-LEVEL ACCOUNT

• ENDPOINT SECURITY SOLUTIONS CAN PREVENT PROGRAMS FROM BEING INSTALLED CORRECTLY ON THE SYSTEM. STUDENTS NEED TO BE ABLE TO TEMPORARILY DISABLE ENDPOINT SECURITY SOLUTIONS OR MAKE EXCEPTIONS TO ALLOW PROGRAMS TO RUN.

MODULE 1 - BASIC FACTS, MYTHS AND SAD REALITIES

A FRAMEWORK FOR INFORMATION SECURITY

SECURITY

• IT HAS MANY DEFINITIONS

• IN REALITY IT IS A SENSE OF SECURITY

• KEY TERMS: THREAT, EXPOSURE, VULNERABILITY, COPING, RISK

• CAT AND MOUSE GAME

• THERE ARE MANY STRATEGIES

• DEFENSE IN-DEPTH

ESSENTIAL TERMINOLOGIES

ELEMENTS OF INFORMATION TECHNOLOGY

DEFENSE IN-DEPTH

THINGS TO DO IF YOU WANT TO GET HACKED

DON’T DO THEM, PLEASE

BAD PASSWORDS, BAD IDEA

WE ARE STILL NOT LEARNING

REPEAT YOUR PASSWORDS

• Facebook

• Twitter

• Gmail

• Youtube

• eBay

• PayPal

• BPPR

• Yahoo

• Instagram

• Pinterest

• Amazon

• Netflix

• Microsoft

• Spotify

• Pandora

• Dropbox

• OneDrive

• SmartPhone

• iCloud

• GoDaddy

• Linkedin

• IMDB

• Wikipedia

• Many more

DON’T USE MULTI FACTOR AUTHENTICATION

• AUTHENTICATION

• SOMETHING YOU KNOW

• SOMETHING YOU HAVE

• SOMETHING YOU ARE

• WHERE YOU ARE

• COMMONLY AVAILABLE

• AUTHORIZATION

CLICK EVERY POSSIBLE LINK

PAY RANSOMS WHEN ASKED

DON’T ENCRYPT YOUR DATA

• FTP

• Telnet

• Simple Mail Transfer Protocol (SMTP)

• HTTP

• Post Office Protocol 3 (POP3)

• Internet Message Access Protocol (IMAPv4)

• Network Basic Input/Output System (NetBIOS)

• Simple Network Management Protocol (SNMP)

DON’T USE ANTI-MALWARE

• Any system can be vulnerable to infection

• The attacker uses naiveness as a weapon

• There are many effective tools

(Figure: Before / After)

DO NOT PATCH YOUR MACHINE

• ALL HUMAN-MADE SOFTWARE HAS FLAWS

• THIS APPLIES TO OS, FIRMWARE, DRIVERS AND SOFTWARE

• BE AWARE – WINDOWS UPDATE DOES NOT PATCH THIRD PARTY SOFTWARE

DOWNLOAD FREE STUFF

• THE PIRATE BAY

• KICKASSTORRENTS

• TORRENTZ

• EXTRATORRENT

• YIFY-TORRENTS

• EZTV

• ISOHUNT.TO

• LuckyWire

• BearShare

• Morpheus

• LimeZilla

• Nodezilla

• Warez

• Blubster

DO NOT BE SUSPICIOUS

• COMMON SENSE IS THE LEAST COMMON OF THE SENSES

• IF IT'S TOO GOOD TO BE TRUE, IT PROBABLY IS

• IF A LIE IS WELL DEVELOPED, WE WILL NOT HESITATE TO CLICK THAT MALICIOUS LINK

• POLL: ASK A RANDOM PERSON WHAT THEIR WEAKEST PASSWORD IS IN EXCHANGE FOR A PEN

• RECIPROCITY: IT’S NATURAL TO RETURN THE FAVOR.

• PEOPLE LIKE TO BE PRAISED

• PEOPLE ARE AFRAID OF POWER POSITIONS

MODULE 1 - EXERCISES AND LABS

• LAB 1 - CREATE A STANDARD USER ACCOUNT

• LAB 2 - CONFIGURE MICROSOFT UPDATES

• LAB 3 - CONFIGURE THIRD PARTY SOFTWARE UPDATES (SECUNIA PERSONAL SOFTWARE INSPECTOR)

• LAB 4 - CONFIGURE PASSWORD MANAGEMENT (LASTPASS, KEEPASS)

MODULE 2 - SECURING THE INFRASTRUCTURE

APPRECIATING THE RISKS ASSOCIATED WITH BEING CONNECTED TO THE INTERNET

WHAT DOES A HACKER DO

NETWORK DESIGNS

ATTACK TYPES

• PUBLIC INFORMATION - SEARCH ENGINES, SOCIAL NETWORKS AND EVEN JOB SEARCH

• NAME RESOLUTION ATTACKS

• SESSION HIJACKING, SPOOFING, MAN IN THE MIDDLE

• DENIAL OF SERVICE

• CROSS SITE SCRIPTING, COOKIE STEALING

• VIRUSES, TROJANS, KEYLOGGERS AND WORMS

• VULNERABILITIES

• COVERING TRACKS

ATTACKER RESOURCES

• LACK OF PLANNING AND PROTECTION PROVIDES THE BEST ATTACKING ENVIRONMENT

• THERE ARE A LOT OF TOOLS FREELY AVAILABLE, OTHERS READY FOR SALE

• THERE ARE REALLY BAD PEOPLE ON THE INTERNET, AND THEY ARE IN BUSINESS

• DEEP WEB AND ANONYMIZERS - THEY EXIST AND ARE PRETTY EFFICIENT

DEFENSE MECHANISMS

• POLICIES AND DATA WIPING

• UPDATES AND CLIENT SECURITY SOFTWARE

• ENCRYPTION - SYMMETRIC VS ASYMMETRIC, ONE-WAY HASHES, CERTIFICATES AND DISK ENCRYPTION

• FIREWALLS, IDS, DMZ, HONEY POTS

• SECURE NETWORK PROTOCOLS

• SEGMENTATION

• BACKUP, REPLICATION AND REDUNDANCY

• SECURITY AWARENESS TRAINING

• ASSESSMENTS - PENTEST AND VA

MODULE 2 - EXERCISES AND LABS

• LAB 5 - CONFIGURE FILE BACKUP (SYNCBACK, AZURE BACKUP)

• LAB 6 - CONFIGURE ENCRYPTION AND SECURE CONTAINERS (TRUECRYPT/VERACRYPT/BITLOCKER)

• LAB 7 - CALCULATING HASHES (HASHCALC)

• LAB 8 - SCANNING FOR MALWARE (MALWAREBYTES)

• LAB 9 - WIPE HARD DRIVE SPACE (CCLEANER, KILLDISK)

CONCLUSION

• THERE IS NO SUCH THING AS “COMPLETELY SECURE”

• IF IT IS TOO GOOD TO BE TRUE, IT PROBABLY IS

• A LAYERED PLAN WILL BE THE MOST EFFECTIVE

• KEEP IT SIMPLE, WHEN POSSIBLE

• MOST ATTACKS ARE EFFECTIVE DUE TO IGNORANCE

• ONCE YOU PUT YOUR SECURITY PLAN IN PLACE, DO NOT LEAVE IT AS IT IS. VERIFY IT CONSTANTLY

• RUN DRILLS AND TESTS

WRAP UP AND Q&A